
The Data That Nation-States Actually Want Is Sitting in Your Document Management System

There is a persistent assumption in how professional services firms think about their threat exposure: the real targets are banks, hospitals, energy companies. The named sectors in the National Cyber Security Strategy. The places where disruption makes the news.

This assumption misunderstands what sophisticated threat actors are actually trying to collect. Disruption is rarely the objective for the most capable adversaries. Intelligence is. And if you drew a map of where the most commercially and strategically sensitive information in the UK economy is concentrated, law firms and professional services businesses would be near the top of the list — and near the bottom of the list of organisations investing proportionately in their security.

What Law Firms Actually Hold

Start with the document management system of a mid-sized UK corporate law firm. It contains:

Pre-announcement M&A information. Draft SPAs, heads of terms, board minutes, due diligence reports. This is information whose entire commercial value depends on it not being known to anyone outside the transaction. A nation-state actor with an interest in a cross-border acquisition — perhaps because it involves a strategic asset, a defence contractor, or a technology company with export control implications — has an obvious interest in this material before announcement.

Regulatory and competition filings. How companies are characterising their market positions in CMA or EC merger filings. The arguments that are being run and the arguments that have been abandoned. The side letters and remedies that are under discussion.

Litigation strategy. In contested commercial matters, the file contains the client’s full settlement thinking, the weaknesses they’ve identified in their position, the evidence they do and don’t have, and the arguments they plan to run. An adversary in a live commercial dispute — or a state with an interest in one of the parties — has an obvious use for this.

Regulatory investigations. Firms acting in dawn raid responses, criminal investigations, or regulatory inquiries hold sensitive communications about what clients knew, when, and what they said to regulators. For intelligence services monitoring specific individuals or companies, this information is extremely valuable.

Client lists and relationship maps. Beyond the matter-level data, firms’ CRM systems and business development records map who is working with whom on what — intelligence infrastructure that has value beyond any single transaction.

Why This Matters for Nation-States Specifically

Criminal ransomware actors want leverage for a ransom. Nation-state actors want information, and they want to obtain it without detection. These are different threat models requiring different defensive thinking.

The Chinese intelligence services, specifically, have demonstrated sustained interest in M&A transactions involving Western technology companies, defence contractors, and critical infrastructure assets. Understanding who is acquiring what, on what terms, and with what financing provides both intelligence about the acquirer’s strategic intentions and, in some cases, a window to influence the transaction — through regulators, through the counterparty, or through public disclosure at a damaging moment.

The UK Solicitors Regulation Authority and the government’s own classified briefings to the legal sector have both made clear that this is not theoretical. Multiple major law firms have experienced intrusions assessed to be attributable to nation-state actors. Most have not been publicly disclosed, for the same commercial reasons that make law firms attractive targets — the reputational cost of disclosure is very high.

The Professional Privilege Paradox

Legal professional privilege creates a security problem as well as a legal protection. Because communications between lawyer and client are privileged, and because privilege survives the firm’s other disclosure obligations in many circumstances, law firms have developed institutional habits around the confidentiality of their systems and processes. This is appropriate and necessary.

But it also means that security events affecting privileged communications sit in a regulatory and legal grey zone that creates paralysis in incident response. Firms that have experienced nation-state intrusions affecting client files have, in some cases, delayed response actions because of uncertainty about whether their own forensic investigators could review the affected material without breaching privilege.

This is a solved problem in principle — waiver mechanisms, separate handling procedures, appropriately structured retainers — but it requires pre-incident legal advice, not legal advice obtained during an active incident.

The Senior Partner Problem

Every serious risk in a professional services firm ultimately sits with the equity partnership. Cyber security risk is no exception. The challenge is that many senior partners have built 20- or 30-year careers on the premise that security is an operational concern — something IT handles — rather than a partnership-level risk.

That framing is wrong, and the consequences of it being wrong have become material. A significant breach in which pre-announcement client M&A data is extracted by a sophisticated actor is a negligence claim, a regulatory enforcement action, and a client relationship crisis simultaneously. Partners who don’t engage with it as a governance matter because they find it technical are making a choice about risk exposure.

The security conversation that needs to happen at partner level is not about firewalls and MFA. It is about what data the firm holds, what its value is to adversaries, and what the firm would owe to clients, regulators, and counterparties if it were extracted. That is a conversation lawyers are well-equipped to have — it requires no technical background — but it requires someone to start it.

Where Investment Makes the Biggest Difference

The most effective security controls for a professional services firm are not particularly exotic:

Access control on matter data. Only the working team should have access to a live matter file. Broad read access across the document management system is a common configuration that dramatically increases exposure in any compromise.

Monitoring for anomalous data access. Privilege escalation, large-volume access to documents outside normal working patterns, access to old matters by accounts with no current involvement — these are detectable signals that require an alerting capability.

Client-matter segmentation in the DMS. Sensitive transactions should sit in environments with enhanced access controls, not alongside routine conveyancing files.

Incident response planning that accounts for privilege. Pre-instruction of IR providers, pre-agreed legal advice on privilege handling during forensic investigation, and a rehearsed decision tree for notifying clients and regulators.

Third-party access management. External counsel, experts, and data room administrators all have access to sensitive matter data. Their credentials and access controls are your attack surface.
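The access-control and anomalous-access points above translate directly into detection rules a firm can run over its DMS audit trail. The following is an added worked example, not code from the original commentary and not tied to any real DMS product: it assumes a hypothetical DMS that writes one audit line per document action in the format shown, together with a matter register listing each matter's working team and whether the matter is live or closed. Matter identifiers, user names, and every log line are constructed sample data. It flags three of the signals the article names: reads by accounts outside the working team, access to closed matters by accounts with no involvement, and a large-volume burst of document pulls (with a note on whether it fell outside working hours).

```python
"""Rule-based review of document management system (DMS) audit events.

Added example for the access-control and anomalous-access points in the
article; not from the original piece and not a real DMS product's API.
Assumes a hypothetical DMS that emits one line per document action in the
format used in LOG. Matter register, users and events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed matter register: working team per matter and live/closed status.
# A real DMS would expose this through its API or an admin export.
MATTERS = {
    "M-1001": {"status": "live", "team": {"apatel", "jsmith", "ext.counsel1"}},
    "M-0872": {"status": "closed", "team": {"jsmith"}},
    "M-1002": {"status": "live", "team": {"rlee", "apatel"}},
}

# Constructed audit log in the hypothetical DMS's line format.
LOG = """\
2024-03-04T09:12:31 user=apatel matter=M-1001 doc=D-101 action=read
2024-03-04T09:15:02 user=jsmith matter=M-1001 doc=D-102 action=read
2024-03-04T10:40:11 user=rlee matter=M-1001 doc=D-107 action=read
2024-03-04T11:05:45 user=apatel matter=M-0872 doc=D-033 action=read
"""
# Constructed burst: an external account that IS on the team pulls 25
# documents within 25 seconds at 02:00. Membership rules stay quiet; the
# volume rule should not.
LOG += "".join(
    f"2024-03-05T02:00:{i:02d} user=ext.counsel1 matter=M-1001 "
    f"doc=D-{200 + i} action=download\n"
    for i in range(25)
)

BULK_WINDOW = timedelta(minutes=10)  # sliding window for the volume rule
BULK_THRESHOLD = 20                  # distinct documents within the window
WORK_HOURS = range(7, 20)            # 07:00-19:59 counts as normal working hours


def parse_line(line):
    """Turn one audit line into a dict; the timestamp becomes a datetime under 'ts'."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev


def membership_alerts(events, matters):
    """Flag accesses by accounts not on the matter's working team.
    Closed matters get a separate rule name so they can be triaged on their own."""
    alerts = []
    for ev in events:
        m = matters.get(ev["matter"])
        if m is None:
            rule = "unknown_matter"
        elif ev["user"] in m["team"]:
            continue
        elif m["status"] == "closed":
            rule = "closed_matter_no_involvement"
        else:
            rule = "outside_working_team"
        alerts.append({"rule": rule, "user": ev["user"], "matter": ev["matter"],
                       "detail": f"{ev['action']} {ev['doc']} at {ev['ts'].isoformat()}"})
    return alerts


def bulk_access_alerts(events, window=BULK_WINDOW, threshold=BULK_THRESHOLD):
    """Flag a user who touches >= threshold distinct documents inside any
    sliding window of the given length. Reports the peak window per user
    (one alert per user, not one per event) and whether any of it fell
    outside WORK_HOURS."""
    alerts = []
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = defaultdict(int)  # doc id -> events currently inside the window
        start, peak, peak_start, peak_end = 0, 0, 0, 0
        for end, ev in enumerate(evs):
            in_window[ev["doc"]] += 1
            while ev["ts"] - evs[start]["ts"] > window:  # slide the left edge
                old = evs[start]["doc"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > peak:
                peak, peak_start, peak_end = len(in_window), start, end
        if peak >= threshold:
            burst = evs[peak_start:peak_end + 1]
            alerts.append({
                "rule": "bulk_access", "user": user, "count": peak,
                "matter": sorted({e["matter"] for e in burst}),
                "out_of_hours": any(e["ts"].hour not in WORK_HOURS for e in burst),
                "detail": f"{peak} distinct documents within {window}",
            })
    return alerts


def run_detection(log_text, matters):
    """Parse the log and run every rule; returns a list of alert dicts."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    return membership_alerts(events, matters) + bulk_access_alerts(events)


if __name__ == "__main__":
    for alert in run_detection(LOG, MATTERS):
        print(alert)
```

Two design points carry over to a real deployment. First, the membership rule only works if the matter register is accurate, which is the same precondition as the access-control recommendation itself; where broad read access is the configured norm, the register will not reflect who genuinely needs the file and the rule will either be noisy or disabled. Second, the volume rule fires once per user on the peak window rather than once per event, because an alert that arrives 25 times for one burst is an alert that gets muted. Thresholds and working hours are placeholders to be tuned against the firm's own baseline.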

The threat to professional services firms is not novel. It is the same espionage and criminal targeting that has always existed, conducted by actors who are now more capable and more persistent than they were a decade ago, against organisations whose security investment has not kept pace with the value of what they hold.