The brief.
A regional law firm engaged us to perform IT and cybersecurity diligence on an acquisition target in the lead-up to deal close. The target was a multi-office firm with a long operational history and a reputation in its practice area; on paper, the IT posture appeared adequate. Our job was to verify that with engineering rigor — not just by reading documentation.
What we found.
Ransomware near-misses
- Two prior security events that had not been disclosed to leadership of the target firm
- Backup configuration that would not have survived a full ransomware encryption event
- Endpoint detection coverage gaps on several attorney laptops, including partners
Cyber insurance
- Cyber insurance policy had lapsed; the renewal was being processed on the assumption that the controls had not materially changed since the prior policy, which was not the case
- Several control attestations on the renewal application would not have survived an underwriter audit
Document management
- Document management system in production with no functioning ethical-wall enforcement — matters separated only by folder convention
- Several attorneys had access to matters they should not have had access to under conflict-of-interest rules
- No audit trail capable of demonstrating who had touched what client document, on what date
Outcomes.
- The buying firm renegotiated the deal terms based on the diligence findings, with the risks reflected in price and reps-and-warranties
- Our team led the post-close IT integration: backup overhaul, EDR rollout, cyber-insurance remediation, and a document management migration to a proper privilege-aware platform
- Cyber insurance was successfully renewed at improved terms post-remediation
Both firms' names withheld. A reference can be arranged with explicit consent after the initial scoping conversation. Pre-acquisition diligence work is typically bound by particularly strict confidentiality clauses.