Cybersecurity for Law and Accounting Firms in Brazil

Resposta direta

Law firms, accounting firms, agents and consultancies concentrate confidential data of many clients — cases under judicial secrecy, balance sheets, tax documents and sensitive personal data — which makes them high-value targets for BEC (invoice/transfer fraud), ransomware and leaks. Decripte unites the duty of professional confidentiality (OAB/CFC) with the obligations of LGPD (Law 13.709/2018) through a 24x7 SOC, incident response in under 1 hour, per-client access segregation and MFA. Start with the free diagnostic at decripte.com.br/intelligence-center.

Principais conclusões

  • Firms are high-value targets: they concentrate confidential data of dozens or hundreds of clients in a single environment, multiplying the impact of a single compromise and attracting BEC, ransomware and exfiltration.
  • Professional confidentiality is not optional: the OAB Statute (Law 8.906/1994) and the legal profession's Code of Ethics, and the Accountant's Code of Ethics (CFC Resolution 803/1996), impose a duty of safekeeping — a technical failure also becomes an ethical and disciplinary failure.
  • LGPD (Law 13.709/2018) applies in full: the firm acts as controller or processor of personal and sensitive data, with the obligation to adopt security measures (art. 46) and to notify incidents to the ANPD and data subjects (art. 48).
  • BEC is the most profitable fraud against firms: a compromised email redirects the payment of fees, court costs or transfers to the fraudster's account — prevention requires MFA, DMARC/SPF/DKIM and out-of-band verification of changes to bank details.
  • Ransomware has double extortion: it paralyzes the firm and threatens to publish the exfiltrated confidential documents — immutable backups, EDR and segmentation reduce the blast radius, aligned with NIST CSF and MITRE ATT&CK.
  • Start at no cost: Decripte's free Threat Management plan (decripte.com.br/intelligence-center) maps vulnerabilities, monitors threats and provides a team and AI 24x7 — a basis to progress to paid services according to size, from the MEI to the Enterprise.

Why law and accounting firms are priority targets

A law or accounting firm is, in practice, a vault of third parties' information. On a single network coexist petitions and evidence under judicial secrecy, strategic contracts, agreements under a confidentiality clause, balance sheets, tax returns, payrolls, bank details and personal documents of the clients' partners and employees. This concentration is exactly what attracts the criminal: compromising a small firm can yield access to dozens or hundreds of companies and individuals at once. In risk vocabulary, the firm is a supply-chain target — a single point whose fall brings down many. It is the same reasoning that makes vendors and service providers targeted as an entry point to larger targets.

Add to this the sector's operational profile. Firms work with fatal deadlines, frequent financial transactions (fees, court costs, client transfers, tax slips) and an intense flow of emails with attachments from external sources — clients, opposing parties, notary offices, public agencies. Each attachment is a potential vector for phishing and malware; each transfer is an opportunity for invoice fraud. The pressure for agility favors human error, which remains the main facilitator of incidents. The criminal exploits precisely that urgency: emails that imitate a judge, a client or the partner themselves, requesting immediate action, have a disproportionate success rate in high-pressure environments.

There is also a maturity aggravator. Many firms grew in legal and accounting structure without matching investment in technology and security. It is common to find email inboxes without a second authentication factor, file servers where any employee can see everyone's client folders, backups on the same machine that can be hijacked and the absence of any incident response plan. Frameworks like the NIST Cybersecurity Framework (CSF 2.0) organize this gap into functions — Govern, Identify, Protect, Detect, Respond and Recover — and make it evident that most firms operate strongly in 'Identify' regarding their own business, but weakly in protecting, detecting and responding to attacks.

What is at stake goes beyond the direct financial loss. At stake is professional confidentiality, which is the foundation of the relationship of trust between lawyer and client and between accountant and client. A leak of case strategy can ruin a case; the exposure of a balance sheet can destroy a negotiation or an IPO; the disclosure of data from a case under judicial secrecy can constitute a crime and disciplinary accountability. A firm's reputation is built over decades and can be destroyed by a single poorly handled incident. That is why, for this sector, cybersecurity is not an IT cost — it is business continuity and protection of the most sensitive asset that exists: trust.

Threat map: BEC, leakage of confidential data and ransomware

The financially most expensive threat for firms is BEC (Business Email Compromise). The scam unfolds in phases that correspond to tactics cataloged in MITRE ATT&CK: the criminal gains access to a legitimate email inbox (via phishing or a leaked credential), silently observes the communications for days or weeks (information gathering), learns the tone and the payment flows, and then intervenes at a real moment — replying to a fees or transfer email with new bank details, redirecting the payment to the fraudster's account. It is 'invoice fraud' in its most sophisticated form: there is no visible malware, only a message that looks authentic because it comes from a real account. In accounting firms, the classic variation is the fake request to change an account for payroll or tax payment.

The second category is the leakage of confidential data. It can occur through active exfiltration by an intruder, through social engineering, through a lost unencrypted device, through an email sent to the wrong recipient or through a malicious employee (insider). The exposed content is usually devastating: cases under judicial secrecy, sensitive personal data (health, biometrics, minors' data, convictions), defense strategies, tax and financial documents, trade secrets. Unlike an industry that loses 'operational data', the firm loses the trust of third parties who entrusted it with their most intimate matters — and each affected data subject has their own rights under LGPD, which multiplies the firm's legal exposure.

The third major threat is ransomware, today almost always operated in a double extortion model. Before encrypting the files, the criminal group copies (exfiltrates) the most sensitive documents; then it encrypts everything and demands a ransom. The victim faces two simultaneous pressures: the total paralysis of the operation (no access to cases, deadline calendar, accounting system, emails) and the threat of publishing the confidential documents on leak sites if the ransom is not paid. For a firm, missing a procedural deadline due to unavailability can cause irreparable harm to the client; and having documents published constitutes a breach of confidentiality. CERT.br and the incident response literature are unanimous: paying the ransom does not guarantee return or prevent publication, and it feeds the criminal ecosystem — which is why the correct defense is preventive.

Around these three major vectors orbit facilitating threats: phishing and spear-phishing (targeted bait emails, the entry point to almost everything), compromise of reused and leaked credentials, malware in attachments, attacks on the supply chain of legal/accounting software and the lack of access segregation, which turns any individual compromise into total compromise. Mapping this scenario in a structured way — and not reactively — is the first step. Decripte's free Threat Management plan (decripte.com.br/intelligence-center) does exactly this initial mapping of attack surface and monitoring, offering the firm an honest snapshot of its own risk before a criminal obtains it.

Gestão de Ameaças · Grátis

Os dados da sua empresa de advocacia e contabilidade já estão expostos? Descubra agora — de graça.

Sem cartão, sem compromisso. Descubra em minutos o que já vazou da sua empresa e qual é o seu risco real.

LGPD (Law 13.709/2018) applies in full to law firms, accounting firms, agents and consultancies, because all of them process personal data on a large scale. Depending on the operation, the firm acts as controller (when it defines the purposes, for example in managing its own clients) or as processor (when it processes data on behalf of a client who is the controller). In both roles, article 46 imposes the adoption of technical and administrative security measures capable of protecting the data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration and leakage. Article 47 extends the duty of security throughout the entire processing, including after its termination. There is no 'sector exemption': the legal or accounting core activity does not remove the data protection obligations.

When an incident occurs that may pose relevant risk or harm to data subjects, article 48 requires notification to the ANPD (National Data Protection Authority) and to affected data subjects, within a reasonable timeframe. The ANPD has already regulated the matter with content and deadline requirements for security incident notification, and it maintains sanctioning power that includes a warning, publicizing the infraction and a fine that can reach 2% of revenue, capped at R$ 50 million per infraction (art. 52). For firms, the notification has an extra dimension: many affected data subjects are clients — people and companies that entrusted their data — so the transparency required by the law intersects with the duty of loyalty and information of the professional relationship.

Above and beyond LGPD there is professional confidentiality, which for the sector is a central obligation and historically predates the data law. In the legal profession, confidentiality is a right and a duty foreseen in the OAB Statute (Law 8.906/1994) and detailed in the OAB Code of Ethics and Discipline, covering facts confided by the client and the inviolability of the firm and its communications; its violation is an ethical infraction subject to disciplinary proceedings, and judicial secrecy (art. 189 of the Code of Civil Procedure) imposes additional restrictions on access to case files. In accounting, confidentiality is in the Accountant's Professional Code of Ethics (CFC Resolution 803/1996) and in related rules of the Federal Accounting Council. The practical consequence is twofold: a technical leak at a firm generates not only exposure under LGPD, but also ethical and disciplinary accountability before the OAB or the CFC.

Much of the legal and ethical requirements can be translated into auditable technical controls using recognized standards. ISO/IEC 27001 offers an information security management system with controls for access, encryption, incident management and continuity; NIST CSF organizes the posture into governance and response functions; OWASP guides the protection of the applications and portals the firm uses; and MITRE ATT&CK and CERT.br anchor detection and response in real adversary tactics. Decripte works precisely on that bridge: turning the 'duty of confidentiality' and the 'duty of security' — abstract on paper — into concrete, measurable measures defensible before the ANPD, the OAB and the CFC.

How Decripte protects firms in practice

Decripte's implementation starts where the real risk is, not where theory suggests. The starting point is the free Threat Management plan (decripte.com.br/intelligence-center), which maps the firm's attack surface — domains, exposed emails, services published on the internet, credentials leaked in incident databases — and monitors threats continuously, with a team and artificial intelligence acting 24x7. In a few minutes, the firm moves from a diffuse perception of risk to an objective diagnosis: what is exposed, what has already leaked and where the priority vulnerabilities are. This free snapshot is the foundation on which you decide what to evolve.

From the diagnostic, the paid services address each layer according to size — from the MEI to the Enterprise, founded in 2019 and built to scale with the client. The 24x7 SOC monitors the environments full-time and correlates events to flag anomalous behavior (a login outside business hours, mass access to client folders, an email forwarding rule created by an intruder). Vulnerability Management identifies and prioritizes fixes based on real risk. Pentesting simulates the attack of an adversary to validate the defenses before the criminal does. Preventive/EDR installs detection and response on the endpoints, isolating an infected machine before the ransomware spreads. And Edge/WAF protects the portals and applications the firm exposes to clients.

In the direct fight against the sector's threats, Decripte implements specific controls. Against BEC, multi-factor authentication (MFA) is reinforced on all email inboxes, SPF, DKIM and DMARC are correctly configured to prevent domain spoofing, and the out-of-band verification rule is established for any change of bank details. Against ransomware, EDR is adopted, network segmentation to contain the blast radius and immutable, tested backups isolated from the main environment. Against leakage and the insider, per-client access segregation is applied — each employee sees only the folders and cases they need — combined with an audit log and the principle of least privilege, all aligned with ISO 27001 and NIST CSF.

On top of this technical base, LGPD/ISO Consulting and the CISO-as-a-Service service provide governance: data mapping, drafting of security and retention policies, a data protection impact report when applicable, a documented incident response plan and simultaneous adaptation to the professional confidentiality of the OAB and the CFC. For firms working with crypto and Web3 clients, there is also the specialized service. The result is a security posture that not only reduces the likelihood of an incident, but also produces the evidence of diligence that protects the firm before the ANPD and the professional councils should the worst happen — because demonstrating that reasonable measures were adopted is part of the defense.

Gestão de Ameaças · Grátis

Sua operação em advocacia e contabilidade aguenta um ataque hoje? Comece o diagnóstico gratuito.

Sem cartão, sem compromisso. Descubra em minutos o que já vazou da sua empresa e qual é o seu risco real.

Incident response with confidential documents: every minute counts

When the incident has already happened, the difference between a contained scare and a catastrophe lies in the speed and method of the response. Decripte offers Incident Response with engagement in under 1 hour, following the established handling cycle — preparation, identification, containment, eradication, recovery and lessons learned — aligned with NIST guidelines and CERT.br guidance. The first hours are decisive: it is in them that propagation is contained, forensic evidence is preserved and the intruder is prevented from expanding access or completing the exfiltration. Improvising at that moment, or shutting down machines without method, usually destroys the evidence needed to understand what leaked and to sustain the legal communication.

The first technical objective is containment without destruction of proof: isolate the compromised systems from the network, revoke credentials and active sessions, block malicious email forwarding rules and preserve logs and forensic images. In parallel, the investigation begins to answer the questions that matter to a firm: which clients were affected, which documents were accessed or copied, whether there is sensitive personal data or cases under judicial secrecy in scope, and by which vector the attack entered. This investigation is what sustains both the technical remediation and the subsequent legal decision-making.

The legal and ethical dimension runs in parallel with the technical one. Once the probability of relevant risk to data subjects is identified, the notification to the ANPD and to affected data subjects is organized under the terms of article 48 of LGPD, with the content and deadline required by the regulation. When the data belongs to the firm's clients, there is also the duty to inform them with transparency and loyalty, respecting professional confidentiality — and, as the case may be, to assess communication to the OAB or the CFC and the filing of a police report. Conducting this communication hastily, incompletely or late aggravates the situation both before the authority and before the client; conducting it in a structured way demonstrates diligence and mitigates accountability.

The final phase — recovery and lessons learned — restores the operation from trusted backups, validates that the intruder does not remain in the environment and corrects the root cause that allowed the incident. In firms paralyzed by ransomware, the restoration of critical deadline and case systems is prioritized to avoid irreparable harm to clients. Each incident is documented and converted into concrete control improvements, closing the cycle. This learning feeds back into the continuous monitoring of the SOC and the free plan, so that the firm emerges from the episode stronger than it entered — and with documented evidence that it acted correctly.

The other side of the counter: the client whose confidential data leaks

It is easy to treat firm security as an internal IT problem, but the true center of gravity is outside it: in the person or company that entrusted their most sensitive matters to the professional. When a confidential document leaks, the one who suffers the harm first is the data subject. It can be the individual whose health data, financial situation or family case was exposed; it can be the company whose defense strategy, balance sheet or negotiation fell into the hands of a competitor or an extortionist. For that client, the trust placed in the firm — the expectation that their data would be protected under confidentiality — was broken by a failure they did not commit and had no way to prevent.

The data subject's rights in this situation are concrete. LGPD assures them, among others, the right to be informed about the processing and about incidents that affect them (art. 18 and art. 48), to access their data, to demand correction and, as the case may be, deletion. The data subject may also seek reparation for material or moral damage resulting from the leak, and the controller or processor firm answers for it. For the individual client, the leakage of sensitive data can open the way to identity fraud, extortion, embarrassment and improper credit opening — harms that extend well beyond the day of the incident. That is why transparency and speed in communication are not just legal requirements: they are acts of respect for those who trusted.

There is a turning point that shifts the balance of power in the client's favor: they can and should ask how their firm protects their data. Ask whether there is MFA on email, whether accesses are segregated per client, whether there are backups and an incident response plan, whether there is LGPD adaptation and how professional confidentiality is technically operationalized. A firm that takes security seriously answers these questions naturally and with evidence; one that stumbles signals risk. This demand, coming from the clients themselves, is what most quickly raises the security maturity of the entire sector — because it turns data protection from an invisible cost into a visible competitive differentiator.

For firms that want to be on the right side of that conversation, the path starts simple and at no cost. Decripte's free Threat Management plan (decripte.com.br/intelligence-center) gives the firm, in minutes, the same snapshot a criminal would have of its risk — and the chance to fix it first. From there, the progression is proportional to size and risk appetite, from the MEI to the Enterprise, with a 24x7 SOC, incident response in under 1 hour, pentesting, EDR, WAF and LGPD/ISO consulting. Protecting the firm is, in the end, protecting each client who trusted it — and that is the only promise of confidentiality that holds up in the digital world.

Termos do setor

BEC (Business Email Compromise)
Fraud in which a criminal compromises or spoofs a legitimate email to redirect a real payment — fees, court costs, transfers, payroll or taxes — to the fraudster's account. It is the sophisticated form of 'invoice/transfer fraud': there is no visible malware, only a message that looks authentic because it comes from a real account. Defense: MFA, SPF/DKIM/DMARC and out-of-band verification of bank details.
Professional confidentiality
The ethical and legal duty to keep secret the facts and data confided by the client. In the legal profession, it is in the OAB Statute (Law 8.906/1994) and the Code of Ethics and Discipline; in accounting, in the Accountant's Code of Ethics (CFC Resolution 803/1996). Its violation generates disciplinary accountability before the OAB or the CFC, in addition to the consequences of LGPD. It is the foundation of the relationship of trust between the professional and their client.
Judicial secrecy
A procedural regime that restricts access to the files of certain cases to a limited number of people, foreseen in art. 189 of the Code of Civil Procedure, in situations such as public interest, privacy, family law and confidential arbitration. For the firm, it means the documents of these cases require reinforced protection — their leakage can constitute a crime and a breach of confidentiality, in addition to serious harm to the protected party.
MFA (Multi-Factor Authentication)
A mechanism that requires more than one factor to authenticate access — typically something you know (a password) combined with something you have (an app code, a token) or something you are (biometrics). It is the single control that most reduces account compromise, since it neutralizes leaked or stolen passwords. Essential in the firm's email, legal/accounting system, bank and file cloud.
Access segregation
The practice of ensuring that each user has access only to the data and resources strictly necessary for their work (principle of least privilege), instead of broad access to everything. In firms, it prevents a single compromised access — or a malicious insider — from exposing the entire client portfolio. Accompanied by an audit log, it is a central control of ISO 27001 and NIST CSF.
Sensitive personal data
A special category of personal data defined by LGPD (art. 5, II): information on racial or ethnic origin, religious conviction, political opinion, membership in a union or a religious/philosophical/political organization, health data, sex life, genetic or biometric data. Due to its potential for discrimination and harm, it receives stricter protection and legal bases — and it is exactly the type of data firms handle in cases and services.

Por onde começar

  1. Run the free diagnostic of your exposure: use the Threat Management plan at decripte.com.br/intelligence-center to map domains, exposed emails, already-leaked credentials and vulnerabilities, and establish an honest baseline of your risk before investing in any tool.
  2. Activate MFA (multi-factor authentication) on all email inboxes and critical systems — email, legal/accounting system, bank, file cloud. The second factor is the barrier that most reduces account compromise and neutralizes most leaked credentials.
  3. Harden email against spoofing and BEC: configure SPF, DKIM and DMARC on the domain, review and remove suspicious automatic forwarding rules, and train the team to be wary of urgent requests to change bank details.
  4. Implement the out-of-band verification rule: any change of bank account for the payment of fees, court costs, payroll or taxes must be confirmed through a channel other than email (a phone call to an already-known number), before executing the payment.
  5. Segregate access per client: apply the principle of least privilege so that each employee sees only the folders, cases and data they need, with an audit log — preventing a single compromised access from exposing the entire portfolio.
  6. Structure immutable, tested backups: keep copies isolated from the main environment, encrypted and out of reach of ransomware, and test restoration periodically — a backup that has never been restored is not a trustworthy backup.
  7. Document an incident response plan and engage fast response: define who triggers whom, how to contain without destroying evidence and how to notify the ANPD and data subjects (art. 48 of LGPD). Decripte's Incident Response responds in under 1 hour.
  8. Adapt to LGPD and professional confidentiality with continuous governance: do the data mapping, security and retention policies, and alignment with the OAB/CFC through LGPD/ISO Consulting or CISO-as-a-Service — turning the legal and ethical duty into auditable, defensible controls.

Perguntas frequentes

Does a law or accounting firm need to comply with LGPD?

Yes, in full. LGPD (Law 13.709/2018) applies to any organization that processes personal data, and firms process large volumes of personal and sensitive data of clients, partners and employees. The firm acts as controller (when it defines purposes, for example in managing its own clients) or as processor (when it processes data on behalf of a controller client). In both roles there is a duty to adopt security measures (art. 46) and to notify relevant incidents to the ANPD and data subjects (art. 48). The legal or accounting activity does not create an exemption; the professional confidentiality of the OAB and the CFC coexists with LGPD and reinforces it.

How do I prevent invoice fraud and transfer fraud (BEC)?

BEC is when a compromised (or spoofed) email is used to redirect a legitimate payment to the fraudster's account. The defense combines three layers. Technical: MFA on all email accounts and correct configuration of SPF, DKIM and DMARC to prevent domain spoofing. Process: the out-of-band verification rule — every change of bank details is confirmed by a phone call to an already-known number, never only by email. People: train the team to be wary of urgency and of new payment details. Decripte implements and monitors these defenses; the initial diagnostic is free at decripte.com.br/intelligence-center.

A case under judicial secrecy or a confidential document leaked. What do I do?

Engage incident response immediately, without shutting down machines any which way (that destroys evidence). The priorities are: contain (isolate systems, revoke credentials and sessions, block malicious email rules), preserve forensic evidence and investigate what was accessed or copied and which data subjects were affected. In parallel, assess notification to the ANPD and data subjects (art. 48 of LGPD), inform the affected clients respecting professional confidentiality and, as the case may be, notify the OAB/CFC and file a police report. Decripte's Incident Response responds in under 1 hour to conduct this process with method.

Isn't professional confidentiality enough? Why do I need cybersecurity?

Professional confidentiality is an ethical and legal obligation (OAB Statute, Law 8.906/1994 and Code of Ethics; Accountant's Code of Ethics, CFC Resolution 803/1996), but it is a duty, not a technical protection. It says you must keep the secret; it does not prevent ransomware from encrypting your files, a compromised email from leaking documents or an improper access from copying a client's folder. Cybersecurity is what makes confidentiality effective in the digital world: MFA, access segregation, EDR, backup and monitoring are the controls that fulfill, in practice, the promise of confidentiality that the duty requires.

How much does it cost to protect a small firm? Is there a free option?

Yes. Decripte offers the free Threat Management plan (decripte.com.br/intelligence-center), which maps vulnerabilities, monitors threats and provides a team and artificial intelligence 24x7 — a real starting point, at no cost, ideal for small firms and agents to begin understanding and reducing their own risk. From there, the paid services scale according to size and risk appetite, from the MEI to the Enterprise. The model avoids the common mistake of buying expensive tools before knowing where the risk is: first you diagnose for free, then you invest in what matters.

How do I prevent an employee from seeing all clients' data?

By applying access segregation with the principle of least privilege: each person sees only the folders, cases and data they need for their work, and each access is recorded in an audit log. This drastically reduces the impact both of a malicious employee (insider) and of a credential compromise, because a single hacked account no longer grants access to the entire portfolio. It is a control foreseen in ISO 27001 and NIST CSF, and Decripte structures its implementation in the email, the file cloud and the firm's legal/accounting systems.

Ransomware paralyzed the firm. Should I pay the ransom?

The consolidated guidance of CERT.br and incident response practice is not to pay: payment does not guarantee the return of the data or prevent the publication of the exfiltrated documents (double extortion), and it finances crime. The correct response is technical and legal: engage incident response to contain and investigate, restore the operation from immutable, tested backups, notify the ANPD and data subjects when applicable and correct the root cause. The best defense, however, is preventive — EDR, segmentation and isolated backups prevent the attack from reaching the ransom point. Decripte covers prevention and response.

Planos indicados para Advocacia e Contabilidade

Serviços da Decripte mapeados para as ameaças e regulamentações do seu setor — do diagnóstico gratuito ao SOC gerenciado.

A Decripte implementa a segurança do seu setor — sem você montar um time interno.

Pentest, SOC 24x7, resposta a incidentes e conformidade, com SLA e relatórios executivos. Ou comece de graça vendo o que já vazou da sua empresa.