Most law firms know clients are asking more cybersecurity questions. The question is: how ready are you to answer them?
Let’s start with the basics. Most client security questionnaires are not trying to turn your firm into a technology company. They are trying to understand whether you have the fundamentals in place.
That means controlling who has access to client information, protecting email and document systems, backing up data, training staff, managing IT providers, and knowing what to do if something goes wrong.
If you are like many law firms, you may already have pieces of this in place.
- You may use multi-factor authentication.
- You may have an external IT provider.
- You may have cyber insurance.
- You may have policies somewhere in the firm.
But when a client, bank, technology company, government agency, or regulated business sends a security questionnaire, the issue is not only what you do. It is whether you can answer clearly, consistently, and with evidence.
So, the problem is not choosing the “right” cybersecurity framework. It is knowing whether your firm can respond to reasonable client security questions with confidence.
That is why we built this client security questionnaire readiness checklist. It pulls together common baseline expectations seen across cybersecurity frameworks and client due diligence requests into 12 straightforward areas. It is designed to help law firms self-assess where they stand before the next questionnaire, panel review, RFP, contract renewal, or client onboarding request arrives.
How to use it:
Go through each of the 12 areas and check off what your firm has actually implemented, not what you plan to do or assume your IT provider is handling.
Be honest. Each checkpoint is worth one point. Add up your total, then compare it to the grading matrix. You are not trying to get a perfect score on day one. You are trying to see clearly where the gaps are so the firm can prioritize what matters most.
Common Baseline Security Self-Evaluation Matrix (for framework references, see Appendix 1)

| # | Readiness area | What clients are usually trying to confirm | Self-evaluation checkpoints | Score |
|---|---|---|---|---|
| 1 | Information Security Governance | Cybersecurity is formally supported by firm leadership. | | __ / 4 |
| 2 | Questionnaire Ownership & Evidence | The firm can answer client security questions consistently. | | __ / 5 |
| 3 | People & Confidentiality | Lawyers, staff, students, contractors, and vendors understand their security responsibilities. | | __ / 4 |
| 4 | Access Management | Access to client information and firm systems is limited to authorized users. | | __ / 6 |
| 5 | Email, Device & Network Security | The systems most often used for client work are protected. | | __ / 7 |
| 6 | Client Data Protection & Privacy | Sensitive, privileged, personal, and confidential information is identified and protected. | | __ / 7 |
| 7 | Monitoring & Incident Response | Security issues are detected, escalated, and handled consistently. | | __ / 5 |
| 8 | System Changes & IT Administration | Changes to firm systems are controlled before they affect client work. | | __ / 5 |
| 9 | Vulnerability Assessment & Penetration Testing | Vulnerabilities are identified, prioritized, and remediated. | | __ / 5 |
| 10 | Backup, Resilience & Recovery | The firm can recover from operational or cyber disruption. | | __ / 5 |
| 11 | IT Provider & Third-Party Risk | External providers supporting client information are identified and managed. | | __ / 5 |
| 12 | AI Governance & Responsible Use | AI tools are used responsibly, securely, and with appropriate human oversight. | | __ / 5 |

Total possible score: 63 points
Updated Grading Matrix

| Total score | Percentage | Rating | Meaning |
|---|---|---|---|
| 54 – 63 | 85% – 100% | Strong Client Review Readiness | A strong baseline appears to be in place. The firm is better positioned to respond to client questionnaires with supporting evidence, subject to the client’s specific requirements. |
| 45 – 53 | 70% – 84% | Strong Foundation | Most key practices appear to exist, but some gaps may create follow-up questions during client reviews. |
| 31 – 44 | 50% – 69% | Building Readiness | Several practices appear to exist, but important improvements are needed before relying on responses in higher-risk client situations. |
| 0 – 30 | Below 50% | Foundational Gaps | The checklist indicates foundational gaps that should be prioritized before the firm faces a detailed client security review. |
What Your Score Actually Means
Once you've tallied your points, the grading matrix will place you in one of four categories.
- If you scored between 54 and 63, your firm likely has strong client review readiness. That does not mean every client will accept every answer without follow-up. It means the baseline essentials appear to be in place and your firm should be better positioned to respond with confidence and evidence.
- If you landed between 45 and 53, you have a strong foundation. You may already be doing many of the right things, but some areas still need tightening. These are the gaps that can slow down onboarding, panel reviews, or contract renewals.
- If you scored between 31 and 44, you are building readiness. Some practices exist, but the firm may struggle to answer a detailed questionnaire consistently, especially for regulated clients or sensitive matters.
- Scored 30 or below? At this stage, the checklist indicates foundational gaps that need attention. The priority should be getting the basics in place before the next client asks for evidence.
What to do about the gaps
Start with the areas where you scored lowest. But do not work down the list mechanically. Think about three things: what kind of client information you handle, which clients or industries you serve, and what resources you realistically have to improve.
A litigation boutique handling sensitive employment records may have different priorities than an M&A practice supporting data room access for private equity clients. A firm advising banks, healthcare organizations, government agencies, technology companies, or defence suppliers may face deeper security reviews than a firm serving lower-risk clients.
Do not try to fix everything at once. Pick two or three critical gaps and assign someone to own them. That may be a managing partner, operations lead, privacy contact, IT provider, or external advisor. Then come back to this checklist in three to six months and reassess.
Also, do not assume that “our IT provider handles it” is enough. Your provider may manage the technology, but your firm still needs to understand the answer being given to the client. If a questionnaire asks whether access is reviewed periodically, whether backups are tested, or whether vendors are monitored, someone at the firm should know what evidence supports the response.
Conclusion
Client security questionnaires are becoming part of the business of law. They may show up during onboarding, RFPs, panel appointments, contract renewals, cyber insurance discussions, or before a client grants access to sensitive files and systems.
The good news is that many clients are not expecting perfection. They are looking for reasonable controls, clear ownership, and evidence that the firm takes client information seriously.
So start with this. Use the checklist to understand where you are, where the gaps are, and what needs work before the next questionnaire arrives.
If your firm wants help reviewing the results, preparing for a client security review, organizing evidence, or identifying which gaps matter most, SAV Associates can help. We work with professional services firms on cybersecurity readiness, vulnerability assessments, penetration testing, questionnaire support, and assurance or certification readiness where needed. As a CPA firm and ISO certification body, we also provide assurance reports and certification services such as SOC 2, ISO 27001, and Cybersecure Canada.
Appendix 1 - Framework references

| # | Baseline security area | Framework references |
|---|---|---|
| 1 | Information Security Governance | |
| 2 | Questionnaire Ownership & Evidence | |
| 3 | People & Confidentiality | |
| 4 | Access Management | |
| 5 | Email, Device & Network Security | |
| 6 | Client Data Protection & Privacy | |
| 7 | Monitoring & Incident Response | |
| 8 | System Changes & IT Administration | |
| 9 | Vulnerability Assessment & Penetration Testing | |
| 10 | Backup, Resilience & Recovery | |
| 11 | IT Provider & Third-Party Risk | |
| 12 | AI Governance & Responsible Use | |