For Solicitors, Accountants & Consultancies

One redirected invoice. £47,000 transferred to a fraudster. The client blamed the firm.

Business Email Compromise does not need a sophisticated attack. It starts with one intercepted email thread, one fake supplier invoice with new bank details, and one accounts team acting in good faith. By the time anyone checks, the transfer is irreversible.

Bulwark gives professional services firms the client confidentiality posture and invoice fraud prevention that stops it — and the documented evidence trail that protects your professional indemnity cover and regulatory standing if you ever need to demonstrate you had the right controls in place.

Illustration: a finance inbox receiving a message from a spoofed domain. With Bulwark: DMARC at reject. Spoofed emails blocked before delivery. Your domain cannot be used to defraud your clients or suppliers.
£27k: Average loss per successful Business Email Compromise attack on a UK SMB
72 hours: ICO window to report a personal data breach that is likely to result in a risk to individuals, counted from the moment you become aware of it
94%: Of cyberattacks begin with a phishing or spoofed email
21 days: Average attacker dwell time in an unprotected environment
The Three Threats

Professional services firms face three specific risks that other businesses do not.

You hold client data — financial records, legal documents, business strategies — that has inherent value to attackers. You handle payments and invoices on behalf of clients. And you operate under regulatory frameworks that treat a breach as a professional conduct matter, not just an operational inconvenience.

01. Invoice & Payment Fraud

An attacker monitors your email thread with a supplier or client. At the right moment — typically during an expected payment — they send a message from a spoofed domain with updated bank details. Your finance team has no reason to suspect it. The money leaves.

This is not a technology failure. It is a process that works exactly as intended, against you. The controls that prevent it are DMARC enforcement on your domain (so your address cannot be spoofed to defraud others) and an out-of-band verification step, a call to a number you already hold rather than one taken from the email, before any change of bank details is acted on.

Risk — Average loss £27,000. Rarely recoverable. Fix — DMARC at reject. SPF and DKIM correct. Domain locked.
02. Client Data Breach

A compromised inbox — through credential stuffing, a reused password, or a phishing link — gives an attacker full access to your client communications, financial records, and confidential documents. They may dwell for weeks before you know they are there.

Under UK GDPR, you have 72 hours from becoming aware of a breach to notify the ICO where the breach is likely to result in a risk to individuals. If the breach involves client data your clients entrusted to you, such as financial projections, legal matters or business strategies, you must also tell the affected individuals where the risk to them is high, and your contractual and professional obligations will normally require you to inform the clients themselves. The professional and reputational consequences are immediate.

Risk — ICO fine up to £17.5m or 4% of global annual turnover, whichever is higher. Client notification required. Fix — MFA enforced. 24/7 endpoint monitoring. Breach detection active.
03. Regulatory Scrutiny After an Incident

A security incident at a solicitor's firm triggers SRA scrutiny. At an accountancy practice, it may involve ICAEW or ACCA review. The question regulators ask is not just what happened — it is what controls you had in place and whether they were adequate for the nature of the data you held.

Firms that can produce documented evidence of their security posture — MFA logs, DMARC configuration, endpoint monitoring reports, backup records — close investigations faster and with fewer consequences. Firms that cannot are exposed to disciplinary proceedings and PI cover complications.

Risk — Professional conduct proceedings. PI cover implications. Fix — Monthly compliance reports. Timestamped evidence trail. Always ready.
Without the Right Controls

How an incident unfolds at a professional services firm with gaps in its security posture.

1. The account is compromised

An attacker gains access to a staff inbox — typically through a reused password, a phishing link, or a credential exposed in a third-party breach. MFA is not enforced, so the password is sufficient.

2. Undetected for 21 days, on average

Without monitoring of sign-ins, mailbox activity and endpoints, the attacker reads emails, identifies payment patterns, maps client relationships and locates sensitive documents. No alert is triggered. Your team continues working normally.

3. The breach is discovered, too late

A payment doesn't arrive. A client calls to query a suspicious email. Someone notices something. By then, data has been exfiltrated or funds have been transferred. The damage is already done.

4. The 72-hour ICO notification clock starts

If personal data was accessed, the clock starts when you become aware. Missing the window compounds the regulatory exposure. The question is whether you can demonstrate that you acted promptly and had adequate controls in place.

5. Regulatory body and PI insurer are involved

SRA, ICAEW, or ACCA are notified where professional obligations require it. PI insurer queries your security posture. Without documented evidence of your controls, the conversation is difficult.

Security Posture — Bulwark Managed Client (Compliant)
MFA enforced — all accounts, all devices: Enforced at the admin level. Not optional. A stolen password alone is not enough.
DMARC at reject — domain spoofing blocked: Your domain cannot be used to send fraudulent emails to clients or suppliers.
24/7 endpoint monitoring — all devices: 8-minute average response time. Anomalous behaviour flagged and contained, not discovered weeks later.
Daily backup — tested and recoverable: Client files backed up independently. Recovery tested. Ransomware cannot destroy your only copy.
Monthly compliance report — timestamped evidence: Written record of your security posture each month. Ready to present to the ICO, SRA, ICAEW or your PI insurer.

Without Bulwark — Typical Unmanaged Firm
MFA not enforced — staff opt in: Recommended in a policy document. No technical enforcement. Gaps exist.
DMARC not configured or set to none: Domain can be spoofed. Fraudulent emails appear to come from your address.
No endpoint monitoring in place: Average 21-day attacker dwell time. No alert. No visibility.
What Bulwark Actually Builds

Every technical control has a direct compliance and commercial counterpart.

Zero Trust means no user, no device, and no transaction is trusted by default — access is verified at every step. For a professional services firm, it means the security architecture of your practice matches the standard of care your clients assume you already have, your PI insurer expects, and the ICO may ask you to demonstrate.

Enforced MFA on Every Account

In professional services terms: no one accesses client files, financial records, or confidential communications without a second verification step. A compromised password is not enough.

Enforced at the Google Workspace Admin Console — not a policy recommendation, not optional for staff, not skippable on personal devices. Every account. Every login. Every access to client data. The ICO's guidance on appropriate technical measures lists MFA as a baseline control. Bulwark makes it a technical requirement, not an aspiration.

→ GDPR appropriate technical measures — access control baseline met

DMARC at Reject — Invoice Fraud Prevention

In professional services terms: no external party can send an email that appears to come from your firm's domain. The fraud chain that relies on impersonating your firm to redirect client payments or supplier invoices cannot begin.

DMARC, DKIM and SPF correctly configured, with the DMARC policy set to reject. This is the single most important technical control against domain spoofing in Business Email Compromise and invoice fraud. When an attacker attempts to spoof your domain, whether to redirect a client payment, to impersonate a partner or to issue fraudulent instructions, any receiving mail server that honours DMARC (the major providers all do) rejects the email before it is delivered. The fraud chain is broken at the first link. DMARC covers your exact domain only: mail from a lookalike domain, or from a supplier's genuinely compromised mailbox, passes authentication, which is why a call-back check on any change of bank details still sits alongside it.

→ Invoice fraud prevention — domain verified, spoofing blocked
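The weak posture described under threat 01 and in the comparison above ("DMARC not configured or set to none") beside the corrected "DMARC at reject", as an added example that is not Bulwark's code or tooling. It classifies a domain's DMARC and SPF posture from its DNS TXT records with the checks a practitioner runs before telling a client their domain is locked: exactly one DMARC record, p=reject applied to 100% of mail, subdomains no weaker than the organisational domain, a reporting address, and an SPF record that does not end in +all. The domains and records are constructed for the example and `lookup_txt()` stands in for a real DNS query; DKIM is deliberately not checked because it needs the selector names each sending service uses.

```python
"""Classify a domain's DMARC and SPF posture from its DNS TXT records.

Added example, not Bulwark's tooling. The domains and records below are
constructed for illustration; lookup_txt() stands in for a DNS query.
"""
from dataclasses import dataclass, field

# Constructed sample zone (hypothetical domains, not real ones).
SAMPLE_TXT = {
    # Weak: DMARC present but p=none, so spoofed mail is only reported, never blocked.
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:reports@weak.example"],
    "weak.example": ["v=spf1 include:_spf.google.com ~all"],
    # Corrected: reject for the domain and its subdomains, strict alignment, reporting on.
    "_dmarc.strong.example": [
        "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
        "rua=mailto:reports@strong.example"
    ],
    "strong.example": ["v=spf1 include:_spf.google.com -all"],
    # Unconfigured: no _dmarc record at all, and an SPF record that lets anyone pass.
    "open.example": ["v=spf1 +all"],
}


def lookup_txt(name):
    """Stand-in for a DNS TXT query; returns the constructed records above."""
    return SAMPLE_TXT.get(name, [])


def parse_tags(record):
    """Turn 'v=DMARC1; p=reject; pct=100' into {'v': 'DMARC1', 'p': 'reject', 'pct': '100'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


@dataclass
class Posture:
    domain: str
    dmarc_policy: str                 # 'reject', 'quarantine', 'none' or 'missing'
    at_reject: bool                   # p=reject, applied to 100% of mail, subdomains included
    findings: list = field(default_factory=list)


def assess(domain, lookup=lookup_txt):
    posture = Posture(domain, "missing", False)
    notes = posture.findings

    # DMARC: receivers only honour a single v=DMARC1 record at _dmarc.<domain>.
    dmarc = [r for r in lookup(f"_dmarc.{domain}") if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        notes.append("CRITICAL: no DMARC record; receivers apply no policy to spoofed mail")
    elif len(dmarc) > 1:
        notes.append("CRITICAL: multiple DMARC records; receivers treat this as no record")
    else:
        tags = parse_tags(dmarc[0])
        policy = tags.get("p", "none").lower()
        pct = int(tags.get("pct", "100"))
        sub = tags.get("sp", policy).lower()      # subdomains inherit p when sp is absent
        posture.dmarc_policy = policy
        if policy == "none":
            notes.append("CRITICAL: p=none is monitoring only; spoofed mail is still delivered")
        elif policy == "quarantine":
            notes.append("WARNING: p=quarantine junks spoofed mail instead of rejecting it")
        if pct < 100:
            notes.append(f"WARNING: pct={pct}; policy applied to only {pct}% of failing mail")
        if policy == "reject" and sub != "reject":
            notes.append(f"WARNING: sp={sub}; subdomains can still be spoofed")
        if "rua" not in tags:
            notes.append("INFO: no rua= address; no aggregate reports of spoofing attempts")
        posture.at_reject = policy == "reject" and pct == 100 and sub == "reject"

    # SPF: one v=spf1 record; its final 'all' mechanism decides unlisted senders.
    spf = [r for r in lookup(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        notes.append("WARNING: no SPF record; DMARC alignment then depends on DKIM alone")
    elif len(spf) > 1:
        notes.append("CRITICAL: multiple SPF records; SPF evaluates to permerror")
    else:
        tail = spf[0].split()[-1].lower()
        if tail in ("all", "+all"):
            notes.append("CRITICAL: SPF ends in +all; any server passes SPF for this domain")
        elif tail == "?all":
            notes.append("WARNING: SPF ends in ?all; unlisted senders are treated as neutral")
        elif tail == "~all":
            notes.append("INFO: SPF ends in ~all (softfail); -all is the stricter choice")
    # DKIM is not checked here: it needs the selector names used by each sending service.
    return posture


if __name__ == "__main__":
    for domain in ("open.example", "weak.example", "strong.example"):
        result = assess(domain)
        print(f"{domain}: DMARC p={result.dmarc_policy}, at reject: {result.at_reject}")
        for note in result.findings:
            print("  " + note)
```

To assess a live domain, replace `lookup_txt` with a resolver call (for example dnspython's `dns.resolver.resolve(name, "TXT")`, joining each answer's strings) and pass it as `lookup`; the findings list maps directly onto the Fix column above, and a domain only counts as locked when `at_reject` is true and no CRITICAL finding remains.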

24/7 Endpoint Monitoring — All Devices

In professional services terms: every device used to access client data — including staff laptops used at home — is monitored for behaviour that precedes a data exfiltration, account takeover, or ransomware event.

24/7 managed detection and response. Average response time: 8 minutes from anomaly detection to containment. The alternative is the industry average: 21 days of undetected attacker access to your client files, your financial records and your internal communications. The ICO clock only starts when you become aware, but by then the volume of data you must account for, and the conversation with your PI insurer, have grown well beyond a single mailbox.

→ GDPR appropriate technical measures — breach detection and response active

Daily Backup — Tested and Documented

In professional services terms: your client files, financial records, and business data are backed up independently every day. A ransomware attack cannot destroy your only copy. A hardware failure does not create a client data loss event.

AFI Backup configured for Google Workspace — all Drives, all Gmail, all Shared Drives. Daily backup. Documented recovery procedure. Recovery tested. For a professional services firm, a backup that has never been tested is not a backup — it is an assumption. Bulwark treats backup verification as a recurring monthly check, not a set-and-forget configuration.

→ Business continuity and GDPR data integrity — tested and evidenced
Get Started

A free 45-minute audit. A written report within 48 hours.

We run a 20-point manual security review — live in your admin console. You see every finding in real time. We score your posture out of 215 and deliver a written PDF report within 48 hours. No charge. No obligation. The audit alone is a useful document — whether you work with us or not.

Free audit. No contract required. Written report included.