The perfect storm for legal cybersecurity?
2nd July 2026 • Park Plaza Victoria, London, UK
Legal firms face an existential shift that some may not survive. Securing the new business model will be tough.
No country for old CISOs? Protecting the AI-native law firm
Law firms, like many other services companies, face an uncertain future. Is their current business model obsolete, as AI tools take over many of the low- to mid-level functions of the old-fashioned 'document producer' operating model? Will senior partners see AI as an easy way to higher profits even while the technology is still nascent? And what do law firms, and the wider legal marketplace, look like in a world in which AI tools really do deliver on their promises?
While the business wrestles with these questions, the future operating model of their firms also profoundly affects cybersecurity teams. As we have seen recently with the attack on consultancy firm McKinsey, and others, the AI tools being introduced into firms to deliver this alleged revolution are vulnerable to a range of security issues, from the EchoLeak/ZeroClick vulnerabilities in Microsoft 365 Copilot, to the data leakage and access control issues with the use of off-the-shelf LLMs.
And, as AI-enabled attacks also show, AI agents are being used offensively as well as creating vulnerabilities within the organisations in which they are deployed. If identity is the new perimeter, it just got even more complicated.
The potential upheaval in their operating model, the already unique challenges of securing client data in an environment of constant external data sharing around sensitive real-time deal making, and the attractiveness of the firms as a target for both economic and nation-state/geopolitical actors, will create the perfect storm for cybersecurity leaders in the legal sector.
So, what needs to be done?
Law firms need to accelerate their current BAU security programmes whilst adding AI-related initiatives:
- Upgrade identity security: identity lifecycle management and privileged-access hardening; unifying IAM, PAM, CIEM, and SSO into a coherent identity fabric; conditional access with continuous risk scoring; identity threat detection (ITDR); MFA hardening + phishing-resistant methods (FIDO2, passkeys).
- Add AI-driven identity security and insider-threat detection, AI-augmented anti-phishing and social engineering defences, AI-powered vulnerability discovery and code security, and AI-enhanced SOC operations.
- Modernise detection and response: XDR + AI-augmented SOC; automated incident response and playbooks; adversary-simulation tooling to tune detections.
- Third-party and SaaS risk: continuous external attack-surface monitoring of vendors; automated evidence collection and assurance workflows; contract-level visibility of data access, and attack/threat data.
- Data security and data governance (especially in AI-driven environments): data discovery; DSPM (Data Security Posture Management); guardrails for LLM/AI usage: data leakage prevention, policy enforcement.
- Business continuity and resilience engineering: immutable backup architecture + automated recovery; mapping minimum viable business processes; dependency mapping across apps, vendors, cloud, data.
The Securing the Law Firm Summit will look at the latest thinking around legal cybersecurity. As well as presentations from some of the world’s largest firms we will also be asking how small and medium-sized organisations can keep up with cybersecurity best practice in the sector.
Key themes will include:
Identity, authority, and control for non-human actors
CISOs must rethink core identity and governance frameworks, including the adoption of robust agent identity models (spanning machine, service, and workload identities), and clearly defined delegation structures that determine what authority an agent holds and who grants it. What technologies can help them maintain visibility and control?
Securing algorithmic insiders
What does "insider threat" mean when the actor is non-human? For CISOs, the focus shifts to monitoring the behaviour of agents as well as users, developing capabilities to detect anomalous machine activity, and establishing effective controls that balance guardrails, detection, and containment. Do you need AI defences to do that?
Data control when there is no perimeter
How can firms enforce confidentiality when data is constantly in motion across systems the firm does not fully control? For CISOs, does this mean that the focus must shift toward controlling data itself rather than the environments it resides in? If so, what kinds of architectures and solutions can deliver security in that context?
The power of automation
There's too much manual intervention in security. SOAR pulls data from SIEMs, EDRs, firewalls, cloud APIs, ticketing systems, threat intelligence feeds, and even email servers, and coordinates actions across tools via APIs, prebuilt integrations and intelligent playbooks. Well, that's the theory. How does it work in the real world?
Integrity and the AI-enabled supply chain
AI-native operating models imply dependence on a complex supply chain of foundation models, internal systems, and external APIs and orchestration layers that collectively produce legal work. Imagine the consequences of hacking such a system. So how do CISOs stop that happening?
Dealing with regulations
CISOs now must build a single coherent security program that simultaneously satisfies divergent regulatory demands; they must interpret vague legal standards into technical architectures, and they risk non-compliance if auditors, regulators, or courts interpret differently later; they face unrealistic expectations around incident reporting; and they face personal liability. Can RegTech help?