Cyber risk


Cyber security is a risk for all organisations. Law firms are increasingly targeted as they hold both a wealth of sensitive data and large amounts of client money.

This year, our survey found that the most significant cyber threats that law firms faced were phishing, data breaches, ransomware and supply chain compromise, with phishing attacks reported as the most common. In Top 10 firms, malware infection and loss or leakage of confidential information were the second and third most common incidents.

Read our cyber blog post on how can law firms adapt to the cyber security threat.

Read our 'at a glance' preview below for more on this section.

At a glance

Cyber risk

The cyber security threat

  • Law firms consider the cyber threat to be greater than one year ago, the second greatest threat behind Brexit (up from 2018 when it ranked third).
  • This year, every respondent to our survey suffered a security incident, with the most common attack being phishing.
    Amongst Top 10 firms, 100% suffered a phishing attack, 75% suffered a malware attack and 25% experienced network intrusion, DOS, and confidential information loss or leakage.
  • In Top 11-25 and 26-50 firms, the top three attacks were phishing, other incidents caused by staff and loss or leakage of confidential information.
  • Overall, network intrusion was the least common known cyber security attack and this, perhaps, implies poor detection capabilities across the legal sector.
  • The insider threat is prevalent amongst all sizes of firms, with 75% of Top 10 and 90% of Top 11-100 having experienced incidents due to insiders over the last year.

IT capital spend

  • Average global IT capital spend of Top 10 firms was much higher than that for the Top 11-25, at £17.2m (1.9% of global fee income) compared to £2.4m (0.9% of global fee income), albeit the range in the Top 10 is significant (£4.6m to £51.6m). This highlights a need for some firms to increase their level of IT capital investment. 
  • We acknowledge there are various demands on IT capital spend; however, investing to become more “securable” in the face of an ever increasing cyber security threat is clearly business critical.

Executive ownership

  • Despite widespread acknowledgement of the cyber security threat, a number of law firms have no executive level risk ownership, true for 40% of Top 10 and 82% of Top 11-25 firms.
  • For the larger firms in the Top 25, that may be reflective of Chief Information Security Officers (“CISOs”) not sitting on boards. For others, a CISO may not even exist. 
  • Cyber security risks are not always receiving the due attention and budgetary considerations at the right level of influence. We consider it imperative that cyber security risk is owned at an Executive level and features on the Board Risk Register.

Crisis Management

  • Crisis management is a key component of ensuring resilience against a cyber attack, but this area does not appear to be prioritised outside Top 10 firms. 
  • In Top 11-25 firms, 54% have either not had senior management participate in crisis management exercises or they have not done so for over 12 months. This compares to 83% of Top 10 firms that have had senior management participate in a cyber crisis management exercise in the last 12 months. 
  • There is a real risk that firms outside the Top 10 are not adequately prepared to respond effectively in the event of a cyber security crisis.
Follow us

Contact us

Paul Brady

Paul Brady

Northern England - Cyber Security Director, PwC United Kingdom

Tel: +44 (0)7841 563498