IT and cybersecurity for Australian law firms.

Privilege, trust accounts, matter files, conveyancing settlements. The assets are valuable, the regulators are attentive, and the email fraud targeting your clients is getting better at its job every month. We've worked in the industry long enough to know what the risks actually look like, and which controls actually mitigate them.

What's actually different in legal

The threats that hit law firms aren't generic.

Email-based invoice redirection targeting conveyancers is now the most common real loss we see in the Western Australian market. A fraudster compromises a client's email, watches the settlement, and sends revised bank details at the right moment. Your practice-management software doesn't see it. Your secretary does, and she believes the email because it's from the right person.
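The pattern above is a defender's problem before it is a software problem: the practice-management system never sees the email, so the control has to sit in the mail flow and in office procedure. As an added example (not code from the original page or from any of the vendors it names), the following Python script screens inbound settlement correspondence for the tell-tale signs of invoice redirection and applies a fixed rule: any request to change payment details is held for phone verification on the number already on the matter file, whatever the email says. The sample messages, domains and addresses are constructed for the example; `KNOWN_PARTY_DOMAINS` stands in for the domains recorded on the matter.

```python
"""Screen inbound conveyancing emails for bank-detail change requests.

Added example with constructed data: the messages, people, domains and
account numbers below are invented and not taken from any real matter.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Domains of the parties on the matter, as recorded on the file (hypothetical).
KNOWN_PARTY_DOMAINS = {"brightside-homes.example", "buyer-mail.example"}

BANK_CHANGE_TERMS = (
    "new bank", "updated bank", "changed bank", "revised bank",
    "new account", "updated account", "different account",
)
URGENCY_TERMS = ("urgent", "today", "immediately", "before settlement", "asap")
BSB_RE = re.compile(r"\b\d{3}[- ]?\d{3}\b")   # Australian BSB, e.g. 066-123
ACCOUNT_RE = re.compile(r"\b\d{6,10}\b")       # account number, 6 to 10 digits


def _domain(addr: str) -> str:
    """Domain part of an email address, lower-cased; empty if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg) -> str:
    """Plain-text body of a parsed message (joins text/plain parts if multipart)."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return msg.get_payload(decode=True).decode("utf-8", "replace")


def assess(raw: str) -> dict:
    """Return the flags raised by one raw RFC 822 message and the handling rule."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    auth = msg.get("Authentication-Results", "").lower()
    body = _body_text(msg).lower()

    flags = []
    asks_bank_change = any(t in body for t in BANK_CHANGE_TERMS) or bool(
        BSB_RE.search(body) and ACCOUNT_RE.search(body))
    if asks_bank_change:
        flags.append("bank-detail change requested")
    if reply_to and _domain(reply_to) != _domain(sender):
        flags.append("reply-to domain differs from sender")
    if _domain(sender) not in KNOWN_PARTY_DOMAINS:
        flags.append("sender domain not on matter file")
    if any(t in body for t in URGENCY_TERMS):
        flags.append("urgency language")
    if any(f in auth for f in ("spf=fail", "dkim=fail", "dmarc=fail")):
        flags.append("email authentication failed")

    # Policy: a change to payment details is always verified by phone on the
    # number already on the file, never on a number quoted in the email.
    # Other flags on their own prompt a review but do not block the matter.
    if asks_bank_change:
        action = "hold: verify by phone using the number on file"
    elif len(flags) >= 2:
        action = "review before acting"
    else:
        action = "release"
    return {"flags": flags, "action": action}


# Constructed sample messages for the example.
LEGIT = """From: Sarah Nguyen <sarah@brightside-homes.example>
To: settlements@lawfirm.example
Subject: Contract signed
Authentication-Results: mx.lawfirm.example; spf=pass; dkim=pass; dmarc=pass

Hi, attaching the signed contract. Settlement date confirmed for the 14th.
"""

FRAUD = """From: Sarah Nguyen <sarah@brightside-hornes.example>
Reply-To: sarah.nguyen@webmail-lookalike.example
To: settlements@lawfirm.example
Subject: RE: Settlement funds - urgent
Authentication-Results: mx.lawfirm.example; spf=fail; dkim=none; dmarc=fail

Hi, our bank has changed since we sent the earlier details. Please use the
new account for settlement today: BSB 066-123 Account 12345678.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("fraud", FRAUD)):
        print(name, assess(raw))
```

The lookalike sender domain (`hornes` for `homes`) and the mismatched Reply-To are the kind of detail a busy secretary reads past; the script makes them explicit, but the rule that actually prevents the loss is the unconditional hold on any payment-detail change, which does not depend on catching the lookalike at all.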

Client-driven audits are also arriving. Larger corporate clients are now asking mid-tier firms for evidence of MFA, offboarding controls, and data-handling practices before renewing engagement letters. The questions are basic; the issue is whether your current setup can answer them with evidence when asked.

Practice-management vendors (Affinity, LEAP, Smokeball, FilePro, Actionstep) each have their own security posture. The one that matters is the environment around them: identity, device, network, backup, offboarding. That's where most incidents start, not in the PMS itself.

Live right now · Legal

The 2026 pressure points we're actively working on with clients.

The specific asks, deadlines and enforcement actions shaping 2026 conversations in your sector.

AML/CTF Tranche 2 enrolment, 29 July 2026

Enrolment opens 31 March 2026. Lawyers and conveyancers providing designated services must be enrolled with AUSTRAC by 29 July 2026, with obligations commencing 1 July 2026: a written AML/CTF program, KYC procedures, record-keeping and reporting. This is the biggest compliance shift the profession has faced in a decade, and it's largely an IT and data-handling project underneath the legal work.

Mandatory ransomware payment reporting, 72 hours

Under the Cyber Security Act, firms with turnover above $3M must report any ransomware payment to ASD within 72 hours (commenced 30 May 2025). That means your incident-response plan now has a legal deadline, not just a commercial one. Most firms we assess don't have an IR plan at all.

Privacy Act Tranche 2, expected mid-2026

Tranche 1 (statutory tort for serious invasions of privacy, children's privacy code) is live. Tranche 2 is likely to remove the small-business exemption from APP obligations for approximately 100,000 Australian businesses. Most mid-tier law firms already handle enough personal information to be treated as APP entities; the formal coverage makes the obligations explicit.

PI insurance and conveyancing fraud

PEXA MFA is mandatory on every practitioner account and has been for some time. Invoice-redirection fraud targeting conveyancers remains the #1 PI claim driver in Western Australia, and Law Mutual's 2025/26 Master Policy is pricing it accordingly. Preventing one incident pays for multiple years of proper IT.

Frameworks that turn up in the room

Industry frameworks, regulations and audit standards for legal in Australia.

Law Society / Bar Association rules
Each state's legal profession rules cover client confidentiality, trust-account handling and record retention. Rules vary by state. We match the control environment to the firm's jurisdiction(s).
Privacy Act 1988 + APPs
The Australian Privacy Principles and Notifiable Data Breaches scheme. Any firm handling personal information (all of them) has obligations around access, correction, breach notification and retention.
Legal professional privilege
Not a statutory control, but a defensible chain of custody matters. Email routing, backup handling and eDiscovery workflows all have to preserve privilege without accidental waiver.
ACSC Essential Eight
The baseline most cyber insurers and increasingly large corporate clients are scoring law firms against. See our /essential-eight page for the maturity model and how we move firms through it.
Conveyancing-specific obligations
PEXA MFA requirements, cyber-insurance mandates for firms handling property settlements, and fraud-prevention controls around email-based invoice redirection (the single most common real loss).

Common questions

The things legal clients ask us first.

Our current IT person says we're 'fine' because we have MFA. Are we?
MFA is one of the Essential Eight's eight controls, and it is only effective if it's phish-resistant, applied to every critical system (not just Microsoft 365), and enforced rather than suggested. Most firms we assess have MFA on email and nothing else, with SMS-based codes on top of that. That's not "fine." We can assess your current maturity and give you a plain-English answer.
Can you run our practice-management software (Affinity, LEAP, Smokeball, etc.)?
We manage the environment those applications run on: the Microsoft 365 tenant, the devices, the network, the backups, the identities. Where the vendor provides a cloud-hosted version, we integrate it into your security and identity stack. Where it's still on-premises, we host or manage the server it runs on. Application-level workflow support remains with the software vendor, but we know where the boundary sits and we own the systems side end-to-end.
Our clients are starting to send us security questionnaires. Can you help?
Yes. We've completed these for firms being asked by corporate clients, major financial institutions, and listed companies. We fill them in with you, not for you, because some answers are yours to give (incident-response decisions, retention policy) and some are ours (technical control detail). Either way, we'd rather give an honest "partial" than a confident "yes" that blows up on audit.
We had a suspicious email go to a partner. What do we do?
Right now: don't click anything, don't delete the email, and ring us. We have an incident-response playbook that starts with containment, works through identity and endpoint verification, and ends with a written record you can show your insurer if needed. If it turns out to be nothing, the record matters less. If it's real, the first hour is where most of the damage is prevented.
Can our lawyers use Microsoft 365 Copilot or Claude for Work on matter data?
Yes, with governance. Copilot inherits every access permission a user already has, which in most law firms includes matters they shouldn't reach and client data they shouldn't summarise. Before rolling out Copilot we audit matter-level permissions, apply sensitivity labels, and pilot with a small practice group. For Claude for Work or ChatGPT Enterprise, the considerations are similar: enterprise tier with the right data-processing terms, acceptable-use policy written for legal context, consumer tiers blocked at DNS. None of it is a blanket yes or no. All of it is a tooling-plus-policy question we've helped firms work through.
AML/CTF Tranche 2 is coming in July 2026. How much of this is an IT problem?
Most of it, underneath the legal work. You need a written AML/CTF program, KYC record-keeping, audit trails, staff training records, and a way to produce the evidence when AUSTRAC asks. We don't write the AML/CTF program itself (that's your legal and compliance call), but we set up the document-management, identity, logging and retention infrastructure that makes the program actually operable. The firms leaving this to the last month before 29 July 2026 will struggle; the ones starting in early 2026 will be fine.

The qualifier

Let's see if we're a fit.

Seven questions, one moment of your time. We'd rather tell you now than three months in.