A twelve-attorney firm in Tulsa submits its cyber liability renewal application, checks all the right boxes, and gets approved. Six months later, a ransomware attack locks every case file. The insurer denies the claim. The reason: multi-factor authentication had been turned on for some Microsoft 365 mailboxes but was never enforced across the tenant, and the incident response plan the application described as "written" existed only as a verbal understanding between two partners.
This scenario plays out more often than most firm administrators expect. Cyber insurance is no longer a fill-out-the-form-and-get-covered transaction. Underwriters have tightened requirements, and the gap between what firms claim on applications and what they actually have in place is where coverage falls apart.
Why Cyber Insurance Is Now Mandatory Infrastructure for Law Firms
Law firms hold exactly what attackers want: sensitive client data, financial transaction authority, and privileged communications. A single breach can trigger malpractice exposure, bar complaints, and client notification costs that dwarf the cost of prevention.
Most general business liability policies explicitly exclude cyber events. Without a dedicated cyber policy — backed by the controls your insurer requires — your firm absorbs the full financial and reputational hit of a breach on its own.
IBM's Cost of a Data Breach report puts the global average cost of a breach above $4 million across all industries once legal fees, client notification, regulatory response and lost productivity are counted, and it consistently ranks professional services among the costliest sectors. That figure is an all-industry average rather than a law-firm number, but for a small Oklahoma practice even a fraction of it can be firm-ending.
What Underwriters Are Actually Looking For (The Full Checklist)
When you apply or renew, underwriters aren't taking your word for it. They're asking specific questions about specific controls. Here's what they expect — and what "yes" actually means.
1. Multi-Factor Authentication (MFA)
Required on email, VPN, and any cloud tools your firm uses. Underwriters will ask specifically about Microsoft 365 and Google Workspace. "Enabled" is not enough: MFA must be enforced for every user, including partners who resist it, and the legacy authentication protocols that cannot prompt for a second factor must be blocked. A Conditional Access policy that requires MFA for all users on all cloud apps (or Security Defaults in a small tenant), together with a policy that blocks legacy authentication, is what underwriters want to see documented.
2. Endpoint Detection & Response (EDR)
Traditional antivirus is no longer sufficient. Underwriters want behavioral detection tools that identify suspicious activity on workstations and servers — ransomware behavior, lateral movement, credential dumping. If your firm runs free antivirus or nothing at all, expect pushback on your application.
3. Encrypted, Tested Backups
Offsite or cloud backups that are encrypted and tested regularly. Immutable or offline copies (the "air-gapped" backups underwriters ask about) are strongly preferred, because a ransomware operator who has taken over a domain admin account will try to delete or encrypt every backup that account can reach. Underwriters increasingly ask for proof of restore testing, with dates and results, not just confirmation that backups exist.
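The "proof of restore testing" above is easiest to produce if every restore test leaves behind a record that the restored files actually match what was backed up. The following is an added example, not code from the original article or from ABT Cyber: it hashes a backup set into a SHA-256 manifest at backup time, verifies a restored copy against that manifest, and returns a dated pass/fail record. The matter files and the corrupted/missing files are constructed in a temporary folder so the script runs anywhere; in practice you point it at a real manifest and a real restore location.

```python
"""Restore-test evidence: a backup job that reports "success" is not proof of a
restorable backup. Verify the restored copy against a hash manifest captured at
backup time and keep the resulting record for your broker.

The source and restored directories below are CONSTRUCTED in a temp folder for
demonstration; they are not real client data.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so multi-GB case files do not load into RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, forward-slash path) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, restore_root):
    """Compare a restored tree with the manifest; passed only if nothing is missing or changed."""
    restored = build_manifest(restore_root)
    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    corrupted = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "files_in_manifest": len(manifest),
        "verified": len(manifest) - len(missing) - len(corrupted),
        "missing": missing,
        "corrupted": corrupted,
        "extra": extra,
        "passed": not missing and not corrupted,
    }


def demo(tamper=True):
    """Constructed scenario: back up three files, 'restore' them, and (if tamper)
    simulate one corrupted file and one file the restore job never wrote."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "source"), os.path.join(tmp, "restored")
        sample = {
            "matters/2024/complaint.docx": b"draft complaint",
            "matters/2024/exhibit-a.pdf": b"%PDF-1.7 exhibit",
            "billing/ledger.csv": b"date,client,hours\n",
        }
        for rel, data in sample.items():
            path = os.path.join(src, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        manifest = build_manifest(src)   # captured when the backup ran
        shutil.copytree(src, dst)        # stands in for the restore job
        if tamper:
            with open(os.path.join(dst, "matters", "2024", "exhibit-a.pdf"), "ab") as fh:
                fh.write(b"\x00")        # truncated/partial write in the backup chain
            os.remove(os.path.join(dst, "billing", "ledger.csv"))  # incomplete snapshot
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Run it after every restore test and archive the JSON record alongside the backup job logs; a series of dated records with "passed": true is the evidence underwriters mean when they ask for tested backups, and a failed record is a finding to fix before renewal rather than during a claim.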
4. Email Security Controls
Spam filtering beyond default Microsoft or Google settings; SPF, DKIM and DMARC records configured so that mail spoofing your domain is rejected rather than merely reported (a DMARC policy of p=none only monitors; p=quarantine or p=reject is what actually stops it); and phishing simulation training for staff. Email is the primary attack vector for law firms, and underwriters know it. See how law firm phishing attacks work.
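Having SPF, DKIM and DMARC records is a yes/no box on the application, but whether they enforce anything depends on a few characters inside them. The script below is an added example, not part of the original article or ABT Cyber's tooling: it grades SPF (terminal `-all` versus `~all`/`?all`/`+all`, and the 10-lookup limit), DMARC (`p=`, `pct=`, `rua=`) and the presence of DKIM selectors. The two domains and their TXT records are constructed so it runs offline; feed it the records you pull with `dig TXT example.com`, `dig TXT _dmarc.example.com` and `dig TXT <selector>._domainkey.example.com` for a real check.

```python
"""Grade SPF, DKIM and DMARC the way an underwriter reads them: a record that is
merely published is not the same as one that tells receivers to reject spoofs.

SAMPLE_RECORDS are CONSTRUCTED for two hypothetical domains; they are not real
DNS answers.
"""
import re

SAMPLE_RECORDS = {
    "weak-firm.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak-firm.example",
        "dkim_selectors": [],  # no <selector>._domainkey records published
    },
    "strong-firm.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong-firm.example",
        "dkim_selectors": ["selector1", "selector2"],  # the two selectors Microsoft 365 uses
    },
}

# Mechanisms and modifiers that each cost one of the 10 DNS lookups RFC 7208 allows.
LOOKUP_MECH = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?::|=|/|$)")


def parse_tags(record):
    """Parse DMARC's 'tag=value; tag=value' syntax into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_spf(spf):
    if not spf or not spf.lower().startswith("v=spf1"):
        return ["SPF: no v=spf1 record published; receivers cannot tell your senders from anyone else"]
    findings = []
    terms = spf.lower().split()[1:]
    terminal = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if terminal is None:
        findings.append("SPF: no terminal 'all'; unlisted senders get an implicit neutral result")
    elif terminal in ("all", "+all"):
        findings.append("SPF: '+all' authorises every host on the internet to send as your domain")
    elif terminal.startswith("?"):
        findings.append("SPF: '?all' is neutral, which receivers treat much like having no SPF")
    elif terminal.startswith("~"):
        findings.append("SPF: '~all' (softfail) only marks spoofed mail; '-all' is the enforcing setting")
    lookups = sum(1 for t in terms if LOOKUP_MECH.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup mechanisms exceed the 10-lookup limit; the record evaluates to permerror")
    return findings


def grade_dmarc(dmarc):
    if not dmarc or not dmarc.lower().startswith("v=dmarc1"):
        return ["DMARC: no _dmarc record; receivers get no instruction when SPF and DKIM fail"]
    findings = []
    tags = parse_tags(dmarc)
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid 'p' tag; receivers ignore the whole record")
    elif policy == "none":
        findings.append("DMARC: p=none is monitor-only; spoofed mail is still delivered to the inbox")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("DMARC: pct is not a number")
    if policy in ("quarantine", "reject") and pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports proving enforcement works")
    return findings


def grade_dkim(selectors):
    if not selectors:
        return ["DKIM: no selector records found; mail is unsigned, so DMARC rests on SPF alone, which breaks on forwarding"]
    return []


def assess_domain(domain, recs):
    """A domain is 'enforcing' only when none of the three checks raises a finding."""
    findings = (grade_spf(recs.get("spf")) + grade_dmarc(recs.get("dmarc"))
                + grade_dkim(recs.get("dkim_selectors", [])))
    return {"domain": domain, "enforcing": not findings, "findings": findings}


if __name__ == "__main__":
    for domain, recs in SAMPLE_RECORDS.items():
        result = assess_domain(domain, recs)
        print(domain, "ENFORCING" if result["enforcing"] else "NOT ENFORCING")
        for finding in result["findings"]:
            print("  -", finding)
```

The weak domain in the sample is the common real-world state: SPF and DMARC are "configured", so the application box gets ticked, yet `~all` and `p=none` mean a spoofed invoice from the firm's own domain still lands in a client's inbox. Move to `-all` and `p=quarantine`, read the `rua` reports for a few weeks, then go to `p=reject`.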
5. Documented Incident Response Plan
A written, tested plan — not a mental checklist. It should define who does what when a breach occurs: containment, evidence preservation, client notification obligations (see our guide on ABA compliance obligations), insurer reporting, and communication with counsel. Underwriters will ask if you have one. "We've talked about it" doesn't count.
6. Privileged Access Management
Limiting who has admin rights across your systems. Partners and IT staff should use separate admin accounts for administrative tasks, not their daily email accounts. Shared admin credentials are a red flag on any application.
7. Regular Security Assessments
At least annual assessments of your security posture. Some carriers now require third-party assessments before binding coverage, especially for firms handling large volumes of client financial data or health information.
The 3 Most Common Mistakes Law Firms Make on Applications
These three errors show up on denied applications and unpaid claims more than any others.
Checking "yes" on MFA without actually enforcing it everywhere. MFA may be turned on in your tenant settings, or registered by most users, but if partners can still sign in without it, or if legacy authentication protocols (basic authentication over IMAP, POP3 or SMTP AUTH, none of which can prompt for a second factor) are still allowed, you don't have MFA in the eyes of an insurer reviewing your claim.
Having backups but never testing restoration. Backups fail more often than firms realize. Corrupted backup chains, incomplete snapshots, and ransomware that encrypts cloud-synced files all happen. If you can't demonstrate a successful restore, your backup control doesn't exist for underwriting purposes.
Not having a written incident response plan. A mental plan shared between two partners is not documentation. Insurers require a written plan that has been reviewed, assigned to specific roles, and ideally tested through a tabletop exercise.
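The MFA requirement in the checklist above and the first application mistake are the same problem seen from two sides: a policy that exists but is report-only, scoped to a subset of users, riddled with exclusions, or silent on legacy authentication. The audit below is an added example, not code from the original article or from ABT Cyber. It reads Conditional Access policies in the JSON shape returned by `GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies` (requires the `Policy.Read.All` permission) and answers the two questions a claims adjuster asks first: is MFA required for All users on All cloud apps by an enabled policy, and is legacy authentication blocked? The two tenants are constructed sample data with made-up identifiers; in practice you pass it the live policy list.

```python
"""Audit Conditional Access policies for MFA enforcement and legacy-auth blocking.

Input: a list of policy objects as returned by Microsoft Graph
(identity/conditionalAccess/policies). WEAK_TENANT and STRONG_TENANT are
CONSTRUCTED examples with fictitious ids, not real tenants.
"""

# Graph's clientAppTypes values: legacy/basic-auth clients are "exchangeActiveSync"
# and "other"; modern clients are "browser" and "mobileAppsAndDesktopClients".
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}
MODERN_CLIENTS = {"browser", "mobileAppsAndDesktopClients"}

WEAK_TENANT = [
    {"id": "p1", "displayName": "Require MFA for all users",
     "state": "enabledForReportingButNotEnforced",          # report-only: enforces nothing
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "p2", "displayName": "Require MFA - associates", "state": "enabled",
     "conditions": {"users": {"includeUsers": [],
                              "includeGroups": ["11111111-2222-3333-4444-555555555555"]},  # constructed group id
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

STRONG_TENANT = [
    {"id": "p3", "displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["66666666-7777-8888-9999-000000000000"]},  # constructed break-glass id
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "p4", "displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]


def _users(p):
    return p.get("conditions", {}).get("users", {})


def _covers_all_users(p):
    return "All" in _users(p).get("includeUsers", [])


def _covers_all_apps(p):
    return "All" in p.get("conditions", {}).get("applications", {}).get("includeApplications", [])


def _client_types(p):
    types = set(p.get("conditions", {}).get("clientAppTypes", []))
    return MODERN_CLIENTS | LEGACY_CLIENTS if "all" in types else types


def _requires_mfa(p):
    grant = p.get("grantControls") or {}
    # Either the built-in "mfa" control or an authentication-strength policy satisfies MFA.
    return "mfa" in grant.get("builtInControls", []) or grant.get("authenticationStrength") is not None


def _blocks(p):
    return "block" in (p.get("grantControls") or {}).get("builtInControls", [])


def _exclusions(p):
    u = _users(p)
    return u.get("excludeUsers", []) + u.get("excludeGroups", []) + u.get("excludeRoles", [])


def audit_tenant(policies):
    """Return whether MFA is enforced for everyone, whether legacy auth is blocked, and why not."""
    findings, mfa_enforced, legacy_blocked = [], False, False
    for p in policies:
        name = p.get("displayName", p.get("id", "?"))
        if p.get("state") == "enabledForReportingButNotEnforced":
            findings.append(f"'{name}' is report-only: it logs what it would have done and enforces nothing")
            continue
        if p.get("state") != "enabled":
            continue
        if _requires_mfa(p) and _covers_all_apps(p) and MODERN_CLIENTS <= _client_types(p):
            if _covers_all_users(p):
                mfa_enforced = True
                if _exclusions(p):
                    findings.append(f"'{name}' excludes {len(_exclusions(p))} user(s)/group(s)/role(s); "
                                    "each exclusion is an account that signs in without MFA, so keep it to documented break-glass accounts")
            else:
                findings.append(f"'{name}' requires MFA only for selected users or groups, not All users")
        if _blocks(p) and _covers_all_users(p) and _covers_all_apps(p) and LEGACY_CLIENTS <= _client_types(p):
            legacy_blocked = True
    if not mfa_enforced:
        findings.append("no enabled policy requires MFA for All users on All cloud apps")
    if not legacy_blocked:
        findings.append("no enabled policy blocks legacy authentication; basic-auth sign-ins bypass MFA entirely")
    return {"mfa_enforced": mfa_enforced, "legacy_auth_blocked": legacy_blocked, "findings": findings}


if __name__ == "__main__":
    for label, tenant in (("weak", WEAK_TENANT), ("strong", STRONG_TENANT)):
        print(label, audit_tenant(tenant))
```

The weak tenant is exactly the scenario that opens this article: an MFA policy exists, shows up in the portal, and enforces nothing because it is in report-only mode, while the one enabled policy covers a single group and leaves partners out. Save the output of this audit with each renewal application so the "yes" on MFA is backed by the policy state on that date.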
How Coverage Terms Are Affected by Your Security Posture
Firms with strong, documented controls get broader coverage, lower premiums, and smaller deductibles. Weak controls lead to exclusions, sub-limits on specific attack types, or outright denial at renewal.
Some insurers now conduct technical audits before binding — reviewing your MFA enforcement, backup logs, and endpoint protection directly rather than relying on your application answers. The firms that pass these audits pay less. The firms that fail often can't get coverage at any price until gaps are closed.
How ABT Cyber Helps
We implement and document the exact controls underwriters look for — so your application is accurate, your coverage is real, and your premiums are as low as possible. From MFA enforcement and EDR deployment to backup validation and incident response planning, we handle the technical work and produce the documentation your broker needs. Learn more about our cyber liability insurance readiness services.