Penetration Testing and Security Audits for Law Firms
March 19, 2026 · 10 min read

In March 2023, hackers accessed Orrick, Herrington & Sutcliffe's network and spent roughly four months inside before the firm discovered the intrusion. By then, data from more than 637,000 individuals had been exfiltrated. The forensic investigation that followed revealed what a penetration test conducted the previous year might have identified: insufficient network monitoring and a lack of controls to limit lateral movement once an attacker was inside the perimeter. The firm had no 24/7 security monitoring and lacked network segmentation. Post-breach costs exceeded an estimated $15 million. Orrick is a global law firm with hundreds of attorneys. But the same vulnerabilities—undetected access, flat networks, inadequate monitoring—appear consistently in breaches at firms of all sizes. The legal industry faces an average of 1,055 cyberattacks per week in 2025, and penetration testing is the most effective way to identify the specific gaps that will be exploited before attackers find them first. For managing partners asking whether their firm needs a penetration test, the short answer is: if your clients trust you with their most sensitive matters, you almost certainly do.
What Is the Difference Between a Vulnerability Assessment and a Penetration Test?
These terms are often used interchangeably, but they describe materially different engagements with different outputs—and cyber insurers, in particular, know the difference.
A vulnerability assessment uses automated scanning tools combined with manual review to identify known weaknesses in your systems: unpatched software, misconfigured servers, open ports, weak authentication settings. It tells you what is exposed. It is a good starting point and often the appropriate first engagement for a firm that has not done structured security testing before.
A penetration test goes further. A qualified tester—working within an agreed scope and rules of engagement—attempts to actively exploit the vulnerabilities discovered, chain weaknesses together to escalate access, and demonstrate what an attacker could actually accomplish if they gained a foothold. A penetration test does not just list what is exposed; it shows you what can be done with that exposure. It answers the question: "If someone got in through this vulnerability, how far could they go?"
For cyber insurance purposes, most carriers distinguish between the two. For policies above $1 million in coverage, penetration testing is increasingly required rather than recommended. Above $5 million, it is nearly universal. Insurers want to see the test methodology, findings with severity ratings, evidence of remediation for critical issues, and a retest report confirming fixes were implemented.
What Does ABA Model Rule 1.1 Say About Security Testing?
ABA Model Rule 1.1 requires lawyers to provide competent representation, and Comment 8 extends this duty to technological competence: lawyers must "keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology." The ABA House of Delegates adopted Resolution 609 in August 2023, explicitly urging lawyers to "conduct periodic external and internal vulnerability scans" among other specific security practices.
The implications for security testing are direct. A law firm that stores privileged communications, client financial data, trade secrets, and litigation strategy across networked systems—without periodically testing whether those protections are effective—cannot credibly claim to be exercising the technological competence Rule 1.1 demands. ABA Resolution 609's report stated directly: "Lawyers do not get a free pass when it comes to data security."
State bar ethics committees have reinforced this position. When evaluating whether a firm met its obligations under Rule 1.6(c) following a breach, regulators consider what security testing the firm had performed and when. A firm that suffered a breach through a vulnerability that a standard penetration test would have detected—and that had no record of recent security testing—faces a substantially more difficult defense in a disciplinary proceeding or malpractice action.
What Are the Specific Law Firm Vulnerabilities That Security Testing Reveals?
Law firms have a distinct technology and risk profile that creates vulnerabilities different from those in other industries. Security testing for law firms regularly uncovers:
- Email system misconfigurations: Inadequate email authentication settings (SPF, DKIM, DMARC) allow attackers to spoof the firm's domain in phishing campaigns targeting clients. Many small-firm email environments are configured to accept external email without adequate filtering—making it trivially easy for attackers to impersonate attorneys.
- Exposed remote access: Many law firms deployed remote access solutions rapidly during the pandemic and never hardened them afterward. RDP (Remote Desktop Protocol) exposed to the internet without MFA is a primary ransomware entry point and consistently appears as a critical finding in law firm penetration tests.
- Case management and document system access controls: Overly broad permissions within practice management platforms mean that a single compromised user account can access the entire firm's client database. Penetration tests regularly demonstrate that an attacker who compromises a receptionist's credentials can access partner-level client files.
- Trust account and billing system integration: Financial system integrations that allow transfers without out-of-band verification are a primary target for business email compromise and internal fraud. Penetration testers evaluating financial system access can identify how far a compromised session could reach into trust accounting controls.
- Legacy software and unpatched systems: The Jones Day breach (2021) originated through an end-of-life file transfer application. The firm lacked a technology lifecycle management process. Penetration testing includes identifying end-of-life software and verifying patch levels across all systems.
- Third-party vendor access: IT vendors, managed service providers, and software platforms with privileged access to firm systems represent lateral movement opportunities. The 2023 Genova Burns breach originated through a vendor relationship. Testing should include evaluation of how third-party access is controlled and monitored.
- Physical security integration: Physical access to firm workstations can allow attackers to bypass many technical controls. Comprehensive penetration testing may include physical and social engineering assessments—testing whether front desk staff would allow an unauthorized individual into the firm's technology environment.
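The email authentication finding above is one a firm can check for itself before an engagement. The script below is an added example written for this page, not NorthStar's tooling or the page's own code: it evaluates a domain's SPF, DKIM and DMARC records for the weaknesses a tester would flag (no record, an SPF policy ending in +all, a DMARC policy that only monitors, too many SPF lookups). The domain example.law, the record contents and the severity ratings are constructed assumptions; for a live check, fetch the TXT records with a DNS resolver and pass them in the same shape.

```python
"""Offline check of SPF, DKIM and DMARC records for common weaknesses.
Added illustration, not NorthStar's tooling; records are constructed."""
import re

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def _spf_findings(domain, txt_records):
    """Evaluate the SPF record published at the domain apex."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return [("high", f"{domain}: no SPF record; receivers cannot tell which hosts may send for it")]
    findings = []
    if len(spf) > 1:
        findings.append(("high", f"{domain}: multiple SPF records; receivers treat this as a permanent error"))
    lookups = 0
    all_qualifier = None  # "+", "-", "~" or "?" on the trailing 'all'
    for term in spf[0].split()[1:]:
        bare = term.lower().lstrip("+-~?")
        if bare == "all":
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
        # These mechanisms each cost one of the ten DNS lookups RFC 7208 allows.
        elif bare.startswith(("include:", "exists:", "redirect=")) or \
                bare.split(":")[0].split("/")[0] in ("a", "mx", "ptr"):
            lookups += 1
    if all_qualifier is None:
        findings.append(("medium", f"{domain}: SPF has no 'all' term, so unlisted senders are treated as neutral"))
    elif all_qualifier == "+":
        findings.append(("high", f"{domain}: SPF ends in +all, which authorises any host to send as this domain"))
    elif all_qualifier == "?":
        findings.append(("medium", f"{domain}: SPF ends in ?all (neutral); spoofed mail is not marked"))
    elif all_qualifier == "~":
        findings.append(("low", f"{domain}: SPF ends in ~all (softfail); enforcement depends on DMARC"))
    if lookups > 10:  # top-level count only; nested includes also count in a live check
        findings.append(("medium", f"{domain}: SPF needs {lookups} DNS lookups at top level, over the limit of 10"))
    return findings


def _dmarc_findings(domain, dmarc_records):
    """Evaluate the DMARC record published at _dmarc.<domain>."""
    dmarc = [r for r in dmarc_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return [("high", f"{domain}: no DMARC record at _dmarc.{domain}; spoofed mail is delivered normally")]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(("medium", f"{domain}: DMARC p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(("low", f"{domain}: DMARC p=quarantine; move to p=reject once reports are clean"))
    elif policy != "reject":
        findings.append(("high", f"{domain}: DMARC record has no valid p= policy tag"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(("low", f"{domain}: DMARC pct={pct} applies the policy to only part of the mail"))
    if "rua" not in tags:
        findings.append(("low", f"{domain}: no rua= address, so the firm receives no aggregate reports"))
    return findings


def _dkim_findings(domain, selector_records):
    """selector_records maps a DKIM selector to the TXT records at <selector>._domainkey.<domain>.
    Selectors are not discoverable from DNS, so the firm or its mail provider must supply them."""
    if not selector_records:
        return [("medium", f"{domain}: no DKIM selector supplied or published; outbound mail cannot be signed")]
    findings = []
    for selector, txts in selector_records.items():
        keys = [r for r in txts if re.search(r"(^|;)\s*p=", r)]
        if not keys or re.search(r"(^|;)\s*p=\s*(;|$)", keys[0]):
            findings.append(("medium", f"{domain}: DKIM selector '{selector}' publishes no public key (missing or revoked)"))
    return findings


def assess_email_auth(domain, records):
    """records = {"txt": [apex TXT], "dmarc": [_dmarc TXT], "dkim": {selector: [TXT]}}."""
    findings = (_spf_findings(domain, records.get("txt", []))
                + _dmarc_findings(domain, records.get("dmarc", []))
                + _dkim_findings(domain, records.get("dkim", {})))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


# Constructed records for a placeholder domain: the weak configuration a test often
# finds, and the hardened set that remediation should produce.
WEAK_RECORDS = {
    "txt": ["v=spf1 include:_spf.mailprovider.example ip4:203.0.113.10 +all"],
    "dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@example.law"],
    "dkim": {},
}
HARDENED_RECORDS = {
    "txt": ["v=spf1 include:_spf.mailprovider.example ip4:203.0.113.10 -all"],
    "dmarc": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.law"],
    "dkim": {"selector1": ["v=DKIM1; k=rsa; p=CONSTRUCTEDBASE64PUBLICKEY"]},
}

if __name__ == "__main__":
    for label, recs in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(f"--- {label} ---")
        for severity, message in assess_email_auth("example.law", recs) or [("info", "no findings")]:
            print(f"[{severity.upper()}] {message}")
```

The weak set produces a high finding for +all and medium findings for p=none and the missing DKIM key; the hardened set produces none. The SPF lookup counter only sees the top-level record, so a live version should resolve each include and add its lookups before comparing against the limit of ten.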
What Do Client RFPs and Enterprise Clients Require?
For law firms with corporate or institutional clients—particularly in financial services, healthcare, technology, and defense sectors—security testing is increasingly a client requirement, not just an internal best practice.
Enterprise clients routinely include security questionnaires in outside counsel panel qualification processes. These questionnaires typically ask:
- Whether the firm conducts annual penetration testing
- Whether vulnerability assessments are performed regularly
- What the firm's most recent test date and scope were
- Whether critical findings from security testing have been remediated
- What security certifications or frameworks the firm adheres to
Law firms that cannot answer these questions affirmatively are increasingly disqualified from enterprise panel consideration. As data privacy regulations have expanded and institutional clients have faced their own regulatory scrutiny over third-party risk management, the security posture of outside counsel has become a supply chain risk issue for sophisticated clients. A firm that wants to represent healthcare systems, financial institutions, or public companies in 2026 should expect to demonstrate active security testing programs as a condition of the engagement.
Financial services clients may also be subject to specific regulatory requirements (SEC, FINRA, NYDFS) that mandate third-party risk assessments of service providers, including outside counsel. Law firms that serve regulated financial institutions and cannot demonstrate security testing programs may create compliance problems for their own clients.
How Often Should Law Firms Conduct Penetration Testing and Security Audits?
Frequency should be risk-based, but the following framework is appropriate for most small to mid-sized law firms:
- Annual external penetration test: Test the firm's externally visible attack surface—internet-facing systems, web applications, email infrastructure, remote access—at minimum once per year. This is the baseline requirement for most cyber insurance policies above $1 million in coverage.
- Annual internal penetration test: Simulates what an attacker can accomplish once inside the network—either through a compromised endpoint, a phishing-delivered payload, or a malicious insider. This assessment reveals lateral movement paths, privilege escalation opportunities, and data access risks that external testing cannot see.
- Vulnerability assessments quarterly: Between annual penetration tests, automated vulnerability scans provide early warning of newly disclosed vulnerabilities affecting your systems and confirm that patches have been applied appropriately.
- After significant changes: Any time the firm makes material changes to its IT environment—migrating to a new practice management platform, expanding a cloud environment, deploying new remote access solutions, or onboarding a new IT vendor—a targeted assessment should be conducted on the changed components.
- Social engineering assessment annually: Phishing simulations managed by an external party provide an objective measure of staff susceptibility and test whether email security controls are effectively blocking malicious messages.
Smaller firms—solo to five-attorney practices—may find that a combined vulnerability assessment and limited external penetration test conducted annually provides adequate coverage at a proportionate cost. As firm size, revenue, and client sensitivity increase, the scope and frequency of testing should expand accordingly.
What Should Law Firms Do with Penetration Test Results?
A penetration test report has no value if it sits unread. The output of every test engagement should drive a structured remediation process:
- Prioritize critical and high findings immediately: Any finding rated critical or high by the testing team represents an exploitable vulnerability that an attacker could use today. These must be remediated as a priority, typically within 30 days.
- Document remediation: Maintain records of every finding, the remediation action taken, who took it, and when. This documentation is essential for cyber insurance applications and for demonstrating due care in bar proceedings or litigation.
- Request retesting on critical findings: After remediating critical findings, request a targeted retest to confirm the fix was implemented correctly. A patch that was applied incompletely or a configuration change that did not take effect may leave the vulnerability open despite the remediation effort.
- Present findings to firm leadership: Managing partners and firm administrators should receive an executive summary of test findings in non-technical language. Cybersecurity decisions require leadership visibility; findings that stay only with the IT team may not receive the resources needed for remediation.
- Use findings to inform training: If the test identified successful phishing susceptibility or social engineering vulnerabilities, feed those findings directly into the firm's security awareness training program. Specific, realistic scenarios based on actual test results are far more effective than generic training content.
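The remediation process above is easier to keep honest when it is tracked rather than remembered. The tracker below is an added example written for this page, not NorthStar's process or tooling: it applies a 30-day window to critical and high findings as the article states, keeps critical findings open until a retest confirms the fix, and produces the who/what/when log that insurers and bar inquiries ask for. The 90-day and 180-day windows for medium and low findings, the finding records and the report date are constructed assumptions.

```python
"""Remediation tracker for penetration test findings.
Added illustration, not NorthStar's process; sample findings are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Days allowed from the report date. 30 days for critical/high follows the article;
# the medium and low windows are assumed values for illustration.
SLA_DAYS = {"critical": 30, "high": 30, "medium": 90, "low": 180}
RETEST_REQUIRED = {"critical"}  # stays open until a retest confirms the fix


@dataclass
class Finding:
    finding_id: str
    title: str
    severity: str
    reported: date
    remediated: Optional[date] = None      # when the fix was applied
    remediated_by: Optional[str] = None    # who applied it
    retest_passed: Optional[bool] = None   # None: no retest yet


def due_date(finding):
    return finding.reported + timedelta(days=SLA_DAYS[finding.severity])


def classify(finding, today):
    """One of: closed, awaiting_retest, retest_failed, open_on_track, open_overdue."""
    if finding.remediated is not None:
        if finding.retest_passed is True:
            return "closed"
        if finding.retest_passed is False:
            return "retest_failed"
        if finding.severity in RETEST_REQUIRED:
            return "awaiting_retest"
        return "closed"
    return "open_overdue" if today > due_date(finding) else "open_on_track"


def remediation_report(findings, today):
    """Group finding IDs by status and list the still-open ones past their due date."""
    statuses = ("open_overdue", "retest_failed", "awaiting_retest", "open_on_track", "closed")
    report = {s: [] for s in statuses}
    for f in findings:
        report[classify(f, today)].append(f.finding_id)
    report["days_overdue"] = {
        f.finding_id: (today - due_date(f)).days
        for f in findings
        if classify(f, today) in ("open_overdue", "retest_failed") and today > due_date(f)
    }
    return report


def remediation_log(findings):
    """The audit trail an insurer or bar inquiry would ask for: one line per finding."""
    lines = []
    for f in findings:
        fix = f"fixed {f.remediated} by {f.remediated_by}" if f.remediated else "not yet remediated"
        retest = {True: "retest passed", False: "retest FAILED", None: "no retest"}[f.retest_passed]
        lines.append(f"{f.finding_id} [{f.severity}] {f.title}: reported {f.reported}, "
                     f"due {due_date(f)}, {fix}, {retest}")
    return lines


# Constructed sample findings from a hypothetical test reported on 2026-01-10,
# reviewed as of the constructed date AS_OF.
AS_OF = date(2026, 3, 1)
SAMPLE_FINDINGS = [
    Finding("F-001", "RDP exposed to the internet without MFA", "critical", date(2026, 1, 10),
            remediated=date(2026, 1, 25), remediated_by="IT vendor"),
    Finding("F-002", "SPF record ends in +all", "high", date(2026, 1, 10)),
    Finding("F-003", "Receptionist account can read all client matters", "critical", date(2026, 1, 10),
            remediated=date(2026, 1, 20), remediated_by="Firm administrator", retest_passed=False),
    Finding("F-004", "Unpatched file transfer appliance", "medium", date(2026, 1, 10)),
    Finding("F-005", "Verbose banner on web server", "low", date(2026, 1, 10),
            remediated=date(2026, 2, 1), remediated_by="IT vendor"),
]

if __name__ == "__main__":
    for status, ids in remediation_report(SAMPLE_FINDINGS, AS_OF).items():
        print(f"{status}: {ids}")
    print("\n".join(remediation_log(SAMPLE_FINDINGS)))
```

As of the sample date, F-002 is open and 20 days past its deadline, F-003 failed its retest and counts as still open, F-001 is fixed but waiting on the retest the article recommends, and only the low-severity F-005 closes without one. Extending RETEST_REQUIRED to include "high" is a one-line change if the firm's insurer expects it.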
What Should Law Firms Do Next?
If your firm has not conducted an external penetration test in the past 12 months, or has never had a formal security assessment, that gap should be addressed before your next cyber insurance renewal—not after. Insurers are increasingly reviewing test documentation as part of underwriting, and enterprise clients are asking for it in panel questionnaires. More importantly, the vulnerabilities that testing reveals are the same ones that attackers are actively probing in the legal sector every week.
At NorthStar Technology Group, we conduct penetration testing and security audits specifically for law firms—with reporting designed to satisfy insurer requirements, meet ABA competence standards, and give managing partners actionable intelligence rather than a technical document they cannot use. Our assessments pair test findings with the managed security services needed to address them. See our broader framework for law firm cybersecurity, and explore how our security capabilities connect with your firm's technology needs at northstartechnologygroup.com/services.
About the author

Ken Satkunam, CISM
President & Founder, NorthStar Technology Group
Ken has spent over 25 years in IT leadership, serving in roles from technical support to CIO for organizations as large as 23,000 employees. He founded NorthStar Technology Group in 2000 to help regulated organizations build secure, compliant, and operationally resilient technology environments. Ken holds the Certified Information Security Manager (CISM) credential from ISACA and is the co-author of the Amazon best-seller "Cyber Attack Prevention." He has been quoted in industry publications including eWeek and DM News, and NorthStar has been recognized on the Inc. 5000 list in both 2024 and 2025.