Cyber Security Policy

Last updated: 07/03/2026

1. Purpose

ACME Consulting is committed to protecting the confidentiality, integrity and availability of client information, legal files, trust account data and business systems. This Cyber Security Policy establishes the framework for managing cyber risk in a legal practice environment and supports compliance with professional obligations, privacy law and cyber-insurance expectations.

2. Who We Are

ACME Consulting is a legal practice providing litigation, dispute resolution and advisory services.

Contact:

Email: info@acmeconsult.com.au

Phone: +61 2 8076 6001

Address: Level 21, 133 Castlereagh Street, Sydney NSW Australia

3. Scope

This policy applies to:

  • The Principal
  • Paralegal staff and contractors
  • All firm devices and systems
  • LEAP practice management system
  • Microsoft 365 and OneDrive
  • Email systems
  • Trust account and financial workflows
  • Remote and office-based work

4. Cyber Risk Profile

As a litigation law practice that handles settlements, trust funds and confidential client information, ACME Consulting faces elevated risk of:

  • Email compromise
  • Payment redirection fraud
  • Ransomware attacks
  • Data breaches
  • Unauthorised system access

5. Governance and Responsibility

5.1 Principal

The Principal is responsible for:

  • Cyber risk oversight
  • Incident response decisions
  • Technology and vendor approval
  • Compliance with privacy and professional obligations

5.2 Staff and Contractors

All personnel must:

  • Follow this policy
  • Protect login credentials
  • Use systems securely
  • Report suspicious activity immediately

6. Core Security Principles

  • Client confidentiality and privilege protection
  • Least-privilege access
  • Verification before financial transactions
  • Secure-by-default technology
  • Continuous monitoring and improvement

7. Access Control

  • Unique user accounts required
  • Multi-factor authentication mandatory for:
    • Email
    • Microsoft 365
    • LEAP
    • Banking
  • Password requirements:
    • Minimum 14 characters
    • Not reused across services
    • Password manager recommended
  • Access removed immediately when engagement ends

8. Device Security

All devices used for firm work must:

  • Use encryption
  • Require passwords or biometrics
  • Automatically lock after inactivity
  • Run current software updates
  • Use antivirus/endpoint protection

Personal devices may only be used if secure and approved.

9. Email Security

Email is the firm's highest-risk channel for cyber attack.

Controls include:

  • Independent verification of payment instructions
  • Confirmation of bank detail changes via phone
  • Careful review of sender addresses
  • No opening of suspicious attachments

10. Trust Account & Financial Cyber Controls

Mandatory controls:

  • Phone verification of payment instructions
  • Verification of new bank details
  • No reliance solely on email
  • File note of financial confirmations
  • Approval processes for transfers where possible

11. LEAP Security

  • Access limited to authorised users
  • MFA enabled
  • Matter data not exported to personal systems
  • Periodic access review

12. Microsoft OneDrive & Cloud Systems

  • Client data stored only in firm-controlled folders
  • Restricted sharing permissions
  • No public file links
  • Backup enabled

13. Data Protection

  • Client information treated as confidential and privileged
  • No use of personal email for legal work
  • No storage on unencrypted USB devices
  • Secure disposal of electronic data

14. Remote Work Security

  • Secure Wi-Fi required
  • No use of public computers
  • Screens protected in public settings
  • VPN used where available

15. Third-Party Providers

Technology providers must:

  • Maintain appropriate cyber security
  • Protect client information
  • Limit data access

This includes:

  • LEAP
  • Microsoft
  • IT service providers

16. Artificial Intelligence and Technology Use

  • No uploading of confidential client data into public AI tools
  • De-identified data used where possible
  • Technology used responsibly and securely

17. Incident Response

17.1 Examples

  • Phishing attacks
  • Email compromise
  • Ransomware
  • Data breach
  • Unauthorised access

17.2 Immediate Response Steps

  1. Disconnect affected device
  2. Notify Principal
  3. Preserve evidence
  4. Contact IT/security support
  5. Assess data exposure
  6. Notify the bank if there is a financial risk
  7. Consider regulatory and client notifications

18. Data Breach Obligations

ACME Consulting will comply with:

  • Privacy Act 1988 (Cth)
  • Notifiable Data Breaches scheme
  • Professional conduct obligations

19. Backup & Business Continuity

  • Cloud backups enabled
  • Critical data stored securely
  • Recovery processes maintained

20. Training & Awareness

  • Annual cyber awareness training
  • Phishing awareness
  • Secure handling of client data
  • Trust payment fraud awareness

21. Cyber Insurance Readiness

This policy supports future cyber insurance applications by demonstrating:

  • Governance
  • Controls
  • Incident response capability
  • Staff awareness

22. Monitoring & Review

  • Annual policy review
  • Updates following incidents
  • Ongoing technology assessment

23. Compliance

Failure to comply may result in disciplinary action or termination of engagement.

24. Contact Us

ACME Consulting
Email: info@acmeconsult.com.au
Phone: +61 2 8076 6001
