For Professional Services

Confidentiality isn't aspirational.
Neither is the security questionnaire your biggest client just sent.

We do information security and AI governance for the firms whose product is judgment, advice, and client trust — law firms, accounting practices, consulting and advisory firms, RIAs, and financial professionals where one breach is one too many.

Built for: 5–500 professionals
Posture: SOC 2-friendly
Output: Regulator-ready docs
Where most firm leaders are

Three places we usually find people.

If one of these sounds familiar, you're not alone. Most professional services firms walk into our office because of a procurement email, an ethics question, or a near-miss at a wire desk.

01

Your biggest client sent a 30-page security questionnaire.

Procurement attached it to the renewal. Half the answers are "we'll get back to you," half are guesses, and the deadline is Friday. The client representative is friendly. The questionnaire is not. You can tell a real answer from a hopeful one — and so can they.

02

An AI tool quietly entered your practice.

Maybe it's contract drafting. Maybe it's research summaries. Maybe a paralegal pasted a privileged document into a tool whose terms of service nobody read. The work is genuinely better. The ethics rules haven't moved, and your engagement letters don't say what you'd want them to say if a client asked.

03

A wire transfer almost went to the wrong account.

A spoofed email. A timing coincidence. Someone's good instinct caught it at the last step. You don't want "almost" to be the policy. The next one might not have a happy ending — and the carrier renewal is asking pointed questions about what happened.

What we actually do

Six concrete pieces of work. Done in plain language.

Compliance vendors love acronyms. Clients want to see receipts. Your ethics rules want both. We translate among all three.

Client security questionnaire response.

We draft the answers your enterprise clients can verify, with the underlying documentation that backs each line. So you can return the questionnaire on time, accurately, and without a junior associate guessing what "logical access controls" means.

AI governance for client work.

Which AI tools your team can actually use on confidential matters, what your engagement letters should say, what your conflicts process should ask. Practical answers your partners can defend, not a 60-page policy nobody will read.

Wire fraud prevention & response.

Multi-channel verification, BEC training that survives a busy week, controls on the wire desk that don't require courage to follow. And when "almost" stops being almost — we know what to do, who to call, and how to get the money back if there's any chance.

Document retention & e-discovery readiness.

Retention policies that match your practice areas, not generic templates someone bought off the internet. ESI handling, legal-hold workflows, and a paper trail your clients' counsel can verify if they ever need to. Discovery shouldn't be a fire drill.

SOC 2 / ISO 27001 readiness.

When you actually need it for sales. When you don't. What it really requires versus what your auditor's brochure said. We sit on your side of the table — if a Type II report unlocks revenue, great; if it doesn't, we'll tell you that too and save you the cycle.

Cyber insurance renewal support.

Answering the questionnaire so the answers earn the renewal. We've sat in calls with brokers and underwriters — we know which line items move premium, which create exclusions, and which require a phone call before you submit anything in writing.

How we work

Three things you won't get from a commodity IT shop.

01

We understand professional ethics rules, not just IT controls.

Privilege. Conflicts. Confidentiality obligations that survive an engagement. Bar advisory opinions on AI. AICPA guidance. SEC rules for advisors. The control catalog matters, but it's the second thing — the first is whether what you're doing is consistent with the rules of your profession. We start there.

02

We design controls that fit billable-hour reality.

If a control breaks the workflow, it gets bypassed at the worst possible moment. We build controls that survive a partner's bad day, a deadline week, and the moment a client calls and needs the file in fifteen minutes. Compliance that breaks the work doesn't last.

03

We've sat in client procurement calls.

When your enterprise client wants to "talk to your security team," that's us. We know which questions to expect, which answers earn the engagement, and which ones quietly cost you the next renewal. Worth more than another PDF policy in the folder.

Questions we get every week

The questions firm leaders actually ask us.

Bring better questions to the readiness call and we'll go further. These are the starters.

Do we actually need SOC 2?
Sometimes. SOC 2 is genuinely useful when an enterprise client is making it a buying requirement, when you're selling into regulated industries, or when you handle data on behalf of customers who are themselves audited. It's overkill for many smaller firms. We sit on your side of the table and tell you whether it's worth the effort. If it isn't, we can usually get you to "the answer the questionnaire wants" with a security program that's significantly less expensive.
Can our team use ChatGPT for client work?
Depends on the tier and the matter. Free or personal-tier ChatGPT generally trains on inputs and is a confidentiality problem for client work. ChatGPT Enterprise (or equivalent enterprise-tier offerings from other vendors) typically doesn't train on inputs and has stronger data handling — but the BAA, the engagement letter, and your conflicts process all need to align. Most firms end up with a "yes, here, with these guardrails" answer rather than a blanket yes or no.
What about purpose-built AI tools for legal or accounting research?
More defensible than general chat tools — but not automatically safe. Look at the data handling terms, the training disclosures, where the model runs, and what happens to your queries. Some are genuinely well-built for confidential work. Some are wrappers around the same general models with a thin veneer of branding. The diligence is worth it before the firm standardizes on one.
A wire transfer didn't go through. What do we do?
Within hours, you may have options. Within a day, you have fewer. Beyond a week, the money is usually gone. We've handled BEC incidents from "we caught it in time" to "we have a wire that landed and now we need to recover it." The first calls — to the bank, to the FBI's IC3, to your insurance carrier — matter enormously, and the order matters. If this is happening right now, book the call as an emergency call, not as a sales conversation.
What's the difference between confidentiality and privilege, technically?
Confidentiality is your professional obligation to your client — broad and ongoing. Privilege is a legal protection against compelled disclosure that applies in specific contexts (attorney-client communications, work product doctrine, accountant-client privilege in some jurisdictions). The technology angle: introducing a third party (like an AI vendor) into a privileged communication can in some cases waive the privilege, even if you've also met your confidentiality obligations. The waiver risk is what makes the AI question more than just a security question.
What does this actually cost?
A real ongoing security program for a professional services firm — risk analysis, policies, training, BAA management, vendor governance, breach readiness — typically runs $20–100k/year depending on size. The implementation engagement that gets you from "we have a folder somewhere" to "we have a defensible posture" runs $30–150k. SOC 2 Type II adds materially on top. We quote our piece on the call so you have real numbers before committing.