Free · About a week, start to finish

Your firm's cybersecurity, mapped against what carriers and the ABA actually require.

A 12 to 16 page written PDF, branded to your firm and mapped to NIST CSF 2.0 and ABA Model Rule 1.6(c). It shows where your firm passes and where it would fail an insurance audit, before you submit one. Built from a short questionnaire and a brief governance interview — not a 30-minute form alone.

Written, branded, and framework-mapped. Yours to keep.
No sales pitch in the document. Just the findings.
Free whether you hire us or not.

Start your Readiness Report

CyberSuite Readiness Report

Against the Law Firm Cyber Framework v2.0

Sample LLP

Assessment date: May 25, 2026

Engagement ID ENG-20260524-sample-llp-7a3f

Executive summary

Firm: Sample LLP
Primary contact: Margaret Whitcombe, Managing Partner
Report date: May 25, 2026
Report type: CyberSuite Readiness Report
Report version: v2.0
Engagement ID: ENG-20260524-sample-llp-7a3f

This report presents Sample LLP’s posture against the Law Firm Cyber Framework v2.0 as of May 25, 2026. The firm has invested in foundational tools — endpoint protection is deployed, immutable backup runs nightly, and Multi-Factor Authentication is enforced for partners and most staff — but documentation gaps and uneven coverage across personal devices and governance controls would surface in a current cyber insurance application.

Of the 22 controls assessed, the firm passes 9, partially satisfies 7, and has gaps in 6. The gaps that matter most before a renewal submission are written policy, vendor due diligence, patch management, and a written incident response plan with a tested tabletop. None require new tooling; all are addressable in 30 to 60 days.

Overall posture

9 PASS 7 PARTIAL 6 GAP

Headline finding: the firm has 6 documentation and process gaps to address before submitting a cyber insurance application.

Next step: a 45-minute walkthrough with the firm’s managing partner and administrator to align on remediation owners and sequence.

Sample LLP Page 2 of 8 v2.0

The framework

Framework explainer — condensed for this preview; the actual deliverable runs 3 pages per §3.1.5.

The Law Firm Cyber Framework v2.0 is a 22-control set crosswalked to the standards a tri-state law firm is measured against: NIST CSF 2.0, CIS Controls v8 IG1, ABA Model Rule 1.6(c), GLBA Safeguards Rule, and the Cyber Insurance Baseline. Controls also reference the data-breach statutes in NJ, NY, PA, and CT where applicable.

The 22 controls, grouped per Section 2 §2.1

Governance

C-01, C-02, C-03 — 3 controls

Identity & Email

C-04, C-05, C-06, C-07 — 4 controls

Operational & Technical

C-08 through C-22 — 15 controls (endpoint, data & backup, people & vendor, incident readiness)

Each control receives one of three findings: PASS, PARTIAL, or GAP. No numeric score, no percentage gauge — the three-state model matches how carriers and the ABA standard read evidence.

Sample LLP Page 3 of 8 v2.0

Findings by control family

Selected findings (excerpt) — the full report walks all 22 controls with evidence citations.

Governance family

GAP

C-01 — Written Information Security Program

No documented WISP. Required by NY SHIELD Act and ABA Model Rule 1.6(c). A productized CyberSuite WISP template is planned for v1.3.0; in the interim, the WISP itself is firm-led.

Identity & Email family

PARTIAL

C-04 — Multi-Factor Authentication on Email and Identity

Enforced for all partners and 31 of 35 staff. Four staff accounts grandfathered without MFA; carrier baseline requires 100% (required by Cyber Insurance Baseline).

Operational & Technical family

PASS

C-08 — Managed Endpoint Detection & Response

Managed endpoint detection and response with 24/7 SOC validation deployed across all 38 endpoints. Last 90-day triage volume reviewed.

PASS

C-12 — Backup Coverage

M365 mailboxes, SharePoint, and OneDrive backed up nightly to immutable cloud storage; 30-day retention verified.

PARTIAL

C-11 — Personal Device Access Controls

BYOD policy exists informally; no MDM or conditional access enforcement on the ~22 personal phones receiving firm email.

Incident Readiness family

GAP

C-21 — Written Incident Response Plan

No written incident response plan; no tabletop exercise on record (required by Cyber Insurance Baseline). NJ/NY/PA/CT notification statutes also flow from incident response capability.

Sample LLP Page 5 of 8 v2.0

Gaps requiring attention

Ordered by Cyber Insurance Baseline materiality. PARTIAL and GAP findings only; PASS findings are not repeated here.

GAP

C-21 — Written Incident Response Plan

Action: Adopt firm-led IRP (productized CyberSuite template planned v1.3.0). CyberSuite delivers the first tabletop within 30 days at Defense and above.

PARTIAL

C-04 — Multi-Factor Authentication on Email and Identity

Action: Enforce MFA on the 4 grandfathered staff accounts; document tenant policy.

Remediation owner: CyberSuite Engineer

GAP

C-01 — Written Information Security Program

Action: Adopt firm-led WISP (productized CyberSuite template planned v1.3.0); partnership sign-off; review annually.

Remediation owner: Firm operations lead

GAP

C-09 — Patch & Vulnerability Management

Action: Establish patch SLA (Critical 7 days, High 30 days, Standard 60 days); evidence reporting (firm-led; not currently included in any CyberSuite plan).

PARTIAL

C-11 — Personal Device Access Controls

Action: MDM or conditional access on M365 personal devices; written BYOD policy.

Sample LLP Page 6 of 8 v2.0

Recommendations and tier mapping

How each CyberSuite tier addresses this firm’s gaps. Informational — tier recommendation happens in the proposal call.

Control	Current	+ Standard	+ Defense	+ Sentinel
C-04	PARTIAL	PARTIAL	PARTIAL	PARTIAL
C-07	GAP	GAP	PASS	PASS
C-09	GAP	GAP	GAP	PARTIAL
C-11	PARTIAL	PARTIAL	PARTIAL	PARTIAL
C-21	GAP	GAP	PASS	PASS
C-22	PARTIAL	PARTIAL	PASS	PASS

Pattern: Defense closes 3 of this firm’s most material gaps (C-07 awareness training, C-21 incident response plan, C-22 continuous monitoring). Sentinel adds partial coverage on C-09 patch management via SaaS posture monitoring. Governance gaps (C-01, C-03, C-18) remain firm-led across all tiers.

Sample LLP Page 7 of 8 v2.0

What happens next

1 45-minute walkthrough. Managing partner and administrator. We walk every PARTIAL and GAP finding, name the remediation owner, and answer questions. No sales pitch in the meeting.
2 Proposal call (optional). If you would like CyberSuite to close the gaps, we present a tier recommendation grounded in this report.
3 14-day onboarding. If we proceed, day 1 kickoff to day 14 live. The first month is included in the onboarding fee and used for stabilization.
4 Or remediate independently. The report is yours to keep. Many firms use it with their existing IT to close the gaps themselves.

Scope and limitations

This is the CyberSuite Readiness Report defined in §3.1, produced under framework system v2, control library framework-system-v2-section-2.md v1.0.2 (content v2.0), against the Law Firm Cyber Framework v2.0.

Tracks completed: Track A (Assessment) and Track B (governance interview).

This report presents the firm’s posture or plan at the date stated above, as measured against the framework system defined in framework-system-v2-section-1.md and framework-system-v2-section-2.md. It is not a certified audit, a penetration test, a guarantee of insurability or of bar compliance, or legal advice. Decisions about insurance coverage, regulatory compliance, and incident response remain the responsibility of the firm and its advisors.

Report version v2.0 · Generated May 25, 2026

Questions: CyberSuite Account Manager — sales@cybersuite.tech

Sample LLP Page 8 of 8 v2.0

Page 1 of 8

How it works

Four steps. About a week, start to finish.

Questionnaire (20-30 min)

Online. You or your firm administrator answers it in about half an hour. No technical jargon. No homework.

Governance interview (45-60 min)

A short conversation that covers the three controls a questionnaire can't honestly score on its own: information security policy, roles and responsibilities, and risk management.

Written report delivery

A 12 to 16 page PDF in your inbox, branded to your firm and mapped to NIST CSF 2.0 and ABA Model Rule 1.6(c).

45-minute walkthrough

Optional. We walk through the report with you and your administrator. No pressure to engage CyberSuite. Many firms use the report independently.

What's in the report

The 22-control framework, in three categories.

Crosswalked to NIST CSF 2.0, CIS Controls v8 IG1, ABA Model Rule 1.6(c), GLBA Safeguards Rule. Each control receives a PASS, PARTIAL, or GAP finding, with the evidence that finding rests on.

Governance

Example controls

C-01 Written Information Security Program
C-02 Periodic Risk Assessment
C-03 Roles and Responsibilities

Identity & Email

Example controls

C-04 Multi-Factor Authentication on Email and Identity
C-05 Password Hygiene
C-06 Email Threat Protection
C-07 Security Awareness Training & Phishing Simulation

Operational & Technical

Example controls

C-08 Managed EDR
C-12 Backup Coverage with restore testing
C-21 Written IRP & Tabletop
C-22 Continuous Security Monitoring

How findings are scored

PASS PARTIAL GAP

No numeric scores. No percentage gauges. No compliance theater. Each control is one of three states, with the evidence and the gap stated plainly.

Start your Readiness Report

Two ways in. Pick the one that fits.

Ready now

Start the assessment.

The assessment is a 20-30 minute online questionnaire. After you finish it, we schedule a 45-60 minute governance interview and deliver the 12 to 16 page written report about a week later.

Start the assessment →

Firm name, contact, and role are collected at the start of the questionnaire — no separate sign-up step.

Not ready right now?

Send me the 12-point checklist instead.

A one-page cyber insurance readiness checklist you can run on your own firm. No follow-up sales sequence. The checklist is yours.

Either way, the deliverable is yours to keep whether you hire us or not.

Yours to keep.

You take the report whether you hire us or not. We would rather you leave with a written, framework-mapped view of where your firm stands than a sales pitch.