Have you ever wondered why Amazon Web Services (AWS) is so focused on security? When you visit their compliance page, they have nearly every privacy and security badge available, noted with the global standards highlighted below:


AWS places heavy emphasis on information and cybersecurity because it is a cornerstone of their business model and is extremely important to their clients. After all, no one wants to use a cloud provider that has experienced a breach or cyberattack.

The legal industry is facing these same security pressures. If no one wants to work with a software company that has experienced a breach, who would want to work with a law firm who has faced a similar issue?

Many cybersecurity experts believe that as many as 80% of the top 100 law firms have been breached. As a result, clients are asking for more assurance around the security of the sensitive data they share with their attorneys. Larger clients with more complex information technology (IT) and governance structures are sending numerous questionnaires regarding data security to their law firms to complete. At times, it can be hard for a law firm to complete one questionnaire before another arrives.

What if there was an easier and better way? Instead of completing multiple questionnaires, what if your law firm could provide an annual audit to clients that would deliver the desired assurance regarding data security? The good news is that this annual audit already exists.

The American Institute of CPAs (AICPA) has issued a framework for auditors to test System and Organization Controls (SOC) for an entity. This framework, abbreviated “SOC,” includes three separate types of reports:

  • SOC 1 – Controls at a service organization (such as a law firm or software company) relevant to user entities (clients) financial control over financial reporting
  • SOC 2, SOC 3 – Controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy

Most law firms will wish to consider a SOC 2 to comply with client requests regarding data security. SOC 2 reports are intended for more limited distribution to management and user entities such as clients, while a SOC 3 report can be posted on a public website.

The SOC 2 includes an evaluation of up to 209 separate control objectives as well as an independent audit of each control. To begin the process, we recommend a “pre-audit” or Readiness Assessment. The Readiness Assessment includes a walk through of each control objective to verify that the related control is in place. For those objectives with a related control, a gap is identified and a remediation plan developed. Once the law firm has completed the remediation plan then the formal audit can begin.

In terms of best practices, SOC audits should be performed at least annually but can be completed every three to nine months depending on specific client needs. The benefits to the SOC approach compared to other frameworks is an independent, objective audit of the controls that is performed by a third party. These audits alleviate the burden of self-audits or certifications as well as the requirement to complete a multitude of different security questionnaires.

An additional item to consider: if clients are asking questions about data security, then it’s safe to assume that prospects will ask them as well. We have seen that larger entities seeking legal services are already beginning to ask about data controls and audits in Request for Proposals (RFPs). Having a SOC audit performed on your law firm is an excellent way to stay ahead of and respond to your client and prospect’s questions regarding data security.

Be prepared with a ready-to-view SOC audit. It is no longer a question of "if" but "when" in regard to an information security breach. Be sure you are actively taking the proper steps to secure your law firm’s data and your client’s data.