Cyber Insurance for Law Firms: What Coverage You Actually Need
March 19, 2026 · 10 min read

In 2024, a six-attorney estate planning firm in New Jersey called Wacks Law Group was hit by the Qilin ransomware group. Social Security numbers, driver's licenses, and confidential client documents were exposed. The firm waited five months to notify victims—triggering a class-action lawsuit and estimated costs exceeding $2 million. A firm of six attorneys. These incidents are not reserved for large national practices; they are happening at small firms that serve everyday clients, and they reveal a dangerous gap between what law firms assume their insurance covers and what policies actually pay out. Currently, only 40% of US law firms carry cyber liability insurance, down from 46% in prior years, even as attacks on the legal sector have risen 13% year-over-year. This article is for managing partners and firm administrators who want to understand what coverage they actually need—and what the fine print will cost them if they get it wrong.
What Does Cyber Insurance for Law Firms Actually Cover?
Cyber insurance policies for law firms typically consist of two broad components: first-party coverage (losses the firm suffers directly) and third-party coverage (claims made against the firm by clients or third parties).
First-party coverage typically includes:
- Business interruption losses: Revenue lost when firm systems go down due to a ransomware attack or breach. This is increasingly critical as legal practice becomes more dependent on cloud-based case management and document systems.
- Data recovery and forensics costs: Paying for forensic investigators to identify how a breach occurred and what data was accessed, and for IT restoration of compromised systems.
- Ransomware/extortion payments: Some policies cover ransom payments, though coverage terms vary significantly. Carriers increasingly require proof that payment was the only viable option.
- Notification costs: Law firms are subject to state breach notification laws and, depending on client type, may trigger notification requirements under HIPAA (if they handle medical information) or state attorney general notification requirements. Notification logistics—credit monitoring services, legal notices, call center support—are typically covered.
- Crisis communications: PR support to manage reputational fallout following a public breach.
Third-party coverage typically includes:
- Client claims for breach of confidentiality: If a breach exposes client data, the firm faces potential malpractice exposure. Cyber insurance may cover defense costs and settlements in these claims—but only if the firm can demonstrate reasonable security controls were in place.
- Regulatory defense costs: State bar investigations and regulatory proceedings following a breach can be defended under some cyber policies. This is distinct from professional liability (E&O) coverage.
- Network security liability: Claims from third parties whose systems were infected or compromised because of the firm's security failure.
How Is Cyber Insurance Different from Legal Malpractice (E&O) Coverage?
This distinction trips up many managing partners. Professional liability (errors and omissions) insurance covers claims that a lawyer provided negligent legal advice or services. Cyber insurance covers losses arising from technology failures, data breaches, and cyberattacks. They are not interchangeable, and having one does not substitute for the other.
The overlap creates confusion in breach scenarios: if a hacker gains access to a firm's email system, intercepts a client's wire transfer instructions, and the client loses $200,000, is that a malpractice claim or a cyber claim? The answer usually depends on whether the firm's failure was in its professional judgment (E&O territory) or its security infrastructure (cyber territory). Many firms discover this distinction—and its coverage implications—only after a loss. A qualified insurance broker with law firm experience can help structure policies to minimize gaps between the two.
Some carriers now offer combined cyber/E&O riders for smaller firms, but these bundled products sometimes carry narrower sub-limits on cyber coverage. Read the sub-limits carefully—a policy with a $1 million per-claim E&O limit and only a $100,000 cyber sublimit may leave a firm catastrophically underinsured for a ransomware event.
What Do Cyber Insurers Require from Law Firms in 2026?
Cyber insurance underwriting has become substantially more rigorous. Carriers now require documented evidence of specific security controls before issuing or renewing policies—and firms that misrepresent their security posture on applications risk claim denial at the worst possible time.
The core controls most carriers require in 2026 include:
- Multi-factor authentication (MFA): Required for email accounts, remote access (VPN, RDP), administrative accounts, and cloud platforms. Firms without enforced MFA are routinely declined or quoted at significantly higher premiums. Having MFA available is not sufficient—it must be enforced by policy, with no standing exceptions, and documented; the single exempted mailbox or service account is usually the account the attacker finds.
- Endpoint Detection and Response (EDR): Traditional antivirus is no longer acceptable. Carriers expect behavioral monitoring with real-time threat detection, automated containment, and 24/7 alerting. Unmanaged laptops and personal devices used for firm work are a red flag during underwriting.
- Tested and segregated backups: Backups must be kept off the primary network (offline, or in immutable storage that a compromised domain account cannot alter or delete), and restore tests must be run on a schedule and recorded, rather than relying on the backup job reporting success. Backups that turn out to be unrestorable in the middle of a ransomware recovery are both an underwriting concern and a catastrophic operational failure.
- Email security and phishing protection: Advanced email filtering with anti-phishing and impersonation protection. Phishing is the leading entry point for law firm breaches, so a claim arising from an email-borne attack is frequently denied when these controls were absent.
- Documented incident response plan: Carriers want a written, tested plan with defined roles and escalation paths—not a generic template on a shelf. Currently, only 34% of law firms report having an incident response plan, down from 42% the previous year.
- Employee security awareness training: Ongoing training programs demonstrating regular phishing simulation and security education.
- Patch management: A documented process for regularly updating operating systems, applications, and firmware. Unpatched systems are one of the most common breach entry points and a frequent basis for claim denial.
For higher coverage tiers, penetration testing becomes a requirement rather than a recommendation: most carriers apply an informal threshold around $1 million in coverage, and the requirement is almost universal above $5 million. Insurers want to see the test report, remediation evidence for critical findings, and a retest confirming the fixes were implemented.
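The MFA requirement above, and the misrepresentation denial described later under coverage gaps, both come down to the same question: is there any account the attestation does not actually cover? As an added worked example (not code from this article or from NorthStar), the Python script below reads a constructed identity-provider user export and lists every account that would contradict a questionnaire answer of "MFA is enforced on all accounts", ranked so that privileged and active gaps come first. The column names, the role values, the severity rules and the 90-day dormancy window are assumptions for illustration; a real export from Entra ID, Google Workspace or Okta will need its fields mapped to these before the script is useful.

```python
"""Audit MFA enforcement from an identity-provider user export.

Added example, not the article's or NorthStar's tooling. The export format
below is constructed for illustration: column names, role values and the
severity rules are assumptions, not any insurer's or IdP's definitions.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export (hypothetical column names).
SAMPLE_EXPORT = """user,role,mfa_enrolled,mfa_enforced,last_login
partner@example-law.test,admin,yes,yes,2026-03-10
associate@example-law.test,user,yes,yes,2026-03-12
bookkeeper@example-law.test,user,yes,no,2026-03-13
paralegal@example-law.test,user,no,no,2026-03-11
svc-scanner@example-law.test,service,no,no,2025-11-02
former-clerk@example-law.test,user,no,no,2025-06-30
it-admin@example-law.test,admin,yes,no,2026-03-14
"""

# Roles treated as privileged for this example (assumption).
PRIVILEGED_ROLES = {"admin", "service"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit_mfa(export_text, as_of_iso, stale_days=90):
    """Return every account that contradicts "MFA is enforced on all accounts".

    Severity rules (assumptions for this example):
      critical - privileged account, or any active account, without enforced MFA
      high     - MFA enrolled but not enforced by policy (user can skip it)
      medium   - dormant account with no MFA (disable rather than enrol)
    """
    as_of = date.fromisoformat(as_of_iso)
    stale_cutoff = as_of - timedelta(days=stale_days)
    rows = list(csv.DictReader(io.StringIO(export_text)))
    findings = []
    for row in rows:
        if _yes(row["mfa_enforced"]):
            continue  # policy-enforced MFA: nothing to report
        enrolled = _yes(row["mfa_enrolled"])
        last_login = date.fromisoformat(row["last_login"])
        if row["role"] in PRIVILEGED_ROLES:
            severity, reason = "critical", "privileged account without enforced MFA"
        elif enrolled:
            severity, reason = "high", "MFA enrolled but not enforced by policy"
        elif last_login >= stale_cutoff:
            severity, reason = "critical", "active account with no MFA"
        else:
            severity, reason = "medium", "dormant account with no MFA; disable it"
        findings.append({"user": row["user"], "role": row["role"],
                         "severity": severity, "reason": reason})
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["user"]))
    enforced = len(rows) - len(findings)
    return {
        "as_of": as_of_iso,
        "accounts": len(rows),
        "enforced": enforced,
        "coverage_pct": round(100 * enforced / len(rows), 1) if rows else 0.0,
        "findings": findings,
    }


def can_attest_full_mfa(report):
    """Only answer 'yes' to 'MFA enforced on all accounts' when no gap remains."""
    return report["findings"] == []


def sample_report():
    """Run the audit over the constructed export as of 2026-03-19."""
    return audit_mfa(SAMPLE_EXPORT, "2026-03-19")


if __name__ == "__main__":
    report = sample_report()
    print(f"{report['enforced']}/{report['accounts']} accounts enforced "
          f"({report['coverage_pct']}%), attest: {can_attest_full_mfa(report)}")
    for f in report["findings"]:
        print(f"  {f['severity']:8} {f['user']:32} {f['reason']}")
```

Run it against a fresh export before each questionnaire and keep the dated output with the renewal file: it is the evidence that "enforced" on the application meant every account on that date, not a policy that existed somewhere with exceptions nobody reviewed. Dormant accounts with no MFA are listed rather than ignored because disabling them is the fix, and the list is the work order.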
What Are the Most Common Coverage Gaps Law Firms Discover Too Late?
Several coverage exclusions and limitations catch law firms off guard after a loss:
- War and nation-state exclusions: Many cyber policies contain exclusions for acts of war or nation-state attacks. As nation-state actors increasingly target law firms holding sensitive client information (trade secrets, M&A details, litigation strategy), this exclusion can be material. Review policy language carefully and seek carriers with narrower exclusion language or explicit carve-outs.
- Failure to maintain security controls: If a firm certifies on its application that it uses MFA across all systems and then suffers a breach through an account without MFA, the carrier can deny the claim based on material misrepresentation. This is not a hypothetical—it is a growing basis for claim denials.
- Social engineering sublimits: Wire transfer fraud via social engineering (BEC attacks) is often covered under a separate sublimit significantly lower than the policy's main coverage limit. BEC attacks targeting law firm trust accounts and settlement funds represent one of the highest-value fraud risks in the legal sector, yet many firms discover their BEC sublimit is $100,000 or $250,000 when the loss exceeds $500,000. The sublimit is a cap, not a control: a mandatory call-back to a known phone number before acting on new or changed wire instructions is what keeps a BEC loss below it.
- Regulatory fines sublimits: State attorney general investigations and bar association proceedings following a breach can generate significant costs. Check whether your policy covers regulatory fines and the defense costs of bar proceedings, and at what limit.
- Third-party vendor failures: If a breach originates at a third-party vendor—a legal software provider, document management platform, or outsourced IT provider—coverage may be limited or subject to a separate sublimit. The 2023 breach at Genova Burns LLC originated through a vendor relationship, illustrating that cascade risk is real in the legal sector.
How Much Should Law Firms Expect to Pay, and What Limits Are Appropriate?
Cyber insurance costs for law firms vary based on firm size, revenue, practice areas, and the security controls in place. Firms in transactional practice (real estate, M&A, trusts and estates) typically face higher premiums because of their exposure to wire fraud. Firms handling medical records, immigration files, or criminal defense cases may have additional sensitivity modifiers.
The cost of not carrying adequate coverage is stark: the average cost of a data breach for law firms is $5.08 million, a 10% increase over the prior year. For small firms, even a contained breach—forensics, notification, credit monitoring, and legal defense—averages $36,000, which represents an existential expense for a solo or two-attorney practice. The 2023 breach at Orrick, Herrington & Sutcliffe exposed data from more than 637,000 individuals and generated estimated costs exceeding $15 million.
Most small to mid-sized law firms should carry a minimum of $1 million in cyber liability coverage, with firms handling significant trust account activity or high-value transactions considering $2–5 million. Work with a broker who specializes in professional services or legal industry placements—they understand the intersection of E&O and cyber coverage that general commercial brokers may miss.
Does ABA Ethics Guidance Address Cyber Insurance?
The ABA has not mandated cyber insurance, but the relationship between coverage and ethical obligations is well established. ABA Model Rule 1.6(c) requires lawyers to make "reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." State bar ethics committees have increasingly cited cyber insurance as one component of what constitutes "reasonable" protection for client data.
ABA Resolution 609 (2023) explicitly urged all lawyers to enhance their cybersecurity infrastructure to protect client information, and the accompanying report listed cyber insurance among recommended best practices. Some state bars—particularly in jurisdictions where formal cybersecurity guidance has been issued—may treat the absence of cyber insurance as a factor in evaluating whether a firm met its Rule 1.6 obligations following a breach.
For firms serving corporate or institutional clients, cyber insurance is increasingly a client requirement, not just a firm decision. Enterprise clients and government entities routinely include minimum cyber insurance requirements in outside counsel selection criteria and engagement letters.
What Should Law Firms Do Before Renewing Their Cyber Policy?
The 90 days before a cyber policy renewal are the most important window for law firms to take action. Insurers review prior claims, request updated security questionnaires, and apply new underwriting standards at each renewal. Firms that proactively demonstrate security improvements typically secure better coverage at lower premiums.
Before your next renewal:
- Conduct a gap assessment against insurer requirements—MFA, EDR, backup testing, incident response planning
- Review your current policy for social engineering sublimits, war exclusions, and regulatory defense coverage
- Ensure your application accurately reflects your current security posture (misrepresentation voids claims)
- Ask your broker specifically about coverage for state bar proceedings and regulatory investigations
- Consider whether a penetration test is appropriate given your coverage level and client profile
At NorthStar Technology Group, we help law firms close the security control gaps that drive up premiums and create claim denial risk. We build and maintain the MFA, EDR, backup, and training programs that insurers require—and we document them in a format that satisfies underwriting questionnaires. Learn more about our approach in our article on law firm cybersecurity fundamentals, or contact us at northstartechnologygroup.com/services to schedule a security assessment before your next renewal.
About the author

Ken Satkunam, CISM
President & Founder, NorthStar Technology Group
Ken has spent over 25 years in IT leadership, serving in roles from technical support to CIO for organizations as large as 23,000 employees. He founded NorthStar Technology Group in 2000 to help regulated organizations build secure, compliant, and operationally resilient technology environments. Ken holds the Certified Information Security Manager (CISM) credential from ISACA and is the co-author of the Amazon best-seller "Cyber Attack Prevention." He has been quoted in industry publications including eWeek and DM News, and NorthStar has been recognized on the Inc. 5000 list in both 2024 and 2025.