Webinar Recap: Cyber Risk Assessments for Law Firms

👉 View the full webinar recording here.

On January 9th, we had the privilege of hosting a webinar on Cyber Risk Assessments for Law Firms. Greg Spicer, our Co-founder and CRO, moderated the session alongside guest speaker Arlan McMillan, CSO of a top 100 AMLaw law firm. The webinar provided insights on how law firms can approach cyber risk assessments with confidence and clarity.

We’d like to extend special thanks to ILTA (The International Legal Technology Association) for helping spread the word about this event. ILTA is the trusted global resource community for legal technologists, providing information, education, peer connections, and career support.

Poll Results: Cyber Risk Assessment Frequency

To kick off the webinar, we asked attendees how often their law firms conduct cyber risk assessments. Here's what they shared:

  • 32% perform assessments quarterly or more frequently.

  • 46% conduct them annually.

  • 14% only perform assessments when required by clients or regulations.

  • 7% have never conducted a formal cyber risk assessment.

Key Takeaways

  1. Shifting Risk Conversations to the Boardroom
    Arlan highlighted the importance of moving beyond technical, project-focused discussions to conversations that resonate with executive leadership and boards. Drawing on his experience as CSO at Kirkland & Ellis, he shared how framing risks as business impacts ensures better alignment, support, and resources.

  2. Using a Balanced Approach to Assess Risk
    Combining qualitative methods like NIST CSF with quantitative frameworks such as FAIR helps law firms measure risks effectively. Arlan shared how this blend provides a more complete picture of potential threats and informs smarter decisions.

  3. Focusing on What Matters Most
    Arlan demonstrated how tools like Ostrich’s Birdseye platform allow firms to identify their biggest risks and match them to the controls that provide the greatest impact. This ensures resources are used where they’re needed most, avoiding wasted time and effort on low-priority areas.

  4. Making Cyber Risk Relatable to Leadership
    Using examples like heat maps and financial impact models, Arlan shared how to present risks in a way that connects with business leaders. By tying cyber risk to financial and operational outcomes, CISOs can ensure their programs receive the attention and funding they deserve.
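As an added illustration of the quantitative side of takeaways 2 through 4 (this is example code written for this recap, not material from the webinar and not Ostrich's Birdseye platform code): a small FAIR-style calculation in Python that turns calibrated frequency and magnitude ranges into an annualized loss distribution, maps the point estimate back onto the qualitative heat-map cell a board is used to seeing, and ranks two candidate controls by return on security investment. The phishing scenario, the band thresholds, the control effectiveness figures and the control costs are all constructed assumptions for the demonstration.

```python
import random
from statistics import mean

# Assumed (constructed) thresholds for the qualitative heat map. A real firm
# calibrates these against its own loss tolerance and client requirements.
FREQUENCY_BANDS = [(0.1, "Low"), (1.0, "Medium"), (float("inf"), "High")]      # events / year
IMPACT_BANDS = [(50_000, "Low"), (500_000, "Medium"), (float("inf"), "High")]  # USD per event


def point_estimate_ale(lef_per_year, loss_magnitude):
    """FAIR top-level relation: risk (annualized loss expectancy) =
    loss event frequency x loss magnitude, using single-point estimates."""
    return lef_per_year * loss_magnitude


def _band(value, bands):
    # Return the label of the first band whose upper bound exceeds the value.
    for upper, label in bands:
        if value < upper:
            return label
    return bands[-1][1]


def heat_map_cell(lef_per_year, loss_magnitude):
    """Map a quantitative estimate back onto the (frequency band, impact band)
    grid so the same number can be shown qualitatively to leadership."""
    return _band(lef_per_year, FREQUENCY_BANDS), _band(loss_magnitude, IMPACT_BANDS)


def simulate_annual_loss(lef_range, lm_range, trials=20_000, seed=7):
    """Monte Carlo over calibrated (min, most likely, max) ranges.

    Each trial draws a loss event frequency and a per-event loss magnitude from
    triangular distributions and multiplies them. This is a simplification of a
    full FAIR run (which draws an event count and sums per-event losses), but it
    is enough to produce a loss distribution instead of a single number.
    Returns (p50, p90, mean) in USD per year.
    """
    rng = random.Random(seed)  # fixed seed so the figures are reproducible
    lef_min, lef_likely, lef_max = lef_range
    lm_min, lm_likely, lm_max = lm_range
    losses = sorted(
        rng.triangular(lef_min, lef_max, lef_likely) * rng.triangular(lm_min, lm_max, lm_likely)
        for _ in range(trials)
    )
    p50 = losses[int(0.50 * trials)]
    p90 = losses[int(0.90 * trials)]
    return p50, p90, mean(losses)


def control_rosi(ale_before, ale_after, annual_control_cost):
    """Return on security investment: expected loss removed per dollar spent,
    net of the control's own cost. Used to rank controls by impact rather
    than by how technically interesting they are."""
    loss_avoided = ale_before - ale_after
    return (loss_avoided - annual_control_cost) / annual_control_cost


if __name__ == "__main__":
    # Constructed scenario: credential phishing against an associate's mailbox.
    lef = (0.2, 0.5, 2.0)            # events per year: min, most likely, max
    lm = (20_000, 150_000, 900_000)  # USD per event: min, most likely, max
    p50, p90, avg = simulate_annual_loss(lef, lm)
    print(f"Phishing scenario: p50 ${p50:,.0f}  p90 ${p90:,.0f}  mean ${avg:,.0f} per year")
    print("Heat map cell for the most-likely estimate:", heat_map_cell(0.5, 150_000))

    # Compare two candidate controls on the same scenario (effectiveness and
    # costs are assumed figures, not benchmarks).
    ale_before = point_estimate_ale(0.5, 150_000)
    ale_mfa = point_estimate_ale(0.1, 150_000)        # assume MFA cuts frequency 5x
    ale_awareness = point_estimate_ale(0.4, 150_000)  # assume training cuts it 20%
    for name, ale_after, cost in [("MFA rollout", ale_mfa, 15_000),
                                  ("Awareness training", ale_awareness, 10_000)]:
        print(f"{name}: ROSI {control_rosi(ale_before, ale_after, cost):.2f}")
```

The p90 figure is the one worth putting in front of a board: it answers "how bad could a normal year plausibly be" in dollars, which a colour on a heat map cannot, while the heat-map cell keeps the familiar qualitative view alongside it.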

From the Q&A

The audience posed some questions, including how to budget cybersecurity spend as a percentage of IT costs and how to map risks efficiently. Arlan shared practical tips, emphasizing the need to use defensible data and focus on meaningful risk reduction strategies.

What’s Next?

View the full webinar recording here.

