When we sit down with a firm principal after an incident, the conversation almost always starts the same way. They've fixated on the most visible number — the ransom demand, the fraudulent wire, the data recovery quote. What they haven't yet processed are the costs that don't show up on an invoice for weeks or months.
Let's build a realistic picture of what a mid-scale incident actually costs a 10-person professional services firm.
The Full Cost Breakdown: A Realistic Scenario
Scenario: A ransomware attack on a 10-attorney law firm. Files encrypted across shared drives and workstations. Active client matters disrupted for approximately two weeks. Some client data confirmed exfiltrated prior to encryption. Cyber insurance policy in place with a $50,000 sublimit for IR costs.
| Cost Category | Realistic Range |
|---|---|
| Incident Response retainer / DFIR investigation | $25,000 – $60,000 |
| Legal counsel (breach notification, regulatory) | $15,000 – $40,000 |
| Forensic review of exfiltrated data for notification scope | $10,000 – $30,000 |
| Client notification (printing, postage, credit monitoring services) | $5,000 – $20,000 |
| System rebuild and recovery (hardware, labor, licensing) | $10,000 – $35,000 |
| Business interruption — lost billable hours during 2-week disruption | $40,000 – $120,000 |
| Regulatory fines (state AG, bar association, FTC if applicable) | $0 – $50,000+ |
| Reputational damage — client attrition over 12 months | Difficult to quantify; can be existential |
| Realistic Total (excluding attrition) | $105,000 – $355,000 |
That $50,000 cyber insurance sublimit covers roughly a third of the low end of the range. The rest comes directly from the firm.
The Hidden Costs That Hit Hardest
// Billable Hour Loss
For a 10-attorney firm billing an average of $350/hour with six billable attorneys, two weeks of disruption is roughly $168,000 in lost billings (six attorneys × $350/hour × 80 hours) — even if the attorneys are still working at reduced capacity. This is the single largest cost category in most ransomware incidents and the one least likely to be covered by cyber insurance.
// Client Notification Scope Surprises
Determining exactly which clients' data was accessed — and whether each state's notification threshold was triggered — requires a forensic review that takes weeks and costs tens of thousands of dollars. Many firms drastically underestimate this. If you hold client data across multiple states, each state's breach notification law may have different thresholds, timelines, and required notification content.
// The Insurance Coverage Gap
Cyber insurance policies have become much more restrictive since 2020. Many policies have sublimits on specific categories (ransomware payment, social engineering/BEC, IR costs) that are far below the headline coverage amount. Policies also have increasingly specific security requirement warranties — if you didn't have MFA on all remote access at the time of the incident, your carrier may deny the claim or reduce the payout.
A comprehensive M365 security assessment, incident response plan development, and ongoing monitoring from Black Tower Cyber costs a fraction of the low end of the incident cost range above — and is completable in weeks rather than months. The economics of prevention versus response are not close. The question for most firms isn't whether they can afford security. It's whether they can afford an incident.
The Reputational Cost Is the One Firms Can't Recover From
Client data breaches at professional services firms — especially law firms — damage the one asset the firm cannot rebuild quickly: trust. Clients whose confidential matters or financial data were exposed will leave. Referral sources who hear about the incident will send matters elsewhere. In a sector where reputation is the entire business model, a breach that becomes public knowledge can be existential for smaller firms.
The firms that survive incidents are the ones that respond transparently, demonstrate they had controls in place, and show clients a concrete remediation roadmap. The worst outcomes happen to firms that tried to handle it quietly, delayed notifications, and couldn't explain what happened or why.
Need help validating your environment? Book a consultation and Black Tower Cyber can review your exposure, identity controls, and incident readiness before attackers find the gap first.