# Security for Professional Services
## Definition and Overview
Professional services firms occupy a distinctive position in the cybersecurity threat landscape. Unlike retailers, which hold customer financial data, or healthcare organizations, which hold patient records, professional services firms hold the most sensitive strategic and operational information of their clients. A consulting firm advising a Fortune 500 company on a merger holds documents that could move financial markets. An engineering firm designing a data center holds facility blueprints that could enable physical intrusion. An accounting firm managing a client's financial records holds information that enables both financial fraud and competitive intelligence. A law firm holds privileged communications, litigation strategy, and the full details of every sensitive transaction it has ever been involved in.
This accumulation of sensitive client information is not incidental to the professional services business model: it is the business. Clients must share their most sensitive information with the firm in order to receive competent advice. The relationship is built on trust, and in law and accounting that trust is formalized by professional ethics rules with legal force.
The combination of client data sensitivity, trusted relationship access, and (in many cases) immature security posture makes professional services firms high-value targets for sophisticated threat actors. They are frequently targeted not for their own data, but as a pathway to the data of their clients.
This article addresses the cybersecurity threat landscape for professional services across firm types, the regulatory and liability framework, and how CDA's Planetary Defense Model maps to a defensible security program for knowledge-based businesses.
---
## Threat Landscape
### The Professional Services Firm as a Supply Chain Attack Vector
Nation-state threat groups and sophisticated criminal actors have recognized that professional services firms are often an easier pathway to sensitive client information than attacking clients directly. A large corporation with a mature security operations center, EDR deployment, and 24/7 monitoring may be effectively hardened against many attack vectors. Its outside law firm, whose IT infrastructure is managed by a two-person team, is not.
This dynamic means that attacking a professional services firm produces access to a portfolio of sensitive client matters: multiple corporations' M&A strategies, multiple defendants' litigation positions, multiple companies' financial projections. A single compromise at a mid-size consulting firm may expose sensitive information for dozens of clients simultaneously.
The SolarWinds supply chain attack, while not a professional services firm attack specifically, illustrated the amplifying effect of compromising a trusted third party: attackers gained access to thousands of organizations through a single trusted software provider. Professional services firms play an analogous trusted-intermediary role in business relationships.
### Ransomware and Double Extortion
Professional services firms are a primary target for ransomware groups that use double extortion: not only encrypting systems to demand a decryption ransom, but also exfiltrating data and threatening to publish it unless a separate data ransom is paid. The threat to publish confidential client communications, litigation strategy, or M&A plans is not merely a financial threat to the firm; it is an existential threat to client relationships that have been built over years or decades.
For law firms, the threatened publication of privileged attorney-client communications is a particular pressure point: clients may view the firm's failure to prevent such a compromise, and the resulting publication, as a breach of the professional duty of confidentiality. The reputational damage is typically irreparable regardless of the technical cause of the breach.
Notable professional services ransomware incidents include the 2021 attack on Campbell Conroy and O'Neil, a litigation firm representing Fortune 500 clients including Apple, Johnson and Johnson, ExxonMobil, and others. The attack resulted in the exposure of Social Security numbers, financial account information, and health records of individuals associated with the firm's client matters. The firm's clients included defendants in active litigation, making the exposure of case-related information particularly sensitive.
### Nation-State Targeting for M&A Intelligence
Government-sponsored threat actors, including APT groups attributed to China, Russia, and others, have been publicly identified as targeting professional services firms for pre-public merger and acquisition intelligence. M&A transactions generate documents with extraordinary information value: the parties involved, the consideration, the strategic rationale, the regulatory strategy, and the anticipated market impact. Obtained before public announcement, this information enables trading on the deal ahead of the market.
The FBI and CISA have issued advisories specifically warning that law firms and investment banking advisory firms are targeted by nation-state actors and criminal groups for M&A intelligence collection. The major accounting firms and Big 4 consulting firms have all been targeted or breached, though disclosure of such incidents is limited.
### Business Email Compromise
Business Email Compromise (BEC) is disproportionately impactful in professional services because the firms' core operational process is email communication with clients, counterparts, and financial institutions. Professional services firms routinely wire large sums of money based on emailed wire instructions: settlement payments, transaction closings, payroll disbursements, client fund remittances.
Attackers compromise or spoof email accounts within the firm or at a counterpart organization and insert fraudulent wire instructions into legitimate transaction flows. A single successful BEC attack against a firm handling a transaction closing can result in the misdirection of millions of dollars. The professional services context amplifies the risk because the dollar amounts involved are often transaction-scale rather than individual-scale, and because the urgency culture of professional services (deadlines, closings, regulatory filings) creates pressure to execute quickly without verification.
Law firms are subject to specific bar association guidance (ABA Formal Opinion 483) on their obligations following a data breach affecting client information, including notification obligations that may be triggered regardless of whether the bar's confidentiality rules were technically violated.
### Data Retention: Liability vs. Security
Professional services firms face a data-management tension unique to their sector: retention obligations run directly against security best practice. A law firm may be required to retain client files indefinitely under applicable bar rules or client instructions. An accounting firm must retain tax records for seven years under IRS guidance and client agreements. These retained records are targets: they accumulate over time, they contain sensitive information, and they are often stored in legacy systems or archive environments that receive less active security attention than production systems.
The data protection principle of storage limitation (retain data only as long as necessary) conflicts directly with these retention obligations. A mature professional services security program addresses this tension explicitly: retained data should be encrypted, access-controlled, and monitored even in archive environments, and the retention period itself should be documented and enforced rather than treated as indefinite by default.
---
## Regulatory and Compliance Requirements
ABA Model Rule 1.6 (Law Firms): The American Bar Association's Model Rule 1.6 requires lawyers to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of client information. ABA Formal Opinion 477R (2017) extended this obligation explicitly to cloud services and technology platforms used to handle client communications and files. A security breach that exposes client confidential information may constitute a Rule 1.6 violation, triggering bar disciplinary proceedings and civil liability.
AICPA SOC Standards (Accounting Firms): Accounting firms that perform SOC 1 and SOC 2 audits for clients are themselves subject to scrutiny of their own security controls. The AICPA's standards create an expectation that audit firms maintain security programs commensurate with their access to client data.
Gramm-Leach-Bliley Act (Financial Information): Professional services firms handling client financial information (particularly accounting and tax advisory firms) may be subject to GLBA's Safeguards Rule, which requires a written information security program, risk assessment, and safeguards appropriate to the size and complexity of the firm.
State Data Privacy Laws: Client individuals' PII held by professional services firms is subject to CCPA, CPA, CTDPA, and similar state privacy laws. Many professional services engagements involve multiple clients and multiple jurisdictions, requiring privacy programs that address varying state requirements.
GDPR: Firms with EU clients or operating in EU jurisdictions must address GDPR requirements for data processed in connection with those client relationships. For law firms, the intersection of GDPR's rights of access and erasure with attorney-client privilege and litigation holds creates specific compliance complexity.
Professional Liability Insurance: The cybersecurity posture of a professional services firm is increasingly a factor in professional liability insurance underwriting. Insurers offering professional liability (E&O) coverage increasingly require evidence of security controls as a condition of coverage or as a factor in premium calculation.
---
## Key Security Controls by PDM Domain
### DPS: Data Protection and Sovereignty
Every client engagement generates confidential information that must be protected from the moment it is received or created through the full retention lifecycle. The Sovereign Data Protocol (SDP) applied in professional services means: know where every client matter's data lives, have made a deliberate decision about that location (on-premises, firm cloud, client-specified system), and enforce encryption and access controls appropriate to the sensitivity of the matter. Matter-level data classification, client data inventories, and retention and destruction policies are the DPS program components for professional services. Special attention is required for email archives, which typically contain the full record of client communications over the life of the firm.
### VSD: Vulnerability and Surface Defense
Professional services firms present a more traditional enterprise IT attack surface: managed endpoints, email platforms, document management systems, remote access infrastructure, and client-facing portals. Continuous Surface Reduction (CSR) here means systematic vulnerability management on all firm endpoints and servers, attack surface mapping of all external-facing services (client portals, VPNs, webmail), and penetration testing of externally accessible infrastructure. Many professional services firms have not invested in systematic vulnerability management, creating an accumulation of unpatched exposure over time.
### SPH: Security Posture and Hygiene
Hardening of email clients and servers is the highest-priority hygiene control in professional services: email is the primary attack surface for both BEC and initial access for ransomware. Autonomous Posture Command (APC) for professional services includes enforcing DMARC/DKIM/SPF on all firm email domains, disabling legacy authentication protocols that bypass MFA, hardening email clients against macro-based malware, and standardizing endpoint configuration across all attorney or consultant workstations.
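The following is an added example, not code from the original page or from CDA, showing what "enforcing DMARC/SPF" looks like as a concrete posture check: it parses the SPF and DMARC TXT records a domain publishes and flags the settings that leave the firm's domain spoofable (a permissive `all` qualifier, `p=none`, partial `pct`, no aggregate reporting). The domain names and record strings are constructed for illustration; a real check would pull the TXT records from DNS instead of the dictionary.

```python
"""Flag weak SPF and DMARC settings on a firm's email domains.

Added example (not from the original page or CDA). SAMPLE_RECORDS holds
constructed TXT records for two fictitious domains: one with the weak
defaults many firms still publish, one hardened. In a real deployment the
records would be fetched from DNS rather than embedded here.
"""
import re

# Constructed sample records keyed by the DNS name the TXT record lives at.
SAMPLE_RECORDS = {
    "weakfirm.example": "v=spf1 include:_spf.example.net ?all",
    "_dmarc.weakfirm.example": "v=DMARC1; p=none; rua=mailto:dmarc@weakfirm.example",
    "hardenedfirm.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
    "_dmarc.hardenedfirm.example": (
        "v=DMARC1; p=reject; rua=mailto:dmarc@hardenedfirm.example; "
        "ruf=mailto:dmarc@hardenedfirm.example; pct=100; adkim=s; aspf=s"
    ),
}


def parse_spf(record):
    """Return the qualifier on the SPF 'all' mechanism: '+', '-', '~', '?',
    'absent' when no 'all' term is present (SPF then evaluates to neutral),
    or None when the record is not a v=spf1 record."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # bare 'all' means '+all'
    return "absent"


def parse_dmarc(record):
    """Return DMARC tag/value pairs as a dict, or None if not a v=DMARC1 record."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, records):
    """Return a list of findings; an empty list means SPF and DMARC are enforced."""
    findings = []
    spf = parse_spf(records.get(domain))
    if spf is None:
        findings.append("SPF: no v=spf1 record published")
    elif spf in ("+", "?", "absent"):
        findings.append(f"SPF: 'all' qualifier '{spf}' lets any host send as the domain (use -all)")
    elif spf == "~":
        findings.append("SPF: softfail (~all) only; receivers may still deliver (prefer -all)")

    dmarc = parse_dmarc(records.get("_dmarc." + domain))
    if dmarc is None:
        findings.append(f"DMARC: no record at _dmarc.{domain}")
    else:
        policy = dmarc.get("p", "").lower()
        if policy != "reject":
            findings.append(f"DMARC: p={policy or 'missing'} does not block spoofed mail (target p=reject)")
        if dmarc.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={dmarc['pct']} applies the policy to only part of the mail")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= aggregate reports, so spoofing attempts go unobserved")
    return findings


if __name__ == "__main__":
    for d in ("weakfirm.example", "hardenedfirm.example"):
        print(d, assess_domain(d, SAMPLE_RECORDS) or ["OK"])
```

Run it across every domain the firm owns, including parked or non-sending domains, which should publish `v=spf1 -all` and `p=reject` so they cannot be used to impersonate the firm in a BEC attempt.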
### IAT: Identity Access and Trust
Matter-level access controls in document management systems, MFA on all remote access and email platforms, and privileged access management for IT administrators are the core IAT requirements. Zero Possession Architecture (ZPA) principles are particularly applicable in law firm settings: partners may assume they need access to all client matters, but least-privilege access that is explicitly authorized and logged is both a security and a conflicts-of-interest management tool. BEC prevention depends heavily on strong IAT: email account compromise is the precondition for both impersonation and wire fraud attacks.
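The matter-level rule above (access only when explicitly authorized, seniority grants nothing by itself, every decision logged) is small enough to show in full. The following is an added example, not code from the original page or from CDA's products; the matter id, user names and the conflicts-wall set are constructed placeholders, and a real document management system would store the audit log in write-once storage rather than a list.

```python
"""Matter-level least-privilege access with an audit trail.

Added example (not from the original page or CDA). Implements the rule
described in the IAT section: a user reads a matter only if explicitly on
its team, a conflicts wall overrides everything, grants require a partner
who is already on the team, and every decision is logged. Names and ids
below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Matter:
    matter_id: str
    client: str
    team: set                                     # users explicitly authorized
    walled_off: set = field(default_factory=set)  # conflicts screen (ethical wall)


@dataclass(frozen=True)
class AccessDecision:
    allowed: bool
    reason: str


AUDIT_LOG = []  # append-only list here; in production, a write-once log store


def _log(**event):
    event["ts"] = datetime.now(timezone.utc).isoformat()
    AUDIT_LOG.append(event)


def check_matter_access(user, role, matter, action="read"):
    """Decide whether `user` may perform `action` on `matter`, and log it.

    `role` is recorded for the audit trail only: a partner who is not on
    the matter team is denied like anyone else (no implicit seniority access).
    """
    if user in matter.walled_off:
        decision = AccessDecision(False, "blocked by conflicts wall")
    elif user in matter.team:
        decision = AccessDecision(True, "explicitly authorized on matter team")
    else:
        decision = AccessDecision(False, "not on matter team")
    _log(user=user, role=role, matter=matter.matter_id, action=action,
         allowed=decision.allowed, reason=decision.reason)
    return decision


def grant_matter_access(approver, approver_role, user, matter):
    """Add `user` to the matter team. Only a partner already on the team may
    approve, and a walled-off user can never be added. Every outcome is logged."""
    if approver_role != "partner" or approver not in matter.team:
        _log(user=approver, role=approver_role, matter=matter.matter_id,
             action=f"grant:{user}", allowed=False, reason="approver is not a team partner")
        return False
    if user in matter.walled_off:
        _log(user=approver, role=approver_role, matter=matter.matter_id,
             action=f"grant:{user}", allowed=False, reason="user is walled off from matter")
        return False
    matter.team.add(user)
    _log(user=approver, role=approver_role, matter=matter.matter_id,
         action=f"grant:{user}", allowed=True, reason="granted by team partner")
    return True


def denied_events(log=None):
    """Denied decisions: what a reviewer looks at, e.g. one account probing
    many matters it was never assigned to (a possible account-takeover signal)."""
    return [e for e in (AUDIT_LOG if log is None else log) if not e["allowed"]]


def demo():
    """Constructed walk-through; returns the sequence of outcomes."""
    AUDIT_LOG.clear()
    m = Matter("M-0001 (constructed)", "Client A (constructed)",
               team={"p.lee"}, walled_off={"r.kim"})
    return [
        check_matter_access("p.lee", "partner", m).allowed,     # True: on team
        check_matter_access("s.park", "partner", m).allowed,    # False: partner, but not on team
        grant_matter_access("s.park", "partner", "a.chen", m),  # False: approver not on team
        grant_matter_access("p.lee", "partner", "a.chen", m),   # True: team partner approves
        check_matter_access("a.chen", "associate", m).allowed,  # True: explicitly granted
        grant_matter_access("p.lee", "partner", "r.kim", m),    # False: conflicts wall
        check_matter_access("r.kim", "partner", m).allowed,     # False: conflicts wall
    ]


if __name__ == "__main__":
    print(demo())
    for event in denied_events():
        print(event)
```

The denied events are the useful output for the conflicts and security teams alike: a legitimate partner who needs a matter shows up once and then gets a logged grant, while a compromised account enumerating matters shows up as a run of denials across matters it has no relationship to.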
### TID: Threat Intelligence and Defense
The threat actor population targeting professional services is sophisticated: nation-state groups targeting M&A intelligence, ransomware operators using double extortion, and BEC actors specifically targeting transaction workflows. Predictive Defense Intelligence (PDI) for professional services means participating in sector-relevant threat intelligence sharing (the Legal Services ISAC for law firms, FS-ISAC for financial advisory firms), monitoring for spearphishing campaigns specifically targeting the firm's domain and attorney email addresses, and maintaining dark web monitoring for leaked firm or client data.
### RGA: Risk Governance and Assurance
The governance framework for professional services integrates security with professional ethics obligations. Perpetual Compliance Assurance (PCA) means that the firm's information security program is documented, tested, and aligned with bar rules (for law firms), professional standards (for accounting firms), and contractual commitments to clients. Client agreements increasingly include cybersecurity requirements: enterprise clients may impose specific security standards on their outside counsel or consulting firms, and these contractual obligations must be tracked and verified.
---
## CDA Perspective
Professional services FRM assessments are consistently weighted toward DPS and RGA. The data protection obligations for client information are complex, the retention landscape is vast, and the governance expectations from both professional bodies and client contracts are significant. At the same time, the VSD and IAT domains in professional services firms frequently show underinvestment: many firms have not had systematic vulnerability management or a formal IAM program.
A CDA FRM for a professional services firm addresses all six PDM domains over two weeks, with particular attention to email security posture (the primary BEC and phishing vector), document management system access controls (matter-level permissions), and data retention architecture. The assessment produces a Shield visualization and posture score that is well-suited for use in client security questionnaires and professional liability insurance applications.
Recommended starting tier by firm type and size:
- Small firm under 50 professionals: Cadet tier. Email hardening, MFA on all systems, matter data access controls, and incident response plan are the priority deliverables.
- Mid-market firm (50-500 professionals): Enlisted tier. Full identity program, email and endpoint security stack, matter-level data protection, and annual threat assessment.
- Large firm or Big 4 equivalent (500+ professionals), or any firm handling classified government work: Officer tier. Full six-domain program, active threat intelligence, third-party client security compliance management, and regular FRM reassessment.
The DPS and RGA domains are CDA's emphasis in professional services engagements, but the TID domain warrants explicit attention for any firm involved in M&A transactions, government contracting, or high-profile litigation. These matters make the firm a named target for sophisticated actors, and the standard enterprise security posture is not adequate to defend against nation-state spearphishing campaigns targeting specific partner email accounts.
---
## Key Takeaways
- Professional services firms hold the most sensitive strategic data of their clients and are targeted not for their own data, but as a pathway to client information.
- Campbell Conroy and O'Neil (2021) is the sector's canonical case study: a litigation firm representing Fortune 500 clients suffered a ransomware breach exposing SSNs, financial data, and health records linked to client matters.
- Business Email Compromise is disproportionately impactful in professional services because the workflow involves large wire transfers executed based on emailed instructions, and the urgency culture reduces verification discipline.
- ABA Model Rule 1.6 and Formal Opinion 477R create professional ethics obligations for technology-based data protection that extend to cloud platforms and third-party services used in client representations.
- Double extortion ransomware creates existential pressure on professional services firms: the threatened publication of privileged client communications may permanently destroy client relationships regardless of whether a ransom is paid.
- Data retention obligations (bar rules, IRS records requirements, litigation holds) create large archives of sensitive client data that must be actively protected, not treated as inactive storage.
- DPS and RGA are the highest-priority PDM domains for professional services, but email security controls in SPH and IAT are the most direct defense against the BEC threat.
---
## Related Articles
- Business Email Compromise (BEC)
- Ransomware Defense
- Zero Possession Architecture (ZPA)
- Data Governance and Retention
- Sovereign Data Protocol (SDP)
- Supply Chain Security
- Security for Legal Services
---
## Sources
- American Bar Association. (2017). ABA Formal Opinion 477R: Securing Communication of Protected Client Information. ABA.
- American Bar Association. (2021). ABA Formal Opinion 483: Lawyers' Obligations After an Electronic Intrusion into a Client File. ABA.
- American Bar Association. (2023). 2023 Cybersecurity TechReport. ABA Legal Technology Resource Center.
- Campbell Conroy and O'Neil. (2021). Notice of Data Breach. Attorney General Consumer Protection Division.
- FBI IC3. (2023). Business Email Compromise: The $50 Billion Scam. Internet Crime Complaint Center.
- CISA / FBI. (2022). Cybersecurity Advisory: Ransomware Targeting Professional Services. AA22-249A.
- FTC. (2023). Safeguards Rule (16 CFR Part 314), Amended. Federal Trade Commission.
- AICPA. (2022). TSP 100-2 Trust Services Criteria. American Institute of CPAs.