Law Firm Compliance

What Is a Cybersecurity Maturity Assessment and Does Your Law Firm Need One?

Makita Tunsill, JM
Juris Master — Cybersecurity, Privacy & Technology Risk Management | First Step Technology LLC
Published: July 4, 2026
12 min read

The first requirement of Florida Bar Recommendation 25-1 is a cybersecurity maturity assessment. The deadline is March 2027. Most attorneys have heard the term but are unclear on what an assessment actually involves, what it produces, and whether what they already have from their IT provider qualifies. This article answers all of those questions.

The short answer to whether your law firm needs one: yes, if you are a Florida Bar member. The deadline is active. The assessment is the documented baseline that every other compliance requirement — the data map and the incident response plan — is built on. Without it, you have no starting point and no defense if client data is compromised.

What a Cybersecurity Maturity Assessment Is and Is Not

A cybersecurity maturity assessment is a structured, documented evaluation of an organization's security program against a recognized framework. It measures how consistently and effectively security controls are implemented across the environment, produces a baseline score in each domain, and generates a prioritized list of what needs to change.

It is important to be clear about what it is not, because law firms frequently receive services from IT providers that sound similar but serve a different purpose.

A cybersecurity maturity assessment that satisfies Recommendation 25-1 is conducted by an independent advisor, follows a recognized framework, evaluates the firm across multiple security domains, and produces a written report that documents findings, scores, and recommendations. That report is your compliance deliverable.

The Maturity Scale: What the Levels Mean

Maturity assessments use a scaled scoring system to describe where an organization sits within each security domain. The scale used for law firm assessments aligned to Recommendation 25-1 has five levels:

LevelNameWhat It Means in Practice
1InitialSecurity practices in this domain are ad hoc and undocumented. The organization relies on individual knowledge rather than established processes. Results are unpredictable. Most law firms fall here in one or more domains on their first assessment.
2DevelopingSome security practices exist but are inconsistently applied and not formally documented. Depends on who is in the office or which partner manages a particular client relationship. Risk varies by individual.
3DefinedSecurity practices are documented, communicated, and consistently followed. Written policies exist. New staff receive training. Controls are applied uniformly regardless of who is involved.
4ManagedSecurity controls are actively monitored, measured, and reviewed. The organization tracks metrics and uses data to identify gaps. Management receives regular reporting on the security program.
5OptimizedSecurity practices are continuously improved based on performance data, threat intelligence, and lessons learned. The organization proactively adapts to new risks and regularly tests its controls.

A small or mid-size Florida law firm completing its first maturity assessment will typically score Level 1 or Level 2 across most domains. This is not a failure — it is the baseline. The purpose of the assessment is to document where the firm currently stands so it can develop a realistic remediation plan. A Level 1 score with a documented plan and evidence of progress is a far better position than no assessment at all.

The Six Domains of a Law Firm Maturity Assessment

A maturity assessment for a law firm evaluates six security domains that collectively cover the full scope of the firm's data protection obligations. Each domain is scored independently, which allows the remediation roadmap to be prioritized based on which gaps represent the greatest risk to client confidentiality.

Domain 1: Access Controls

This domain evaluates how the firm manages who has access to what. It covers multi-factor authentication enforcement, password policy and password manager usage, role-based access control, and the firm's process for removing access when employees or contractors leave. Access control failures are the leading cause of unauthorized access to law firm systems. A compromised credential without MFA is an open door to every client file in the firm's email and document management system.

Domain 2: Email Security

Email is the primary attack vector against law firms. This domain evaluates the firm's SPF, DKIM, and DMARC DNS configuration, the presence of anti-phishing filtering beyond basic spam protection, and whether attorneys and staff have received phishing awareness training. Business email compromise attacks targeting law firms — particularly those involving fraudulent wire transfer instructions — are among the most financially damaging cyber incidents in the legal sector.

Domain 3: Endpoint Security

Endpoints are the laptops, desktops, tablets, and mobile devices that attorneys use to access, store, and transmit client data. This domain evaluates whether devices have adequate endpoint security software, whether full-disk encryption is enforced, whether devices receive timely security updates, and whether the firm has a documented process for securely disposing of old devices. Ransomware targeting law firms enters through endpoints. Insurers now require endpoint detection and response (EDR) capabilities as a condition of coverage in many cases.

Domain 4: Data Handling

This domain evaluates how client data is stored, transmitted, retained, and ultimately destroyed. It examines whether the firm uses secure communication methods for sensitive client documents, whether a retention schedule exists and is followed, and how the firm handles data disposal for closed matter files. This domain overlaps heavily with the data mapping survey requirement and often surfaces the most significant findings in terms of unrealized breach notification obligations.

Domain 5: Vendor and MSP Risk

Most law firms rely on external technology providers for some or all of their IT needs. This domain evaluates whether those providers have documented security controls, whether the firm has reviewed those controls, and whether vendor contracts include appropriate data protection provisions. Recommendation 25-1 specifically addresses vendor vetting. The Bar's position is that delegating IT management to a vendor does not delegate the firm's ethical responsibility for the security of client data.

Domain 6: Incident Response Readiness

This domain evaluates whether the firm has a written incident response plan, whether key personnel know their roles under that plan, whether backups are in place and tested, and whether the firm understands its breach notification obligations under FIPA and ABA Rule 1.4. A firm that discovers a ransomware attack at 7 PM on a Friday and has no documented plan faces a qualitatively different crisis than one that knows exactly who to call, what to shut down, and what to communicate to clients within 30 days.

Common Questions About Law Firm Maturity Assessments

Does the assessment our IT company performed qualify?

It depends on what they produced. An IT provider conducting a technical audit of their own systems is not the same as an independent maturity assessment. What you need for Recommendation 25-1 is a written report from an independent advisor that scores the firm across the six security domains, documents findings with business impact statements, and produces a prioritized remediation roadmap. If your IT provider's report does that, it may qualify. If it is a list of system configurations they manage, it does not.

How long does the assessment take?

For a small firm of one to five attorneys, the assessment process typically takes two to four weeks from kickoff to final report delivery. For a mid-size firm of six to twenty attorneys with more complex systems and vendor relationships, four to six weeks is more typical. The assessment does not require significant time from firm personnel — a discovery call, participation in structured interviews, and providing existing documentation are the main inputs from the firm's side.

What does the assessment report look like?

A properly structured law firm maturity assessment report includes an executive summary written in plain English for the managing partner, a maturity scorecard showing the firm's level in each of the six domains, a full findings table with observation, technical meaning, business impact, and recommendation for each finding, a data map summary, an IRP readiness rating, and a prioritized remediation roadmap organized by timeline. The report is the document you retain as evidence of having completed the Recommendation 25-1 requirement.

Does the assessment need to be repeated?

The initial assessment establishes the baseline and satisfies the Recommendation 25-1 requirement. Follow-up assessments are advisable after significant changes to the firm's technology environment, after a security incident, and periodically to track remediation progress. Many firms transition to an annual assessment schedule once the initial compliance requirement is satisfied, which also positions them well for cyber insurance renewals.

What if the assessment reveals significant problems?

That is exactly what it is designed to do. Discovering significant gaps through a proactive assessment is far better than discovering them after a breach. The findings become the basis for a remediation roadmap — a prioritized, phased plan to address the gaps in order of risk. The assessment report itself demonstrates to the Bar, to an insurer, and to clients that the firm identified its gaps and took documented action to address them. That posture is defensible. Having no assessment at all is not.

What the Assessment Costs

Maturity assessment pricing varies based on firm size, complexity, and the scope of the engagement. The ranges below reflect the Florida advisory market for independent cybersecurity assessments aligned to Recommendation 25-1 requirements.

Solo / Small Firm
$1,500 – $2,500
1 to 5 attorneys. Assessment across all six domains, written report, maturity scorecard, remediation priorities, findings presentation call.
Standard Firm
$3,500 – $6,000
6 to 20 attorneys. Full assessment, data mapping facilitation, comprehensive report with executive summary, remediation roadmap, 90-minute findings presentation.
Full Compliance Package
$6,500 – $10,000
Any size. Assessment plus data mapping plus IRP development using Florida Bar Model IRP. Covers all three Recommendation 25-1 requirements in a single engagement.

Compare this to your exposure: The average cost of a law firm data breach in 2025 was between $150,000 and $500,000 when you factor in incident response, notification costs, regulatory fines, malpractice claims, and client loss. A maturity assessment that identifies and closes the gaps before a breach occurs is among the most cost-effective risk management investments a firm can make.

How to Get Started

The starting point is a discovery call with a qualified cybersecurity advisor who has experience with law firm environments and understands the ethical framework behind Recommendation 25-1. That call is typically 30 to 45 minutes and covers the firm's size, technology environment, current security practices, and any existing documentation. From there, the advisor can scope the engagement and provide a written proposal.

Before the call, it helps to have a general sense of how many users are in the firm's systems, who manages the firm's IT, what practice areas the firm handles, and whether there have been any prior incidents or close calls. That information does not need to be comprehensive — the discovery process surfaces what matters.

Start Your Law Firm Maturity Assessment

First Step Technology LLC provides cybersecurity maturity assessments specifically designed for Florida law firms. Engagements satisfy the Recommendation 25-1 assessment requirement and produce a report you can present to insurers, corporate clients, and the Bar.

Schedule Your Discovery Call
Disclaimer: This article is published by ComplianceFirst.io, a compliance intelligence publication of First Step Technology LLC. It is provided for informational purposes only and does not constitute legal advice. First Step Technology LLC is not a law firm. Questions regarding your obligations under the Florida Rules of Professional Conduct should be directed to qualified legal counsel or the Florida Bar Ethics Hotline at 1-800-235-8619.