Law Firm Phishing Simulation: ABA Cybersecurity Best Practices
A law firm's most valuable asset is the privileged work product locked in attorney email and document management. The second most valuable asset is the client trust account that funds matter closings. Both of those targets are reachable through a single click on a phishing email, and attackers - particularly nation-state actors targeting M&A, IP and litigation work - have been refining their lures against the legal sector for over a decade.
This post is for the firm's general counsel, the chief operating officer, the IT director and the partner who has been told that the firm "needs a phishing program." It walks through the ABA framing, the practical risk model unique to legal practice, the lures that resonate with attorneys and staff, and the documentation now expected by clients via outside counsel guidelines (OCGs) and by cyber-insurance underwriters at renewal.
The ABA framing
- Model Rule 1.1 (Competence) - Comment 8 explicitly extends competence to "the benefits and risks associated with relevant technology." Adopted in some form by nearly every state bar.
- Model Rule 1.6 (Confidentiality) - paragraph (c) requires reasonable efforts to prevent inadvertent or unauthorized disclosure of client information. The 2012 amendment specifically anticipated electronic disclosure.
- Formal Opinion 477R (2017) - secure communication of protected client information.
- Formal Opinion 483 (2018) - ethical obligations following an electronic data breach, including a duty to monitor for breaches and notify affected clients.
- State bar opinions - most state bars following ABA framing treat security awareness training as part of reasonable efforts under 1.6. New York, California, Florida and Texas have specific opinions.
None of these opinions mentions "phishing simulation" by name. But the trajectory of opinions and post-incident discipline is unambiguous: a firm that suffers a credential-theft breach and cannot demonstrate any phishing program has a much harder reasonable-efforts argument than one that can.
Derivative requirements that bite harder
Beyond bar ethics, three regulatory channels apply pressure:
- Client OCGs. AmLaw 100 firms now routinely receive OCGs that require security awareness training, phishing simulation, MFA and breach notification within tight windows. Failure to comply puts the engagement, not just the matter, at risk.
- Regulated-data flow-down. Healthcare-client representations bring HIPAA business-associate obligations. Financial-services representations bring GLBA flow-down. Government and DIB representations bring CMMC, FAR and DFARS obligations. Each of these has explicit awareness-training requirements.
- Cyber insurance. See our 2026 renewal post - the questionnaire is now standard and law firms get the same treatment as everyone else.
A firm representing regulated clients without a phishing program has multiple overlapping problems, only one of which is the bar rule.
The threat model unique to law firms
- Real-estate and M&A wire fraud. Closings have a short fuse, large dollar amounts and predictable email signatures. Attackers impersonate the closing attorney, the title company or the counterparty bank to reroute funds. This is the highest-frequency direct loss scenario at firms.
- Privileged-information theft. Credential theft against partners and associates working on M&A, IP, regulatory or sensitive-litigation matters yields work product an attacker can sell, leak or use to extort. Documented incidents at international firms have exposed deal documents pre-announcement.
- Court notice impersonation. Fake e-filing notices, fake docket alerts, fake hearing reschedules. Attorneys click on those reflexively because they look exactly like the real thing.
- Client impersonation. A long-running matter produces an email rhythm attackers can mimic. Counsel-to-client and client-to-counsel BEC produces wire fraud and document-disclosure incidents.
- Vendor and ESI provider lures. Relativity, e-discovery vendors, transcription services and outside court reporters are realistic impersonation targets that capture credentials with high downstream blast radius.
- Trust account and IOLTA fraud. Attorneys with signing authority on trust accounts are direct fraud targets.
Templates that land at firms
- E-filing / docket alert lures - PACER notice impersonation, state e-filing system password resets, court rule-update bulletins.
- Closing wire instruction changes - title company, counterparty bank, paying agent impersonation. Targets transactional groups.
- DMS credential prompts - iManage, NetDocuments, SharePoint password expiration. Universal lure.
- Time-and-billing system lures - Aderant, Elite, ProLaw prompts. Targets timekeepers and billing.
- E-discovery vendor lures - Relativity, Reveal, Everlaw access prompts. Targets litigation support.
- Bar association and CLE phishing - fake CLE registration, fake bar dues notices.
- HR and payroll BEC - direct deposit changes during open enrollment.
- Vendor invoice fraud - outside copy services, transcription, expert witness invoices targeting AP.
A balanced rotation across these categories at varying difficulty produces useful cohort data. Multi-channel coverage matters in legal practice - SMS smishing of e-filing alerts, voice vishing impersonating an opposing counsel's paralegal - because the BEC scenarios that produce the largest losses don't always start in email.
Cohort design at a firm
- Partners and senior counsel - highest-loss whaling target. Hard-difficulty simulations on a separate track.
- Associates - standard monthly cadence; matter-impersonation simulations layered in.
- Paralegals and legal assistants - closing-fraud and court-notice lures.
- Litigation support / e-discovery - vendor portal credential lures.
- Finance, AP, AR, billing - wire fraud, vendor invoice fraud, time-and-billing system lures.
- HR and recruiting - BEC and direct deposit fraud.
- IT and admin - credential-theft and MFA-fatigue scenarios.
- C-level (managing partner, COO, CFO) - separate hard-difficulty whaling track.
The exemption problem
The single biggest mistake firms make is exempting partners - usually because someone senior found a simulation embarrassing. Partners are the highest-loss BEC target in the building. Exemption is an indefensible position post-incident.
The fix is communication, not carve-out: announce the program firm-wide once, frame it as professional skill-building consistent with Rule 1.1 competence, and run it with no exceptions. Partners who fail simulations get the same auto-assigned remediation training as anyone else. Auto-assigned just-in-time training removes the personal-friction objection because no one has to be "called out" by IT.
ESI and privilege handling in the program
Two things to be careful about:
- Lure content should not reference real matter information. Generic personas only. A template that names a real client or matter is asking for an inadvertent-disclosure problem.
- Simulation telemetry is not privileged but is sensitive. Click data identifying which attorneys failed which simulation should be access-restricted to the IT and compliance leads, not broadly visible. Treat it like personnel data.
OCG-driven program design
Outside counsel guidelines from large corporate clients have become the most aggressive single source of program design pressure for firms. A typical 2026 OCG cyber section requires:
- Documented security awareness training program with periodic phishing simulation
- MFA on all accounts handling client data
- Encryption in transit and at rest for client matter data
- Breach notification to the client within 24-72 hours
- Annual SOC 2 Type II report or equivalent independent assessment
- Defined incident response plan with tabletop exercise evidence
The OCG package is the realistic forcing function. Firms that fail to produce phishing-program evidence on a client request risk losing the engagement, not just the matter. The same evidence packet that satisfies one OCG generally satisfies the next, with minor formatting changes.
Documentation packet for OCGs and renewal
- Campaign log: dates, target population, template category, difficulty
- Click and reporting rate trend over 24 months by cohort (timekeeper / staff / leadership)
- Training completion rate per campaign with median time-to-completion
- Coverage report: percentage of personnel reached, including partners, associates, contractors and contract attorneys
- Multi-channel evidence: SMS or voice campaign reports
- Written security awareness policy approved by management committee or executive committee
- Board / executive committee reporting cadence
- Phishing-related incident log for the past 24 months with remediation
The same packet handles client OCG audits, the cyber-insurance renewal and any state bar inquiry following an incident.
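The packet above is aggregate evidence, while the point made earlier about telemetry is that per-attorney click data stays access-restricted. The following added example (not Bait & Phish code, nor any platform's export format) shows one way to build the campaign log, cohort click and report rates, training completion figures and coverage report from raw simulation telemetry so that only aggregates leave the compliance team. The field layout, cohort names, the small-cohort suppression threshold and every row of sample data are constructed assumptions; the opaque user ids stand in for the identity mapping that IT and compliance keep separately.

```python
# Added example, not Bait & Phish code: field layout, cohort names, the
# suppression threshold and all rows below are constructed assumptions.
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumption: rates for cohorts smaller than this are suppressed so a two-person
# group cannot be re-identified from a click rate in the packet.
MIN_COHORT_SIZE = 3

# Constructed roster: opaque id -> cohort. The id-to-person map never enters the packet.
ROSTER = {
    "u01": "partners", "u02": "partners", "u03": "partners",
    "u04": "associates", "u05": "associates", "u06": "associates", "u07": "associates",
    "u08": "paralegals", "u09": "paralegals", "u10": "paralegals",
    "u11": "finance", "u12": "finance", "u13": "finance", "u14": "c-level", "u15": "c-level",
    "u16": "contractors", "u17": "contractors", "u18": "contractors",
}

# Constructed events, one per simulation delivered: (user, campaign, template
# category, difficulty, clicked, reported, training assigned at, training completed at)
EVENTS = [
    ("u01", "2026-01", "e-filing", "hard", True, False, "2026-01-12T09:05", "2026-01-13T17:05"),
    ("u02", "2026-01", "e-filing", "hard", False, True, None, None),
    ("u03", "2026-01", "e-filing", "hard", False, False, None, None),
    ("u04", "2026-01", "dms", "medium", True, False, "2026-01-12T09:10", "2026-01-12T11:10"),
    ("u05", "2026-01", "dms", "medium", False, True, None, None),
    ("u06", "2026-01", "dms", "medium", False, True, None, None),
    ("u07", "2026-01", "dms", "medium", False, False, None, None),
    ("u08", "2026-01", "closing-wire", "medium", True, False, "2026-01-12T09:20", None),
    ("u09", "2026-01", "closing-wire", "medium", False, True, None, None),
    ("u10", "2026-01", "closing-wire", "medium", False, False, None, None),
    ("u11", "2026-01", "vendor-invoice", "easy", False, True, None, None),
    ("u12", "2026-01", "vendor-invoice", "easy", False, True, None, None),
    ("u13", "2026-01", "vendor-invoice", "easy", True, False, "2026-01-12T09:30", "2026-01-14T09:30"),
    ("u14", "2026-01", "e-filing", "hard", True, False, "2026-01-12T09:40", "2026-01-12T13:40"),
    ("u15", "2026-01", "e-filing", "hard", False, False, None, None),
    # u16-u18 (contractors) received nothing this cycle: a coverage gap the packet must surface.
]


def campaign_log(events):
    """One row per (campaign, category, difficulty) with the recipient count."""
    counts = defaultdict(int)
    for _user, campaign, category, difficulty, *_ in events:
        counts[(campaign, category, difficulty)] += 1
    return [{"campaign": c, "category": cat, "difficulty": d, "recipients": n}
            for (c, cat, d), n in sorted(counts.items())]


def cohort_rates(events, roster, min_size=MIN_COHORT_SIZE):
    """Click and report rate per cohort; None when the cohort is below min_size."""
    sent, clicked, reported = defaultdict(int), defaultdict(int), defaultdict(int)
    for user, _c, _cat, _d, was_clicked, was_reported, _a, _done in events:
        cohort = roster[user]
        sent[cohort] += 1
        clicked[cohort] += was_clicked
        reported[cohort] += was_reported
    rate = lambda num, n: round(num / n, 3) if n >= min_size else None
    return {c: {"sent": n, "click_rate": rate(clicked[c], n), "report_rate": rate(reported[c], n)}
            for c, n in sent.items()}


def training_completion(events):
    """Completion rate for auto-assigned remediation and median hours to complete."""
    assigned = [(a, done) for *_, a, done in events if a is not None]
    hours = [(datetime.fromisoformat(done) - datetime.fromisoformat(a)).total_seconds() / 3600
             for a, done in assigned if done is not None]
    return {
        "assigned": len(assigned),
        "completed": len(hours),
        "completion_rate": round(len(hours) / len(assigned), 3) if assigned else None,
        "median_hours_to_complete": round(median(hours), 1) if hours else None,
    }


def coverage(events, roster):
    """Share of the roster that received at least one simulation, overall and per cohort."""
    reached = {user for user, *_ in events}
    per_cohort = defaultdict(lambda: [0, 0])  # cohort -> [reached, total]
    for user, cohort in roster.items():
        per_cohort[cohort][1] += 1
        per_cohort[cohort][0] += user in reached
    result = {cohort: round(r / t, 3) for cohort, (r, t) in per_cohort.items()}
    result["overall"] = round(len(reached) / len(roster), 3)
    return result


def build_packet(events=EVENTS, roster=ROSTER):
    """Assemble the aggregate-only packet that goes to the client or underwriter."""
    return {
        "campaign_log": campaign_log(events),
        "cohort_rates": cohort_rates(events, roster),
        "training": training_completion(events),
        "coverage": coverage(events, roster),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_packet(), indent=2))
```

Two design points carry the weight here. Coverage is computed against the roster, not against the events, so an exempted or simply missed group (the contractors above) shows up as a gap instead of disappearing; that is the number an OCG reviewer uses to check that partners were not carved out. And rates for cohorts under the threshold come back as None rather than a number, because a click rate on a two-person C-level cohort is effectively a named individual's result.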
Where Bait & Phish fits
Bait & Phish has been running phishing simulation and security awareness training programs for AmLaw firms, regional firms, boutique practices and in-house legal departments for more than 15 years. The platform supports the cadence, cohort segmentation and confidentiality posture legal practice requires: monthly multi-channel campaigns (email, SMS, voice), legal-realistic template categories (e-filing, closing wires, DMS, e-discovery, billing), auto-assigned just-in-time remediation training, role-segmented reporting and one-click exports formatted for OCG compliance, bar-rule documentation and cyber-insurance renewal.
Start a free trial covering up to 25 users - typically the corporate, real-estate or transactional practice group - or contact us about firm pricing. Plan structure is on the pricing page. For more on documentation flow into your insurance renewal, see what cyber insurers ask about phishing training.
This post is informational and does not constitute legal, ethics or compliance advice. Specific bar obligations vary by jurisdiction; consult your firm's general counsel and ethics counsel for guidance.