Likelihood: HIGH
Impact: VERY HIGH
Treatment: MITIGATE
Confidence: Moderate
SRG is an active, named threat actor; an FBI advisory confirms ongoing campaigns specifically targeting law firms using a documented hybrid methodology that combines social engineering with remote intrusion. Likelihood is high because the attack vector requires no unpatched CVE: it exploits weaknesses in human and physical access controls that are historically under-resourced across the legal sector. Impact is very high because the exfiltrated assets (attorney-client privileged records, litigation strategy, settlement data) carry compounded harm: extortion pressure is amplified by the ethical and reputational cost of disclosure itself, creating a coercive dynamic that pushes loss magnitude well beyond the data theft alone.
Treatment rationale: The threat is active, sector-targeted, and exploits structural vulnerabilities intrinsic to law firm operating models (privilege confidentiality, open visitor access, high-value data density), making avoidance impractical and acceptance ethically untenable; mitigation through layered physical security, identity verification controls, privileged access management, and incident response readiness directly reduces both likelihood and impact.
Third-Party / Supply-Chain Risk
Law firms routinely share privileged data with co-counsel, expert witnesses, e-discovery vendors, and client-controlled document repositories; SRG's exfiltration of matter files can expose third-party client data held under the firm's custodianship, creating downstream breach liability for clients whose records were entrusted to the firm. Shared legal technology platforms (matter management, document review, secure file-transfer portals) are additional lateral-exposure points if SRG's initial access is pivoted into cloud-integrated services. Assess every vendor with access to privileged matter data using NIST SP 800-161 third-party risk tiering.
Loss Exposure (illustrative)
Magnitude: Very high — illustrative $2M–$15M per incident for a mid-to-large firm
Frequency: Illustrative; given active FBI-confirmed SRG targeting of the legal sector, an exposed firm with no compensating physical or identity controls faces a plausible event frequency of once in 2–5 years at current threat tempo
Annualized: Illustrative ALE of $400K–$7.5M annually when the loss magnitude and frequency ranges are combined; the wide range reflects firm size, data sensitivity, and extortion outcome variability
Basis: Loss magnitude is derived from compounding four cost categories specific to this threat: (1) extortion payment pressure, elevated because the disincentive to have privileged material disclosed reduces the firm's negotiating leverage; (2) client notification and remediation costs, multiplied by the number of active matters exposed; (3) bar disciplinary proceedings and potential malpractice claims if privileged data is weaponized; (4) reputational harm and client attrition in a referral-dependent business model where confidentiality is the core service promise. Frequency is derived from the FBI advisory confirming an active, ongoing SRG campaign with confirmed law-firm targeting; this is not a generic sector estimate but reflects a named actor with documented operational focus on this vertical. No external vendor loss reports were used.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Exfiltration of client PII or financial records may invoke state breach-notification obligations — verify with counsel.
• Extortion payment contemplation may trigger cyber-insurance ransomware or extortion coverage notice requirements and pre-authorization conditions — verify with broker before any payment consideration.
• Breach of client confidentiality may constitute a material event under client engagement letters or data-handling agreements — verify with counsel.
• State bar rules of professional conduct regarding client notification of data security incidents may impose independent disclosure obligations — verify with counsel.
• If client data includes health information or financial account records, HIPAA or GLBA applicability may arise depending on client type — verify with counsel.