If your firm has 10 attorneys, a shared drive full of client files, and a cyber insurance policy you have not read in two years, this is the article you need right now.
Law firms are one of the fastest-growing targets for cyberattacks in the country. The reason is simple: your servers hold the kind of information that hackers can sell, leverage, or ransom for maximum payout. Merger details. Litigation strategy. Financial records. Social Security numbers. Medical records from personal injury cases. Privileged communications that were never meant to see the light of day.
Professional services firms, including law firms, accountants, and consultants, saw the most significant growth in cyberattacks in 2025, according to the Identity Theft Resource Center’s annual report. The logic from the attacker’s perspective is brutal. Breaching one mid-size law firm with access to client financial and M&A data can produce intelligence equivalent to breaching dozens of individual organizations.
And here in Sandy Springs, Marietta, and the broader NW Atlanta legal community, most firms with 10 to 50 employees still do not have the protections in place to stop it or the documentation to survive an insurance claim if it happens.
Here is what needs to change.
At A Glance: The 3 Things Every Atlanta Law Firm Needs in Place Right Now
- Cyber Insurance That Actually Covers You: Your policy has requirements. If you have not met them, your claim will be denied.
- Multi-Factor Authentication Everywhere: Not just email. Every system that touches client data.
- An Incident Response Plan On Paper: Not in someone’s head. Written, tested, and accessible.

1. The Cyber Insurance Gap: Your Policy Has Requirements You Might Not Be Meeting
The Tech Term: Cyber Liability Insurance Underwriting and Multi-Factor Authentication (MFA)
The Business Reality: Most law firms in the Atlanta metro carry some form of cyber insurance. Many believe they are covered. But here is the problem: cyber insurance carriers have dramatically tightened their requirements over the past two years, and 41% of applications are now denied on first submission. The two most common reasons? Missing MFA and inadequate endpoint protection.
If your firm purchased a policy three years ago and has not updated its security controls since, there is a real chance your insurer will deny a claim when you need it most. Some firms assume a small cyber rider on their Errors and Omissions policy is enough. In many cases, that rider provides as little as $25,000 in coverage, which would not come close to covering the real cost of an incident for a firm generating over $1 million in annual revenue.
The average cost of a data breach for law firms reached $5.08 million in 2024, a 10% increase from the prior year. Ransom demands against law firms and professional services firms ranged from $500,000 to $21 million, with the average just under $2 million.
The Fix: Pull your cyber insurance policy and read the security requirements section. Most carriers now require MFA on all accounts (not just email, but VPN, admin consoles, financial systems, and practice management software), endpoint detection and response (EDR) on every device, encrypted and tested backups, a written incident response plan, and documented employee security training. If you cannot answer “yes, documented” to every one of those, expect higher premiums, reduced coverage, or a denied claim.
Why it matters: A denied claim after a breach is the worst-case scenario for a small firm. You are paying premiums, you assume you are protected, and then when an incident happens, your carrier points to a clause you missed. The time to close that gap is now, not during an active breach.
2. Privileged Communications and Encrypted Email: The Non-Negotiable Baseline
The Tech Term: Email Encryption and Secure Client Communications
The Business Reality: Every day, attorneys at small firms across Sandy Springs and Marietta send emails containing privileged client information, case strategy, settlement figures, financial documents, and personal health records from injury cases. Most of those emails travel unencrypted.
ABA Model Rule 1.6 requires attorneys to make “reasonable efforts” to prevent unauthorized disclosure of client information. ABA Formal Opinion 477R goes further, explicitly addressing the duty to use secure methods of communication, particularly when transmitting sensitive or privileged information electronically. This is not aspirational guidance. It is an ethical obligation.
And yet, only 40% of law firms currently report carrying dedicated cyber liability insurance. 65% of surveyed firms are unfamiliar with their legal obligations following a breach. Only 34% have an incident response plan in place.
The Fix: At minimum, your firm needs encrypted email for any communication containing client PII, case strategy, financial records, or health information. This does not mean buying a separate email platform. Most modern email systems (Microsoft 365, Google Workspace) have built-in encryption features that can be activated and configured to apply automatically. Beyond email, client portals for document sharing are far more secure than email attachments and are becoming a client expectation.
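Here is what "configured to apply automatically" looks like on the Microsoft 365 side, as an added example that is not from the original article or from Adoverse IT: two Exchange Online mail flow rules, one that encrypts any outbound message Microsoft Purview classifies as containing a Social Security number or credit card number, and one keyed on a subject tag an attorney can add by hand for case strategy or settlement figures that no classifier will recognize. The admin address, the firm domain and the rule names are placeholders; the script assumes an Exchange Online tenant whose license includes Microsoft Purview Message Encryption (the built-in "Encrypt" template) and the ExchangeOnlineManagement PowerShell module.

```powershell
# Added example (not the article's or Adoverse IT's code): enforce encryption on
# outbound client PII in Exchange Online with two mail flow (transport) rules.
# Assumes: ExchangeOnlineManagement module, an Exchange administrator account, and
# a license that includes Microsoft Purview Message Encryption ("Encrypt" template).

# Placeholder admin UPN; replace with a real Exchange administrator account.
Connect-ExchangeOnline -UserPrincipalName "admin@example-firm.test"

# Rule 1: automatic. Any message sent from inside the firm to an outside recipient
# that Purview classifies as containing an SSN or a credit card number is encrypted
# before it leaves the tenant; the sender does nothing.
New-TransportRule -Name "Encrypt outbound client PII" `
    -Priority 0 `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "Credit Card Number";               minCount = "1" }
    ) `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Comments "Firm policy: client PII never leaves the tenant in the clear."

# Rule 2: attorney-initiated. Tagging the subject with [PRIVILEGED] encrypts the
# message regardless of content, for strategy and settlement mail that contains
# no recognizable PII pattern.
New-TransportRule -Name "Encrypt messages tagged [PRIVILEGED]" `
    -Priority 1 `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -SubjectContainsWords "[PRIVILEGED]" `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Comments "Attorney-initiated encryption for privileged communications."

# Verify both rules exist and are enabled. Keep this output: it is the kind of
# "yes, documented" evidence a carrier asks for at renewal.
Get-TransportRule | Where-Object { $_.Name -like "Encrypt*" } |
    Format-Table Name, State, Priority, ApplyRightsProtectionTemplate -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

After creating the rules, send a test message containing a clearly fake SSN-shaped value to an outside address you control and confirm it arrives as an encrypted message rather than plain text; transport rules can take up to an hour to propagate. Google Workspace reaches the same outcome through its own DLP rules and S/MIME settings, which this example does not cover.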
Why it matters: If opposing counsel, a regulator, or a client discovers that privileged communications were transmitted without basic encryption, the ethical exposure goes beyond the breach itself. You are facing a potential bar complaint, a malpractice claim, and the loss of client trust that your firm’s reputation is built on.

3. The “It Won’t Happen to Us” Problem: Why Small Firms Are the Easiest Target
The Tech Term: Business Email Compromise (BEC) and Credential Stuffing
The Business Reality: There is a persistent belief among smaller firms that hackers only go after large corporate firms with big-name clients. The data says the opposite. Small and mid-size firms are targeted precisely because they hold high-value data with lower security investments.
The most common attack is not some sophisticated nation-state operation. It is a phishing email that looks like it came from a client, a court, or your practice management vendor. Someone at the firm clicks the link, enters their credentials, and the attacker is inside. From there, they monitor email threads, wait for a wire transfer or settlement payment, and redirect the funds. This is business email compromise, and it is the single most financially damaging cybercrime in the country.
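The "monitor email threads" stage almost always leaves a trace an administrator can look for: a mailbox forwarding address pointed outside the firm, or an inbox rule that forwards or redirects mail out, or that quietly moves anything mentioning invoices, wires or settlements to a folder the real user never reads. The following audit, an added example that is not from the original article or from Adoverse IT, walks every user mailbox in an Exchange Online tenant and reports those three patterns. The admin address and the firm's domain list are placeholders; the script assumes the ExchangeOnlineManagement module and an account holding at least the View-Only Recipients role.

```powershell
# Added example (not the article's or Adoverse IT's code): audit every mailbox in
# an Exchange Online tenant for the persistence BEC actors leave behind.
# Assumes: ExchangeOnlineManagement module; account with View-Only Recipients or higher.

Connect-ExchangeOnline -UserPrincipalName "admin@example-firm.test"   # placeholder UPN

# Domains the firm legitimately owns; anything else is external. Placeholder value.
$internalDomains = @("example-firm.test")

function Test-ExternalAddress {
    param([string]$Address)
    # Inbox rule recipients come back as '"Display Name" [SMTP:user@domain]' or plain SMTP.
    if ($Address -match 'SMTP:([^\]]+)') { $Address = $Matches[1] }
    $domain = ($Address -split '@')[-1].ToLower()
    return -not ($internalDomains -contains $domain)
}

$findings  = @()
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

foreach ($mb in $mailboxes) {
    # 1. Mailbox-level forwarding to an outside address. Legitimate for almost nobody
    #    at a law firm; a classic sign the account was used to shadow a conversation.
    if ($mb.ForwardingSmtpAddress -and (Test-ExternalAddress $mb.ForwardingSmtpAddress)) {
        $findings += [pscustomobject]@{
            Mailbox = $mb.UserPrincipalName; Kind = "MailboxForwarding"
            Detail  = "$($mb.ForwardingSmtpAddress) (DeliverToMailboxAndForward=$($mb.DeliverToMailboxAndForward))"
        }
    }

    foreach ($rule in Get-InboxRule -Mailbox $mb.UserPrincipalName) {
        # 2. Inbox rules that forward or redirect mail outside the firm.
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ } | ForEach-Object { "$_" }
        $externalTargets = $targets | Where-Object { Test-ExternalAddress $_ }
        if ($externalTargets) {
            $findings += [pscustomobject]@{
                Mailbox = $mb.UserPrincipalName; Kind = "RuleForwardsExternal"
                Detail  = "Rule '$($rule.Name)' -> $($externalTargets -join ', ')"
            }
        }

        # 3. Rules that hide financial mail (delete it, or park it in RSS Feeds / Junk /
        #    Deleted Items) so the user never sees the thread being hijacked.
        $hides = $rule.DeleteMessage -or
                 ($rule.MoveToFolder -and $rule.MoveToFolder -match 'RSS|Junk|Deleted|Archive')
        $moneyWords = @($rule.SubjectContainsWords) + @($rule.BodyContainsWords) |
            Where-Object { $_ -match 'invoice|wire|payment|settlement|bank|routing' }
        if ($hides -and $moneyWords) {
            $findings += [pscustomobject]@{
                Mailbox = $mb.UserPrincipalName; Kind = "RuleHidesFinancialMail"
                Detail  = "Rule '$($rule.Name)' hides mail matching: $($moneyWords -join ', ')"
            }
        }
    }
}

$findings | Sort-Object Kind, Mailbox | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Run it once to establish a baseline, then on a schedule; any new finding is a reason to reset the account's credentials and sessions and to check the sign-in log before touching the rule, since removing the rule first tells the intruder they have been noticed. The same checks belong in the written incident response plan discussed earlier so that whoever responds at 2 a.m. has them at hand.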
56% of law firms that experienced a data breach in the past year lost sensitive client information. And because law firms are often a “stepping stone” to their clients’ data, a breach at your firm can cascade into breaches at every organization you represent.
The Fix: Three things make the biggest immediate difference. First, MFA on every account. Not just email. Your practice management system, your document management system, your VPN, your financial platform, and every cloud admin console. Carriers are now requiring phishing-resistant MFA (authenticator apps or hardware keys) for privileged users. Second, endpoint detection and response on every device. Traditional antivirus is no longer sufficient. EDR monitors behavior in real time and can stop ransomware before it spreads across your network. Third, regular phishing simulations and security awareness training for every member of the firm, including partners.
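For the first item, here is how the "phishing-resistant MFA for privileged users" requirement is actually expressed in a Microsoft 365 tenant, as an added example that is not from the original article or from Adoverse IT: a Microsoft Entra Conditional Access policy that applies to the privileged directory roles and requires the built-in "Phishing-resistant MFA" authentication strength (FIDO2 security keys, Windows Hello for Business, or certificate-based sign-in). It is created in report-only mode, so the tenant can review the sign-ins that would have been blocked before anything is enforced. The emergency account address is a placeholder; the script assumes the Microsoft.Graph PowerShell SDK and an account with the Conditional Access Administrator role, and it looks up the role and strength identifiers by display name rather than hard-coding them.

```powershell
# Added example (not the article's or Adoverse IT's code): require phishing-resistant
# MFA for privileged Entra roles via Conditional Access, starting in report-only mode.
# Assumes: Microsoft.Graph PowerShell SDK; Conditional Access Administrator (or higher).

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "RoleManagement.Read.Directory", "User.Read.All"

# Resolve the roles to cover by display name. Adjust the list to the roles your
# tenant actually uses; these three control mail, identity and this policy itself.
$roleNames = @("Global Administrator", "Exchange Administrator", "Conditional Access Administrator")
$privilegedRoleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $roleNames -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id

# Resolve the built-in authentication strength by its display name.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq "Phishing-resistant MFA" }
if (-not $strength) { throw "Phishing-resistant MFA strength not found; check the tenant." }

# Always exclude a break-glass account so a lost key cannot lock the firm out.
# Placeholder address: replace with the tenant's emergency access account.
$breakGlass = Get-MgUser -UserId "breakglass@example-firm.test"

$policy = @{
    displayName = "Require phishing-resistant MFA for privileged roles"
    state       = "enabledForReportingButNotEnforced"   # report-only first; see note below
    conditions  = @{
        users = @{
            includeRoles = @($privilegedRoleIds)
            excludeUsers = @($breakGlass.Id)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator = "OR"
        authenticationStrength = @{ id = $strength.Id }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Format-List DisplayName, State, Id
Disconnect-MgGraph
```

Leave the policy in report-only mode for a week or two, review the "Report-only" tab of the sign-in logs to confirm that every administrator has registered a FIDO2 key or Windows Hello, and only then change `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy`. The policy's display name, state and the date it was enforced are exactly what an underwriter's "MFA for privileged users" question is asking you to document. EDR deployment and awareness training, the other two items in this section, are vendor-specific and not shown here.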
Why it matters: 37% of legal clients in 2025 said they were willing to pay a premium for law firms with stronger cybersecurity. Security is no longer just risk management. It is a competitive advantage. The firms that can demonstrate documented security controls are winning clients away from firms that cannot.
Your Ethical Obligation Is Now a Business Requirement
Here is what has changed for law firms in 2026. It is not just about compliance anymore. Your cyber insurance carrier requires documented security controls to honor your policy. Your clients, especially corporate clients, are asking for proof of your cybersecurity posture before they engage you. The ABA has made technology competence an explicit part of your ethical duty. And Georgia’s evolving common law is establishing data protection obligations through litigation, even without a comprehensive state privacy statute.
A 10-person firm in Marietta and a 25-attorney practice in Sandy Springs face the same expectations. The requirements do not scale down because your firm is small.
The firms that get ahead of this now will spend less, have fewer disruptions, and be better positioned to win business from security-conscious clients. The firms that wait will pay more in premiums, face harder renewals, and carry the risk of a denied claim sitting underneath everything they do.
The first step is knowing where your firm stands right now.
Daniel Haire is the President of Adoverse IT, a cybersecurity-focused managed IT services provider based in the NW Atlanta metro. Adoverse IT helps small and mid-size businesses in Sandy Springs, Marietta, Alpharetta, and surrounding areas protect their operations with enterprise-grade security solutions built for growing companies.

Frequently Asked Questions
Are law firms required to have cybersecurity protections for client data? Yes. ABA Model Rule 1.6 requires attorneys to make reasonable efforts to prevent unauthorized access to or disclosure of client information. ABA Formal Opinion 477R specifically addresses the obligation to use secure electronic communication methods. Beyond ethical rules, cyber insurance carriers now require documented security controls as a condition of coverage, and corporate clients are increasingly requiring proof of cybersecurity before retaining outside counsel.
What does cyber insurance require for a small law firm in 2026? Most cyber insurance carriers require multi-factor authentication on all accounts that access sensitive data, endpoint detection and response (EDR) on every device, encrypted and regularly tested data backups, a written and tested incident response plan, and documented employee security awareness training. Firms that cannot demonstrate these controls face higher premiums, coverage limitations, or outright denial of applications and claims.
How much does a data breach cost a small law firm? The average cost of a data breach for law firms reached $5.08 million in 2024. For smaller firms, costs may be lower in absolute terms but proportionally more devastating. Even a $36,000 breach recovery can threaten the financial stability of a small practice. Costs include forensic investigation, client notification, legal liability, regulatory response, lost billings during downtime, and long-term reputational damage.
What is business email compromise and why are law firms targeted? Business email compromise (BEC) is a type of cyberattack where an attacker gains access to a legitimate email account, monitors communications, and then impersonates someone at the firm to redirect payments, steal sensitive information, or manipulate transactions. Law firms are targeted because they routinely handle wire transfers, settlement funds, and sensitive financial communications, making them high value targets for this specific type of fraud.
How do I encrypt client emails at a small firm? Most modern email platforms, including Microsoft 365 and Google Workspace, have built-in encryption capabilities that can be enabled without purchasing additional software. Encryption should be applied to all emails containing client PII, case strategy, financial data, or health records. Additionally, secure client portals for document sharing are becoming a standard practice and offer stronger protection than email attachments for sensitive files.