Now Accepting Clients — NJ & NY Law Firms

Your Microsoft 365
environment is your
greatest liability.

Watusoft helps small law firms identify and close the security gaps in Microsoft 365 that expose client data, violate ABA ethics rules, and trigger cyber insurance complications.

5–10
Day Engagements
$2,500
Starting Investment
Why Law Firms Are Exposed

Three forces converging
on your practice right now.

01
⚖️

ABA Model Rule 1.6

The ABA requires all attorneys to take "reasonable measures" to prevent unauthorized disclosure of client data. Vague by design — but bar associations are increasingly clear that your cloud environment falls squarely within this obligation. An unsecured Microsoft 365 tenant is a documented ethics exposure.

Ethics Obligation
02
🛡️

Cyber Insurance Tightening

Since 2021, cyber insurers have added mandatory security requirements — MFA, conditional access policies, email authentication — that many small firms cannot document. Firms without proof of controls are seeing premium increases of 40–80% and claim disputes. Your renewal questionnaire is not a formality.

Insurance Risk
03
📧

Business Email Compromise

Law firms are a top target for Business Email Compromise attacks. Attackers spoof attorney email addresses to redirect wire transfers, intercept settlement funds, and steal client data. Most successful attacks exploit gaps that exist in default Microsoft 365 configurations.

Attack Vector
04
🔓

Default M365 Is Not Secure

Microsoft 365 ships with settings optimized for ease of use, not security. Without deliberate hardening, most tenants have MFA gaps, admin accounts with no access controls, SharePoint configured to share files with anyone who has a link, and email authentication entirely missing.

Configuration Risk
Services

Structured engagements.
Measurable outcomes.

Every assessment produces a written report, a documented Secure Score improvement, and a clear remediation roadmap — deliverables you can show your cyber insurer or bar counsel.

Tier 1 — Essentials
$2,500
One-time · 5 days

M365 Security Audit

A comprehensive review of your Microsoft 365 security posture with a written findings report and top 5 priority fixes.

  • Microsoft Secure Score baseline & review
  • MFA status audit across all accounts
  • Admin privilege assessment
  • Email security — DMARC, DKIM, SPF
  • External sharing settings review
  • Written findings report with risk ratings
  • One 60-minute debrief call
Tier 3 — Premium
$7,500
One-time · 10 days

Compliance Package

The complete engagement, including custom security policy documentation and a formal letter for cyber insurance purposes.

  • Everything in Standard
  • Tenable vulnerability scan (up to 16 IPs)
  • Microsoft Sentinel / SIEM review
  • Custom security policy documents
  • Acceptable Use & Incident Response plans
  • Cyber insurance posture letter
  • 90-day follow-up assessment
Ongoing Protection
Monthly Security Retainer
Monthly Secure Score review, patch status monitoring, quarterly mini-assessment, and incident response SLA — so your posture stays strong between annual assessments.
$1,200–$2,500
per month
New Offering — AI Governance

Your attorneys are
already using AI.
Your policies aren't.

Copilot, CoCounsel, and ChatGPT are already inside law practices — often without approval, oversight, or any record of what client information goes in. ABA Formal Opinion 512 makes clear that generative AI use falls under your existing duties of competence, confidentiality, and supervision. This engagement puts the guardrails in place before a client audit, an insurance renewal, or a confidentiality incident does it for you.

Built on AI vendor review methodology applied at Am Law 100 scale

Best-Value Pairing
M365 Hardening + AI Governance
Pair the Tier 2 Audit + Hardening engagement with AI Governance Readiness — the two exposures insurers and bar counsel ask about most, closed in a single two-week engagement.
$6,500
bundled · $9,000 separately
How It Works

From first call to secured environment
in seven days.

01

Discovery Call

A 30-minute call to understand your environment, current concerns, and insurance requirements. No pressure, no sales pitch.

02

Access & Kickoff

We use read-only delegated access — no admin passwords shared. Scoped exclusively to assessment requirements.

03

Assessment & Remediation

7 days of systematic review across identity, email, endpoints, and sharing. Critical fixes implemented during the engagement.

04

Report & Debrief

A written executive report with risk ratings, actions taken, and a prioritized roadmap — plus a live debrief call to walk through findings.

Watusoft
CYBERSECURITY ADVISORY · NJ
A practical checklist
v. 2026.05
Microsoft 365
Security Checklist
12 misconfigurations that show up in nearly every law firm audit
01
Legacy authentication is still enabled
Basic auth for IMAP, POP, and SMTP bypasses MFA entirely…
02
MFA not enforced for every account
Partners and service accounts are the most commonly exempted…
03
Too many Global Administrators
Most firms have eight to fifteen, often including former IT staff…
+ 9 more across Data Protection, Auditing & Endpoint
Free Resource

12 misconfigurations
we find in nearly every
law firm M365 tenant.

The one-page checklist your IT team or MSP can walk through this week. No new tooling. No new budget. All twelve show up in client audits, cyber insurance findings, and post-incident reviews.

  • Plain-English explanations of each misconfiguration
  • Exact admin paths and PowerShell commands to verify
  • The specific fix for each, prioritized by risk
PDF sent to your inbox immediately. No spam, no list-sharing, no marketing emails — just the checklist.
The Watusoft Methodology
Five domains. One systematic review.
Every engagement covers the same five domains in the same order. Findings are mapped to ABA Rule 1.6 obligations and standard cyber insurance questionnaires.
01
Identity & Access
MFA enforcement, Conditional Access policies, admin role audits, privilege sprawl
02
Data Protection & Sharing
External sharing controls, sensitivity labels, DLP policies, sensitive data discovery
03
Auditing & Logging
Mailbox audit completeness, Unified Audit Log review cadence, forensic readiness
04
Email & Endpoint
Anti-phishing presets, DMARC/DKIM/SPF, external forwarding, third-party app consent
05
Compliance Mapping
Findings cross-referenced to ABA Rule 1.6 and standard cyber insurance questionnaires
Why Watusoft

Built for law firms.
Not generic IT.

01

Law Firm Operations Experience

I lead cybersecurity governance work at one of the largest law firms in the world — running vendor risk reviews on AI platforms used by attorneys, access governance across enterprise SaaS, and Microsoft 365 security operations. I understand the data sensitivity and regulatory environment attorneys operate in because I work inside it every day.

02

ABA & Insurance Aligned

Every assessment is structured around the specific obligations law firms face — ABA Model Rule 1.6, state bar ethics guidance, and the security controls cyber insurers now mandate. Your report is written to be useful in those contexts, not just for IT.

03

No Vendor Relationships. No Upsells.

Watusoft is an independent advisory. No software to sell you, no kickback partnerships with tools you don't need. The only deliverable is an honest assessment and actionable recommendations you can take to any vendor — or implement yourself.

"Reasonable measures to protect
against unauthorized disclosure."

ABA Model Rule 1.6(c) does not define what "reasonable measures" means — but bar associations, legal ethics experts, and courts are increasingly specific. A documented security assessment of your cloud environment is one of the clearest ways to demonstrate compliance with this obligation.

ABA 1.6(c)
Confidentiality — Reasonable Measures
ABA 477R
Cloud Communications & Data
ABA Op. 512
Generative AI — Lawyers' Duties
NJ RPC 1.6
New Jersey Confidentiality Rule
NY RPC 1.6
New York Confidentiality Rule
Common Questions

Straight answers,
before the sales call.

How much does a cybersecurity assessment cost for a small law firm?

Watusoft engagements are flat-fee: a Microsoft 365 security audit starts at $2,500, audit plus hands-on hardening is $4,500, and the full compliance package — including policy documentation and a cyber insurance posture letter — is $7,500. AI Governance Readiness is a separate $4,500 engagement, and ongoing monitoring retainers run $1,200–$2,500 per month.

What does ABA Model Rule 1.6 require for law firm technology?

Rule 1.6(c) requires lawyers to make reasonable efforts to prevent unauthorized disclosure of, or access to, client information. Bar guidance increasingly treats cloud email and document systems — including Microsoft 365 — as squarely within that duty, which means an unsecured tenant is an ethics exposure, not just an IT problem.

Does a small law firm really need an AI use policy?

Yes. ABA Formal Opinion 512 confirms that generative AI use falls under lawyers' existing duties of competence, confidentiality, and supervision. Most firms already have attorneys and staff using tools like ChatGPT or Copilot informally — so the practical question is not whether AI is in the building, but whether its use is governed.

Why is my cyber insurance renewal asking about MFA and email authentication?

Since 2021, insurers have tightened underwriting for law firms specifically. Multi-factor authentication, conditional access, and email authentication (SPF, DKIM, DMARC) are now common prerequisites — firms that can't document these controls face higher premiums, coverage exclusions, or disputed claims.

Will Watusoft need admin passwords or full access to our systems?

No. Assessments use read-only delegated access scoped to what the engagement requires — no shared admin passwords. Remediation work in the hardening tiers is performed with time-limited, documented access, and every change appears in the final report.

How long does an engagement take?

Most engagements run five to ten business days from kickoff: five days for the Essentials audit, seven for Audit + Hardening or AI Governance Readiness, and ten for the full Compliance Package.

Get Started

Book a free
15-minute call.

We review your current setup, identify your highest-risk gaps, and give you a clear picture of what an engagement would look like — with no obligation to proceed.

Location Jersey City, NJ · Serving NJ/NY Law Firms
Response Time Within one business day
First Engagement Available Accepting new clients now

Request a Consultation

Fill in your details and I will reach out within one business day to confirm your call time.