Cybersecurity Guidelines

Cyber Security Guidelines

By the IBA’s Presidential Task Force on Cyber Security
October 2018

Law firms hold large volumes of valuable personal and commercially sensitive information about their firms, employees, case information and clients. This makes law firms of all sizes a highly attractive target for cybercriminals1. Breaches of data security can have devastating legal, financial and reputational consequences for a law firm’s clients and business, as well as the law firm. As such, it is critical that firms have effective cyber security technologies and processes that focus on protecting the confidentiality, integrity and availability of sensitive data2.

The threat of large-scale cyberattacks against law firms is a real risk. It has been reported that attackers have targeted law firms because they hold valuable commercial information and are regarded as ‘weak links’ because they do not usually take cyber security as seriously as their clients3 or do not have the financial capabilities to invest in efficient technologies that protect the firm from cyberattacks. Global law firms have been the subject of targeted attacks by hackers attempting to acquire insider knowledge ahead of major business negotiations and mergers and acquisitions (M&A)4. While smaller law firms commonly believe that they are less likely to be a victim of cybercrime,5 experts have suggested that hackers target small businesses, including law firms, because they usually have lower cyber security defences due to a lack of financial and human resources.6 In 2015, it was estimated that up to 50 per cent of small businesses had been a victim of a cyberattack and 60 per cent of those who suffer a significant cyber breach go out of business within six months.7 Such attacks will continue with increasing sophistication and frequency.8 Consequently, it is essential that law firms of all sizes are aware of cyber security threats and have policies and procedures to counter such threats.

This report forms part of the International Bar Association’s (IBA’s) ongoing work on cyber security. The IBA Presidential Task Force on Cyber Security (the ‘Task Force’) has the objective of:

  • producing a set of recommended best practices to help law firms to protect themselves from breaches of data security;
  • assisting their ability to keep operations running if a breach of data security or ransom attack does occur;
  • giving their clients the best possible assurances that their data is protected;
  • helping protect the reputation of the profession.


These guidelines are particularly relevant for:

  • Single practitioner
  • Small firms (20+ employees)
  • Medium-sized (21-40 employees)
  • Intermediate-sized to large firms (41+ employees)


These guidelines are separated into the following three broad areas:

Download the Cyber Security Guidelines (2018)