Client trust, M&A deal flow, and a PI insurer that's watching.

Law firms sit on client wire instructions, M&A deal flow, sensitive IP and trust accounts. Attackers know the value, and professional indemnity insurers now know the risk. RiskSense generates the court-document, contract-review and client-wire phish your team is actually getting — with reports your insurer and regulator will accept.

Why Legal & professional keeps getting hit

Legal practices concentrate the things attackers want most in one mailbox: client wire instructions, M&A and corporate deal documents, intellectual property, and access to client trust funds. The phishing landscape for legal is genuinely sophisticated — spear phishing referencing real matter names, real opposing counsel, and real upcoming deadlines is common. The fallout when something goes wrong is amplified by professional duty and PI exposure.

Client wire instruction interception (the classic conveyancing fraud)
Trust account credential theft
M&A and deal document exfiltration for insider trading or extortion
Sensitive IP and patent disclosures (especially patent-stage filings)
Email account takeover for client impersonation downstream
Privileged-communication exfiltration for litigation leverage

Compliance frameworks that touch SAT

These are the regulations and standards in Legal & professional where ongoing security awareness training is either required or strongly expected.

SRA Code of Conduct

UK

Solicitors Regulation Authority guidance on cyber security explicitly identifies staff training as part of competence and confidentiality obligations.

Lawyers and Conveyancers Act

NZ

Confidentiality duties under the Lawyers and Conveyancers Act 2006 and the Rules of Conduct make a phish-driven leak a professional conduct issue, not just a security incident.

Legal Profession Acts

AU

State-based legal profession acts impose confidentiality and trust account obligations; Law Society guidance increasingly references SAT.

AML/CFT Act 2009

NZ

The Anti-Money Laundering and Countering Financing of Terrorism Act applies to reporting entities (including most law firms handling trust funds); a risk management programme is required.

AML/CTF Act 2006

AU

Designated services include legal practice; programmes must cover staff training for risk identification.

ABA Formal Op. 477R

US

American Bar Association: lawyers must take reasonable efforts to prevent unauthorised access to client information, including ongoing staff training.

Professional indemnity

Global

Most PI insurers now condition cover on documented cyber security baselines including SAT for any firm handling client funds or sensitive matter information.

ISO 27001

Global

A.6.3 Information security awareness, education and training is a required control for any firm seeking certification.

Phish your legal & professional staff are actually getting

Patterns we see most often. RiskSense generates these automatically from your tenant context, not from a template library.

Pattern 1

Court e-filing notification

Email purporting to be from the court registry alerts the recipient that a new document has been filed in an active matter, with a link to view the document.

What tips Glitch off
  • Court registries don't send filing notifications via email links to third-party portals
  • Sender domain is similar but not the real court domain
  • Login form harvests practice-management credentials (LEAP, Actionstep, etc.)
  • Matter reference is generic — no specific case number or party detail

Pattern 2

Opposing counsel — contract review

Email from someone purporting to be opposing counsel attaches a draft contract for review ahead of a tight deadline.

What tips Glitch off
  • Sender domain is one character off the real firm's domain
  • Attached document requires enabling macros or opens a credential prompt
  • Tone references a real matter but with subtle inaccuracies
  • Reply-to address differs from the sender

Pattern 3

Client wire instruction change

Email from the client (or appearing to be) just before settlement, updating the bank account for the conveyancing trust payment.

What tips Glitch off
  • Banking detail change just before settlement — classic conveyancing fraud pattern
  • No confirmation call to a known phone number
  • Email originates from a slightly different domain or a different email provider
  • Account is at a different bank than the client previously used

Pattern 4

M&A NDA / data room invite

Email invites the recipient to access a data room for a deal they're involved in, asking them to authenticate.

What tips Glitch off
  • Real data room invites come from named platforms with predictable domains
  • Authentication is requested for a domain the firm doesn't use
  • Urgency — 'access expires in 24 hours' — pushes past verification
  • Document title is generic, with no real matter detail
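As an added illustration (not RiskSense's own code) of the header-level tells listed under Patterns 2 and 3 above, this Python checks a constructed message for a sender domain one character off a known counterparty domain and a Reply-To domain that does not match the sender; the trusted-domain list and the sample headers are assumptions built for the example.

```python
"""Flag two header-level phishing tells: a lookalike sender domain and a
Reply-To that differs from From. Trusted domains and headers are constructed."""
from email.utils import parseaddr

# Constructed list of domains the firm legitimately corresponds with.
TRUSTED_DOMAINS = {"courts.example.govt.nz", "opposingfirm.example.com", "client.example.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character-off lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Extract the lower-cased domain from a From/Reply-To header value."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def header_tells(headers: dict) -> list:
    """Return the red flags found in a message's From/Reply-To headers."""
    flags = []
    sender = domain_of(headers.get("From", ""))
    reply_to = domain_of(headers["Reply-To"]) if headers.get("Reply-To") else sender
    if reply_to != sender:
        flags.append(f"reply-to domain {reply_to} differs from sender {sender}")
    if sender not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if edit_distance(sender, trusted) == 1:
                flags.append(f"sender {sender} is one character off trusted {trusted}")
    return flags


# Constructed sample headers, modelled on Pattern 2 (opposing counsel) above.
SAMPLE = {
    "From": "Jane Smith <jsmith@opposingfirm.example.co>",  # .co, not the real .com
    "Reply-To": "jsmith.legal@mail.example.net",
    "Subject": "Draft SPA for review - need comments by 5pm",
}

if __name__ == "__main__":
    for flag in header_tells(SAMPLE):
        print("FLAG:", flag)
```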

Cyber insurance angle

Professional indemnity insurers have started treating cyber readiness with the same weight as professional competence. Most PI insurers now require evidence of ongoing security awareness training before they'll renew a policy without a loading. After a phish-driven loss of client funds, the absence of SAT documentation is often the difference between a covered claim and a contested one — and a regulator complaint either way.

Questions legal & professional teams ask

Do PI insurers actually check for SAT?

Increasingly, yes. UK PI proposal forms now ask explicitly about staff cyber training, simulated phishing, and incident response. NZ and AU PI insurers have followed. After a loss, the insurer will ask for evidence — having it ready accelerates the claim; not having it slows it considerably.

What about barristers / sole practitioners?

Same exposure — arguably more, because solo practices typically have weaker controls and the same confidentiality duty. RiskSense's free training tier and per-seat pricing scale down to individual practitioners without the procurement cost of enterprise SAT.

How does this interact with our AML programme?

Most AML/CFT programmes already include staff training requirements. RiskSense provides the cyber and phishing module that sits alongside your AML training — the records are kept in the same place, which simplifies your annual programme review.

Can we train support staff differently to fee earners?

Yes. Cadence and content can be tailored by role on the tenant — partners might get less frequent but more sophisticated spear phishing, accounts staff get wire-fraud heavy content, support staff get credential-harvesting and MFA-fatigue patterns. All from the same connected tenant.

Will the reports satisfy a Law Society or SRA audit?

Yes. Reports include per-fee-earner training records, time-stamped simulation events, coaching completion, and trend data — the evidence pattern regulators want when they ask 'show me your awareness programme'.

Get a legal & professional-aware programme running today.

60 seconds to set up. No credit card. Reports your auditor and your broker will actually accept.