Professional services firms, and law firms in particular, have become the primary focus of cybercriminals seeking to exploit their access to sensitive client information.
Holly Waszak, head of cyber claims advocacy at Marsh, told City AM that insurers are already taking action to protect clients in the sector from emerging threats.
“We’re seeing insurers come to us with law firms on their books, and they are trying to engage with clients as much as possible to forewarn them,” Waszak said.
The nature of professional services work makes these firms exceptionally attractive targets, as they routinely hold confidential information spanning M&A deals, trade secrets, and contentious employment matters.
Waszak highlighted that criminal groups such as the so-called silent ransom collective, which includes Luna Moth and Chatty Spider, prioritise quiet data theft over disruptive encryption attacks.
Rather than deploying ransomware, these groups use social engineering tactics to gain remote access to firm systems and immediately begin stealing whatever data they can find.
“They are using phishing tactics… so, calling these kinds of employees, partners, saying ‘we really need to access your computer, it’s your IT help desk support, can you give me remote access’,” Waszak explained.
Once inside a network, attackers move quickly to exfiltrate data before issuing extortion demands, threatening to leak stolen client information unless their financial demands are met.
This threat is not entirely new to the legal sector, as magic circle firm Allen & Overy, now known as A&O Shearman, was targeted by the notorious LockBit ransomware group back in 2023.
More recently, Stewarts Law reported incidents in which criminals impersonated the firm by sending fraudulent emails and faxes to members of the public, exploiting its established brand identity.
Waszak stressed that firms must now shift their thinking entirely; on the question of how organisations should prepare, she described the situation as “not a matter of when, it’s if, and response is key”.
Leaders are being urged to build and regularly rehearse incident response plans that clearly name decision-makers, insurers, forensic providers, external counsel, and PR advisers before any attack occurs.
“The incident response plan isn’t a stale document on a shelf,” Waszak warned, emphasising that tabletop exercises are essential to keep teams prepared and able to “flex those muscles.”
Beyond technical controls, Waszak argued that workplace culture plays an equally important role, with staff needing to feel safe admitting mistakes quickly before criminal actors can establish a deeper foothold.
“Anyone could do it, anyone can make that mistake,” she said, warning that silence from employees allows threat actors to lurk undetected on systems for months at a time.
The broader cybersecurity landscape shifted noticeably following a wave of high-profile attacks on major UK retailers last year, including M&S, which prompted many boardrooms to take cyber risk far more seriously and drive demand for insurance coverage.