Law firms · Corporate counsel · E-discovery vendors

Privilege survives the breach.

Privilege-aware penetration testing, M&A advisory ransomware readiness, client trust account BEC defence and e-discovery custody-chain review for law firms, in-house corporate counsel teams and e-discovery vendors. Mapped to ABA Formal Opinions 477R / 483 / 498, ILTA LegalSEC, ISO 27001, SOC 2, the EU CCBE guidance, the India IT Act and the Bar Council of India confidentiality rules.

ABA 477R / 483 / 498 · ethics-opinion mapped
ILTA LegalSEC · LM3 maturity model
Privilege-aware · ethical-wall delivery
ISO 27001 · SOC 2 · vendor custody chain

Pain points legal-services GCs and CISOs raise on the scoping call

Privileged documents leak

Matter folders, partner inboxes and the document management system hold the most damaging single concentration of attorney-client privileged material in the firm. A single broken access control on iManage / NetDocuments / SharePoint, a single mis-shared OneDrive link to a deal room, or a single phished partner is enough to surface privileged material on a leak site. The Mossack Fonseca, Appleby and several 2023-2024 ransomware incidents all followed this shape.

M&A advisory as a ransomware target

M&A teams concentrate non-public deal information, signing schedules and counterparty contact lists in the days before announcement — the highest-leverage extortion window in any client portfolio. The 2024 incidents against AmLaw 200 firms (covered by Reuters, Law360 and Bloomberg Law) confirm M&A advisory remains the single most actively targeted practice line in big-law.

Bar council confidentiality obligations

ABA Model Rule 1.6 and Formal Opinions 477R / 483 / 498 in the US, the EU CCBE Code of Conduct, the SRA Code in the UK, and the Bar Council of India Standards of Professional Conduct rule 24 each impose an affirmative duty to take reasonable steps to safeguard client information. A breach that exposes the firm to a bar council complaint also exposes the partnership to a malpractice premium increase and OCG non-conformance with the firm's enterprise clients.

E-discovery custody chain integrity

Forensic-image collection, processing, hosting, review and production cross at least three system boundaries and frequently two or three vendors. A break in the cryptographic hash chain, an immutable-storage misconfiguration, or a tenant-isolation flaw in the review platform is enough to invite a motion to exclude on chain-of-custody grounds, or worse, a Rule 37(e) spoliation argument under the US FRCP.

Client trust account and IOLTA wire redirect

Real-estate closings, settlement disbursements, escrow releases and IOLTA wires are the highest single-transaction value the firm initiates. Business-email-compromise crews target precisely these flows — partner-impersonation, look-alike-domain reply-chain insertion, and last-mile wire-instruction redirect. The FBI IC3 BEC losses against legal services continue to rank in the top three sectors year on year.

Third-party vendor blast radius

E-discovery vendors, court reporters, expert-witness services, translation vendors, secretarial services, document-review LPOs, cyber-forensics partners and managed-IT providers each hold a window into matter content. The 2023 court-reporting platform incident and the 2024 LPO incidents in the public record demonstrate that an outside vendor's breach lands on the firm's reputation and the firm's OCG response, not the vendor's.

Compliance frameworks the engagement maps to

ISO/IEC 27001:2022

International information-security management standard. The 2022 revision restructured Annex A into four control themes (Organizational, People, Physical, Technological) and introduced eleven new controls; those most relevant to law firms are A.5.7 threat intelligence, A.5.23 cloud-service information security, A.5.30 ICT readiness for business continuity, A.8.9 configuration management, A.8.10 information deletion and A.8.16 monitoring activities. Most enterprise clients now expect either ISO 27001 or SOC 2 Type 2 from outside counsel above a revenue threshold; the engagement appendix maps findings to the relevant Annex A controls.

ABA Formal Opinion 477R — Securing Communication of Protected Client Information

May 2017 revision. Modernises the duty of competent communication under Model Rules 1.1 and 1.6 in light of the cybersecurity threat landscape. Requires reasonable efforts to prevent inadvertent or unauthorised disclosure — risk-based, fact-specific analysis of the sensitivity of information, likelihood of disclosure absent safeguards, cost of additional safeguards, difficulty of implementation, and impact on client representation.

ABA Formal Opinion 483 — Lawyers' Obligations After an Electronic Data Breach

October 2018. Establishes the affirmative duty under Model Rules 1.1, 1.4, 1.6, 5.1 and 5.3 to monitor for and respond to data breaches. Requires reasonable steps to stop the breach, restore systems, evaluate the incident, comply with breach-notification statutes and notify affected clients where the breach involved or substantially threatened material client information.

ABA Formal Opinion 498 — Virtual Practice

March 2021. Extends the Model Rules 1.1, 1.3, 1.4, 1.6, 5.1, 5.3 and 7.1 duties into the virtual-practice context — home office security, cloud-storage and SaaS practice management, video-conferencing, smart speakers in the lawyer's workspace. Particularly relevant to the post-2020 hybrid working posture most firms now operate under.

ILTA LegalSEC

International Legal Technology Association legal-industry security programme. Includes the LegalSEC LM3 (Legal Maturity Model) assessment, the LegalSEC Council guidance and a body of practitioner-driven controls calibrated specifically to the law-firm threat model. AxVeil findings reference the relevant LM3 maturity dimension and LegalSEC guidance.

EU CCBE — Council of Bars and Law Societies of Europe guidance

CCBE Charter of Core Principles of the European Legal Profession and the CCBE Code of Conduct, together with the CCBE guidance on the use of cloud computing services by lawyers, the CCBE recommendations on the protection of client confidentiality within the context of surveillance activities, and the GDPR Articles 5, 6, 9, 25 and 32 obligations on the law firm as Controller for client personal data.

India IT Act 2000 + Bar Council of India confidentiality rules

IT Act section 43A (reasonable security practices for sensitive personal data, with the SPDI Rules 2011), section 72A (penalty for disclosure of information in breach of lawful contract), the DPDP Act 2023 and DPDP Rules 2025 where the firm acts as Data Fiduciary for client personal data, and the Bar Council of India Standards of Professional Conduct and Etiquette (under section 49(1)(c) Advocates Act 1961) rule 24 confidentiality duty. CERT-In directions of 28 April 2022 impose six-hour incident reporting on any qualifying cyber incident.

AICPA SOC 2 Type 2 — e-discovery vendor and SaaS legal-tech path

Trust Services Criteria 2017 with 2022 points of focus. Most e-discovery and legal-SaaS vendors operate under SOC 2 Type 2; the engagement appendix walks the vendor's report against CC6 logical access, CC7 system operations and monitoring, CC8 change management, plus the Confidentiality criteria where the vendor processes privileged content.

Sample attack scenarios exercised

Three scenarios from a typical mid-to-large law-firm engagement, drawn from the public-record ransomware incidents against AmLaw firms, the FBI IC3 BEC loss data for legal services and the recurring third-party-vendor breach pattern in the e-discovery supply chain.

Scenario 1 — Phishing-to-ransomware against the M&A advisory team

Targeted spear-phish landing in a corporate-M&A partner's inbox during a live signing window — pretext is a counterparty due-diligence document with a credential-harvesting link or an HTML-smuggled loader. On execution, the operator drops a Cobalt Strike / Sliver beacon, escalates via Kerberoasting or DCSync against the firm domain, enumerates the iManage / NetDocuments matter store and the deal-room platform, exfiltrates the active M&A matter folders to a leak-site staging server, and detonates ransomware across the file shares and Hyper-V / VMware estate. The scenario validates EDR coverage on partner endpoints, identity-tier privilege segmentation, deal-room download monitoring, the off-site immutable backup chain and the firm's ability to invoke the partner-led incident-response tabletop within the FBI / CERT-In / regulator notification windows. Maps to MITRE ATT&CK T1566 Phishing, T1078 Valid Accounts, T1003 OS Credential Dumping, T1486 Data Encrypted for Impact and T1567 Exfiltration Over Web Service.

Scenario 2 — Business-email-compromise for client trust account redirect

Reconnaissance against the firm's real-estate or settlement practice via public closings calendars, LinkedIn and the EDGAR filings for any listed counterparty. The operator stands up a look-alike domain (homoglyph or typosquat of the firm or counterparty), compromises a partner mailbox via password-spray or MFA fatigue against the M365 / Google Workspace tenant, sits as silent observer on the closing thread for several days, then injects a reply at the wire-transfer step with revised banking instructions pointing at a money-mule account. The scenario validates DMARC reject enforcement, anti-spoofing on inbound mail flow, MFA phishing-resistance (FIDO2 vs. push), the firm's wire-callback verification policy, the trust-accounting platform's dual-control on outbound wires and the partner training cadence. Maps to MITRE ATT&CK T1566.002 Spearphishing Link, T1078.004 Cloud Accounts, T1114 Email Collection and T1534 Internal Spearphishing. Loss data: FBI IC3 reports BEC losses against legal services in the top three sectors annually.

Scenario 3 — E-discovery vendor breach and matter content exposure

Assumed-breach mandate against an e-discovery vendor's review portal — credentials issued at every role (reviewer, second-pass reviewer, privilege-team lead, admin, opposing-counsel guest). The test exercises OWASP API Top 10 against the document-render, redaction-apply, search and export endpoints — BOLA on document IDs across matter boundaries, BFLA on the privilege-tag write surface, mass assignment on the review-task workflow, redaction-burn bypass via direct image-fetch, and tenant-isolation flaws between two different clients on the same platform. Where the vendor exposes an API or SDK to the firm's matter-management platform, the integration credentials are tested for over-privilege and for token leakage to the browser. The scenario validates the SOC 2 Type 2 CC6 / CC7 / CC8 controls the vendor attests to and produces a per-vendor risk register the firm uses for OCG responses. Maps to MITRE ATT&CK T1199 Trusted Relationship and to the OWASP API Top 10 2023 catalogue.
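The deal-room download monitoring that Scenario 1 validates comes down to a rule over the platform's audit log: alert when one account pulls more documents from one matter than a human reviewer plausibly would inside a short window. The following is an added example, not code from the original page or from any deal-room vendor; the audit-log format, field names, threshold and sample lines are constructed.

```python
"""Sliding-window bulk-export detection over deal-room audit events.
Added example, not code from the original page or any deal-room platform;
the log format, field names, thresholds and sample lines are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one partner working normally, one account pulling a
# run of documents from the same matter within a couple of minutes.
SAMPLE_LOG = """\
2024-05-03T09:02:11Z user=a.partner@firm.example matter=M-1182 action=view doc=DR-0001
2024-05-03T09:05:40Z user=a.partner@firm.example matter=M-1182 action=download doc=DR-0002
2024-05-03T23:10:01Z user=j.assoc@firm.example matter=M-1182 action=download doc=DR-0003
2024-05-03T23:10:04Z user=j.assoc@firm.example matter=M-1182 action=download doc=DR-0004
2024-05-03T23:10:09Z user=j.assoc@firm.example matter=M-1182 action=download doc=DR-0005
2024-05-03T23:10:15Z user=j.assoc@firm.example matter=M-1182 action=download doc=DR-0006
2024-05-03T23:10:22Z user=j.assoc@firm.example matter=M-1182 action=download doc=DR-0007
2024-05-03T23:12:31Z user=j.assoc@firm.example matter=M-1182 action=download doc=DR-0008
"""


def parse_event(line: str) -> dict:
    """Turn one 'timestamp key=value ...' audit line into a dict."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def bulk_export_alerts(log_text: str, max_downloads: int = 5,
                       window: timedelta = timedelta(minutes=10)) -> list:
    """Alert once per (user, matter) whose downloads inside any sliding
    window exceed max_downloads. Views are ignored; only downloads count."""
    recent = defaultdict(deque)      # (user, matter) -> download timestamps
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("action") != "download":
            continue
        key = (ev["user"], ev["matter"])
        q = recent[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop downloads older than the window
            q.popleft()
        if len(q) > max_downloads and key not in alerted:
            alerted.add(key)
            alerts.append({"user": ev["user"], "matter": ev["matter"],
                           "downloads": len(q),
                           "first": q[0].isoformat(), "last": ev["ts"].isoformat()})
    return alerts
```

Tune `max_downloads` and `window` per matter type; a privilege-review pass legitimately downloads more than a signing-week deal room does.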

Case study

Redacted reference — available under NDA

Top-25 regional full-service law firm, ~600 fee-earners across corporate, M&A, real estate, IP and disputes practices, iManage Cloud document store, M365 tenant, hybrid VMware estate, three retained e-discovery vendors. Ten-week engagement covering the partner endpoint fleet under an assumed-breach mandate, the iManage and M365 control plane, the deal-room platform used by the M&A practice, the trust-accounting wire workflow, the inbound mail surface and a control walk against each of the three e-discovery vendors' SOC 2 Type 2 reports. Findings: Kerberoast-able service accounts on the matter-store integration path; DMARC at quarantine rather than reject; deal-room downloads not logged to the SIEM; one e-discovery vendor's review portal exhibiting cross-tenant BOLA on document IDs; wire-callback policy documented but not enforced for intra-firm sender addresses.

Outcome: Service-account rotation and tier-0 segregation completed in 21 days; DMARC moved to reject with BIMI; deal-room download telemetry piped to the SIEM with anomaly rules on bulk-export; cross-tenant BOLA finding escalated to the e-discovery vendor under a joint disclosure timeline and remediated within 14 days; wire-callback policy re-trained and enforced via the trust-accounting platform's dual-control. ABA 477R / 483 and ILTA LegalSEC mapping appendix delivered for the firm's malpractice carrier and three enterprise-client OCG renewal cycles.
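Two of the controls above are checkable mechanically: whether the published DMARC record actually enforces reject for all mail, and whether a sender domain on a closing thread is a look-alike of the firm or a counterparty rather than the real thing. The following is an added example, not code from the original page or from any mail-security product; the confusable map, the trusted-domain allowlist and the DMARC records are constructed.

```python
"""Inbound-mail checks for the closing-thread BEC pattern: look-alike sender
domains and DMARC policy strength. Added example, not code from the original
page or any mail-security product; confusable map, allowlist and records
are constructed."""
import re

# Single-character substitutions seen in look-alike domains (constructed subset).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# Multi-character substitutions, applied after the single-character fold.
MULTI_CHAR = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def skeleton(domain: str) -> str:
    """Fold a domain so visually similar spellings map to the same string."""
    d = domain.lower().translate(CONFUSABLES)
    for pair, rep in MULTI_CHAR:
        d = d.replace(pair, rep)
    return d


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(domain: str, trusted: set) -> str:
    """'trusted' on an exact allowlist hit; 'lookalike' when the skeleton sits
    within one edit of a trusted skeleton; otherwise 'unknown'."""
    if domain.lower() in trusted:
        return "trusted"
    skel = skeleton(domain)
    if any(edit_distance(skel, skeleton(t)) <= 1 for t in trusted):
        return "lookalike"
    return "unknown"


def dmarc_policy(txt_record: str) -> dict:
    """Parse a DMARC TXT record. 'enforcing' is True only for p=reject applied
    to all mail (pct=100); p=quarantine is the gap the case study describes."""
    tags = dict(re.findall(r"(\w+)=([^;\s]+)", txt_record))
    policy, pct = tags.get("p", "none"), int(tags.get("pct", "100"))
    return {"p": policy, "pct": pct, "sp": tags.get("sp", policy),
            "enforcing": policy == "reject" and pct == 100}
```

A `lookalike` verdict on a reply carrying new wire instructions is exactly the condition the wire-callback policy exists for; the classifier flags it, the callback to a known-good number resolves it.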

Full redacted report and reference call available under mutual NDA. Request via the scoping form →

Frequently asked questions

We are a mid-size law firm with a managed-services IT provider. Why do we need an independent pentest?

Because the threat model that targets law firms is no longer opportunistic. The 2016 Panama Papers leak (Mossack Fonseca, 11.5 million documents), the 2017 DLA Piper NotPetya outage and a continuous stream of ransomware incidents against AmLaw 100 and AmLaw 200 firms (Campbell Conroy & O'Neil 2021, Bryan Cave 2023, Orrick 2023, several 2024 incidents covered by Reuters and Bloomberg Law) all reinforce that mid-to-large firms are a deliberate target. ABA Formal Opinion 477R imposes a duty of competent communication of client information, Formal Opinion 483 imposes a duty to take reasonable steps to monitor for and respond to breaches, and Formal Opinion 498 (March 2021) extends those duties to virtual practice. An independent pentest produces the evidence that the firm exercised reasonable care — the standard the bar, the malpractice carrier, and the client outside-counsel-guideline (OCG) review all apply.

How does the engagement protect attorney-client privilege during testing?

Three layers. First, the engagement is run under a written ethical wall — the test team has no exposure to live matter content, and all reproduction artefacts are redacted to hash-references rather than document bodies. Second, where reproduction of an authorisation flaw requires accessing a matter folder, we use a test matter seeded with synthetic privileged-looking content, not real client work product. Third, the master services agreement is structured so AxVeil is engaged through the firm's general counsel or managing partner under the work-product doctrine where US jurisdictions allow it, mirroring the Kovel arrangement firms use with forensic accountants. Reports are marked confidential and attorney-work-product where US-applicable; for India practice the agreement carves out the Bar Council of India Standards of Professional Conduct rule 24 confidentiality obligation explicitly. No live matter content leaves the firm's environment.

Our M&A advisory team is the obvious ransomware target. What does the engagement actually do about it?

The M&A practice is treated as a sub-engagement with its own threat model. We exercise the deal-room platform (Datasite, Intralinks, Ansarada, SecureDocs, Firmex or in-house) for IDOR / BOLA on document IDs, watermark-stripping bypass, expired-link revocation lag and viewer-vs-downloader privilege escalation. We exercise the M&A team's endpoints under an assumed-breach mandate — Cobalt Strike / Sliver beaconing from a phished partner workstation, lateral movement against the file shares hosting due-diligence rooms, the iManage / NetDocuments / SharePoint matter store, and the time-and-billing system. We exercise the email surface for partner-impersonation BEC against the deal counterparties. The output is a deal-room hardening backlog plus a tabletop walking the partners through a ransomware-during-signing scenario — the incident class that has cost firms eight-figure remediation and reputational damage in the public record.

Our biggest risk is an e-discovery vendor with our data. How do you scope the third-party piece?

We treat the e-discovery custody chain as a single end-to-end system rather than a vendor questionnaire. The engagement walks the data from collection (forensic image, custodian self-collect, cloud-API collection via Microsoft 365 Compliance, Google Vault, Slack Discovery API), through processing and hosting (Relativity, Reveal, DISCO, Everlaw, Logikcull, Nuix), through review (privilege review workflow, redaction, production set assembly) and through production (Bates-stamped export, transfer to opposing counsel). At each handoff we test custody-chain integrity — cryptographic hash chain, write-once storage, access-log immutability — and the vendor's tenant-isolation posture. For matters in scope we run a control walk against the vendor's SOC 2 Type 2 report (CC6 logical access, CC7 monitoring, CC8 change management) and any ILTA LegalSEC self-attestation, and we exercise the vendor's review portal against the OWASP API Top 10 with credentials issued at every role (reviewer, admin, opposing-counsel guest). The deliverable is a per-vendor risk register the firm uses for OCG responses and for client custodial-letter exhibits.
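The custody-chain integrity check described here and under the e-discovery pain point (a cryptographic hash chain across collection, processing, hosting, review and production) can be modelled as a hash-linked log in which every handoff records the hash it received and the hash it released. The following is an added example, not code from the original page or from any e-discovery platform; the record layout, stage names, custodian labels and sample chain are constructed.

```python
"""Verifier for a hash-chained e-discovery custody log. Added example, not
code from the original page or any e-discovery platform; record layout,
stage names and the sample chain are constructed for illustration."""
import hashlib
import json

def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def append_record(chain, stage, custodian, input_hash, output_hash):
    """Append a custody record whose hash covers the previous record's hash,
    so editing any earlier record later invalidates everything after it."""
    prev = chain[-1]["record_hash"] if chain else "0" * 64
    body = {"seq": len(chain), "stage": stage, "custodian": custodian,
            "input_hash": input_hash, "output_hash": output_hash, "prev": prev}
    body["record_hash"] = _digest(json.dumps(body, sort_keys=True).encode())
    chain.append(body)
    return body

def verify_chain(chain):
    """Return findings (empty list means the chain holds). Per record: the
    record hash recomputes, the back-link matches, and the data a custodian
    logged as received equals what the previous custodian logged as released."""
    findings = []
    prev_hash, prev_output = "0" * 64, None
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if _digest(json.dumps(body, sort_keys=True).encode()) != rec["record_hash"]:
            findings.append(f"record {i} ({rec['stage']}): record hash does not recompute")
        if rec["prev"] != prev_hash:
            findings.append(f"record {i} ({rec['stage']}): link to previous record broken")
        if prev_output is not None and rec["input_hash"] != prev_output:
            findings.append(f"record {i} ({rec['stage']}): input differs from previous output")
        prev_hash, prev_output = rec["record_hash"], rec["output_hash"]
    return findings

def sample_chain():
    # Constructed five-stage chain: collection, processing, hosting, review, production.
    image = _digest(b"constructed forensic image")
    processed = _digest(b"constructed processed review set")
    production = _digest(b"constructed Bates-stamped production set")
    chain = []
    append_record(chain, "collection", "firm-forensics", image, image)
    append_record(chain, "processing", "vendor-A", image, processed)
    append_record(chain, "hosting", "vendor-B", processed, processed)
    append_record(chain, "review", "vendor-B", processed, processed)
    append_record(chain, "production", "vendor-B", processed, production)
    return chain

def tampered_chain():
    # Same chain, but the hosting custodian's recorded input was altered afterwards.
    chain = sample_chain()
    chain[2]["input_hash"] = _digest(b"constructed substituted data")
    return chain
```

The log itself belongs on write-once storage; the chain tells you that a record changed, the immutable store tells you it could not have.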

We operate in India and need the engagement to satisfy Bar Council rules plus the IT Act. How is that handled?

The engagement is structured against the Bar Council of India Standards of Professional Conduct and Etiquette (Section 49(1)(c) Advocates Act 1961) rule 24 confidentiality duty, the Information Technology Act 2000 sections 43A (reasonable security practices for sensitive personal data) and 72A (penalty for disclosure of information in breach of lawful contract), the Digital Personal Data Protection Act 2023 and the 2025 Rules where the firm acts as Data Fiduciary for client personal data, and the CERT-In directions of 28 April 2022 on six-hour incident reporting. Where the firm services foreign-listed corporate clients we additionally map to the client's outside-counsel guideline obligations under ABA 477R / 483 (US clients), the EU CCBE Code of Conduct (EU clients), and the Solicitors Regulation Authority Code (UK clients). The report appendix gives the General Counsel a control-by-control mapping suitable for forwarding to the bar council or regulator without exposing matter content.

Scope a legal-services engagement

Send the firm size and practice mix, the document management system (iManage, NetDocuments, SharePoint), the deal-room platforms in use, the retained e-discovery vendors, the trust-accounting workflow and the OCG / bar-council regimes you operate under. We respond with a fixed-fee proposal, a privilege-protective engagement letter template and a redacted report from a comparable firm under NDA.

Request a scoping call