Multi-Office Law Firm Cybersecurity & Cyber Diligence in Legal M&A: The Consolidation Problem

Why multi-office firms and acquiring firms inherit the worst cybersecurity posture of their weakest office — and the 4-quarter program that fixes it without slowing down growth.

Reviewed May 14, 2026 by Kfir Yair, CISSP · CCFH · ZDTA · CySA+ · Security+

A multi-office law firm inherits the worst cybersecurity posture of its weakest office. That is the sentence I open every managing-partner conversation with, and most of the leadership team has nodded before I finish saying it. They have seen the boutique they acquired last year — shared paralegal accounts, port-forwarded RDP, a two-year-old DMS export on a partner's home laptop. They just have not had a clean way to talk about how that office becomes the breach path for the entire firm.

This is the framework I use with managing partners and firm administrators. It assumes you are adding offices through lateral group moves and small-firm mergers, cannot pause the deal pipeline, and need a program that runs alongside growth.

Attackers do not target the polished downtown office or the consolidated cloud DMS. They target the recently acquired boutique that has not been integrated yet — running an unpatched on-premise file server, with shared paralegal credentials, port-forwarded RDP, and a partner who keeps a personal Dropbox of "working copies" because the prior DMS was too slow. Once they are inside, the parent firm has often already established a trust path — a VPN, a domain trust, or shared M365 admin accounts — that lets them move laterally to every office and every active matter.

A firm absorbing two boutiques and four lateral groups a year creates roughly six new attack surfaces, each of which has to be brought to the parent's baseline before a real adversary finds it.

Three common multi-office firm IT architectures

Before we talk about fixing the problem, you have to know which architecture you are starting from. Almost every multi-office firm falls into one of three buckets.

A. Decentralized — each office runs its own IT

Every office keeps its existing MSP, DMS instance, network gear, and often its email tenant. The parent firm has centralized finance, but technology is still local. The DMS in the Chicago office looks nothing like the DMS in the Atlanta office. Some have working backups. Some do not. MSP relationships range from excellent to non-existent.

Cheap to grow into, expensive to defend. No standard image, no central identity, no consistent endpoint coverage, and no way to answer "are all our offices patched?" without calling each MSP individually.

B. Hub-and-spoke with a shared MSP

One MSP services every office, usually with a shared Remote Monitoring and Management platform. Single help-desk number, single ticket queue, single set of admin credentials across the firm.

The shared RMM is the security story and the security problem in one sentence. It gives you consistency. It also gives an attacker who compromises that RMM credential a one-stop lateral-movement path into every office the MSP touches. The MSP-supply-chain compromise pattern is well-documented across the industry. Hub-and-spoke is better than decentralized, but it concentrates risk rather than eliminating it.

C. Centralized cloud plus standard image

The DMS is cloud-hosted — NetDocuments, iManage Cloud, Clio, or similar — every laptop is joined to Microsoft Entra ID, every endpoint runs the same managed image, and identity, email, and file storage live in one consolidated tenant. One conditional access policy, one endpoint detection deployment, one set of tiered admin accounts.

Highest upfront cost and, by a wide margin, the most defensible posture. Lateral groups and acquired boutiques get migrated to the standard, not absorbed as-is. Most growing firms end up here by the time they cross fifty to seventy-five attorneys.

The 4-quarter program we actually run

Most firms cannot jump from architecture A or B to C in one project. They need a sequenced program that fits inside one fiscal year, runs alongside lateral hiring, and produces evidence the executive committee can see.

Q1 — Discovery

You cannot defend what you cannot count. Quarter one is inventory: every endpoint, every DMS instance, every domain, every M365 or Google tenant, every cloud account, every line-of-business application, every client-facing portal, every MSP relationship.

Most multi-office firms cannot tell me how many M365 tenants they have. The honest answer is usually two to eight, accumulated through mergers and lateral group moves where nobody collapsed the seller's tenant after the deal. Discovery surfaces this and lets you make a real plan rather than a hopeful one.

Q2 — Identity consolidation

Identity is where attackers actually win, so identity is where consolidation starts. Quarter two collapses multiple M365 or Google tenants into a target tenant — or accepts a small number with an explicit governance plan and central detection. We centralize IT-admin accounts into a tiered model, enforce MFA everywhere with no exceptions for senior partners, and deploy Managed ITDR across the consolidated identity layer so an Entra ID compromise is detected the moment it happens, not thirty days later when the wire-fraud email goes out.
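As an added example, not code from the original article or from Obsidian Ridge, here is a small Python audit of an exported Conditional Access policy list that flags the two gaps the Q2 step is meant to close: an MFA policy left in report-only state, and an exclusion group that quietly exempts senior partners. The policy shape follows the Microsoft Graph conditionalAccessPolicy resource; the sample policy, the group name and the break-glass account are constructed assumptions.

```python
"""Audit exported Entra ID Conditional Access policies for MFA gaps (added example)."""
import copy

# Constructed sample export in the shape of the Microsoft Graph
# conditionalAccessPolicy resource (only the fields read here). The group and
# account names are assumptions, not real firm data.
SAMPLE_POLICIES: list[dict] = [
    {
        "displayName": "Require MFA - all users",
        "state": "enabledForReportingButNotEnforced",  # report-only: nothing is enforced
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": ["breakglass-1@example.invalid"],
                "excludeGroups": ["grp-senior-partners"],  # the "no exceptions" gap
            },
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

# Assumed: documented emergency-access accounts, the only exclusions an "MFA everywhere" policy may carry.
BREAK_GLASS = {"breakglass-1@example.invalid"}

def audit_mfa_policies(policies: list[dict], allowed_exclusions=BREAK_GLASS) -> list[str]:
    """Return findings; an empty list means MFA is enforced for all users on all apps."""
    findings: list[str] = []
    enforced_for_all = False
    for policy in policies:
        if "mfa" not in ((policy.get("grantControls") or {}).get("builtInControls") or []):
            continue  # block/device policies are out of scope for this check
        name = policy["displayName"]
        users = policy["conditions"]["users"]
        apps = policy["conditions"].get("applications", {})
        if policy["state"] != "enabled":
            findings.append(f"{name}: state is {policy['state']}, not enforced")
        bad_users = sorted(set(users.get("excludeUsers", [])) - allowed_exclusions)
        bad_groups = list(users.get("excludeGroups", []))
        if bad_users or bad_groups:
            findings.append(f"{name}: excludes {bad_users + bad_groups}")
        covers_all = ("All" in users.get("includeUsers", [])
                      and "All" in apps.get("includeApplications", []))
        if policy["state"] == "enabled" and covers_all and not (bad_users or bad_groups):
            enforced_for_all = True
    if not enforced_for_all:
        findings.append("no enabled policy requires MFA for all users on all apps")
    return findings

def harden(policy: dict, allowed_exclusions=BREAK_GLASS) -> dict:
    """Copy of an MFA policy with state enabled and only break-glass exclusions kept."""
    fixed = copy.deepcopy(policy)
    fixed["state"] = "enabled"
    users = fixed["conditions"]["users"]
    users["excludeUsers"] = [u for u in users["excludeUsers"] if u in allowed_exclusions]
    users["excludeGroups"] = []
    return fixed
```

Run `audit_mfa_policies(SAMPLE_POLICIES)` to see the three findings, then `audit_mfa_policies([harden(p) for p in SAMPLE_POLICIES])` to confirm the corrected policy produces none.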

Q3 — Endpoint and DMS hardening

Quarter three puts Managed EDR on every endpoint and DMS server. We standardize the backup architecture so every site has the same immutable, tested pattern. We roll out a firm-wide security awareness training program so the legal assistant in the satellite office sees the same phishing simulations as the executive assistant at headquarters. And we standardize remote access through Entra ID Conditional Access or a single SASE solution, retiring port-forwarded RDP and per-office VPNs.

Q4 — Documentation, evidence, and tabletops

Quarter four turns the controls into evidence. We produce a written information security plan, a firm-wide incident response plan, a tabletop exercise with the managing partner and office heads, a cyber insurance renewal package, and a vendor agreement inventory across every third party that touches client matter data. By the end of Q4, the firm has a defensible posture, executive-committee documentation, and an insurance application that does not require apologies.

Pre-merger cyber diligence

The cheapest moment to fix an office's security is before you own it. Whatever you do not negotiate into the LOI and merger agreement, you will pay for after close. The minimum diligence list for every legal M&A transaction:

  • Written confirmation MFA is enforced on M365 or Google for every attorney and staff member
  • A 24-month breach and security-incident history disclosure including business email compromise, not just ransomware
  • Evidence of active EDR or MDR coverage on every endpoint and DMS server
  • Backup test evidence from the last 90 days — a successful restore, not a screenshot of a backup job
  • A written information security plan dated within the last 12 months
  • A complete list of client-facing portals, extranets, and integrations
  • Reps and warranties on undisclosed breaches and past ABA Formal Opinion 483 notification obligations, with a meaningful indemnity tail
  • Disclosure of any pending bar disciplinary matters touching cybersecurity or client confidentiality

A target firm that cannot produce these is not a bad merger, just a more expensive one. Price the remediation into the deal or walk.

The lateral hire onboarding problem

Lateral hiring is the cybersecurity problem unique to law. No other industry routinely brings in senior practitioners who arrive carrying years of confidential client material from a prior employer.

Lateral partners almost always show up with portable matter files — on USB drives, in personal cloud accounts, exported directly from the prior DMS, occasionally as email attachments forwarded to a personal address "to clean up later." The arriving partner's personal device should never be plugged into the firm network for matter import. Transfer happens through a managed channel with conflict-check review, malware scanning, and a documented chain of custody.

The exports themselves require careful handling. They contain confidential information from prior clients who have not consented to the lateral move and whose data the new firm has no business retaining beyond what is needed to clear conflicts.

The arriving partner's habits also travel with them. If they emailed client documents to Gmail at the prior firm because the DMS was painful, they will do it at the new firm too unless someone retrains them on day one. ABA Model Rules 1.6 confidentiality, 1.9 duties to former clients, 1.10 imputation of conflicts, and 5.1 supervisory responsibility all converge on the lateral onboarding moment.

The integration cliff

More damage gets done in the first ninety days after a merger than in any other period. The patterns that hurt firms most:

  • Day-one network connection of an unhardened acquired office network to the parent firm network. This has caused more cross-firm incidents than every other failure combined.
  • Active Directory trust established between the acquired domain and the parent domain before forensic review of the acquired environment.
  • Shared MSP accounts granted access to the new combined tenant before the MSP's own security posture has been validated.
  • End-of-life Windows in the acquired office's DMS server room continuing to run, often unpatched and visible from the rest of the firm.

Treat every acquired environment as untrusted until proven otherwise. You do not know what you bought until you have looked.

Standardizing the DMS — the strategic question

Every leadership team eventually has to answer this: do we migrate every office to one document management system, or accept a heterogeneous environment?

Standardization is better for security, conflict-checking, ethical-wall enforcement, and lateral onboarding speed. A heterogeneous environment is cheaper to inherit but expensive to operate — every conflict-check question becomes a manual process and every security control has to be retested per platform.

DMS migrations run roughly $50,000 to $200,000 per office and take six to eighteen months. Most growing firms run heterogeneous until they cross roughly fifty attorneys, then standardize — often on NetDocuments, iManage Cloud, or Clio — because the operational drag of running multiple DMS products eventually exceeds the migration cost.

The central security operations question

Should a multi-office firm build a NOC or SOC internally or outsource it? The answer is mostly a function of scale.

  • Below 50 attorneys. Outsource. Building a 24/7 internal security operation is hard to staff and harder to retain at this scale. A Huntress-plus-Obsidian-Ridge style program or comparable managed detection partner is the right fit.
  • 50 to 150 attorneys. Hybrid. Most firms in this range land on an internal IT or security director who owns strategy and incident command, paired with an outsourced 24/7 SOC running managed detection and SIEM coverage.
  • Above 150 attorneys. Dedicated CISO with either an internal SOC or a co-managed arrangement. At this scale, the regulatory surface and the client security questionnaire load justify a full-time security executive.

The mistake to avoid is the in-between: a single internal "IT and security person" carrying a pager 24/7. That role does not survive contact with reality, and the person you hire into it does not stay.

ABA ethics across offices

Each attorney remains individually responsible for Model Rule 1.6 confidentiality, regardless of how the firm centralizes its security program. The firm can standardize controls, tooling, and training, but the ethical duty lives with the individual lawyer.

Model Rule 5.1 supervisory duties run from the supervising partner through paralegals and legal assistants to outside vendors. A partner who delegates matter handling to a junior associate still has a supervisory obligation, and that obligation extends to the cybersecurity controls that protect the matter. ABA Formal Opinion 483 makes the point: in a data event, ethical obligations to clients run through the responsible attorneys, not just through the IT function.

Cyber insurance for groups

The most expensive insurance mistake I see is buying a firm-wide cyber policy that names only the primary partnership entity. When the incident happens at a subsidiary PLLC or a named office that operates under its own entity — which is where incidents actually happen — the carrier scopes coverage to the named insured and disclaims the subsidiary loss. Confirm in writing that every office, wholly-owned subsidiary, and PLLC is a named insured.

Sublimits matter too. A single ransomware event can hit four or five offices simultaneously across business interruption, breach response, and regulatory coverage. A group policy with a small per-event sublimit can be exhausted before the second office has called the help desk. Read the sublimits, model a multi-office event, and renegotiate at renewal if the math does not work.

Where Obsidian Ridge fits

We run the Huntress Managed EDR, ITDR, and SAT program for the entire firm from one console with per-office reporting. ABA-aligned documentation, firm-wide incident response, quarterly executive briefing for the managing partner and office heads, and a single point of accountability for detection and response across every office.

We are not an MSP. We do not compete with the IT firm that handles help desk, printers, or DMS support. We sit alongside that team and own the security operations function so the IT firm can focus on uptime and firm leadership can focus on growth.

If you are leading a multi-office firm or working through a lateral group move or boutique acquisition, book a private executive briefing. Bring your managing partner, firm administrator, and general counsel. We will walk through your current state, your diligence checklist for the next deal, and a sequenced program your executive committee can read in one sitting. More on the program for the legal sector at Obsidian Ridge for law firms.

Last updated

May 14, 2026. We refresh this content as the threat landscape and tools evolve.

FAQ

Questions readers usually ask next

What cyber diligence should we require before a law firm merger or acquisition?

At minimum: written confirmation of MFA on M365 or Google for every attorney and staff member, a 24-month breach and security-incident history disclosure including business email compromise events, evidence of active EDR or MDR coverage on every endpoint, backup test evidence from the last 90 days, a written information security plan dated within the last 12 months, a full list of client-facing portals and integrations, reps and warranties on undisclosed breaches, confirmation of past ABA Formal Opinion 483 notification obligations, and disclosure of any pending bar disciplinary matters related to cybersecurity. If the target firm cannot produce these, price the remediation into the deal.

Should a multi-office law firm standardize on one document management system?

Standardization is better for security, conflict-checking, and reporting — but DMS migrations run roughly fifty thousand to two hundred thousand dollars per office and take six to eighteen months. Most growing firms run heterogeneous until they cross roughly fifty attorneys and then standardize, often on NetDocuments, iManage Cloud, or Clio. There is no single right answer, only a clear-eyed cost-benefit conversation about when standardization pays for itself in operational drag and conflict-check accuracy.

How do we centralize identity across offices that joined the firm through lateral hires and mergers?

The end state most multi-office firms need is one identity tenant — usually Microsoft Entra ID — with MFA enforced everywhere and a tiered admin model. Getting there often means collapsing two to eight M365 tenants accumulated through mergers and lateral group moves. If full consolidation is not feasible, you can run multiple tenants with a documented governance model, but you must centralize admin accounts and detection coverage across all of them either way.

How does ABA ethics compliance work when a firm has multiple offices?

Each attorney remains individually responsible for Model Rule 1.6 confidentiality, regardless of how the firm centralizes its security program. The firm can standardize controls, tooling, and training, but the ethical duty lives with the individual lawyer. Model Rule 5.1 supervisory duties run from the supervising partner through paralegals and legal assistants to outside vendors. Centralizing the program does not move the obligation; it just makes it easier to satisfy.

What does lateral hire cybersecurity onboarding actually look like?

Lateral partners almost always arrive with portable matter files from the prior firm — sometimes on USB drives, sometimes in personal cloud accounts, sometimes exported directly from the prior DMS. The arriving partner's personal device should never be plugged into the firm network for matter import. Transfer happens through a managed channel with conflict-check review, and the lateral's habits get retrained on day one. If the new partner emailed client documents to a personal Gmail at the prior firm, they will do it at the new firm too unless someone explicitly tells them not to.

Should a multi-office firm build an internal NOC or SOC, or outsource detection and response?

Below fifty attorneys, outsource. Building a 24/7 internal security operation is hard to staff and harder to retain at that scale. Between fifty and one hundred fifty attorneys, most firms land in a hybrid model with an internal IT or security director plus an outsourced 24/7 SOC. Above one hundred fifty attorneys, you typically need a dedicated CISO and either a fully internal SOC or a co-managed arrangement with a managed detection partner.

What goes wrong with cyber insurance for multi-office law firms?

The most common error is buying a firm-wide cyber policy that names only the primary partnership, leaving subsidiary PLLCs and named offices technically outside coverage for an incident that originates there. Confirm every office, every wholly-owned subsidiary, and every PLLC is a named insured. Group sublimits matter as well — one ransomware event can hit multiple offices simultaneously and exhaust per-event coverage faster than a single-office firm ever would.

What is the highest-risk moment in a law firm merger?

Day-one network connection. Plugging a newly merged office's unhardened network into the parent firm network, or establishing an Active Directory trust between the acquired domain and the parent domain before forensic review, has caused more cross-firm incidents than every other failure combined. Treat every acquired environment as untrusted until it has been inventoried, scanned, and brought to baseline.
