Likelihood: MODERATE
Impact: VERY HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is moderate: SRG/Luna Moth is an active, financially motivated threat actor with a demonstrated operational shift to physical impersonation, but successful physical access requires logistical investment per target, and exploitation at any specific firm is not yet confirmed. Impact is very_high because law firms hold privileged attorney-client communications, litigation strategy, and sensitive PII that SRG explicitly weaponizes for extortion — a credible exfiltration threat alone (without encryption or confirmed breach) is sufficient to trigger client attrition, bar association scrutiny, and regulatory investigation simultaneously.
Treatment rationale: The threat exploits physical access controls and social engineering gaps that are directly addressable through identity verification protocols, visitor access procedures, and security awareness training — mitigating controls exist and are proportionate to the risk level, making avoidance operationally infeasible and acceptance unjustifiable given the magnitude of potential client data exposure.
Third-Party / Supply-Chain Risk
Law firms operating shared legal management platforms, cloud-based case management systems (e.g., multi-tenant practice management SaaS), or co-managed IT service arrangements face compounded exposure: a physical impersonator posing as IT staff could leverage third-party remote access credentials or support sessions to pivot into shared environments, potentially affecting multiple client matters or co-tenanted systems. NIST SP 800-161 framing: assess whether managed service providers or IT support vendors have physical or remote access procedures that SRG could impersonate; verify those vendors' personnel verification and on-site access protocols as part of supply-chain risk management.
Loss Exposure (illustrative)
Magnitude: Very high — illustrative $2M–$15M+ per incident, reflecting legal liability exposure, client attrition, crisis communications, regulatory defense costs, and reputational harm specific to a law firm holding privileged matter data
Frequency: Illustrative: for a mid-to-large law firm with publicly known client relationships and physical office presence in a major market, exposure to a targeted SRG campaign is plausibly a low-frequency event (illustrative: 1-in-5 to 1-in-10 year probability for an in-scope firm), distinct from the broader population of all firms
Annualized: Illustrative ALE approximation: $200K–$3M annualized, derived from illustrative loss magnitude × illustrative frequency range; not suitable for budgetary commitment without actuarial grounding
Basis: Magnitude driven by: (1) extortion leverage value of privileged legal communications — reputational and client-attrition costs dominate over technical remediation costs; (2) regulatory defense and potential bar association proceeding costs; (3) crisis legal and communications retainer costs. Frequency driven by: SRG's active campaign status per FBI advisory, targeting specificity toward law firms, and the logistical constraint that physical impersonation limits the volume of simultaneous targets. No third-party actuarial or vendor report figures were used.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Physical access resulting in client PII or PHI exposure may invoke state breach-notification obligations under applicable data protection statutes — verify with counsel.
• Exfiltration of privileged client communications may implicate client confidentiality obligations and bar association rules governing data security — verify with counsel.
• An extortion demand following data exfiltration may trigger cyber-insurance notice and reporting obligations, including potential coverage conditions under ransomware or extortion riders — verify with broker and counsel before any payment or public disclosure.
• Healthcare or financial sector client data held by the firm may invoke sector-specific regulatory notification requirements (e.g., HIPAA, GLBA) — verify with counsel.