
1 in 5 U.S. Law Firms Suffer Cyberattacks Amid Rising Threats

A Proton study finds 20% of U.S. law firms were hit by cyberattacks in the past year, highlighting gaps in breach response and the evolving risk landscape.

Key points:

  • One in five U.S. law firms reported being targeted in a cyberattack over the past year.
  • 8% of firms lost data or suffered exposure, while most lack clarity on legal breach obligations.
  • Experts warn that evolving threats demand stronger client confidentiality and incident readiness.

Twenty percent of U.S. law firms were hit by cyberattacks in the past 12 months, and nearly 1 in 10 lost or exposed sensitive data, according to a new study by Geneva-based Proton. The survey of 500 firms revealed widespread vulnerability, knowledge gaps, and escalating client pressure on firms to meet cybersecurity expectations.

While the size of the targeted firms was not disclosed, recent breaches involving Am Law 100 firms—including Fenwick & West, Taft Stettinius & Hollister, and global players like Kirkland & Ellis and Allen & Overy—highlight that no tier is immune.

Proton found that 65% of surveyed firms were unfamiliar with their legal obligations following a breach, and 42% were uncertain about their ability to recover post-incident. The findings expose a critical disconnect between risk awareness and preparedness across the sector.

Tristan Hall, a partner in CMS’s cybersecurity practice, noted the complexity of the modern threat landscape: “Attackers are increasingly targeting people and processes rather than just technology. Even multi-factor authentication, once a reliable safeguard, can now be bypassed through social engineering and technical exploitation.”

Recent warnings from the FBI spotlight criminal gangs like Luna Moth, which have targeted law firms under the guise of IT support, exfiltrating data related to M&A activity and litigation strategies. Ransom demands are often accompanied by threats to publish or leak files, with staff contacted directly to apply pressure.

“Law firms are extremely sensitive to breaches involving client data,” said Philip Tansley, a crisis management partner at Osborne Clarke. “The reputational and legal fallout of leaked court or transaction documents could be catastrophic.”

Proton's report suggests a growing dependence on digital platforms has contributed to the risk. Cloud adoption and remote collaboration tools have increased firms’ attack surfaces, often without commensurate increases in security spending or training.

In the U.K., the implications of poor cybersecurity were illustrated by the £60,000 fine imposed on DPP Law in April. Attackers accessed 32GB of highly sensitive data through an unprotected admin account, exploiting basic failures in account security.

Proton’s head of security, Patricia Egger, recommended technical and procedural controls, including end-to-end encryption, strict access privileges, and real-time device monitoring. “Firms should assume compromise is possible and design systems to minimize exposure when it happens,” she said.

Dechert’s global cyber practice chair, Brenda Sharton, framed the current situation as an “arms race.” While threat actors evolve, so too do defensive technologies, including AI-powered detection tools. But Sharton warned that attackers often exploit legacy systems or overlooked components—“the places organisations deprioritize, sometimes justifiably.”

CMS’s Hall emphasized that cybersecurity is now a precondition for client trust: “Firms must view confidentiality not only as a legal obligation but as a commercial imperative. Testing breach readiness should be as routine as reviewing contracts.”
