The Law Firm Cybersecurity Checklist (2026): 50 Controls Every Practice Needs
A practical, ABA- and insurance-aligned cybersecurity checklist for law firms in 2026 — 50 controls across identity, email, endpoints, data, vendors, and incident response, with priority, owner, and evidence for each.

Most "law firm cybersecurity checklists" online are marketing fluff — vague tips like "use strong passwords" that won't pass a client questionnaire or a cyber-insurance underwriter. This is the checklist we actually use when assessing law firms: 50 controls, grouped into 9 domains, each mapped to an owner, a priority tier, and the evidence you need on file.
If your firm can mark these green with documentation on file, you will be in a strong position to satisfy the ABA Model Rule 1.6(c) "reasonable efforts" standard, the standard Outside Counsel Guidelines (OCGs) from Fortune 500 clients, and the 2026 underwriter questionnaires from carriers like Beazley, Chubb, and Coalition. None of those audiences accepts "we do that" without the evidence column filled in.
How to use this checklist
- Priority tiers. P0 = must have, breach- or insurance-blocking if missing. P1 = required by most clients and underwriters. P2 = maturity controls that separate a defensible program from a target.
- Owner. The role accountable — Managing Partner (MP), IT/MSP, Security Lead, Office Administrator (OA), or HR. Solos: you wear all hats; the discipline of naming the owner still matters.
- Evidence. What an auditor, client, or carrier will ask to see. "We do that" is not evidence. A policy, a screenshot, a report, or a log is.
Print this. Walk every row. Anything not green gets a date and an owner.
1. Governance and policy (P0–P1)
1. Written Information Security Program (WISP) — P0 Partner- or board-approved document covering administrative, technical, and physical safeguards. Required by Massachusetts 201 CMR 17.00 for any firm holding Massachusetts residents' personal information, by the FTC Safeguards Rule where the firm's work falls under it (tax preparation, for example), and by virtually every OCG. Owner: MP + Security Lead. Evidence: signed PDF, annual review date.
2. Acceptable Use Policy — P0 Covers personal device use, AI tools (ChatGPT, Copilot, Claude), removable media, and remote work. Signed by every employee and contractor at onboarding and annually. Owner: HR. Evidence: signed acknowledgments.
3. Data classification policy — P1 Defines Public / Internal / Confidential / Privileged tiers and the handling rules for each. Drives DLP, retention, and encryption decisions. Owner: Security Lead. Evidence: 1–2 page policy + matter-intake mapping.
4. Incident response plan (IRP) — P0 Named incident commander, decision tree, breach-counsel and forensics on retainer, notification thresholds for clients, regulators, and the bar. Tested at least annually. See our [72-hour breach response playbook](/blog/law-firm-data-breach). Owner: Security Lead + MP. Evidence: IRP doc + tabletop minutes.
5. Vendor and AI governance policy — P1 Approval process for new SaaS and AI tools touching client data; bans on free-tier consumer AI for matter content. Owner: Security Lead. Evidence: approved-vendor list.
6. Annual risk assessment — P1 Documented review of threats, controls, and gaps. State bar opinions such as NYSBA 1019 and California Formal Op. 2020-203 treat assessing the risk to client data as part of "reasonable efforts." Owner: Security Lead. Evidence: assessment report + remediation tracker.
2. Identity and access (P0)
7. MFA on every account — P0 Email, DMS, VPN, cloud admin, e-discovery, time/billing, banking. No exceptions for partners. Disable legacy authentication (IMAP, POP, basic SMTP AUTH) at the same time; those protocols bypass MFA entirely. This is the single most common control missing at breached firms. Owner: IT/MSP. Evidence: tenant report showing 100% MFA enrollment and legacy auth blocked.
8. Phishing-resistant MFA for admins and partners — P1 FIDO2 security keys (YubiKey) or platform passkeys. SMS and push-only MFA can be defeated by SIM swap, MFA fatigue, and adversary-in-the-middle phishing kits that relay the one-time code in real time; a FIDO2 credential is bound to the real site's origin, so a lookalike login page gets nothing usable. Owner: IT/MSP. Evidence: admin role audit showing the registered method per account.
9. SSO for SaaS — P1 Microsoft Entra ID or Okta in front of DMS, e-signature, e-discovery, HR, and billing. One off-boarding action revokes all access. Owner: IT/MSP. Evidence: SSO app inventory.
10. Quarterly access reviews — P1 Review who has access to which matter, DMS workspace, and admin role. Remove anyone who changed roles or matters. Owner: Security Lead. Evidence: signed review log.
11. Privileged Access Management (PAM) — P2 Separate admin accounts, no daily-driver admin email, just-in-time elevation. Owner: IT/MSP. Evidence: PAM tool report.
12. 24-hour off-boarding SLA — P0 Departing staff lose all access — email, DMS, VPN, mobile, building — within 24 hours. Owner: HR + IT. Evidence: off-boarding checklist with timestamps.
3. Email security (P0)
13. SPF, DKIM, and DMARC at p=reject — P0 Anti-spoofing for every domain you send from. SPF lists the hosts allowed to send for the domain, DKIM signs the message, and DMARC tells receivers what to do when neither aligns with the visible From address. p=reject (not p=none) is what stops attackers impersonating partners in wire-fraud and BEC scams, the #1 financial loss vector for law firms. Roll it out in stages (p=none with reporting, then quarantine, then reject) so you find legitimate third-party senders such as billing and e-signature platforms before you start bouncing their mail. DMARC protects your exact domain only; lookalike domains need the impersonation controls in item 14. Owner: IT/MSP. Evidence: DNS records + DMARC aggregate (rua) reports.
14. Advanced email threat protection — P0 Microsoft Defender for Office 365 (Plan 2), Mimecast, or Proofpoint. Sandboxes links and attachments, detects impersonation. Owner: IT/MSP. Evidence: license + policy screenshots.
15. External-sender banner — P1 Visible banner on every email from outside the firm, applied by a mail-flow rule. A cheap, visible cue that helps staff spot a display-name impersonation of a partner or client. Owner: IT/MSP. Evidence: mail-flow rule screenshot.
16. Wire-instruction verification policy — P0 **No wire instructions are honored from email alone.** Verbal callback to a known-good number on file for the client or counterparty. Documented in the matter file. Owner: Accounting + every attorney. Evidence: written policy + signed acknowledgments.
17. Email encryption for sensitive content — P1 Microsoft Purview, Virtru, or Mimecast for messages containing PII, PHI, or trade secrets. Owner: IT/MSP.
18. Mailbox audit logging on — P1 Microsoft 365 unified audit log enabled and retained for at least 1 year. Check the retention your license actually gives you: the default retention period is shorter than a year on most plans, and one-year retention typically requires Purview Audit (Premium) or a retention add-on. Critical for breach scoping. Owner: IT/MSP. Evidence: audit log retention setting.
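Item 13 is the one control in this domain you can verify from DNS alone, and the reason p=none is not enough is easier to see in code than in prose. The checker below is an added example, not tooling from this page: it parses an SPF record and a DMARC record given as strings (the sample records are constructed for a hypothetical firm domain, not real DNS data) and flags the misconfigurations that let spoofed mail through: a `+all` or missing `all` in SPF, more than the ten DNS-lookup terms RFC 7208 allows, a DMARC policy weaker than reject, a subdomain policy that falls back to it, a `pct` below 100, and no `rua=` address, which means no aggregate reports and therefore no evidence. In real use you would fetch the records with a resolver (for example dnspython's `dns.resolver.resolve(domain, "TXT")` for the domain and for `"_dmarc." + domain`); DKIM selectors and alignment cannot be checked without a signed message, so they are out of scope here.

```python
"""Checker for checklist item 13 (SPF + DMARC). Added example, not the page's own tooling.
Records are passed in as strings so it runs offline; fetch them with a DNS resolver in practice."""
from __future__ import annotations

# SPF terms that each cost one DNS lookup; RFC 7208 section 4.6.4 caps them at 10.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record: str) -> list[str]:
    """Return a list of findings for an SPF TXT record; an empty list means it passes."""
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record (missing v=spf1)"]
    findings: list[str] = []
    lookups = 0
    all_qualifier = None  # qualifier on the trailing 'all' mechanism, if present
    for term in record.split()[1:]:
        qualifier = "+"  # SPF's default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # Strip ':domain', '=value' and '/cidr' to get the bare mechanism or modifier name.
        name = term.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated (RFC 7208 section 5.5); remove it")
        if name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10; receivers return permerror")
    if all_qualifier is None:
        findings.append("no 'all' mechanism; mail from unlisted hosts is treated as neutral")
    elif all_qualifier in ("+", "?"):
        findings.append(f"'{all_qualifier}all' lets any host send as you; use -all (or ~all during rollout)")
    return findings


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC TXT record against the p=reject bar in item 13."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings: list[str] = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag")
    elif policy != "reject":
        findings.append(f"p={policy}; spoofed mail is delivered (none) or only junked (quarantine)")
    subdomain_policy = tags.get("sp", policy)  # sp defaults to p when absent (RFC 7489)
    if policy is not None and subdomain_policy != "reject":
        findings.append(f"subdomain policy sp={subdomain_policy}; mail from invented subdomains is not rejected")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}; the policy is applied to only that share of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address; you will receive no aggregate reports, so no evidence")
    return findings


def grade_domain(spf_record: str, dmarc_record: str) -> tuple[str, list[str]]:
    """Combine both checks into the checklist's red/green verdict for one sending domain."""
    findings = [f"SPF: {f}" for f in check_spf(spf_record)]
    findings += [f"DMARC: {f}" for f in check_dmarc(dmarc_record)]
    return ("green" if not findings else "red", findings)


# Constructed sample records for a hypothetical firm domain (not real DNS data).
WEAK_SPF = "v=spf1 include:_spf.google.com include:spf.protection.outlook.com a mx ptr +all"
GOOD_SPF = "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
GOOD_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("good", GOOD_SPF, GOOD_DMARC)):
        verdict, notes = grade_domain(spf, dmarc)
        print(f"{label}: {verdict}")
        for note in notes:
            print("  -", note)
```

Run it against every domain the firm sends from, including parked and marketing domains, which is where a p=none record usually hides; the WEAK_SPF sample is also a reminder that a `+all` at the end silently undoes every include before it.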
4. Endpoints and devices (P0–P1)
19. EDR/XDR on every endpoint — P0 CrowdStrike, SentinelOne, Microsoft Defender for Endpoint (Plan 2), or Sophos Intercept X. Antivirus alone is not sufficient, and most carriers will not bind a policy on it. Owner: IT/MSP. Evidence: console showing 100% coverage.
20. Full-disk encryption — P0 BitLocker (Windows) and FileVault (macOS) on every laptop, enforced and reported via MDM, with recovery keys escrowed to the MDM or identity tenant so a lost key does not turn into lost client files. Owner: IT/MSP. Evidence: MDM encryption compliance report.
21. MDM enrollment on all mobile devices and laptops — P1 Intune, Jamf, or Kandji. Enforces passcode, encryption, remote wipe, and OS-patch level. Bring-Your-Own-Device gets app-level containerization at minimum. Owner: IT/MSP. Evidence: MDM enrollment and compliance report.
22. Patch SLAs — P1 Critical patches within 7 days, high within 30. Reported monthly. Owner: IT/MSP. Evidence: patch report.
23. Local admin rights restricted — P1 End users do not have local admin on workstations. The built-in local administrator password is unique per machine and rotated (Windows LAPS or an MDM equivalent), so one stolen password does not open every laptop. Owner: IT/MSP. Evidence: local administrators group report.
24. USB and removable-media control — P2 Block or read-only via EDR/MDM unless explicitly approved. Owner: IT/MSP.
5. Network and remote work (P1)
25. Next-gen firewall with IDS/IPS — P1 At every office. Logs retained ≥ 90 days. Owner: IT/MSP.
26. ZTNA or modern VPN — P1 Cloudflare Access, Zscaler, Tailscale, or Twingate for remote access to on-prem resources. Internet-facing VPN appliances with unpatched firmware, no MFA, or an exposed admin interface are a major ransomware entry point in 2026; if you keep a traditional VPN, it gets MFA, prompt patching, and no administrative interface reachable from the internet. Owner: IT/MSP. Evidence: remote-access configuration + appliance patch level.
27. DNS filtering — P1 Cisco Umbrella, Cloudflare Gateway, or DNSFilter. Blocks known-bad domains before they load. Owner: IT/MSP.
28. Guest Wi-Fi isolated from corporate — P1 Separate VLAN/SSID. Clients and visitors never on the staff network. Owner: IT/MSP.
6. Data, DMS, and backups (P0)
29. DMS with matter-level access controls — P1 iManage, NetDocuments, or Worldox configured for need-to-know access by matter, not blanket "all attorneys see everything." Owner: Security Lead. Evidence: ethical-wall configuration.
30. Encryption at rest and in transit — P0 TLS 1.2+ everywhere; AES-256 at rest in DMS, email, and backups. Owner: IT/MSP.
31. 3-2-1-1 backup rule with immutable copy — P0 3 copies, 2 media, 1 off-site, **1 immutable** (object lock / WORM). Backup credentials are separate from domain admin, so an attacker who owns Active Directory cannot also delete the backups. Tested restore quarterly (item 32). Missing or deletable backups are among the most common reasons firms end up paying a ransom. Owner: IT/MSP. Evidence: backup report + last restore test.
32. Quarterly restore test — P0 A real file from a real backup, restored to a real environment, signed off. Owner: IT/MSP. Evidence: restore log.
33. Data Loss Prevention (DLP) — P2 Microsoft Purview or Mimecast DLP policies for client PII, PHI, SSNs, payment data. Owner: Security Lead.
34. Records retention and defensible disposal — P1 Schedule by matter type. Privileged client data is not kept forever — it is a liability after the matter closes. Owner: Records + Security Lead. Evidence: retention schedule.
7. Vendor and AI risk (P1)
35. Vendor inventory with data flows — P1 Every SaaS and AI tool that touches client data, with data types, sub-processors, and SOC 2 / ISO 27001 status. Owner: Security Lead. Evidence: vendor register.
36. Security review before procurement — P1 No new tool goes live without Security Lead sign-off. Standard questionnaire (SIG-Lite or CAIQ) for anything Confidential or above. Owner: Security Lead.
37. Contractual security terms — P1 DPA, breach-notice SLA (≤ 72 hours), audit rights, sub-processor notice, deletion-on-termination clause. Owner: GC / outside counsel.
38. AI tool governance — P1 Enterprise tenants only (Microsoft 365 Copilot, ChatGPT Enterprise, Anthropic Claude for Work) with training opt-out. No free ChatGPT or consumer Gemini for matter content. Audit logs on. Owner: Security Lead.
8. People and awareness (P0–P1)
39. Security awareness training at onboarding + annually — P0 KnowBe4, Hoxhunt, or Proofpoint. Tracked completion. Owner: HR + Security Lead. Evidence: completion report.
40. Monthly phishing simulations — P1 Reported click-rate trending down quarter-over-quarter. Owner: Security Lead.
41. Wire-fraud and BEC tabletop — P1 At least annually with accounting, partners, and front desk. Owner: Security Lead.
42. Background checks on all hires and contractors — P1 Insider risk is real. Owner: HR.
9. Detection, response, and resilience (P0–P1)
43. 24x7 SOC or MDR — P0 You will not see the alert at 2 a.m. on a Saturday. Managed Detection and Response from Arctic Wolf, Huntress, eSentire, Red Canary, or your EDR vendor. Owner: Security Lead. Evidence: contract + monthly report.
44. Centralized logging ≥ 90 days — P1 Email, EDR, identity, firewall, and DMS audit logs into a SIEM or log lake. Without them you cannot determine which matters and whose data were accessed, and that determination is what state breach-notification duties turn on. Owner: IT/MSP. Evidence: log-source inventory + retention setting.
45. Breach counsel and forensics on retainer — P0 Pre-signed engagement letters with a breach coach (privilege-preserving) and a DFIR firm (Mandiant, Kroll, Arete, Unit 42). Owner: GC / MP.
46. Cyber insurance with adequate limits — P0 Minimum $1M per-claim for small firms; $5–10M+ for mid-market; tower coverage for AmLaw. Underwriters commonly require items 7, 14, 19, 31, and 43 before they will bind. See our [cyber insurance for law firms guide](/blog/cyber-insurance-for-law-firms). Owner: MP + broker. Evidence: policy declarations page + completed application.
47. Annual tabletop exercise — P1 Walk a real ransomware or BEC scenario with leadership, IT, GC, communications, and breach counsel. Owner: Security Lead. Evidence: after-action report.
48. External attack-surface scan — P1 Quarterly scan of internet-facing assets, DNS, leaked credentials, and exposed services. Owner: Security Lead. Evidence: latest report.
49. Penetration test annually — P2 External + internal + (if applicable) web application. Findings tracked to remediation. Owner: Security Lead.
50. Continuous compliance evidence collection — P2 Drata, Vanta, or Secureframe to automate SOC 2 / ISO 27001 evidence. Cuts client-questionnaire response time from weeks to days. Owner: Security Lead.
What "good" looks like at the end of 2026
A defensible program scores P0 green, P1 mostly green, P2 in flight, with an owner and an evidence link on every row. You can hand the binder (or, more realistically, the Drata/Vanta dashboard) to:
- A Fortune 500 GC's outside-counsel security review
- A Beazley or Coalition cyber-insurance underwriter
- A state-bar inquiry after a security event
- A client whose matter just got hit and is asking, "Are we exposed?"
Each of those audiences asks slightly different questions. The same checklist answers all of them.
Frequently asked questions
How long does it take a 25-attorney firm to implement this checklist? A typical mid-market firm with an MSP can reach P0-green in **60–90 days** and P1-green in **6 months**, working in parallel streams: identity & email (weeks 1–4), endpoints & backups (weeks 4–8), governance & vendor (weeks 8–12). The bottleneck is rarely technology — it is partner sign-off on the WISP and the wire-verification policy.
Do solo and small firms really need all 50? Yes — but the implementation collapses. A solo's "SOC" is an MDR subscription ($150–300/month), the "WISP" is a 3-page document, and the "vendor inventory" is a spreadsheet. The controls are the same; the scale is not.
Which controls do cyber-insurance underwriters care about most in 2026? In order: **#7 MFA**, **#19 EDR**, **#31 immutable backups**, **#14 advanced email security**, **#43 24x7 MDR**, **#39 security awareness training**. Missing any of these is increasingly a decline-to-quote, not a higher premium.
Is this checklist enough for HIPAA or GDPR work? It is the foundation. HIPAA Security Rule adds specific administrative, physical, and technical safeguards (Business Associate Agreements, audit controls, transmission security) on top. GDPR adds lawful basis, DPIA, data-subject rights, and Article 30 records of processing. Both build on the controls above — they don't replace them.
How often should we refresh the checklist? Re-score every quarter; rebuild evidence annually; re-run the risk assessment annually or after any material change (new office, M&A, new client tier, new AI tool). The threat landscape moved meaningfully between 2024 and 2026 — assume it will again.
Related reading
- Cybersecurity for Law Firms: The 2026 Playbook
- Law Firm Data Breach: The 72-Hour Response Playbook
- Law Firm Ransomware in 2026: 90-Day Prevention Plan
- Cyber Insurance for Law Firms
- Law Firm Compliance in 2026
Ready to see where you actually stand? Run a free external attack-surface assessment on your firm's domain — it takes under two minutes and maps directly to items #13, #25, and #48 of this checklist.


