Watusoft helps small law firms identify and close the security gaps in Microsoft 365 that expose client data, violate ABA ethics rules, and trigger cyber insurance complications.
The ABA requires all attorneys to take "reasonable measures" to prevent unauthorized disclosure of client data. Vague by design — but bar associations are increasingly clear that your cloud environment falls squarely within this obligation. An unsecured Microsoft 365 tenant is a documented ethics exposure.
Ethics ObligationSince 2021, cyber insurers have added mandatory security requirements — MFA, conditional access policies, email authentication — that many small firms cannot document. Firms without proof of controls are seeing premium increases of 40–80% and claim disputes. Your renewal questionnaire is not a formality.
Insurance RiskLaw firms are a top target for Business Email Compromise attacks. Attackers spoof attorney email addresses to redirect wire transfers, intercept settlement funds, and steal client data. Most successful attacks exploit gaps that exist in default Microsoft 365 configurations.
Attack VectorMicrosoft 365 ships with settings optimized for ease of use, not security. Without deliberate hardening, most tenants have MFA gaps, admin accounts with no access controls, SharePoint configured to share files with anyone who has a link, and email authentication entirely missing.
Configuration RiskEvery assessment produces a written report, a documented Secure Score improvement, and a clear remediation roadmap — deliverables you can show your cyber insurer or bar counsel.
A comprehensive review of your Microsoft 365 security posture with a written findings report and top 5 priority fixes.
Full assessment with active remediation of critical findings during the engagement — not just a list of recommendations.
The complete engagement, including custom security policy documentation and a formal letter for cyber insurance purposes.
Copilot, CoCounsel, and ChatGPT are already inside law practices — often without approval, oversight, or any record of what client information goes in. ABA Formal Opinion 512 makes clear that generative AI use falls under your existing duties of competence, confidentiality, and supervision. This engagement puts the guardrails in place before a client audit, an insurance renewal, or a confidentiality incident does it for you.
Built on AI vendor review methodology applied at Am Law 100 scale
A complete AI governance foundation for your firm — from tool inventory to an acceptable-use policy your staff actually understands.
A 30-minute call to understand your environment, current concerns, and insurance requirements. No pressure, no sales pitch.
We use read-only delegated access — no admin passwords shared. Scoped exclusively to assessment requirements.
7 days of systematic review across identity, email, endpoints, and sharing. Critical fixes implemented during the engagement.
A written executive report with risk ratings, actions taken, and a prioritized roadmap — plus a live debrief call to walk through findings.
The one-page checklist your IT team or MSP can walk through this week. No new tooling. No new budget. All twelve show up in client audits, cyber insurance findings, and post-incident reviews.
I lead cybersecurity governance work at one of the largest law firms in the world — running vendor risk reviews on AI platforms used by attorneys, access governance across enterprise SaaS, and Microsoft 365 security operations. I understand the data sensitivity and regulatory environment attorneys operate in because I work inside it every day.
Every assessment is structured around the specific obligations law firms face — ABA Model Rule 1.6, state bar ethics guidance, and the security controls cyber insurers now mandate. Your report is written to be useful in those contexts, not just for IT.
Watusoft is an independent advisory. No software to sell you, no kickback partnerships with tools you don't need. The only deliverable is an honest assessment and actionable recommendations you can take to any vendor — or implement yourself.
ABA Model Rule 1.6(c) does not define what "reasonable measures" means — but bar associations, legal ethics experts, and courts are increasingly specific. A documented security assessment of your cloud environment is one of the clearest ways to demonstrate compliance with this obligation.
Watusoft engagements are flat-fee: a Microsoft 365 security audit starts at $2,500, audit plus hands-on hardening is $4,500, and the full compliance package — including policy documentation and a cyber insurance posture letter — is $7,500. AI Governance Readiness is a separate $4,500 engagement, and ongoing monitoring retainers run $1,200–$2,500 per month.
Rule 1.6(c) requires lawyers to make reasonable efforts to prevent unauthorized disclosure of, or access to, client information. Bar guidance increasingly treats cloud email and document systems — including Microsoft 365 — as squarely within that duty, which means an unsecured tenant is an ethics exposure, not just an IT problem.
Yes. ABA Formal Opinion 512 confirms that generative AI use falls under lawyers' existing duties of competence, confidentiality, and supervision. Most firms already have attorneys and staff using tools like ChatGPT or Copilot informally — so the practical question is not whether AI is in the building, but whether its use is governed.
Since 2021, insurers have tightened underwriting for law firms specifically. Multi-factor authentication, conditional access, and email authentication (SPF, DKIM, DMARC) are now common prerequisites — firms that can't document these controls face higher premiums, coverage exclusions, or disputed claims.
No. Assessments use read-only delegated access scoped to what the engagement requires — no shared admin passwords. Remediation work in the hardening tiers is performed with time-limited, documented access, and every change appears in the final report.
Most engagements run five to ten business days from kickoff: five days for the Essentials audit, seven for Audit + Hardening or AI Governance Readiness, and ten for the full Compliance Package.
We review your current setup, identify your highest-risk gaps, and give you a clear picture of what an engagement would look like — with no obligation to proceed.
Fill in your details and I will reach out within one business day to confirm your call time.