Cybersecurity for Professional Services: Protecting Client Data

Professional services firms - lawyers, accountants, consultants, architects - handle some of the most sensitive client information. A security breach doesn't just expose data; it destroys the trust that is the foundation of your business. Here's what you need to know to protect your clients and your reputation.

Professional services firms handle the most sensitive client information

Why Professional Services Are Targeted

Your firm is an attractive target for several reasons:

Valuable data

Financial records, legal strategies, M&A plans, intellectual property - all highly valuable to attackers

Trusted relationships

Attackers can use your email to reach your clients with credible-looking requests

Smaller IT teams

Most firms lack dedicated security staff, creating gaps attackers exploit

Time pressure

Urgent deadlines make staff more likely to click malicious links or bypass security

Client access

You often have direct access to client systems, financials, and confidential documents

Professional ethics

Breaches can result in disciplinary action from professional bodies

Common Threats to Professional Services

Understanding the threats helps you defend against them:

Business Email Compromise (BEC)

Attackers impersonate partners or clients to request fund transfers or sensitive documents

Average loss: €120,000 per incident

Client Data Theft

Targeted attacks to steal confidential client information for competitive advantage or blackmail

Regulatory fines + client lawsuits + reputation damage

Ransomware

Encryption of all firm files, including client documents, with payment demanded; most ransomware crews now also copy the data out first and threaten to publish it, so a good backup restores operations but does not remove the confidentiality exposure

Weeks of downtime, potential permanent data loss

Insider Threats

Departing employees taking client lists or confidential matter files

Competitive harm + potential ethics violations

Supply Chain Attacks

Compromised software or service providers giving attackers access to your systems

Difficult to detect, wide-ranging access

Regulatory Requirements

Professional services firms must comply with multiple overlapping requirements:

GDPR

Applies to all client personal data. A breach that is likely to put individuals at risk must be reported to the supervisory authority without undue delay and within 72 hours of becoming aware of it.

Professional Ethics

Bar associations and accounting boards require client confidentiality - breaches can mean sanctions.

NIS2

Larger firms (50+ employees or €10M+ revenue) may be classified as "Important" entities.

Anti-Money Laundering

Additional security requirements for customer due diligence data.

Client Contracts

Many clients require specific security measures in engagement letters.

Essential Security Measures

Prioritize these protections for your firm:

1. Client Data Encryption

  • Encrypt all client files at rest (on your servers and laptops)
  • Use encrypted email for confidential communications
  • Enable full-disk encryption on all devices
  • Use secure client portals instead of email attachments
  • Encrypt backups (and test restoration regularly)

2. Secure File Sharing

  • Use professional secure file sharing (not personal Dropbox)
  • Set expiration dates on shared links
  • Log all access to shared files
  • Require authentication for downloads
  • Avoid USB drives for client data
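Three of the items above (expiring links, authenticated downloads, logging every access) fit in one small mechanism: a link token that is bound to a file and a recipient, carries a hard expiry, and is signed so it cannot be edited. The block below is an added illustration, not code from the page or from any portal product; `issue_share_link`, `redeem_share_link`, the `matter-4711/...` file id, the `@client.test` addresses and the `key` argument are all hypothetical names chosen for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class ShareGrant:
    file_id: str
    recipient: str
    expires_at: int  # Unix time after which the link is dead


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_share_link(file_id: str, recipient: str, ttl_seconds: int, key: bytes, now=None) -> str:
    """Mint a link token bound to one file, one recipient and a hard expiry.

    The payload is signed with HMAC-SHA256 so nobody can edit it to extend the
    expiry or point it at another matter's file. `key` is a hypothetical
    server-side secret; in production load it from a secret store.
    """
    now = int(time.time()) if now is None else now
    claims = {"f": file_id, "r": recipient, "e": now + ttl_seconds, "n": secrets.token_hex(8)}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(sig)}"


def redeem_share_link(token: str, presented_by: str, key: bytes, audit_log: list, now=None):
    """Validate a token presented by an authenticated user and log the outcome.

    Returns a ShareGrant on success, None otherwise. Every attempt, failures
    included, is appended to `audit_log` so the firm can later answer
    "who accessed this file" for a client inquiry or an incident review.
    """
    now = int(time.time()) if now is None else now

    def log(outcome: str, **extra) -> None:
        audit_log.append({"ts": now, "by": presented_by, "outcome": outcome, **extra})

    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _b64d(payload_b64), _b64d(sig_b64)
    except ValueError:  # wrong shape or invalid base64 (binascii.Error is a ValueError)
        log("malformed")
        return None
    # Verify the signature before trusting a single byte of the payload.
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        log("bad_signature")
        return None
    claims = json.loads(payload)
    grant = ShareGrant(claims["f"], claims["r"], int(claims["e"]))
    if now >= grant.expires_at:
        log("expired", file_id=grant.file_id)
        return None
    if presented_by != grant.recipient:  # download requires the named, logged-in recipient
        log("recipient_mismatch", file_id=grant.file_id)
        return None
    log("granted", file_id=grant.file_id)
    return grant


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)
    log = []
    link = issue_share_link("matter-4711/engagement-letter.pdf", "alice@client.test", 24 * 3600, demo_key)
    print(redeem_share_link(link, "alice@client.test", demo_key, log))
    print(redeem_share_link(link, "someone@else.test", demo_key, log))
    for entry in log:
        print(entry)
```

The order of checks matters: the signature is verified before the JSON is parsed, so a forged or corrupted payload is never interpreted, and the expiry and recipient checks only run on data the server itself signed. The `audit_log` list stands in for whatever append-only store the portal uses.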

3. Email Security

  • Enable multi-factor authentication (MFA) for all email accounts, preferring phishing-resistant methods (FIDO2 security keys or passkeys) over SMS codes
  • Implement advanced phishing protection
  • Train staff to verify wire transfer requests by phone, calling back on a number already on file, never one supplied in the email
  • Use email encryption for sensitive matters
  • Publish SPF and DKIM for your domain and a DMARC policy of quarantine or reject; a DMARC record with p=none only reports spoofing, it does not stop it
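Whether SPF and DMARC actually stop spoofing depends on a few tags in the published TXT records, and "we have DMARC" often turns out to mean p=none. The checker below is an added example, not the page's or any vendor's code: it parses constructed SPF and DMARC records (the `example.test` domain and all records are made up for the illustration) and reports the settings that let spoofed mail through or leave abuse unreported.

```python
import re

# Constructed example records; example.test is not a real domain.
WEAK_SPF = "v=spf1 include:_spf.example.test ~all"
STRONG_SPF = "v=spf1 include:_spf.example.test -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.test"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                "rua=mailto:dmarc@example.test")

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def dmarc_findings(record: str) -> list:
    """Return the settings that let spoofed mail through or leave it unreported."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: failures are only reported, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: policy enforced on only {pct}% of failing messages")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so abuse of the domain goes unseen")
    sub_policy = tags.get("sp", "").lower()
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains are exempt from the enforcement policy")
    return findings


def spf_findings(record: str) -> list:
    """Flag an SPF record whose terminal mechanism or lookup count makes it ineffective."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    findings = []
    terminal = next((t.lower() for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if terminal in ("all", "+all"):
        findings.append("+all: every sender on the internet passes SPF")
    elif terminal == "~all":
        findings.append("~all (softfail): unauthorised senders are tagged, not rejected")
    elif terminal == "?all":
        findings.append("?all (neutral): SPF gives no protection")
    elif terminal is None:
        findings.append("no terminal 'all': unlisted senders default to neutral")
    lookups = 0
    for term in terms[1:]:
        m = re.match(r"^[+\-~?]?([a-z0-9]+)", term.lower())
        if m and m.group(1) in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} lookup terms: over the limit of 10, receivers treat the record as permerror")
    return findings


if __name__ == "__main__":
    for name, rec in (("weak DMARC", WEAK_DMARC), ("strong DMARC", STRONG_DMARC)):
        print(name, dmarc_findings(rec) or "OK")
    for name, rec in (("weak SPF", WEAK_SPF), ("strong SPF", STRONG_SPF)):
        print(name, spf_findings(rec) or "OK")
```

Run it against the TXT records you actually publish (`dig TXT _dmarc.yourdomain` and `dig TXT yourdomain`). Moving from p=none to p=reject is a staged change: collect aggregate reports at p=none first so legitimate senders (billing platforms, document portals) are covered by SPF or DKIM before enforcement, otherwise the firm's own mail starts bouncing.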

4. Access Controls

  • Limit access to client matters on need-to-know basis
  • Use unique strong passwords + password manager
  • Immediately revoke access when staff leave
  • Audit who accessed what files (for client inquiries)
  • Implement ethical walls (information barriers) so staff on one side of a conflict matter cannot open the other side's files

Communicating Security to Clients

Proactive security communication builds client confidence:

  • Include security practices in engagement letters
  • Offer secure client portals for document exchange
  • Explain how you protect their confidential information
  • Have a clear policy for notifying clients of any incidents
  • Be prepared to answer client security questionnaires
  • Consider obtaining ISO 27001 or SOC 2 certification for larger clients

Incident Response for Professional Services

When a security incident occurs, act quickly and carefully:

1. Contain

Isolate affected systems immediately - time is critical

2. Assess

Determine which clients and matters are affected

3. Legal

Engage cyber incident counsel (privilege considerations)

4. Notify

Where the breach is likely to put individuals at risk, report to the DPA without undue delay and within 72 hours of becoming aware of it; also notify your professional body and the affected clients

5. Recover

Restore from clean backups and change all credentials, once the attacker's way in has been closed

6. Review

Document lessons learned, update security measures

Protect Your Clients, Protect Your Reputation

Easy Cyber Protection helps professional services firms implement CyberFundamentals with guidance tailored to your industry. Meet regulatory requirements and client expectations without disrupting your practice.

Frequently Asked Questions

Does NIS2 apply to law firms and accounting practices?

If your firm has 50+ employees or €10M+ revenue, you may be classified as an "Important" entity under NIS2, especially if you serve critical sectors. Smaller firms are not directly covered but should still follow best practices and may face requirements from regulated clients.

What are the ethical obligations around cybersecurity?

Professional ethics rules require maintaining client confidentiality, which includes protecting data from cyber threats. Bar associations and accounting bodies increasingly expect reasonable security measures. A preventable breach could result in disciplinary proceedings.

How do we balance security with client service?

Modern security tools can be seamless. Secure client portals, encrypted email, and single sign-on actually improve client experience while protecting data. The key is choosing solutions designed for professional services workflows.

What should we do if we discover a breach?

Contain it immediately, engage cyber counsel (for privilege protection), assess which clients are affected, and prepare notifications. Under GDPR a breach likely to put individuals at risk must be reported to the DPA without undue delay and within 72 hours of becoming aware of it, and affected individuals must be told without undue delay where the risk is high. Professional ethics may require faster client notification.

Should we get cyber insurance?

Yes, cyber insurance is strongly recommended for professional services firms. It covers breach response costs, client notification, and potential liability. Many insurers also provide incident response services. Note: insurers increasingly require baseline security measures.
