Law Firm Cyber Insurance in 2026: The Underwriting Checklist That Decides Whether a Claim Gets Paid
Alexander Sverdlov
Security Analyst

Key Takeaways
- A cyber insurance application is an underwriting questionnaire that doubles as a warranty. Inaccurate answers do not just embarrass you later; they give the carrier a clean reason to deny the claim or rescind the policy.
- Carriers now treat multi-factor authentication, endpoint detection and response, tested offline backups, and email filtering as table stakes. A firm that cannot attest to all four is increasingly uninsurable at a reasonable price.
- The coverage that matters most to law firms is often the most restricted: social engineering and funds transfer fraud are usually written as a sublimit far below the headline policy limit.
- Cyber insurance and ABA Model Rule 1.6 solve different problems. Insurance transfers financial loss; it does not transfer the ethical duty to make reasonable efforts to protect client information.
- The single highest-leverage move before a renewal is an independent security review that lets you answer every application question accurately and, where needed, lets you fix the gap before you sign.
- Premium is negotiable through evidence. Firms that document their controls and hand the underwriter a clean assessment routinely secure better terms, higher sublimits, and lower retentions than firms that submit a bare application.
A managing partner of a fourteen-attorney firm forwarded us her cyber insurance renewal packet in the spring. Her voice on the call had the particular tightness of someone reading a document she thought she understood and discovering she did not.
Three things had changed since the prior year. The premium had nearly doubled. The coverage for ransomware was now capped at half of the headline policy limit rather than the full amount. And there was a new sentence, set in the same plain type as everything around it, stating that coverage for any loss involving email compromise would not apply unless multi-factor authentication was enforced on all email accounts at the time of the loss. She had signed last year's application in about four minutes between two client calls. She had ticked the box that said the firm enforced multi-factor authentication everywhere. It did not. It enforced it for the two partners who had asked for it.
Her two questions were the right ones. Was the renewal quote a fair price for what it covered? And, more urgently, if something happened next week, was the firm actually covered today? The honest answer to the second question was that the policy she was holding had a defensible path to paying nothing at all, because the firm did not run the controls the firm had told the carrier it ran.
This article is the long version of the conversation that followed. It is written for the people who actually make this decision at a law firm, the managing partner and the firm administrator, not for an IT specialist. By the end you will be able to read a cyber policy, fill in an application without quietly creating grounds for denial, and walk into a renewal with the evidence that turns a hardening quote into a competitive one.
Step One
What a Law Firm Cyber Policy Actually Covers
Before you can judge a quote, you have to know what you are buying. A cyber insurance policy is not one thing. It is a bundle of distinct coverages, and a law firm cares about some of them far more than a manufacturer or a retailer would. The bundle splits cleanly into two halves: coverage for losses the firm suffers directly, called first-party coverage, and coverage for claims other people bring against the firm, called third-party coverage.
First-party coverage is the money that flows to the firm. It pays the incident response bill: the forensic investigators who work out what happened, the lawyers who advise on notification duties, the public relations help if the matter becomes public. It pays for restoring data and rebuilding systems. It covers business interruption, the revenue the firm loses while its systems are down, which for a firm that bills by the hour is a real and measurable number. It covers cyber extortion, the ransom and the negotiation around it. And it covers funds transfer fraud, the money that leaves the firm because someone was deceived into sending it.
Third-party coverage is the money that flows to other people because of something that happened at the firm. It covers privacy liability, claims by clients and others whose information was exposed. It covers network security liability, claims that the firm's compromised systems caused harm to someone else. It covers regulatory defense, the cost of responding to a state attorney general or a data protection regulator. For a law firm there is one more category that general policies often omit and that a firm should specifically ask for: coverage for the cost of defending a bar complaint or disciplinary proceeding that arises out of a security incident.
Two practical points follow from this map. First, the headline number on a quote, the policy limit, tells you almost nothing on its own. A one million dollar policy where ransomware is capped at five hundred thousand and funds transfer fraud is capped at one hundred thousand is a very different product from a one million dollar policy without those caps. You have to read the sublimits, and you have to read them against the losses your firm is actually exposed to.
Second, a law firm's risk profile is not generic. A firm that handles real estate closings, estate distributions, or litigation settlements moves other people's money, which raises the funds transfer fraud exposure sharply. A firm with a large personal injury or family law practice holds unusually sensitive personal records, which raises the privacy liability exposure. A firm doing transactional and intellectual property work holds material non-public business information, which raises both the value of the data to an attacker and the stakes of a confidentiality failure. Underwriters know all of this, and they price it. Knowing it yourself is how you make sure the policy you buy is shaped like the firm you actually run.
Step Two
The Application Is a Warranty, Not a Form
Lawyers, of all people, should read a cyber insurance application the way they would read a contract their client was about to sign. It is one. The questions about your security controls are not a survey for the carrier's records. They are representations the firm is making, and the policy is priced and issued in reliance on them. When a claim arrives, the carrier's first move is to pull the application and compare what the firm said it did against what an investigation shows it actually did. A material gap between the two is the cleanest defense an insurer has.
The market reached this point for a reason. The cyber insurance market hardened sharply between 2021 and 2023 as ransomware losses outran premium income. Carriers responded by tightening two things at once: the controls they require before they will write a policy at all, and the precision of the language that links those controls to whether a claim pays. The result is that the modern application is short, specific, and unforgiving. A handful of questions now function as gatekeepers. If you cannot answer them with an honest yes, you are either uninsurable at a sensible price or you are buying a policy with a hole in it exactly where you will one day need it.
The controls below are the ones that recur on nearly every application a law firm will see. Treat the list as the minimum you must be able to attest to truthfully. If any line is a no today, that line is your renewal project.
Notice what these eight controls have in common. None of them is exotic. Most of them are settings inside software the firm already pays for: the practice-management suite, the Microsoft 365 or Google Workspace subscription, the device management the firm's IT provider already administers. The reason firms still fail to attest to them is rarely cost. It is that nobody at the firm has been made responsible for confirming that the control is on, everywhere, with no quiet exceptions for the senior partner who finds the second login prompt annoying.
The partner exception is the most expensive habit in the firm
When a firm enforces multi-factor authentication for everyone except the three partners who pushed back, two things are now true. The partners are the highest-value targets in the building, holding the most sensitive matters and often the trust account authority, and they are the accounts least protected. And the application the firm signed says multi-factor authentication is enforced firm-wide. The firm has bought, at full price, a policy with a defect aimed precisely at the account most likely to be attacked. The fix is a management decision, not a technical one.
If you take one idea from this section, take this: never let anyone sign a cyber application from memory or from optimism. Each control question should be confirmed by someone looking at the actual configuration, the actual list of accounts, the actual backup job and its last successful restore. That confirmation is a morning of work. It is also the difference between a policy that pays and a policy that funds a coverage dispute.
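The verification described above can be made mechanical. The following script is an added example, not the article's or Atlant Security's own tooling: it takes exported account, device and backup records (the sample data here is constructed and embedded inline) and turns each gatekeeper question into a yes or no with the list of exceptions behind it, so the partner exception shows up as a named account rather than a vague "mostly". The column names, the restore-test threshold and the matter details are assumptions to be mapped onto whatever your identity provider, EDR console and backup tool actually export.

```python
"""
Added example (not from the original article): a controls-inventory check that
turns "is MFA enforced everywhere?" into a signed-off answer with its exceptions.
All sample data below is constructed; field names and the 90-day restore-test
threshold are assumptions, not carrier requirements.
"""
import csv
import io
from datetime import date

# Constructed export of user accounts. 'role', 'mfa_enforced', 'enabled' are assumed column names.
ACCOUNTS_CSV = """email,role,mfa_enforced,enabled
a.partner@example-firm.test,partner,no,yes
b.partner@example-firm.test,partner,yes,yes
c.paralegal@example-firm.test,staff,yes,yes
d.associate@example-firm.test,associate,no,yes
old.intern@example-firm.test,staff,no,no
"""

# Constructed export from a device inventory / EDR console.
DEVICES_CSV = """hostname,owner,edr_agent
LT-PARTNER-A,a.partner@example-firm.test,installed
LT-ASSOC-D,d.associate@example-firm.test,installed
FS-NEWSERVER,it@example-firm.test,missing
"""

# Constructed backup-job record: last successful job and last verified restore test.
BACKUP = {
    "last_success": date(2026, 3, 28),
    "last_restore_test": date(2025, 10, 2),
    "offline_copy": True,
}

MAX_RESTORE_TEST_AGE_DAYS = 90  # assumed firm policy, not a figure from the article


def parse_csv(text):
    """Parse an exported CSV into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def mfa_exceptions(accounts):
    """Every enabled account without MFA, whoever owns it: this is the partner exception made visible."""
    return [a["email"] for a in accounts if a["enabled"] == "yes" and a["mfa_enforced"] != "yes"]


def disabled_without_mfa(accounts):
    """Disabled accounts are listed separately so they are reviewed rather than silently ignored."""
    return [a["email"] for a in accounts if a["enabled"] == "no" and a["mfa_enforced"] != "yes"]


def edr_exceptions(devices):
    """Every device whose EDR agent is not reported as installed (the new file server case)."""
    return [d["hostname"] for d in devices if d["edr_agent"] != "installed"]


def backup_findings(backup, today):
    """Findings that would make 'tested offline backups' an untrue answer."""
    findings = []
    if not backup["offline_copy"]:
        findings.append("no offline/immutable copy")
    age = (today - backup["last_restore_test"]).days
    if age > MAX_RESTORE_TEST_AGE_DAYS:
        findings.append(f"last restore test {age} days ago")
    return findings


def attestation_report(accounts, devices, backup, today):
    """Map each gatekeeper control to (can_answer_yes, evidence_of_gaps)."""
    mfa_gaps = mfa_exceptions(accounts)
    edr_gaps = edr_exceptions(devices)
    backup_gaps = backup_findings(backup, today)
    return {
        "mfa_enforced_everywhere": (not mfa_gaps, mfa_gaps),
        "edr_on_every_device": (not edr_gaps, edr_gaps),
        "tested_offline_backups": (not backup_gaps, backup_gaps),
        "disabled_accounts_to_review": disabled_without_mfa(accounts),
    }


def sample_report():
    """Run the check over the constructed sample data as of an assumed review date."""
    return attestation_report(parse_csv(ACCOUNTS_CSV), parse_csv(DEVICES_CSV), BACKUP, date(2026, 4, 1))


if __name__ == "__main__":
    for control, value in sample_report().items():
        print(control, value)
```

The output is the evidence pack in miniature: each application question next to the accounts, devices or jobs that would make a yes untrue. Run it again mid-term, because the gap the article warns about (a new server, a new hire, a backup job failing quietly) is exactly what a second run will catch.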
Step Three
The Five Things That Get a Law Firm's Claim Denied
A cyber policy is most likely to disappoint a firm not because the firm bought too little coverage, but because the firm did something, or failed to do something, that gave the carrier a way out. These five patterns account for the great majority of disputes a small or mid-size firm will ever have with its cyber insurer. Each one is avoidable.
1. Misrepresentation on the application
This is the big one. If the firm attested to a control it did not actually run, and that control is connected to the loss, the carrier can deny the claim and may be able to rescind the policy entirely, treating it as if it never existed and returning the premium. The attestation does not have to be a deliberate lie. An honest but unchecked yes, signed by a partner who assumed the control was on, has the same effect. The defense against this is not optimism. It is verification before signature.
2. Failure to maintain the controls mid-term
A policy is a year long. The attestation was true the day it was signed, but a firm is a moving target. A new file server is stood up without endpoint protection. A new hire's account is created without multi-factor authentication. The backup job fails silently for two months and nobody is watching the alerts. Many policies require the firm to maintain the stated controls throughout the term. A loss that traces back to the gap is exposed to a denial even though the application was honest on day one. The control checklist is not a one-time exercise; it needs an owner all year.
3. Treating a sublimit as the full limit
This is not a denial so much as a shortfall, and it stings just as much. The firm suffers a two hundred thousand dollar wire fraud loss, files the claim, and learns that funds transfer fraud was sublimited at one hundred thousand. The policy paid. It simply paid half. The firm was never denied; it was under-covered, and it found out at the worst possible moment. Reading the sublimits at purchase, and negotiating the ones that matter, is the only cure.
4. Late notice and going off-script after an incident
Cyber policies are claims-made and carry strict notice provisions. A firm that spends two weeks quietly trying to fix the problem itself, then calls the broker, may have already prejudiced the claim. Worse, a firm that hires its own forensic vendor and its own outside counsel before notifying the carrier may find those costs are not reimbursable, because the policy requires the firm to use the carrier's pre-approved panel. The discipline is simple and counterintuitive: the first call after an incident is to the carrier hotline, before the cleanup, not after.
5. Assuming the incident is covered when an exclusion applies
Policies exclude things, and the exclusions evolve. A firm should know whether its policy excludes incidents attributed to nation-state actors or war, whether it excludes losses tied to widely known unpatched vulnerabilities, and whether prior-acts or known-circumstances language could be read to exclude a problem the firm half-knew about before the policy started. None of these makes a policy worthless. But a firm that has read them knows where its coverage actually ends, and does not build a recovery plan on a coverage that was never there.
The pattern across all five is the same. Cyber insurance rewards the firm that treats the policy as a live document: read at purchase, verified at signing, maintained through the year, and obeyed precisely in the first hours of an incident. It punishes the firm that files the application in a drawer and hopes. For a profession built on reading documents carefully, this should be the easiest discipline in the building to adopt.
Step Four
The Wire Fraud Sublimit That Catches Law Firms
Of all the coverages in the bundle, the one a law firm is most likely to actually need, and most likely to find under-covered, is funds transfer fraud. It deserves its own section because the exposure is specific to how law firms work, and because the gap is so easy to miss.
Law firms move other people's money as a routine part of practice. A real estate practice disburses closing proceeds. A litigation practice distributes settlement funds. An estates practice pays out distributions to beneficiaries. Every one of those transfers is a moment where a criminal who has been quietly reading the firm's email can step in. The classic version: an attacker compromises a paralegal's mailbox weeks before a closing, watches the matter develop, and then, on the morning of the disbursement, sends wiring instructions from the real mailbox or a near-identical lookalike, redirecting the funds to an account the criminal controls. The instructions look right because they come from the right place, reference the right matter, and arrive at the right time. The money is often unrecoverable within hours.
Here is the trap. This kind of loss is usually covered under the social engineering or funds transfer fraud grant, and that grant is very commonly written as a sublimit, a small fraction of the headline policy limit. A firm can hold a one or two million dollar cyber policy and discover that the part of it covering the loss the firm was most likely to suffer is capped at one hundred or two hundred and fifty thousand dollars. Some carriers also attach conditions: the loss is only covered if the firm followed a documented call-back verification procedure, and not covered if it did not.
There are three actions a firm should take here, and they are cheap relative to the exposure. First, find out the exact funds transfer fraud sublimit on the current policy, and ask the broker what it would cost to raise it to a number that reflects the size of the transfers the firm actually handles. For a firm doing real estate or large settlements, a sublimit that does not at least approach a typical single transfer is not real protection.
Second, adopt and document a wire verification procedure: no change to wiring instructions and no transfer above a defined threshold goes out without a voice call to a phone number the firm already had on file, never a number supplied in the email requesting the change. This procedure is what stops step three in the diagram above. It is also, increasingly, a condition the carrier requires before it will pay a social engineering claim, so writing it down and following it protects both the money and the coverage.
Third, make sure the policy's social engineering grant is broad enough to cover the realistic scenarios. Some grants only respond when the firm's own funds are taken and not when client or escrow funds are redirected, which for a law firm is exactly backwards from where the risk lies. This is a question to put to the broker in writing and to get an answer to in writing.
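The wire verification procedure in the second action above is easiest to follow, and easiest to evidence to a carrier, when the release decision is written down as a rule rather than left to judgment on a busy closing morning. The check below is an added example and not the article's or any firm's actual procedure; the threshold, the matter record and the field names are constructed assumptions. Its one non-obvious point is the last check: a call-back only counts if it went to the number the firm already had on file, never to a number that arrived with the request.

```python
"""
Added example (not from the original article): a release gate for an outgoing
wire that encodes the rule "no changed instructions and no transfer above a
defined threshold goes out without a voice call to a number already on file".
The threshold, the on-file record and the sample requests are constructed.
"""
from dataclasses import dataclass
from typing import Optional

CALLBACK_THRESHOLD = 10_000.00  # assumed firm policy threshold; set your own

# Constructed "on file" record: payee details captured when the matter was opened,
# kept separately from anything that later arrives by email.
ON_FILE = {
    "matter-2026-014": {"phone": "+1-555-0100", "account": "ACCT-ORIG-1"},
}


@dataclass
class WireRequest:
    matter: str
    amount: float
    account: str                          # destination account in the instructions received
    callback_done: bool = False
    callback_number: Optional[str] = None  # number the verifier actually dialled


def may_release(req):
    """Return (allowed, reason). Released only when every applicable check passes."""
    record = ON_FILE.get(req.matter)
    if record is None:
        return False, "no payee details on file for this matter"
    instructions_changed = req.account != record["account"]
    needs_callback = instructions_changed or req.amount > CALLBACK_THRESHOLD
    if not needs_callback:
        return True, "unchanged instructions below threshold"
    if not req.callback_done:
        return False, "callback required but not performed"
    # The call must go to the number already held for this matter. A number supplied
    # in the email that requested the change proves nothing, however plausible it looks.
    if req.callback_number != record["phone"]:
        return False, "callback went to a number not on file"
    return True, "verified by callback to number on file"


if __name__ == "__main__":
    # Constructed scenario: changed instructions, verified by a call to the on-file number.
    print(may_release(WireRequest("matter-2026-014", 5_000.00, "ACCT-NEW-9", True, "+1-555-0100")))
```

Keep the result of each call, with the date, the number dialled and who made the call, in the matter file. That record is what the carrier asks for when a social engineering claim is conditioned on the procedure having been followed.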
Step Five
The 60-Day Plan Before You Apply or Renew
A firm that starts thinking about its cyber renewal the week the quote arrives has already lost most of its leverage. The work that gets a better price and a cleaner policy has to happen before the application goes in. Sixty days is enough time to do it properly without disrupting the practice. Here is how that window should be spent.
| Window | What to do | Why it matters |
|---|---|---|
| Days 1 to 20 | Run an honest controls inventory against the eight application gatekeepers. Confirm each one by looking at the actual configuration, not from memory. | You cannot fix or truthfully attest to a gap you have not found. This is the foundation of everything that follows. |
| Days 20 to 40 | Close the gaps. Enforce MFA with no exceptions, deploy EDR everywhere, fix the backup and run a real restore test, turn on email impersonation protection. | Most gaps are configuration of software the firm already owns. Closing them turns a no on the application into a yes. |
| Days 30 to 45 | Write the two documents underwriters ask for: a short incident response plan and a wire verification procedure. Rehearse the IR plan once with the team. | A rehearsed plan is both an honest attestation and the thing that limits loss when it is actually needed. |
| Days 40 to 55 | Assemble the evidence pack: configuration screenshots, training records, the restore-test result, the two new procedures. Give it to the broker with the application. | An underwriter who sees evidence rather than bare yes-or-no answers quotes a better firm, and prices it accordingly. |
| Days 55 to 60 | Review the quote line by line: limit, sublimits, retention, exclusions, panel requirements. Negotiate the funds transfer fraud sublimit specifically. | The quote is a draft. The terms that protect a law firm are the ones a firm asks for before binding, not after. |
The sequence matters as much as the content. Inventory comes first because everything downstream depends on knowing the true picture. Remediation comes second because a fixed gap is worth more than a documented one. Documentation and evidence come third because they convert the work the firm has done into something an underwriter can actually price. And the negotiation comes last, from the strongest position the firm can occupy: a firm that can prove it runs the controls, rather than one that simply claims it does.
The hidden benefit of doing the work
Everything in the 60-day plan is also exactly what ABA Model Rule 1.6 expects of a firm making reasonable efforts to protect client information, and exactly what a client's own security review will ask for. The renewal becomes the forcing function for security the firm should have anyway. One block of work satisfies the insurer, the rule, and the firm's largest clients at the same time.
Step Six
How to Get Better Terms, Not Just a Lower Number
Most firms approach a cyber renewal trying to push the premium down. That is the wrong target. The right target is the best combination of price, limit, sublimits, and retention for the firm's actual risk. A cheaper premium with a funds transfer fraud sublimit that does not cover a single closing is not a saving. It is a smaller bet on the wrong horse.
Underwriters price a cyber policy on a handful of variables. The firm's revenue and headcount set the baseline exposure. The practice mix adjusts it: real estate, trusts, and large-settlement litigation raise the funds transfer exposure, while heavy personal-injury, family, or immigration caseloads raise the volume of sensitive records. Prior claims history matters. And then there is the one variable the firm can move quickly: the maturity of its controls. Of all the inputs, this is the one a firm can change between now and the renewal, and it is the one underwriters reward most directly.
Three moves consistently produce better outcomes. The first is the evidence pack described in the 60-day plan: when an underwriter sees configuration screenshots, training records, and a restore-test result, they are no longer pricing an unknown. They are pricing a firm that has demonstrably done the work, and that firm is a better risk in measurable ways. The second is raising the retention deliberately where the firm can absorb it. A higher retention, the cyber equivalent of a deductible, lowers the premium, and a firm with healthy cash flow can often trade retention it can comfortably self-fund for budget that buys a higher funds transfer fraud sublimit. The third is to use a broker who places cyber cover for law firms specifically, not a generalist. The specialist knows which carriers write the bar-complaint defense grant, which are flexible on the social engineering sublimit, and how to present a firm so the underwriter sees its strengths.
One caution. Cyber insurance and the firm's professional liability, or malpractice, policy are different products and overlap in awkward ways. A claim by a client harmed by a breach can implicate both. Before binding a cyber policy, the firm should ask both carriers, in writing, how the two policies coordinate, which one responds first, and whether anything important falls into the gap between them. That fifteen-minute question has saved firms from discovering an uncovered seam in the middle of an actual claim.
Step Seven
Insurance Transfers the Loss, Not the Duty
It is worth being precise about what a cyber policy does and does not do for a law firm, because the temptation is to treat the policy as the end of the security conversation. It is not. A cyber policy is a financial instrument. It transfers the monetary consequences of an incident from the firm's balance sheet to the carrier's, subject to all the limits, sublimits, and conditions discussed above. That is genuinely valuable. It is also the whole of what insurance does.
What it does not do is discharge the firm's ethical obligations. ABA Model Rule 1.6, as amended, requires a lawyer to make reasonable efforts to prevent the unauthorized disclosure of, or access to, client information. That is a duty of conduct. It is owed to the client and enforced by the bar, and no insurance policy can satisfy it on the firm's behalf. A firm that has bought a generous cyber policy but made no reasonable effort to secure client data has transferred its financial risk and left its ethical exposure entirely intact. If anything, the existence of the policy can make a bar inquiry sharper, because the firm cannot claim it was unaware that cyber risk was real and insurable.
The reassuring part is that the two obligations point in the same direction. The controls an insurer requires on its application are, almost line for line, the controls that constitute reasonable efforts under Rule 1.6: multi-factor authentication, encryption, tested backups, training, a written plan. A firm that does the work to be genuinely insurable is, in the same motion, doing the work to be genuinely defensible if a client or a bar reviewer ever asks. The policy and the rule are not competing claims on the firm's attention. They are two reasons to do the same set of things.
So the right mental model is a pair, not a substitute. Reasonable security efforts reduce the chance the incident happens at all, and reduce its severity if it does. Cyber insurance absorbs the financial blow of the incident the firm could not prevent. A firm needs both. A firm that has only the insurance has bought a fire extinguisher and disconnected the smoke alarm. A firm that has only the controls is well defended but will still feel the full financial weight of the rare event that gets through. The firms that come through a cyber incident with both their finances and their professional standing intact are the ones that treated security and insurance as one program with two halves.
How Atlant Security Helps
Walk Into the Renewal With Evidence, Not Hope
Our cyber insurance readiness review for law firms maps your environment against the exact eight controls underwriters now require. We tell you, before you sign anything, which application questions you can answer with an honest yes, which you cannot, and what it takes to close each gap. You get a documented evidence pack the broker can hand straight to the underwriter, and the controls work itself if you want us to do it.
- Honest controls inventory against every gatekeeper question on the application
- A written evidence pack: configuration proof, training records, restore-test result
- Incident response plan and wire verification procedure, drafted and rehearsed with your team
- Fixed-fee engagement, senior consultant on every call, never juniors
- Aligned with ABA Model Rule 1.6, so one block of work satisfies the insurer and the bar
Frequently Asked
Cyber Insurance Questions Law Firms Ask
Does my firm's malpractice policy already cover a cyber incident?
Usually not in any complete way. A professional liability policy is built to respond to claims arising from legal services, and while a breach that harms a client can touch that policy, it generally will not pay for first-party costs such as forensic investigation, data restoration, business interruption, or cyber extortion. Many malpractice policies also now carry explicit cyber exclusions or only a small sublimited cyber endorsement. Treat cyber insurance as a separate, dedicated product, and ask both carriers in writing how the two policies coordinate.
Can a carrier really deny a claim over an application answer?
Yes, and it is one of the most common reasons cyber claims are disputed. The application contains representations the carrier relies on to issue and price the policy. If the firm attested to a control it did not run, and that control is connected to the loss, the carrier can deny the claim and, depending on the policy language and jurisdiction, may be able to rescind the policy. The misstatement does not have to be deliberate. The protection is to verify every control answer against the actual configuration before anyone signs.
How much cyber coverage does a small law firm actually need?
There is no single number, because the right limit depends on the firm's revenue, the sensitivity of the records it holds, and above all the size of the money transfers it handles. The more useful question is not the headline limit but the sublimits. A firm that disburses real estate or settlement funds should size its funds transfer fraud sublimit against a realistic single transfer, not accept whatever small default the policy carries. Work the number through with a broker who places cyber cover for law firms specifically.
What is the single most important control for getting covered?
Multi-factor authentication, enforced everywhere with no exceptions. It is the control underwriters check first, it is the cheapest to deploy because it is already built into the email and practice-management tools the firm pays for, and it breaks the most common attack against a law firm, the email account takeover that leads to wire fraud. A firm that cannot attest to firm-wide multi-factor authentication, including every partner, will struggle to get a sensible quote at all.
If we have good cyber insurance, do we still need to invest in security?
Yes. Insurance transfers the financial loss; it does nothing for the firm's ethical duty under ABA Model Rule 1.6 to make reasonable efforts to protect client information, and it does nothing to prevent the disruption, the client notifications, and the reputational harm of an incident. Carriers also will not write a policy at a sensible price unless the security work has been done. The two are a pair: controls reduce the chance and the severity of an incident, insurance absorbs the financial blow of the one that gets through.
What should we do first if we suspect an incident?
Call the carrier's cyber incident hotline before you do anything else, including before you hire your own forensic vendor or outside counsel. Cyber policies have strict notice provisions and usually require the firm to use the carrier's pre-approved panel of responders. A firm that cleans up first and notifies later can prejudice the claim or find its self-arranged costs are not reimbursable. Keep the hotline number in the written incident response plan so it is found in seconds, not searched for in panic.
Before your next cyber renewal
Make sure every yes on the application is true.
We run fixed-fee cyber insurance readiness reviews for law firms against the exact controls underwriters require. You get an honest gap list, a documented evidence pack for the broker, and a clear plan to close anything outstanding before you sign. If your firm is already in good shape, we will tell you that on the call.
Book a 30-minute call
Alexander Sverdlov
Founder of Atlant Security. Author of 2 information security books, cybersecurity speaker at the largest cybersecurity conferences in Asia and a United Nations conference panelist. Former Microsoft security consulting team member, external cybersecurity consultant at the Emirates Nuclear Energy Corporation.