The threat posed by cybercrime has reached enormous proportions. Conservative estimates put the direct global economic damage at a minimum of $1.2 trillion when factoring in operational disruptions, reputational harm, and insurance costs. In Germany alone, the industry association Bitkom e.V. estimated the annual damage from cyberattacks for 2025 at €289 billion – a new record high. Despite continuously rising cybersecurity spending and more than 4,000 vendors of cybersecurity solutions now on the market, the effectiveness gap continues to widen.
Ransomware ranks among the most common threat types. Approximately seven out of ten attacks are carried out by ransomware groups, and further growth is likely as the sale of RaaS (Ransomware as a Service) and support from artificial intelligence multiply attackers’ capabilities. Beyond ransomware, phishing, DDoS attacks (distributed denial of service), and the deployment of AI-powered malware are among the greatest business risks in 2026.
Due to the exceptional concentration of sensitive information and data – such as attorney-client privileges, contract drafts, acquisition strategies, criminal defense files, or financial records – the legal industry is a particularly lucrative target for cybercriminals. According to a survey of 500 U.S. law firms, 20% were attacked in the past year. An average of more than 1,000 attacks per week are recorded; particularly notable were attacks on DLA Piper (2017) and Allen & Overy (2023), which affected thousands of employees worldwide.
The reasons for days-long system outages and severe reputational losses are often structural: Outdated IT infrastructure, insufficient risk awareness, and declining insurance coverage stand in stark contrast to legal and regulatory requirements.
Fostering cooperation and communication
At the initiative of international legal tech consulting firm Morae Global Corporation, representatives from the company met with their new tech partners Arctic Wolf and Halcyon on 26 February 2026 at the Frankfurt office of HEUKING to exchange ideas with IT security experts from leading business law firms on the challenges of cyber and data security. In his welcome address, Josh Franks, Senior Director and Cyber Practice Leader at Morae, emphasized the company’s self-conception as “partner not a vendor” and stressed that “cybersecurity and data governance are not defensive obligations; they are drivers of operational resilience, competitive advantage, and long-term enterprise value”.
Cybersecurity also plays a central role at Gleiss Lutz. Alongside ongoing technical and operational upgrades, the focus is increasingly on the user as a “human firewall”, reports Marc Geiger, Director Legal Operations & Business Technologies. Even the best technology can prove ineffective if users inadvertently create an entry point for malware through carelessness. Raising risk awareness and understanding that cybersecurity affects everyone were therefore at the heart of a comprehensive cybersecurity awareness campaign. Geiger explains how such awareness measures for “tech topics” can be successfully implemented in law firms. In award-winning campaigns – such as for the Client Collaboration Platform and “The Last Mile” project (winner of the Inhouse Matters Award 2024) or the “Cyberheroes” awareness campaign – analog and aesthetically appealing attention anchors were deliberately deployed in daily work routines alongside technical and organizational measures. Geiger’s personal formula for success: “Change management + communication + practical relevance (with a hook).” The latter is particularly crucial, as awareness always requires an emotional impulse to remain memorable over the long term. With a view to current challenges posed by artificial intelligence, another campaign is already planned – with a tongue-in-cheek reference to not “sleeping through” the rapid development.
Ensuring data sovereignty and data security
Subsequently, Mathias Espeloer, Director of IT at HEUKING and head of the Cyber Security Task Force at the Bundesverband der Wirtschaftskanzleien in Deutschland (BWD), shared his experiences of implementing a backup solution during the transition from on-premises to the iManage Cloud: “We needed a reliable solution for accidental deletions and logical errors.” Various tools on the market were evaluated, but due to internal standards regarding data ownership, user-friendliness, and operational flexibility, the decision was made in favor of HYCU Inc.’s backup and recovery solution. The goal was to strengthen protection of the iManage cloud environment through a secure, flexible, and future-proof data backup strategy that meets the firm’s operational and regulatory requirements. The solution addresses two core use cases: Complete backup of all content including security details with recovery capability at any time, as well as targeted restoration of individual documents, folders, or workspaces that were accidentally or maliciously deleted. Data sovereignty takes priority, which is why backups are stored in a separate, controlled storage destination rather than with the SaaS provider itself.
The fact that only 2% to 5% of available data is actively accessible while 73% is never used represents a significant cost and liability risk for Marc Schneider, Director DACH at Morae. He refers to this as “dark data” – data collected and stored by organizations but not actively used, classified, or analyzed. In the legal environment, this often involves client documents that get “lost” in unstructured file repositories, personal data that is not properly secured, or outdated documents that continue to occupy storage space without an archiving strategy. In contrast, the concept of “Dark Data Mastery” holds that not all data should be managed, only that which is actually business-critical, compliance-relevant, or risk-bearing. The rest should be systematically disposed of, archived, or transferred to controlled systems. Through the integration of appropriate technologies, such as the archiving solution Morae Vault or partnerships with data discovery companies like ActiveNav and Halcyon, relevant data is identified, classified, and protected accordingly.
Maintaining operational capability through partnerships
A strategic partnership between Morae and U.S.-based anti-ransomware provider Halcyon was established in November 2025. The specialized platform from this startup, founded in 2021 by a team of experienced cybersecurity veterans, focuses exclusively on preventing, withstanding, and promptly reversing ransomware attacks. It complements existing protection systems such as antivirus software or EDR programs (e.g., Microsoft Defender, CrowdStrike, SentinelOne, etc.), thereby closing a gap where traditional tools often fail. Using the “Cyber Kill Chain” model, which depicts the typical progression of an attack, cybersecurity expert Sebastiaan Bäck and Sales Director DACH Thomas Wuest explained how the AI-trained software intervenes at multiple points: Suspicious scripts or programs are stopped during execution; spread across the network is blocked; encryption or data exfiltration is prevented – and if files are still affected, the intercepted keys are used to restore them without paying any ransom. The objective is that affected organizations remain flexible and can continue operating their business, as Mark Walmsley, Global CISO at Freshfields, confirmed: “You still have control and people have access to the data.”
Arctic Wolf, presented by Markus Wolf, Director Sales Engineers DACH, and Account Manager Sven Heimann, also positions itself as a globally operating Security Operations Center (SOC) that maintains its clients’ operational and cyber resilience. The company was founded in 2012 in the U.S. and has been active in the German-speaking region from Frankfurt/Main since 2021. The goal is to reduce cyber risk to zero through 250 integrations, more than 1,500 managed service providers and distribution partners, and alliances with insurance companies and law firms. The central technical foundation is the Aurora Platform, a cloud-based security operations structure that analyzes several trillion security-relevant events per week and provides highly automated detection, response, and remediation. At the same time, the “noise” in 24/7 monitoring of networks, endpoints, and cloud systems should be focused on relevant signals, and response times – aided by concierge service teams – should be significantly shortened.
The intensive dialog among experts and users demonstrates that data and cybersecurity is not a one-time project that can be checked off and filed away. Rather, it is a dynamic process that grows increasingly critical with technological progress. Psychological resilience is therefore just as important as technical resilience, and can only be translated into practical solutions through continuous communication and cooperation. “In today’s environment, peer-to-peer exchange with solution providers and users is immensely important, as we can only achieve the goal of raising and strengthening security levels together,” says Mathias Espeloer.
