Obsidian Ridge

Cyber Insurance for Law Firms: The Controls Underwriters Are Asking About in 2026

What law firm cyber insurance actually covers in 2026, the underwriting questionnaire controls that move premiums, and how to pass the application without overspending.

Reviewed May 14, 2026 by Kfir Yair, CISSP · CCFH · ZDTA · CySA+ · Security+

Law firms have become a routine target for ransomware and business email compromise crews. The reasons are not subtle: firms hold concentrated client confidences, trust account funds, and active wire instructions, in environments small enough for defenses to be inconsistent. Downtime hurts immediately because court deadlines do not move and closings do not wait.

Cyber insurance sits next to legal professional liability on the renewal checklist now. What has changed in 2026 is not whether a firm needs it, but what carriers will underwrite and at what price.

This article is for managing partners, firm administrators, and IT-responsible attorneys filling out a renewal application this year. Obsidian Ridge does not sell insurance. We help firms pass the underwriting questionnaire honestly and operate the controls behind the answers.

Why a standalone cyber policy is not optional

Many partners assume their existing policies cover cyber events. They do not.

Legal professional liability (LPL, or legal malpractice) responds to errors and omissions in the practice of law — a missed deadline, a conflict of interest, alleged failure to meet a professional standard of care. General business liability covers slip-and-fall and property damage. Neither responds to a forensic investigation, a ransomware lockout, a state AG inquiry, or a wire redirected by a compromised vendor email.

A cyber liability policy is a separate contract. In 2026, the coverage parts on a typical law firm policy include:

  • forensics and incident response retainer
  • legal counsel, including a breach coach
  • breach notification cost, including credit monitoring where required
  • regulatory defense — state AG actions and, where applicable, federal regulators
  • business interruption from a covered cyber event
  • cyber extortion and ransom payment, where legal under OFAC
  • restoration of data and systems
  • a crime or social-engineering rider for wire fraud and BEC

Some carriers bundle these. Some sell them as endorsements. Read the policy declarations and the schedule of endorsements, not the marketing brochure.

Typical coverage limits for law firm SMBs in 2026

Limits in this segment have stabilized after the 2022-2023 hard market:

  • solo to 5-attorney: $250,000 to $1,000,000 aggregate
  • 6-to-25 attorney: $1,000,000 to $3,000,000 aggregate
  • 26-to-75 attorney mid-size: $3,000,000 to $10,000,000 aggregate, often with a separate excess tower

The aggregate is half the conversation. Sublimits and waiting periods decide what the firm actually collects:

  • the ransomware and cyber extortion sublimit, often 50 percent of the aggregate
  • the regulatory defense sublimit, which may be lower than the headline number
  • the social-engineering and crime sublimit, frequently $50,000 to $250,000
  • business interruption waiting periods, typically 8 to 12 hours

A $3,000,000 policy with a $1,500,000 ransom sublimit and a $100,000 crime sublimit is a different product than the same policy with full limits. For a firm that handles closings or PI settlements, the crime sublimit may be the single most important number on the declarations page.

The 2026 underwriting questionnaire

The controls below appear on virtually every law firm carrier's 2026 application. They move premium 20 to 40 percent and decide whether the carrier offers terms at all.

Identity and access controls

  • MFA on all email accounts in Microsoft 365 or Google Workspace, including shared mailboxes and service accounts
  • MFA on every remote-access surface — RDP, VPN, RMM
  • MFA on privileged admin accounts in the document management system (NetDocuments, iManage, SharePoint-based DMS), practice management, and time-and-billing platforms
  • Documented offboarding within 24 hours of separation

Endpoint and detection controls

  • 24/7 EDR or MDR on every workstation and server
  • Identity threat detection on the cloud productivity suite — token theft, impossible travel, anomalous mailbox rules, OAuth consent abuse
  • A documented patching cadence

Backup and recovery controls

  • Immutable, offsite backups separated from production credentials
  • A documented restore test within the last 90 days, including the DMS and accounting system
  • Defined RTO and RPO for the DMS, accounting, and litigation-support platforms

Process and people controls

  • A written information security policy, reviewed annually — required by statute in IL, MA, NY, and a growing list of other jurisdictions, and by virtually every carrier regardless of state
  • A documented incident response plan, with a tabletop exercise in the last 12 months
  • Security awareness training with phishing simulations, with payment-redirect themes for firms that handle funds
  • DMARC at quarantine or reject, link protection, and attachment sandboxing on the email tenant
  • For closings, settlements, or escrow: a documented dual-approval wire process and callback verification on any change to payment instructions
  • For litigation firms: documented secure court filing procedures and e-discovery vendor management

This is not a wish list. It is the actual scoring rubric most carriers apply.

The co-insurance trap on ransomware

A clause that catches partners off guard at claim time: many 2026 policies apply co-insurance to ransomware claims if the named controls were not in place at the time of loss.

A typical clause: if the insured cannot demonstrate that MFA, EDR or MDR, immutable backups, and a tested incident response plan were operating at the time of loss, the insured shall bear 50 percent of the ransomware loss — ransom, restoration, and business interruption.

Translated: a $1,000,000 ransom sublimit becomes a $500,000 payout, with the firm on the hook for the other half. Read the ransomware endorsement, not just the declarations page. If the policy includes a controls warranty, every answer on the application is now a coverage condition.

The crime and social-engineering rider — read it carefully

The single most common cyber loss in legal is not ransomware. It is wire fraud through business email compromise. An attacker compromises an email account — the firm's, a vendor's, or opposing counsel's — and inserts altered payment instructions into a routine transaction.

Exposures by practice area:

  • Real estate and closings. Wire fraud against escrow or closing funds is the most common loss in the vertical. Attackers monitor a closing thread for weeks, then send new wire instructions hours before close.
  • Personal injury. Settlement-fund redirection scams targeting the firm's trust account or the client's payout instructions are well documented and increasing.
  • Trust accounting and IOLTA. A compromise here is both a cyber loss and a bar disciplinary trigger. The carrier may pay the loss, but the bar inquiry runs on its own track.
  • Estate planning. Client wire fraud against trust distributions is a growing pattern.

The base cyber policy generally does not cover the loss. The crime or social-engineering rider does. Two things to verify:

  1. the sublimit, usually $25,000 to $250,000
  2. whether the rider covers social engineering fraud — where the firm was tricked into authorizing the transfer — and not only direct computer-funds-transfer fraud

A rider that covers only direct funds-transfer fraud is nearly useless for the law firm BEC pattern. Insist on social-engineering language.

War, systemic, and supply-chain exclusions

After the 2023 Lloyd's of London war exclusion guidance, most cyber policies exclude nation-state attacks. Wording varies; some carriers still pay if attribution is unclear, others have moved to harder exclusions.

For law firms, watch the supply-chain language. If a breach travels through the DMS vendor, the e-discovery platform, the court e-filing system, or the firm's RMM tool, some policies treat that as a systemic event and exclude it. Ask the broker in plain language whether the policy responds if a DMS or e-discovery breach affects this firm, and whether there is a separate sublimit for systemic events. Get it in writing.

Bar-disciplinary defense — a coverage worth asking about

Some carriers now offer an endorsement covering defense costs for state bar disciplinary proceedings arising from a cyber event. The duty to safeguard stays with the lawyer; no policy transfers it. But the cost of defending a disciplinary inquiry is real, and a defense-cost endorsement is worth the conversation at renewal. If your jurisdiction has issued ethics opinions on cyber incidents, read them before the renewal call.

How to pass underwriting without overspending

The single biggest mistake firms make is layering tools the carrier does not actually score. The sequence that works, in order of premium impact:

Step 1 — MFA everywhere it counts

Enable MFA on Microsoft 365 or Google Workspace, on DMS admin accounts, on practice management and time-and-billing platforms, and on every remote-access path. This is the cheapest move and it materially lowers premium.

Step 2 — Deploy 24/7 MDR with identity coverage

A managed detection and response service with a real 24/7 SOC checks the EDR and 24/7 monitoring boxes at the same time. Identity threat detection on top covers the cloud productivity suite controls and MFA-bypass detection. Our Managed Detection and Response and Managed ITDR services are designed against this control set.

Step 3 — Immutable backup with a monthly restore test

The immutable backup checkbox is meaningless without the restore test log. Pick a backup product that supports immutability natively, include the DMS and accounting databases in the test scope, schedule a monthly restore, and keep the log. Carriers ask for it at claim time.

Step 4 — Written security plan, one-page IR plan, tabletop

A written information security plan satisfies both the statutory requirement in IL, MA, NY, and other jurisdictions and the carrier's policy line item. Pair it with a one-page incident response plan naming who calls the carrier hotline, who declares an incident, who talks to partners, who handles client communication, and who decides about closing the office. A 60-minute tabletop with the managing partner, firm administrator, and IT vendor satisfies the tabletop requirement.

Step 5 — Dual-approval wire and callback verification (closings, PI, estate)

If the firm handles closings, settlements, or escrow, write down the dual-approval wire policy and the callback verification rule for any change to payment instructions. Train every staff member who touches wires. This single procedural control prevents the most common law firm cyber loss and is heavily scored on the application.

Step 6 — Workforce training with payment-redirect phishing

A recurring phishing simulation — invoice changes, vendor banking updates, opposing-counsel impersonation, settlement redirection — covers the training requirement and addresses the actual loss patterns. Our Managed Security Awareness Training service handles the cadence.

That covers roughly 80 percent of the premium-moving controls on a 2026 questionnaire.

What does not lower the premium

Firms often spend in the wrong places. Things that look like security but do not move underwriting in 2026:

  • a more expensive next-generation firewall, by itself
  • stacking two or three antivirus products on the same machine
  • a one-time penetration test or audit report with no operational controls behind it
  • a policy binder with no evidence the policies are followed
  • "we have a great IT guy" without 24/7 monitoring behind that statement

Carriers score operating controls and evidence, not invoices.

Renewal reality in 2026

Underwriters now share loss intelligence on the law firm vertical. Several carriers have raised premiums or non-renewed firms that suffered a covered loss and failed to implement the controls they attested to. The 2024-2025 hard market normalized a 30 to 50 percent surcharge for firms with prior claims and no demonstrable program improvements.

If a claim was paid in a prior period, expect the next application to ask what changed since the incident. Answers like "we are more careful now" do not pass. Answers like "we moved to a 24/7 MDR provider, added MFA on the DMS admin accounts, rewrote the dual-approval wire policy, and ran a tabletop in March" do.

The other 2026 reality: misrepresentation on the application is a coverage defense. If the questionnaire said MFA was enabled on all email accounts and forensics shows it was not, the carrier may rescind. Answer honestly. If a control is partially in place, say so.

The ABA-ethics intersection

A partner cannot ethically use cyber insurance to "transfer" the duty to safeguard client confidences. Model Rule 1.1's duty of competence and Model Rule 1.6's duty of confidentiality both require reasonable efforts to prevent unauthorized disclosure, and several state bars have commented that buying a cyber policy does not, on its own, satisfy that obligation. Insurance covers financial consequences, not the ethical obligation, and it does not cover a bar finding that the firm's controls were unreasonable.

Where Obsidian Ridge fits

We are not an insurance broker. We do not sell policies and we do not collect commissions. We help firms operate the controls underwriters score and produce the evidence package the application asks for.

The control set that moves the most premium in 2026 — 24/7 MDR, identity threat detection, MFA enforcement, and workforce training — lines up with our Foundation and Protected tiers. Foundation covers the endpoint and MDR layer. Protected adds ITDR and security awareness training, addressing the four heaviest premium-moving controls on most questionnaires. The law firm industry page lays out the full mapping.

For firms renewing in the next 90 days, the two-week Cyber Insurance Readiness sprint maps each questionnaire control to evidence the carrier will accept, identifies the gaps most likely to block underwriting, and produces a clean evidence package. If you are not sure where you stand, the Assessment Tool is a faster way to scope the gap.

Cyber insurance is not a substitute for controls. It is a backstop for residual risk. Firms that treat the policy as the plan tend to learn the expensive way that the controls warranty is doing more work than the declarations page.

If the questionnaire is making you nervous, that is the right instinct. The fix is operational, not paperwork. Start with MFA, MDR, a tested backup, and a written dual-approval wire policy.

Ready to map your firm's controls to the carrier questionnaire? Start the Cyber Insurance Readiness sprint.

Last updated

May 14, 2026. We refresh this content as the threat landscape and tools evolve.

FAQ

Questions readers usually ask next

Do I need cyber insurance if I already carry legal professional liability (LPL) or malpractice coverage?

Yes. LPL responds to errors and omissions in the practice of law — missed deadlines, conflicts of interest, alleged malpractice in legal advice. It does not respond to forensics, breach notification, ransomware, regulatory defense, or wire fraud. Those losses sit on a standalone cyber liability policy. Most carriers and many state bars now treat cyber as a separate, expected line of coverage.

What are typical cyber insurance coverage limits for a law firm in 2026?

Solo to five-attorney firms commonly carry $250,000 to $1 million in aggregate limits. Six-to-25 attorney firms typically carry $1 million to $3 million. Mid-size firms in the 26-to-75 attorney range carry $3 million to $10 million, often with a separate excess tower. Sublimits — especially for ransomware and wire fraud — frequently move at a different rate than the headline aggregate, so the declarations page is only part of the picture.

Will the policy pay a ransomware demand, or is it excluded?

Ransom payment is generally covered when it is legal under OFAC sanctions rules and the carrier's incident response panel approves the payment in advance. Many 2026 policies now apply 50 percent co-insurance to the ransomware loss if the firm cannot demonstrate that the named controls — MFA, EDR or MDR, immutable backups, and an incident response plan — were operating at the time of loss. Read the ransomware endorsement, not just the declarations page.

What counts as a breach for purposes of triggering coverage?

Policies define a covered event broadly: unauthorized access to systems holding client information, a ransomware or extortion event, business email compromise, a wire fraud loss, or any event that triggers a state notification or bar disciplinary obligation. The firm's duty is to notify the carrier as soon as the event is reasonably suspected — not after it is confirmed by forensics.

Is MFA actually required, or is it just a recommendation on the application?

It is required on multiple surfaces. 2026 questionnaires ask about MFA on email accounts, MFA on every remote access path including VPN, RDP, and RMM, and MFA on privileged admin accounts in the document management system. Misrepresenting MFA status on the application is one of the most common reasons claims are denied or policies are rescinded.

Do carriers really verify that backups have been tested?

Yes. Most 2026 applications ask whether immutable offsite backups exist and whether a documented restore test has been completed within the last 90 days. After a covered event, carriers commonly request the test log as evidence. Backups that exist on paper but were never actually restored fail this control in practice and often trigger the co-insurance clause.

If we handle closings, settlements, or escrow, do we need a separate wire-fraud rider?

Yes, and you need to read it carefully. The base cyber policy generally does not cover wire fraud. The crime or social-engineering rider does, but only if the wording covers social engineering fraud — where a staff member was tricked into authorizing the transfer — and not only direct computer-funds-transfer fraud where the attacker moves money directly. For real estate, personal injury, and estate planning firms, this rider is often the most important coverage in the policy.

How quickly do we have to notify the carrier after a suspected incident?

Most policies require notice as soon as reasonably practicable, with a hard window — commonly 30 to 60 days — for written notice. Late notification is one of the most common reasons coverage is denied even when the underlying loss is otherwise covered. Build the carrier hotline number into the firm's incident response plan and call before you call IT.
