New Zealand Law Society - How to stay cyber safe in legal practice

How to stay cyber safe in legal practice

As Cyber Security Awareness Month draws to a close, it’s a good time to reflect on why cyber security matters to every legal practitioner, and to share practical steps for protecting your clients, your firm and your professional reputation.

Lawyers hold some of the most sensitive personal and commercial information in the country, and cyber threats such as phishing, ransomware and business email compromise continue to rise. Maintaining strong cyber security safeguards is not just good business practice: the consequences of a cyber incident can include substantial financial losses, reputational harm and breaches of professional obligations.

Common threats to law firms 

Business Email Compromise (BEC): Attackers impersonate lawyers or clients to redirect trust-account payments. 

Ransomware: Criminals lock systems or encrypt data until a ransom is paid. 

Phishing and credential theft: Malicious links or attachments steal login details. 

Third-party or supply-chain compromise: Breaches at IT providers, cloud storage, or document-sharing services. 

The New Zealand National Cyber Security Centre (NCSC) and CERT NZ both warn that even small firms are targets, particularly those handling client funds or commercially sensitive information. 

Key obligations for lawyers 

There are key professional obligations lawyers need to be aware of when considering cyber security, so that they manage the risks competently and effectively.

For example, the Lawyers and Conveyancers Act (Lawyers: Conduct and Client Care) Rules 2008 and the Privacy Act 2020 require lawyers to protect and hold in strict confidence all information concerning a client acquired during the professional relationship.  

Chapters 8 and 11 of the Rules of Conduct and Client Care set out lawyers’ fundamental obligations to protect confidentiality and to ensure that their legal practice is competently managed and supervised at all times, so that they meet their professional obligations and preserve the reputation of the legal profession.

Five practical steps for stronger security 

Secure access and authentication 

  • Use multi-factor authentication (MFA) on all accounts, especially email, cloud and trust-account systems. 

  • Require strong, unique passwords and use a password manager. 

Keep systems up to date 

  • Regularly apply software and security updates. Consider regular IT security audits to benchmark your systems.

  • Deactivate old accounts and remove access when staff leave. 

Train and test your people 

  • Conduct staff training on phishing and safe email practices at least annually. 

  • Establish a clear policy for verifying any changes to bank details or payment instructions. 

Plan for incidents 

  • Develop an incident-response plan outlining who to contact, steps to isolate affected systems, and how to notify clients or regulators. 

  • Keep contact details for CERT NZ and your IT provider accessible offline. 

Back up and recover 

  • Maintain encrypted, tested backups stored offline or in a secure cloud. 

  • Review your recovery process so you can restore data quickly if systems are compromised. 

Special considerations for legal practice 

Cloud and AI tools: Ensure external platforms meet privacy and confidentiality requirements. Avoid uploading sensitive client information to generative AI tools without safeguards. 

Trust-account security: Verify fund transfer instructions with clients by phone or in person. 

Cyber insurance: Consider specialist cover, but remember that it supplements, rather than replaces, robust security controls.

Data sovereignty: Check where client information is stored and processed, particularly with overseas vendors. 

Quick action checklist 

☑ Enable MFA on all systems 

☑ Update software and devices 

☑ Conduct phishing-awareness training 

☑ Review cloud provider contracts 

☑ Test your backup and restoration process 

☑ Create or update your incident-response plan 

Cyber security is a core part of professional responsibility for lawyers. A single breach can undermine client trust, disrupt your practice, and compromise legal and regulatory duties. 

By taking practical steps now, including securing access, training staff, maintaining backups and preparing for incidents, you protect not only your clients’ information but also your firm’s integrity and reputation.

For guidance and resources, visit CERT NZ or the New Zealand Law Society’s professional practice resources. You can also use the online security assessment tool for yourself or your business.