Industries · Legal
Cyber security for Australian legal professionals.
Legal practices hold the most sensitive personal information in any professional context. The regulatory consequences of getting security wrong are immediate, and the operational consequences can be worse.
IronSights works with law firms, conveyancers, family lawyers and criminal defence practices across Australia. ISO 27001 certified, Microsoft certified, and based in Sydney.
Threat landscape
Why legal practices are targeted.
Legal practices are consistent targets for two reasons. They hold concentrated, sensitive information that has direct value on criminal markets: financial affidavits, family violence disclosures, commercial contracts, estate planning documents, criminal defence files. And they have historically operated with security postures that do not reflect what they hold. Matter management systems carry years of client records. Email inboxes carry privileged communications. Trust accounts carry client money.
Business email compromise is the most common attack type affecting Australian legal practices. In conveyancing, the mechanism is well understood: attackers gain access to a conveyancing email thread, monitor the correspondence until days before settlement, then send modified payment instructions with substituted bank details. A typical residential settlement in Sydney or Melbourne is between $500,000 and $1.5 million. The loss is immediate and recovery is rarely straightforward.
Ransomware targeting law firms has increased in frequency since 2022. Attackers targeting legal practices are often motivated by the sensitivity of the data, not just its volume. A criminal defence file, a family law affidavit, or documents related to a commercial dispute can put more pressure on a firm than a much larger breach elsewhere would. The sensitivity is the point. Published breach reporting under the NDB scheme has included law firms, and the OAIC has received complaints about inadequate data security from legal practice clients.
Credential theft is the most common entry point. Attackers target LEAP, PracticeEvolve, ActionStep and Clio credentials through phishing campaigns and credential-stuffing attacks using data from earlier breaches. A compromised matter management credential exposes every active client file. A compromised Microsoft 365 account adds years of correspondence, trust account instructions and privileged communications. One login, in most environments.
How we help
How IronSights supports legal practices.
The practices we work with are not looking for theory. They want to know what their actual exposure is, what needs to change, and how to demonstrate to the Law Society, their PI insurer and their managing partner that they are managing cyber risk properly.
Fortify — managed security
Around-the-clock monitoring across endpoints, identities, email and cloud. Rapid containment when something goes wrong. Monthly uplift and a posture report your managing partner and practice manager can act on. For legal practices without a dedicated security function, Fortify provides the monitoring and response coverage that an understaffed IT environment rarely sustains.
Microsoft 365 security
Most Australian legal practices run on Microsoft 365 and LEAP. We harden those environments: Conditional Access policies, MFA enforcement across all accounts, Defender for Business, DMARC, DKIM and SPF configuration, and sensitivity labelling for client documents, trust account records and privileged communications.
Penetration testing
External network, internal network and web application penetration tests using a methodology. Each engagement produces a risk-rated report with an executive summary your managing partner can read and technical guidance your IT support can act on. Thirty-day free retest included.
Audit and assurance
We assess legal practices against Essential Eight maturity levels and the Law Society cyber guidance published in NSW and Victoria. The report gives you a documented baseline for your PI insurer, your Law Society obligations, and AML/CTF readiness if you are in scope for the Tranche 2 reforms commencing 1 July 2026.
Incident response
Available 24 hours a day: containment, investigation, notification support and insurance claim documentation. For legal practices, we understand the interaction between client confidentiality obligations, mandatory breach notification, and what can and cannot be disclosed about incidents involving privileged communications.
Security reviews
Most new clients start here. We identify your highest-priority gaps, give you a clear picture of where you stand against your Privacy Act and Legal Profession obligations, and recommend the right next steps. No obligation to proceed further.
Compliance
Understanding your cyber security obligations.
The regulatory picture for Australian legal practices spans multiple frameworks. Most practices are covered by at least two of them.
APP obligations and the NDB scheme
Legal practices with annual turnover above $3 million are covered by the Privacy Act 1988 and must comply with the Australian Privacy Principles. Practices below that threshold may still be covered if they provide services under a Commonwealth contract, which includes Legal Aid agreements and government panel work.
The Notifiable Data Breaches scheme requires notification to the OAIC and affected individuals when a breach is likely to result in serious harm. Client legal files containing income records, family violence disclosures, identity documents and financial positions will almost always meet that threshold if accessed without authorisation. The Privacy and Other Legislation Amendment Act 2024 increased penalties and introduced a tiered civil penalty regime.
Uniform Law obligations and Law Society requirements
The Legal Profession Uniform Law, which applies in NSW and Victoria, imposes obligations on practitioners around competence, confidentiality and the protection of client information. A cyber security failure that exposes privileged client communications or enables unauthorised access to a trust account is not only a Privacy Act matter. It may be a disciplinary matter before the Legal Profession Conduct Commissioner.
Law Societies in NSW and Victoria have each published cyber security guidance for legal practitioners. That guidance cites the Essential Eight as the relevant technical baseline. It is the reference point a practitioner would be measured against if disciplinary action followed a breach.
Tranche 2 reforms from 1 July 2026
The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 extends the AML/CTF regime to additional designated services from 1 July 2026. Legal practices providing conveyancing services, company and trust formation, estate administration and certain trust account management services will become reporting entities under AUSTRAC.
This means AML/CTF program obligations, customer due diligence requirements, suspicious matter reporting and record-keeping duties. Privacy Act obligations will also apply to personal information handled for AML/CTF purposes, regardless of annual turnover. Practices changing their service mix should review their AML/CTF compliance position before that date.
Law Society audit exposure
Law Society trust account audits are a standing feature of legal practice in every state and territory. The obligations around trust account management are strict: records must be maintained, reconciliations completed and client funds protected.
A cyber security incident that results in unauthorised access to a firm's trust account, whether through a compromised practice management system, a BEC-driven payment redirection, or a ransomware event affecting records, creates immediate regulatory exposure. Law Society auditors are not generally equipped for forensic cyber investigation. Firms that experience a trust account-related incident need to be prepared to explain what happened and demonstrate the controls that were in place.
Common risks
What we see when we work with legal practices.
Settlement payment fraud
Conveyancing email threads are monitored by attackers waiting for the right moment to intervene. Days before settlement, modified payment instructions with substituted BSB and account numbers arrive from what appears to be a familiar address. A typical Sydney or Melbourne residential settlement is between $500,000 and $1.5 million. Once transferred, funds are moved quickly. DMARC, DKIM and SPF configuration, MFA on every email account, and process-level verification for payment instructions are the controls that address this risk directly.
Matter management credential theft
LEAP, PracticeEvolve, ActionStep and Clio are the platforms through which attackers reach active client files. Credentials are obtained through phishing, through credential-stuffing using data from earlier breaches, or through access to a shared password list. A single set of stolen credentials can expose every open matter and years of closed files. MFA is available on most of these platforms. It is often not turned on.
Privileged communications in uncontrolled environments
Client files, counsel opinions, settlement instructions and trust account correspondence move through shared Microsoft 365 inboxes and shared SharePoint folders with broad internal access. When a staff account is compromised, the attacker can read years of privileged communications without triggering any alerts. Sensitivity labelling and access controls within Microsoft Purview address this, but they require deliberate configuration.
Inadequate offboarding
A lawyer or paralegal leaves. Their Microsoft 365 account is disabled, but their access to LEAP, the document management system and external file sharing tools remains active because offboarding was not coordinated. Former staff retain access to active client matters. This is a common finding across every segment of the legal sector.
No tested incident response plan
Most legal practices have a written data breach response procedure. Few have tested it. When a ransomware event or BEC incident occurs, the practical questions need answers that do not require locating a document under pressure: who calls the PI insurer, when does the OAIC notification clock start, what can be disclosed about an incident involving privileged communications, who contacts affected clients.
Third-party platform risk
Legal practices connect document signing platforms, accounting tools, client portals and external counsel collaboration platforms to their Microsoft 365 environment. Each connection is a potential entry point. Most firms have no documented list of which applications hold access to their tenant, or what permissions those applications have been granted.
Who we work with
Legal practices we work with.
Law firms
Commercial and general practice law firms hold client files spanning contract disputes, corporate transactions, estate planning, employment matters and more. The combination of Microsoft 365, LEAP and external document platforms creates an attack surface that is broader than most practice managers realise. A compromised account reaches active matters, trust account instructions and privileged communications in one step.
Conveyancers
Conveyancers handle the largest single transactions most clients will ever make. Settlement payment fraud, where attackers intercept email threads and substitute bank details days before settlement, is the dominant risk. A successful attack on a residential transaction causes immediate financial loss that is rarely recoverable. DMARC, MFA and process-level payment verification are the controls that matter most.
Family lawyers
Family law files contain the most sensitive personal information in any professional context: family violence disclosures, children's arrangements, mental health records, financial affidavits, and documents tendered as exhibits in proceedings. A breach involving this information will almost always meet the serious harm threshold for mandatory NDB notification. The clients who provided it are often already in vulnerable circumstances.
Criminal defence practices
Criminal defence files carry information that creates risk well beyond standard data breach consequences: informant identities, covert operation details, client confessions and material subject to public interest immunity claims. A breach affecting this information may give rise to contempt exposure, professional disciplinary proceedings, and potentially endanger individuals named in the files.
Further reading
Related insights.
Cyber security obligations for Australian legal practices
Privacy Act, Legal Profession Uniform Law and the AML/CTF Tranche 2 reforms. What each framework requires and who it applies to.
Threat intelligence · Settlement fraud in Australian conveyancing
Attackers monitor email threads and substitute payment details before settlement. How the attack works, what it costs, and the controls that stop it.
Compliance · Protecting trust accounts from cyber attack
Trust account access via compromised matter management credentials is a direct regulatory exposure. What the controls look like and what auditors expect.
Threat intelligence · Ransomware in Australian law firms
Legal practices are consistent ransomware targets. Why attackers go after legal data, what NDB obligations look like when it happens, and how firms recover.
Technical · The Essential Eight for Australian legal practices
No mandatory cyber framework applies to legal practices, but Law Societies in NSW and Victoria have both cited the Essential Eight as the relevant baseline.
Common questions
Asked by buyers like you.
Not in this list? Call us on 1300 004 766 or book a 30-minute consultation. No obligation.
Does the Privacy Act apply to my law firm?
Law firms with annual turnover above $3 million are covered entities under the Privacy Act 1988 and must comply with all thirteen Australian Privacy Principles. Smaller practices may still be covered if they provide services under a Commonwealth contract. Legal Aid Commission agreements and government panel appointments typically bring a practice within scope regardless of turnover. The test has three limbs: annual turnover above $3 million, a Commonwealth contract, or whether you handle tax file numbers or credit eligibility information for clients.
What is the Notifiable Data Breaches scheme and when does it apply to a legal practice?
The NDB scheme requires covered entities to notify the OAIC and affected individuals when a data breach is likely to result in serious harm. For a law firm, the threshold is almost always met when client files are involved. Income records, family violence disclosures, identity documents, financial affidavits and privileged communications each independently create serious harm risk if accessed without authorisation. The assessment is whether a reasonable person would conclude there is a real risk of serious harm. For most legal data, that answer is yes. Notification should not be delayed once that assessment is made.
Can a cyber security failure lead to disciplinary action under the Legal Profession Uniform Law?
It can. The Legal Profession Uniform Law imposes obligations on practitioners around competence and the protection of client confidentiality. A failure to maintain adequate security controls that results in the exposure of privileged client communications or unauthorised access to client funds could constitute unsatisfactory professional conduct or professional misconduct, depending on the circumstances. Law Societies in NSW and Victoria have published cyber security guidance for practitioners. That guidance is the reference point a practitioner would be measured against if disciplinary action followed a breach.
Which legal practices will be covered by the AML/CTF Tranche 2 reforms from 1 July 2026?
The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 extends the AML/CTF regime to legal practices providing designated services including conveyancing, company and trust formation, estate administration and certain trust account management services. From 1 July 2026, those practices will be AUSTRAC reporting entities with obligations to maintain an AML/CTF program, conduct customer due diligence, report suspicious matters and keep records. Privacy Act obligations will also apply to personal information handled for AML/CTF purposes regardless of annual turnover.
What is settlement payment fraud and how does it work?
Settlement payment fraud is the most common financial attack affecting Australian conveyancing practices. Attackers gain access to a conveyancing email thread, through a compromised email account, a spoofed domain or a compromised client mailbox, and monitor the correspondence. Days before settlement, they send modified payment instructions with substituted BSB and account numbers. The email appears to come from the conveyancer's address and references the correct property and settlement details. Buyers, expecting payment instructions at that point in the process, often transfer without calling to verify. A typical residential settlement is between $500,000 and $1.5 million.
What does a law firm's trust account exposure look like after a cyber incident?
It depends on what was accessed and what was done with that access. If a compromised matter management credential allowed an attacker to view trust account balances and transaction records, you have a potential NDB breach. If the compromise enabled a payment redirection from the trust account, you face both a regulatory and a financial consequence simultaneously. Law Society auditors will expect you to account for what happened, when you detected it and what controls you had in place. Practices that cannot produce that account face audit exposure on top of the breach itself.
What matter management systems do you work with?
We work with law firms and legal practices running LEAP, PracticeEvolve, ActionStep and Clio, as well as custom or legacy document management environments. Our work is primarily at the Microsoft 365 layer, because that is where most breaches affecting legal practices begin. Where matter management platforms have their own MFA and access control settings, we review those as part of any engagement.
Is the Essential Eight mandatory for Australian legal practices?
Not in the sense that a statute requires it. There is no mandatory cyber security framework that applies to private legal practices. But the Law Societies of NSW and Victoria have each published cyber security guidance for legal practitioners that cites the Essential Eight as the relevant baseline. That guidance is relevant in a disciplinary proceeding and in PI insurance renewals. A practice that cannot demonstrate alignment with the Essential Eight at an appropriate maturity level is harder to defend before a Law Society auditor or a disciplinary committee.
How quickly can a security review be completed for a legal practice?
A security review usually runs two to three weeks from initial conversation to report. For practices with a clear, bounded environment, a single Microsoft 365 tenant, a single office and LEAP as the primary platform, the process is often faster. We are upfront about scope and timeline from the first conversation.
What does IronSights actually do during a Microsoft 365 security engagement for a law firm?
We start by reviewing your Secure Score and tenant configuration: whether legacy authentication is enabled, whether MFA is enforced on all accounts, whether admin accounts are separated from standard user accounts, and whether DMARC, DKIM and SPF are correctly configured on your email domains. From there, we work through Conditional Access policies, Defender for Business deployment, and Microsoft Purview sensitivity labelling for client documents. For legal practices specifically, we pay attention to SharePoint external sharing settings and the permissions held by third-party applications connected to your tenant.
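One way to check the DMARC and SPF part of that tenant review, and the email-authentication controls named above under settlement payment fraud, as an added example that is not IronSights' own tooling: the script below evaluates SPF and DMARC TXT records against the settings that leave a sending domain spoofable. It assumes constructed sample records in place of live DNS lookups (the domain names are placeholders) and leaves DKIM out, because a DKIM record can only be fetched when the selector name is known.

```python
"""Check SPF and DMARC TXT records for the settings that leave a domain spoofable.
Uses constructed sample records rather than DNS lookups, so it runs offline."""

# Constructed sample TXT records keyed by DNS name, standing in for what a
# resolver would return: the first domain is hardened, the second is not.
SAMPLE_TXT = {
    "example-conveyancing.com.au": [
        "v=spf1 include:spf.protection.outlook.com -all",
        "site-verification=abc123",  # unrelated TXT record, must be ignored
    ],
    "_dmarc.example-conveyancing.com.au": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@example-conveyancing.com.au",
    ],
    "example-weak.com.au": [
        "v=spf1 include:spf.protection.outlook.com ~all",
        "v=spf1 ip4:203.0.113.10 -all",  # a second SPF record is a permerror
    ],
    "_dmarc.example-weak.com.au": ["v=DMARC1; p=none"],
}

def check_spf(records):
    """Findings for the SPF records published at a domain (empty list = ok)."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: any host can send as this domain"]
    findings = []
    if len(spf) > 1:
        findings.append("multiple SPF records: receivers return permerror")
    last = spf[0].split()[-1].lower()  # the trailing 'all' mechanism decides
    if last in ("+all", "all"):
        findings.append("SPF ends in +all: every sender is authorised")
    elif last == "~all":
        findings.append("SPF ends in ~all: spoofed mail is softfailed, not rejected")
    elif last != "-all":
        findings.append("SPF does not end in -all: unlisted senders are not rejected")
    return findings

def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(records):
    """Findings for the DMARC record at _dmarc.<domain> (empty list = ok)."""
    dmarc = [r for r in records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return ["no DMARC record: SPF and DKIM results are never enforced"]
    if len(dmarc) > 1:
        return ["multiple DMARC records: receivers discard DMARC entirely"]
    tags, findings = parse_dmarc(dmarc[0]), []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC p={policy or 'missing'}: failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports, so spoofing goes unseen")
    return findings

def assess_domain(domain, txt=SAMPLE_TXT):
    """All SPF and DMARC findings for a domain; an empty list means it passes."""
    return check_spf(txt.get(domain, [])) + check_dmarc(txt.get(f"_dmarc.{domain}", []))
```

Against live domains, replace the dictionary lookups with TXT queries for the domain and for `_dmarc.<domain>`; the evaluation logic is unchanged.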
What happens during a ransomware attack on a law firm?
In most ransomware events affecting law firms, the attacker has been inside the network for days or weeks before encryption begins. That access period is used to map the environment, identify the most sensitive files, and in many cases exfiltrate a copy of client data before encryption occurs. When encryption starts, the firm loses access to active matters, trust account records and client correspondence simultaneously. The attacker may also threaten to publish exfiltrated data. Client files in a legal context carry particular pressure as threatened disclosures. Containment, recovery from backup and NDB assessment all need to happen at the same time.
Do you work with sole practitioners or only with larger firms?
We work across the size range, from sole practitioners to mid-size practices with multiple offices. Most of our work with smaller practices starts with a security review: a structured assessment of the Microsoft 365 environment, identity controls and how client data is stored. From there, the right next steps depend on the firm's risk profile and what the review finds. Not every practice needs a managed security service. Some need to address a defined set of gaps and maintain their own posture from there.
Start with a review
A structured security review tells you exactly where your practice stands.
We assess your Microsoft 365 environment, identity controls, how client data is stored and handled, and whether your incident response plan accounts for your Privacy Act and Legal Profession obligations. The output is a practical roadmap you can act on.
ISO 27001 and ISO 9001 certified. NSW Master Security Licence 000109187. Microsoft certified security engineers. Australian-owned. Sydney-based.