Geopolitical cyber risk is no longer a peripheral concern for law firms. It is immediate, persistent, and tied to the work firms perform for clients. Law firms sit at the intersection of cross-border transactions, sensitive disputes, and regulatory matters that may implicate state interests. As a result, they are not only targets, but also pathways to their clients and the matters they handle.
As geopolitical tensions escalate, cyber operations advance state interests and extend into adjacent private-sector organizations. For law firms, these dynamics extend beyond technical disruption to client-facing consequences, including delayed transactions, compromised confidentiality, and increased regulatory scrutiny.
This risk cannot be managed through technical controls alone. It requires leadership decisions on risk tolerance, client exposure, governance, and accountability. Exposure is inevitable; outcomes depend on how it is managed.
Three deliberate decisions position firms to sustain trust, demonstrate defensibility, and operate with resilience. Risk determines what the firm accepts. Capability determines what it can support. Authority determines how it acts.
Decision one: Define the firm’s geopolitical risk tolerance and how risk enters the firm
Geopolitical cyber risk begins with a leadership decision: The level of risk the firm will accept. This decision operates in two parts: Defining risk tolerance and applying it through client and matter selection.
Taking on clients creates both reward and risk. Many firms focus on the former but do not define the latter. Without a clear position, exposure accumulates through new offices, clients, and matters, gradually shifting the firm’s risk profile without deliberate choice. This creates a form of risk “drift”: The firm’s exposure increases over time without a corresponding adjustment in capability or oversight. Defining risk tolerance requires applying it to client and matter selection, where not all engagements carry equal risk. Matters involving sensitive jurisdictions, state-linked entities, or regulated technologies can materially change exposure. These risks may not be visible at the outset and often emerge through deal structures, data flows, or relationships between parties. Without a structured approach, firms may treat all engagements as equivalent, even when they are not.
Recent cyberattacks against firms such as Covington & Burling illustrate how this exposure manifests. Attackers – widely believed to be state-sponsored – targeted communications associated with specific lawyers to obtain information that advanced geopolitical objectives. The firm was not the end target; it was the access point. The implication is direct: Client and matter exposure is a primary pathway through which geopolitical risk enters the firm. This reflects a broader pattern affecting organizations across sectors.
Leadership must distinguish between ordinary and elevated risk and apply that distinction consistently. This may include integrating risk indicators into client and matter intake, and establishing escalation pathways to identify and manage elevated risk. Where the firm is unwilling or unable to make those investments, it may need to limit certain engagements or accept a higher level of risk.
Defining risk determines what the firm is willing to accept. The next decision determines whether the firm is equipped to support it.
Decision two: Align security capabilities and investment with the level of risk accepted
This is a leadership decision that asks whether the firm can actually support the risks it has chosen. Misalignment between risk and capability often emerges gradually, as firms take on higher-risk work without adjusting the security controls required to support it. When taking on new clients or activities that significantly increase the firm’s digital footprint – such as promoting remote work – leaders should confirm whether the firm’s capabilities are sufficient to support the level of risk it has chosen to accept. Where they are not, firm leadership has three choices: Invest in building that capability, constrain the activity, or proceed with an elevated level of risk.
For example, representing a high-profile or politically sensitive client, such as the type contemplated in decision one, may increase the possibility of being targeted and attacked. Aligning security capabilities with risk is key to a successful and risk-managed engagement.
A similar dynamic arises when making operational decisions. Enabling remote work expands access to firm systems and sensitive information across locations and devices. Supporting that flexibility may require stronger authentication, device controls, and monitoring. Where those capabilities are not in place, the firm must decide whether to invest to support that model or constrain how work is performed.
Choosing between the three options – accept, invest or constrain – is a business decision that each organization must make. When capability and risk are aligned, firms can operate with confidence. When they are not, gaps remain – often revealed only under pressure, when the cost of misalignment is highest.
Decision three: Define decision authority for responding to cyber incidents
Geopolitical cyber incidents test not only response, but also control: Who has authority to act, how decisions are made, and whether those decisions can be executed in time to limit harm.
Firms should define in advance who has authority to act, how issues are escalated, and what conditions trigger leadership involvement. Managing partners, CISOs, and general counsels each play distinct roles, but those roles must be aligned before an incident occurs. Establishing clear authority and accountability requirements determines whether decisions can be defended later.
One common example: Has the firm determined, in advance, who is authorized to shut down major business systems during an incident to contain infection? This decision should be made before – not during – a disruptive event.
Clear decision authority enables faster containment, more consistent communication, and more defensible outcomes. Without it, firms are forced to act without clarity on who can decide – often when the cost of delay is highest.
This is ultimately a question of readiness: Whether the firm can execute its decisions when they matter most.
Governance: Integrate these decisions into a coherent system
Governance is the mechanism that connects these decisions and determines whether they operate as a coherent system under pressure.
These decisions are interconnected. Risk tolerance informs client selection. Client exposure shapes incident scenarios. Incident response depends on clearly defined decision authority. Readiness reflects how effectively these elements operate under pressure. Governance determines whether these decisions operate as intended – and whether they can be verified, tested, and explained under scrutiny.
Governance connects these decisions. It turns leadership intent into consistent practice: Risk tolerance, escalation, and authority must be clear before they are tested. Governance also ensures that capabilities and investment match the level of risk the firm has chosen to accept. Without that alignment, risk tolerance is aspirational, not operational, and risk and capability will diverge over time – even when individual decisions appear reasonable in isolation. European regulatory frameworks, such as the NIS2 Directive’s Article 20, reinforce this expectation by elevating cybersecurity accountability to the level of boards and equivalent governing bodies.
Without governance, decisions remain informal and inconsistent. With governance, they form a system that can be understood, tested, and explained to clients and regulators – and that determines whether those decisions withstand scrutiny under pressure.
Conclusion
Periods of geopolitical escalation are not just moments of heightened risk. They are moments of decision. Law firms cannot eliminate geopolitical cyber risk, but they can proactively determine how it is managed.
In those moments, the difference is not only in what decisions are made. It is also whether the firm aligned its capabilities with the level of risk it chose to accept.
The consequences extend beyond system failure to client trust, regulatory exposure, and the firm’s ability to explain its decisions under scrutiny. Firms that define their approach in advance will be better positioned to protect clients, maintain operations, and sustain trust. Those that do not will be forced to decide during a crisis, when the cost of uncertainty is highest.
Cyber risk outcomes are not determined during moments of crisis. They are determined by the decisions leaders make before a crisis begins.
