A grounded look at how insurance carriers assess cybersecurity preparedness—and what legal practices should have in place.
Cyber insurance is now a business standard
As cyberattacks on law firms continue to rise, carriers have tightened underwriting requirements. Premiums have increased, exclusions are more common, and claims are scrutinized more closely. Carriers now expect firms to demonstrate that they understand the risks and have implemented basic controls.
This shift reflects the growing overlap between IT infrastructure and professional liability. A firm’s ability to secure data, respond to incidents, and prove that reasonable precautions were in place directly affects insurability.
What carriers often expect to see
Most applications today include security questionnaires or require attestations. Law firms are often asked to provide evidence of:
- Multifactor authentication (MFA) for email, remote access, and administrative logins
- Regular offsite backups with test logs and recovery capabilities
- Endpoint detection and response (EDR) tools deployed across systems
- Documented incident response plans and basic staff training
- Email filtering or threat protection services
In some cases, carriers conduct external vulnerability scans. An exposed remote desktop port, an unpatched system, or a misconfigured mail record can influence underwriting decisions—or halt the process entirely.
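A firm can run the same kind of outside-in check on itself before a carrier does. The script below is an added example, not part of the original article or any carrier's tooling. It assumes that "misconfigured mail record" refers to the SPF and DMARC TXT records receivers use to authenticate a domain's mail, and it uses a small assumed list of ports an underwriting scan flags as exposed management services. The DNS records and open-port set are constructed sample data for a hypothetical firm; in practice the TXT records would come from a DNS lookup of the firm's domain and of its `_dmarc` subdomain, and the ports from an external scan. A hardened set of records is included alongside the weak one so the two can be compared.

```python
"""Offline triage of findings an external underwriting scan typically surfaces:
an exposed Remote Desktop port and weak SPF/DMARC mail records.
Added example with constructed sample data; not the article's or any carrier's code."""

# Assumption: ports a typical external scan reports as exposed management services.
RISKY_PORTS = {3389: "RDP", 22: "SSH", 445: "SMB", 23: "Telnet", 5900: "VNC"}


def _counts_as_dns_lookup(term: str) -> bool:
    """SPF terms that cost a DNS lookup; more than 10 makes the record a permerror."""
    t = term.lower().lstrip("+-~?")
    return t in ("a", "mx", "ptr") or t.startswith(
        ("a:", "a/", "mx:", "mx/", "ptr:", "include:", "exists:", "redirect=")
    )


def check_spf(txt_records: list[str]) -> list[str]:
    """Return findings for the SPF record among a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record published"]
    findings = []
    if len(spf) > 1:
        findings.append("SPF: multiple v=spf1 records (receivers treat this as permerror)")
    terms = spf[0].split()
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("SPF: record ends in +all, which authorises any sender")
    elif last == "?all":
        findings.append("SPF: neutral ?all gives receivers no basis to reject spoofed mail")
    elif last not in ("-all", "~all"):
        findings.append("SPF: record does not end with -all or ~all")
    lookups = sum(1 for t in terms if _counts_as_dns_lookup(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceeds the limit of 10 (permerror)")
    return findings


def check_dmarc(txt_records: list[str]) -> list[str]:
    """Return findings for the DMARC record found at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no v=DMARC1 record published"]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("DMARC: missing required p= tag (record is invalid)")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if policy in ("quarantine", "reject") and tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so the firm receives no aggregate reports")
    return findings


def check_ports(open_ports: set[int]) -> list[str]:
    """Flag internet-reachable ports that an underwriter's scan would report."""
    return [f"Port {p}/tcp ({RISKY_PORTS[p]}) reachable from the internet"
            for p in sorted(open_ports) if p in RISKY_PORTS]


def triage(domain_txt: list[str], dmarc_txt: list[str], open_ports: set[int]) -> list[str]:
    return check_spf(domain_txt) + check_dmarc(dmarc_txt) + check_ports(open_ports)


# Constructed sample data for a hypothetical firm (weak posture).
WEAK_DOMAIN_TXT = [
    "v=spf1 include:spf.protection.outlook.com include:mail.example-pm.invalid +all",
    "google-site-verification=constructed-sample",
]
WEAK_DMARC_TXT = ["v=DMARC1; p=none; rua=mailto:dmarc@example-firm.invalid"]
WEAK_OPEN_PORTS = {443, 3389, 25}

# The same firm after remediation: SPF fails unknown senders, DMARC rejects, RDP closed.
HARDENED_DOMAIN_TXT = [
    "v=spf1 include:spf.protection.outlook.com include:mail.example-pm.invalid -all",
    "google-site-verification=constructed-sample",
]
HARDENED_DMARC_TXT = ["v=DMARC1; p=reject; rua=mailto:dmarc@example-firm.invalid"]
HARDENED_OPEN_PORTS = {443, 25}

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_DOMAIN_TXT, WEAK_DMARC_TXT, WEAK_OPEN_PORTS)),
                        ("hardened", (HARDENED_DOMAIN_TXT, HARDENED_DMARC_TXT, HARDENED_OPEN_PORTS))):
        print(f"== {label} ==")
        for finding in triage(*args) or ["no findings"]:
            print(" -", finding)
```

Run against the weak sample, the script reports three findings (an SPF record ending in `+all`, a DMARC policy of `p=none`, and RDP reachable on 3389/tcp), each of which the article notes can influence or halt underwriting; the hardened sample produces none. The port list is deliberately short and should be replaced with whatever the firm's carrier actually scans for.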
Insurance exclusions tied to cybersecurity failures
What’s changing is not just how carriers evaluate risk, but how they assign responsibility after an incident. A growing number of policies include language that limits or voids coverage if required security controls were not in place at the time of the incident.
For example, if a law firm suffers a breach and cannot show evidence of functioning MFA, an active backup, or a basic monitoring system, the carrier may deny the claim. These denials typically cite misrepresentation on the application or failure to meet the policy’s conditions.
Preparing for review and renewal
Firms that have not recently evaluated their security posture should consider doing so well before the next renewal. This may involve updating internal documentation, replacing outdated tools, or reviewing coverage language to understand what’s required.
Security standards are no longer a suggestion—they are a prerequisite for coverage. Law firms that treat cybersecurity as a compliance obligation, rather than only a technical one, will be better positioned to maintain coverage and reduce exposure.