Website Security for Small Law Firms: What Carriers, Clients, and the ABA Are Asking
Three pressures are forcing small firms to take website security seriously at the same time. Each one is asking for something different. None of them are asking for a $30,000 pentest.
By RiskMeter
Imagine the managing partner of a six-attorney firm opening her email on a Tuesday morning. The first message is from the firm's insurance broker, with the subject line “Cyber renewal — application attached.” She's done this before. It used to be three pages.
The PDF that opens is fourteen pages. New sections ask whether the firm performs external vulnerability scanning of internet-facing assets, the cadence of patching, whether the website's admin paths are exposed to the public internet, and whether the firm maintains documentation of recent scan results. There is no “not applicable” option.
She forwards it to the IT contractor the firm uses for laptops and email. He replies an hour later: “I think most of this is really your call.”
This article is for that managing partner. It explains why those questions arrived in the first place, what an honest answer looks like for a small firm, and what an external website scan actually finds when it runs.
Three pressures, all hitting at once.
1. Cyber-insurance renewals got harder.
The cyber-insurance market hardened sharply after the ransomware wave of 2021–2023. Carriers added underwriting scrutiny on the security controls they could verify, and the renewal questionnaire became the place where that scrutiny lives. Whether your firm is insured by Coalition, Beazley, Chubb, CNA, AmTrust, Travelers, or another carrier, the trend is the same: questionnaires are longer, and several of the new questions are about your public website.
At renewal, the firms that can attach a recent external scan report move through underwriting faster and, in some cases, on better terms. Firms that can't attach anything end up answering by attestation alone — which is the underwriting equivalent of trusting your word.
At claim time, the question reverses. After a website-related incident, your carrier's incident-response counsel will ask what you were doing about external vulnerabilities before the event. A timestamped scan, with findings and a record of what was fixed, is the answer they're looking for.
2. Clients started sending security questionnaires.
Corporate and institutional clients — banks, healthcare systems, government agencies, technology companies — increasingly send vendor security questionnaires before sharing matters with outside counsel. Many are based on standardized frameworks like the Shared Assessments SIG or the Cloud Security Alliance CAIQ, and most include a question along the lines of “Do you perform external vulnerability scans of your internet-facing assets, and at what frequency?”
Most small firms have one of two responses. The first is an honest non-answer (“our IT vendor handles that”), which lands as a non-answer. The second is silence, which lands worse. Either way, the firm is on the back foot during what should be a relationship-building moment.
A documented scan flips the dynamic. “We perform an external scan quarterly, here's the most recent summary, and here's how we've handled findings” is a full, two-sentence answer. Most general counsel reading the questionnaire are not looking for perfection. They're looking for someone who has thought about this.
3. The bar has been clear for a decade.
In 2012, the American Bar Association added a single sentence to Comment 8 of Model Rule 1.1: lawyers must “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” Most U.S. states have since adopted some form of this language.
The ABA expanded on what that means in practice in two formal opinions. Formal Opinion 477R (2017) addresses an attorney's duties around securing the communication of confidential client information. Formal Opinion 483 (2018) addresses obligations when a data breach occurs. State opinions reinforce the same theme — California Formal Opinion 2010-179 ties technology competence directly to the duty of confidentiality, and New York State Bar Opinion 842 reaches a similar conclusion in the cloud context.
Read together, these opinions don't require any particular tool or vendor. They require the attorney to understand the technology being used to handle client information, and to take reasonable steps to safeguard it. An external scan of the firm's own website is among the lowest-effort ways to demonstrate that the question has actually been asked.
None of these three pressures are asking for a thirty-thousand-dollar penetration test. They're asking whether anyone at the firm has actually looked.
What's actually exposed on a typical small-firm website.
Below are the categories that come up most often. None are exotic. All are findable in a few hours and most are fixable in an afternoon by the IT vendor you already work with.
Insecure intake forms
Submission over plain HTTP, missing CSRF protection, or no rate limiting on contact forms. Common in WordPress sites running off-the-shelf form plugins that haven't been updated in two years.
Outdated CMS plugins
WordPress, Drupal, or Joomla plugins with publicly known CVEs. Each one is an entry point if it hasn't been patched. The hardest part is usually realizing the plugin is even installed.
Exposed admin paths
Default admin URLs (/wp-admin, /admin, /administrator) accessible from the public internet, often with no rate limiting and sometimes still showing usernames in error messages. A foundation for credential-stuffing attacks.
TLS and certificate weaknesses
Expired or near-expiry certificates, deprecated cipher suites still enabled, and mixed-content warnings on the intake page. Visible to any client checking the lock icon — and to any client's IT team running a site review.
Missing security headers
No HSTS, no Content-Security-Policy, no X-Frame-Options. Each header is a small thing on its own. Together they're a missing defense layer that gets called out on every modern security questionnaire.
Forgotten subdomains
A staging site from a redesign two years ago, still live, still publicly indexed, still running the version of the CMS that was current at the time. The firm doesn't remember it exists. Attackers' automated scanners do.
What due diligence looks like at the small-firm scale.
You don't need a thirty-thousand-dollar pentest.
Penetration tests are deep, manual security engagements designed for software companies, banks, and SaaS platforms with custom applications and complex authentication flows. For a one-to-ten attorney firm whose threat model is “criminals scanning the internet for outdated WordPress sites,” a documented external scan answers most of the question for a small fraction of the cost. Pentests have their place. That place is rarely the small firm's public website.
You do need it documented.
A finding you fix without paper is a finding you can't defend. Insurance forms, client questionnaires, and any after-the-fact bar inquiry will all want documentation: when the scan was done, what was found, what was fixed, when, and by whom. Keep the report. Keep a one-page log of remediation. That log is the artifact that turns “we take security seriously” into a defensible statement.
You do need it repeated.
A scan is a snapshot. The answer to “are we secure today?” decays as plugins update, subdomains spin up, and security headers get accidentally dropped during the next redesign. Quarterly is the typical cadence for SMB-scale firms; twice a year is the floor. Once is the wrong answer.
What to ask any vendor — including us.
This list happens to favor vendors that operate the way RiskMeter does. That's on purpose, and we'll own it. Every one of these is also a fair question to ask any vendor. The point is to ask.
- Will you put your scope in writing?
Any vendor scanning your site should ask you to sign a written authorization listing exactly which domains and paths are in-scope. Without that, both of you are exposed.
- Will you throttle the scan?
Aggressive scanning has, on rare occasions, taken sites offline. A vendor who can't tell you their throttling policy is a vendor to skip.
- Can you send a sample report?
If they can't show you what their deliverable looks like before you commit, you don't know what you're buying.
- Will the report be readable by a managing partner?
A two-hundred-page raw scanner export is useless for the audiences you actually need to satisfy. The report should make sense to a non-security reader.
- What is specifically excluded?
Authenticated testing, social engineering, and destructive checks should all be out-of-scope by default — included only with separate written agreement.
- Where does my data go?
Findings should be encrypted at rest, access-controlled, and deletable on request. The vendor should be able to explain how, briefly, without consulting their lawyer.
A 30-minute checklist a managing partner can run today.
These won't replace a full external scan, but they will catch the most embarrassing finds — and they're free.
- 01
Check your TLS
Open ssllabs.com/ssltest, paste your site, and look for an A or A+ grade. Anything B or below is worth a follow-up with your IT vendor this week.
- 02
Check your security headers
Open securityheaders.com and run the same check. A passing grade means at least HSTS, X-Frame-Options, and X-Content-Type-Options are configured.
- 03
Confirm your intake form is HTTPS
Open the form in a browser. The URL should start with https://. Submit a test entry and confirm you actually received it where you expected.
- 04
List every domain and subdomain you own
If you can't list them from memory, that itself is a finding. Old subdomains from past redesigns are one of the most common unmonitored entry points.
- 05
Verify your site backup is recent — and tested
Ask your IT vendor when the last successful backup restoration test was performed. “We have backups” and “we have tested backups” are different statements.
- 06
Document who has admin access
List who has admin credentials to your site, your DNS provider, and your hosting account. Most firms have at least one ex-employee or ex-vendor still on the list.
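To make the header check from the “Missing security headers” section and checklist item 02 concrete, here is an added example (not RiskMeter's scanner and not code from this article) that audits a site's response headers for the minimum set the checklist names and also flags headers that are present but set wrong. The sample responses are constructed, and the `fetch_headers` helper is an assumed convenience for pointing the same audit at a site you own.

```python
from urllib.request import Request, urlopen

# Minimum set the checklist names for a passing grade on securityheaders.com.
REQUIRED = ("strict-transport-security", "x-frame-options", "x-content-type-options")
# Also named in the article as a commonly missing defense layer.
RECOMMENDED = ("content-security-policy",)

def audit_headers(headers):
    """Return (passes, findings); passes is False on any 'required' finding."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name in REQUIRED:
        if name not in h:
            findings.append(("required", f"missing header: {name}"))
    for name in RECOMMENDED:
        if name not in h:
            findings.append(("recommended", f"missing header: {name}"))
    # Presence is not enough: a header that is set wrong is also a finding.
    hsts = h.get("strict-transport-security", "").replace(" ", "").lower()
    for directive in hsts.split(";"):
        # max-age=0 (or an empty value) tells browsers to drop HSTS entirely.
        if directive.startswith("max-age=") and directive[8:].lstrip("0") == "":
            findings.append(("required", "strict-transport-security max-age is 0 (HSTS disabled)"))
    xfo = h.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(("required", f"x-frame-options is {xfo!r}, expected DENY or SAMEORIGIN"))
    xcto = h.get("x-content-type-options", "").lower()
    if xcto and xcto != "nosniff":
        findings.append(("required", f"x-content-type-options is {xcto!r}, expected nosniff"))
    passes = not any(level == "required" for level, _ in findings)
    return passes, findings

def fetch_headers(url):
    """Fetch live response headers; run this only against a site you own."""
    with urlopen(Request(url, headers={"User-Agent": "header-audit"})) as resp:
        return dict(resp.headers.items())

# Constructed sample responses, not captured from any real firm's website.
WEAK_SITE = {"Content-Type": "text/html; charset=UTF-8", "Server": "Apache"}
HARDENED_SITE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
}
MISCONFIGURED_SITE = {**HARDENED_SITE, "Strict-Transport-Security": "max-age=0"}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_SITE), ("hardened", HARDENED_SITE)):
        print(label, audit_headers(hdrs))
```

The findings list is the kind of thing to paste into the one-page remediation log the article recommends, with the date and who fixed each item.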
We do this scan for small firms — and we're reserving ten of them for free.
RiskMeter performs focused, throttled, plain-English website security scans for small and mid-sized businesses, including small law firms. The first ten qualified businesses receive a complete scan and report at no cost. No card on file, no upsell.
- Scope confirmed in writing before anything runs
- Plain-English report you can attach to an insurance form
- Suitable as documentation for client security questionnaires
We only scan assets you own or are authorized to test. Submitting an application does not guarantee acceptance.
- ABA Model Rules of Professional Conduct, Rule 1.1 (Competence) — Comment 8
- ABA Formal Opinion 477R (2017) — Securing Communication of Protected Client Information
- ABA Formal Opinion 483 (2018) — Lawyers' Obligations After an Electronic Data Breach or Cyberattack
- California Formal Opinion 2010-179 — Ethical Duties When Using Technology
- OWASP Top 10 — the standard reference list for web application risks