An independent cybersecurity review of the largest law firms in the United States (AmLaw 100 firms, including Kirkland & Ellis, Latham & Watkins, and Skadden, that handle M&A, litigation, and client funds across every major practice area) reveals a surprisingly wide range of results. These organizations handle sensitive customer and financial data at national scale, yet several show the same email-authentication gaps found at much smaller regional institutions.
Using data from audit.emailmenow.com, we evaluated each firm’s primary domain across email, website, and network security — including SPF, DKIM, DMARC, MTA-STS/TLS, and security headers.
In this national audit, scores ranged from 84% to 38% — 7 of 18 (39%) scored below 60%.
Cybersecurity Scores of Law Firms
Overall compliance scores from audit.emailmenow.com. Re-run any domain at the link to verify.
| Rank | Law Firm | Domain | Overall Score | Performance Level |
|---|---|---|---|---|
| 1 | White & Case | whitecase.com | 84% | Strong |
| 2 | Paul Weiss | paulweiss.com | 75% | Strong |
| 3 | Wachtell Lipton | wachtell.com | 74% | Strong |
| 4 | DLA Piper | dlapiper.com | 70% | Strong |
| 4 | Akin Gump | akingump.com | 70% | Strong |
| 6 | Latham & Watkins | lw.com | 64% | Above Average |
| 7 | Baker McKenzie | bakermckenzie.com | 63% | Above Average |
| 8 | Fenwick & West | fenwick.com | 61% | Above Average |
| 9 | Kirkland & Ellis | kirkland.com | 60% | Above Average |
| 9 | Morgan Lewis | morganlewis.com | 60% | Above Average |
| 9 | Cleary Gottlieb | clearygottlieb.com | 60% | Above Average |
| 12 | Wilson Sonsini | wsgr.com | 58% | Average |
| 13 | Skadden | skadden.com | 54% | Below Average |
| 13 | Sidley Austin | sidley.com | 54% | Below Average |
| 13 | Cooley | cooley.com | 54% | Below Average |
| 16 | Gibson Dunn | gibsondunn.com | 44% | Weak |
| 17 | Sullivan & Cromwell | sullcrom.com | 39% | Weak |
| 18 | Jones Day | jonesday.com | 38% | Weak |
What the Results Reveal
- Scores range from 84% (White & Case) down to 38% (Jones Day) — White & Case (84%), Paul Weiss (75%), and Wachtell (74%) lead the AmLaw field.
- Several global elite firms trail boutique peers: Jones Day (38%), Sullivan & Cromwell (39%), and Gibson Dunn (44%) score well below DLA Piper (70%) and Akin Gump (70%).
- The gap from top to bottom is 46 points — revenue rank and prestige do not predict email hygiene.
- Without an enforced DMARC policy, criminals can spoof a firm’s own domain to phish clients or redirect trust-account wiring instructions.
Why This Matters for Law Firms
AmLaw 100 firms are bound by ABA ethics obligations, state bar cybersecurity guidance, and client contractual security requirements. Email authentication (SPF, DKIM, and an enforced DMARC policy) is the single highest-impact control against client phishing, trust-account wire fraud, and business email compromise during closings and litigation.
Check any firm’s posture at audit.emailmenow.com/?industry=law-firms.
Recommendations
- Enforce DMARC (p=reject), strict SPF (-all), and DKIM signing.
- Add MTA-STS and website security headers.
- Adopt verified call-back procedures for any change to payment or wiring instructions, and train customer-facing staff.
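The SPF and DMARC settings recommended above can be verified from a domain's published TXT records. The Python sketch below is an added example, not the audit tool's code or part of the original page; the sample records, the reserved `.example` domain names, and the grade labels are constructed for illustration, and DKIM and MTA-STS are left out because checking them needs a selector and an HTTPS policy fetch.

```python
# Constructed sample TXT records (not real lookups) on reserved example names.
SAMPLES = {
    "enforced.example": ("v=spf1 include:_spf.mail.example -all",
                         "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example"),
    "monitoring.example": ("v=spf1 include:_spf.mail.example ~all",
                           "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example"),
    "partial.example": ("v=spf1 ip4:192.0.2.10 -all", "v=DMARC1; p=reject; pct=25"),
    "absent.example": (None, None),
}

def grade_spf(txt):
    """Classify an SPF record by the qualifier on its 'all' mechanism."""
    terms = (txt or "").lower().split()
    if not terms or terms[0] != "v=spf1":
        return "missing"
    for term in terms[1:]:
        if term.lstrip("+-~?") == "all":
            return {"-": "strict", "~": "softfail", "?": "neutral"}.get(term[0], "pass-all")
    # No 'all': neutral by default, unless redirect= hands evaluation to another record.
    return "redirect" if any(t.startswith("redirect=") for t in terms) else "neutral"

def grade_dmarc(txt):
    """Classify a _dmarc TXT record; only p=reject on 100% of mail is 'enforced'."""
    tags = {}
    for part in (txt or "").split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        return "missing"
    policy = tags.get("p")
    if policy not in ("quarantine", "reject"):
        return "monitor-only"  # p=none or unusable p: receivers are not asked to act
    if tags.get("pct", "100") != "100":  # pct defaults to 100 when absent
        return "partial"
    return "enforced" if policy == "reject" else "quarantine"

def audit(samples):
    """Return {domain: (spf_grade, dmarc_grade, meets_recommendation)}."""
    results = {}
    for domain, (spf, dmarc) in samples.items():
        s, d = grade_spf(spf), grade_dmarc(dmarc)
        results[domain] = (s, d, s == "strict" and d == "enforced")
    return results

if __name__ == "__main__":
    for domain, result in audit(SAMPLES).items():
        print(domain, *result)
```

To grade a live domain, pass in the TXT strings returned for the domain itself (SPF) and for `_dmarc.<domain>` (DMARC) in place of the constructed samples.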
Protect your organization. Run a free Instant Cybersecurity Audit at audit.emailmenow.com/?industry=law-firms.
Contact EmailMeNow IT Consulting for help with client-trust email security hardening.
Source & methodology: Overall compliance scores from the free scan at audit.emailmenow.com — each domain checked for email authentication (SPF, DKIM, DMARC), transport security (MTA-STS/TLS), website security headers, and network security. Re-run any domain at the link to verify.