Accounting & law firms · checked July 2026
Cyber readiness for accounting and law firms.
A professional firm holds its clients’ most sensitive financial and legal records, and moves money on their behalf. That makes it a target twice over. This page shows what has actually happened to firms in Singapore, with sources, and how to show clients their data is safe. Forward it to your managing partner.
Readiness record · private issue
- Scheme
- CYBER ESSENTIALS
- Scope
- ACCOUNTING & LAW
- Consultant
- NAMED ON EVERY JOB
- Reviewed
- JUL 2026
Targeted twice over.
Two things make a professional practice attractive to an attacker, and neither is the size of the firm.
- The data is concentrated.
-
Full financial statements, tax records, M&A and litigation files, client identity documents. A firm holds the most sensitive records its clients have, protected by confidentiality duties that sit on top of the PDPA.
- The money moves through you.
-
Conveyancing completions, client accounts, escrow payments. A fraudster does not need to break your server for that, only to land one convincing email that changes the bank details on a transfer.
- The defences rarely match the files.
-
Most small practices run on a practice manager and an outsourced IT vendor. Attackers know the value of the files does not match the size of the defences, and CSA’s own data shows they act on it.
What has actually happened, with sources.
Every case here was publicly reported by a named source, the Singapore ones by the regulator or the police themselves. Nothing is embellished. Checked July 2026.
-
The Law Society of Singapore
Singapore · PDPC decision, 2023
In December 2020 a threat actor got into the Law Society’s IT administrator account and ran ransomware across its servers. PDPC found the admin password was easy to guess, had not been changed at reasonable intervals, and that no security review had been done in the three years before the attack. Personal data of 16,009 members and former members was affected, including NRIC numbers and residential addresses. PDPC held this a negligent breach of the Protection Obligation and directed a security audit; it did not impose a fine. The lesson is not the ransomware. It is that one unreviewed admin password was, on its own, enough to count as negligence.
Source: PDPC decision [2023] SGPDPC 4, published 11 May 2023 (pdpc.gov.sg).
-
Shook Lin & Bok
Singapore · ransomware, 2024
One of Singapore’s oldest and largest law firms detected a ransomware intrusion on 9 April 2024 and contained it within a day. The attacker was the Akira group, which targets small and medium-sized organisations. The Straits Times and Mothership, citing the incident tracker SuspectFile, reported the firm paid about S$1.89 million in bitcoin for decryption keys; the firm itself has not published a figure, and said there was no evidence the document management systems holding client data were affected. CSA and PDPC were notified. A top-tier firm with a real IT budget was still hit; a smaller practice faces the same playbook against a softer target.
Source: SuspectFile (May 2024); The Straits Times; Mothership.sg; firm statement via Asian Legal Business.
-
CSA names your sector
Singapore · national data, 2024
CSA’s Singapore Cyber Landscape 2024/2025 recorded a 21% year-on-year rise in reported ransomware cases for 2024, and found that SMEs in professional services, named as consulting, legal and accounting, were disproportionately targeted. Data encryption remained a preferred tactic in this sector due to its operational impact. That is Singapore’s own cyber agency naming small professional firms, not just big ones, as the pattern.
Source: CSA, Singapore Cyber Landscape 2024/2025, published 3 September 2025 (csa.gov.sg).
-
One spoofed email, US$42.3 million
Singapore · adjacent case, 2024
Not a professional firm: a Singapore commodities trader, included because the mechanism is the one that matters to you. In July 2024 the firm received an email from what looked like a regular supplier, one letter changed in the address, asking for payment to a new bank account. It wired about US$42.3 million (around S$56 million). Police, INTERPOL and Timor-Leste authorities recovered over US$40 million, and seven suspects were arrested. A spoofed change of bank details is exactly the fraud pattern the Law Society has repeatedly warned members about in conveyancing and client-account transfers.
Source: Singapore Police Force press release, 3 August 2024; INTERPOL press release, 2024.
Which mark first.
One at a time, in the order the asking usually arrives.
-
Cyber Essentials, first
The CSA baseline most tenders, bank panels and client due-diligence checks ask for. It closes the exact gaps behind this sector’s real incidents: guessable admin passwords, no MFA, no periodic review, untested backups.
-
Data Protection Essentials, for client data
The IMDA and PDPC baseline for handling personal data properly, which is what a client’s data-protection questionnaire is really asking about. It pairs naturally with Cyber Essentials, and the two share homework.
-
Then the staircase
Cyber Trust when enterprise clients, panels or insurers want more depth. ISO 27001 for firms serving MNC or cross-border clients who name it. The Data Protection Trustmark as the client-facing data-governance credential. Each mark reuses the last one’s evidence.
The Cyber Trust mark · ISO 27001 · Data Protection Trustmark
Ransomware can encrypt your business data and demand payment for its return. Reliable, tested backups are the most effective safeguard.
Ransomware lock up all your files, then ask you pay to get them back. Pay also might not return. Got proper backup? You just restore and carry on. No drama.
No law makes your firm certify. We say that first.
Nothing in the PDPA or your professional conduct rules requires an accounting or law practice to hold a cybersecurity mark today. The pressure is commercial: a tender clause, a bank panel review, a client’s due-diligence questionnaire, a cyber insurer at renewal. What a mark gives you is one checkable answer to all of them, instead of a bespoke security audit every time someone asks. And if nobody is asking you yet, we will say so plainly, and you can come back when they do.
Priced for a small practice, said in one sentence.
Cyber Essentials readiness: S$6,000, six days of work, up to 70% co-funded for eligible SMEs. That's the whole sentence.
The work is scheduled around client matters, not through them, and the documents we leave behind are written so a practice manager can maintain them without calling us every time something changes.
Talk to a consultant about your firmPlain answers
Our clients already trust us under confidentiality duties. What does a certification add?
The duty is yours already, under the PDPA and, for law practices, the professional conduct rules and the Evidence Act. A mark does two things the duty alone cannot: it makes the firm actually implement the controls, and it gives clients, panels and insurers an independently checkable answer instead of your own assurance. The Law Society case shows the gap between owing the duty and having the controls.
A tender, bank panel or client questionnaire is asking about our security. Which mark answers it?
Most tenders and panel reviews in Singapore ask for the Cyber Essentials mark, the CSA baseline. A data-protection questionnaire from a client usually points to Data Protection Essentials, the IMDA and PDPC baseline. Send us the clause or the questionnaire and we will tell you which one it is actually asking for, free, before you commit to anything.
Can PDPC really take action against a small firm like ours?
Yes. PDPC held the Law Society of Singapore itself in breach of the PDPA Protection Obligation after its ransomware attack, because an administrator password was easy to guess and had never been reviewed. There was no fine in that case, but the finding of negligence and the directions to audit sit on the public record. Notifiable data breaches must now also be reported to PDPC, so an incident cannot be quietly absorbed.
Which mark should we get first?
Cyber Essentials first, for most firms: it is the mark buyers actually name, and the work it requires covers the failure modes seen in this sector’s real cases. Pair it with Data Protection Essentials if you handle client personal data in any volume, since the two share homework. Cyber Trust and ISO 27001 sit further up the staircase, for firms with enterprise clients or cross-border work.
What does readiness cost, and what help is there?
Cyber Essentials readiness is S$6,000 and 6 days of our work, with up to 70% co-funding for eligible SMEs under CSA’s CISOaaS scheme once the consultant is CSA-onboarded; our onboarding application is in progress. CSA separately offers S$250 to S$650 towards the certification audit fee for a first certification. We check what your firm qualifies for, free, before any engagement.
Send us the clause. We'll send back the plan.
A named consultant reads what the tender, panel or client is actually asking for, and replies with a one-page plan and the whole price. Free.