How to Respond When a Cyberattack Hits Your Law Firm
Cyberattacks on law firms are becoming more common, more sophisticated, and more damaging. When they hit, you have only hours to act — and how you respond can either mitigate or magnify the damage.
So what should you do when your firm gets hit?
1. Do Not Panic — Follow Your Incident Response Plan
The best response starts before the attack happens. If you already have an incident response plan (IRP), this is when it earns its keep. If not — you’re in for a rough ride.
Run regular tabletop exercises to practice scenarios. Consider training resources like IR Games, which simulate real-world incident decision-making in a safe environment.
2. Identify the Incident — and Don’t Touch That Power Button
Early detection is key. Empower your staff to report strange behavior or suspicious activity immediately. And once something's flagged?
Do NOT reboot or shut down systems.
Forensic evidence is fragile and easily lost.
Do segment the threat.
Disconnect affected systems from the network to contain spread — but leave them powered on.
3. Engage Your Cyber Insurance Provider Immediately
Your insurance provider will bring in three essential resources:
A Policy Manager – who outlines what’s covered and how much you’re responsible for.
External Legal Counsel – Specialized in cyber incidents and regulatory compliance. Ensure they’re contracted directly with your firm to maintain attorney-client privilege.
Incident Response (IR) Team – Cybersecurity professionals who handle triage, forensics, and recovery.
Do not try to handle it alone, even if you have a capable IT team. IR teams know how to preserve evidence, stop further loss, and guide you through regulatory landmines.
4. Pause Recovery Until You’re Cleared
Don’t rush to bring systems back online. Wait until your insurance-backed IR team and legal counsel give you the green light. Premature recovery can:
Worsen the breach
Trigger compliance violations
Jeopardize future legal protection
Patience is painful, but critical.
5. Prepare for a Long Forensic Process
Even after systems are back up, you may wait weeks for final forensics reports. Expect ambiguous conclusions. Rarely do investigators find 100% definitive answers — instead, they’ll provide likely scenarios with risk percentages.
That’s the reality of cybercrime.
6. Loop in Law Enforcement
Notify local and federal law enforcement early. In Austin, for example, both APD and the FBI have strong cybercrime divisions ready to help. Sharing your forensic findings can help others avoid similar attacks — and they may offer insights from parallel cases.
Final Thought
Responding to a cyberattack is a legal, technical, and strategic process. It’s not something you should navigate alone. A trusted response plan, cyber insurance, legal counsel, and IR experts are the difference between a recoverable event and a firm-ending disaster.
Is your firm prepared to respond to a breach?
Let Clear Guidance Partners help you develop a response plan and walk you through the process before a crisis hits.