Law firms have become a routine target for ransomware and business email compromise crews. The reasons are not subtle: firms hold concentrated client confidences, trust account funds, and active wire instructions, in environments small enough for defenses to be inconsistent. Downtime hurts immediately because court deadlines do not move and closings do not wait.
Cyber insurance sits next to legal professional liability on the renewal checklist now. What has changed in 2026 is not whether a firm needs it, but what carriers will underwrite and at what price.
This article is for managing partners, firm administrators, and IT-responsible attorneys filling out a renewal application this year. Obsidian Ridge does not sell insurance. We help firms pass the underwriting questionnaire honestly and operate the controls behind the answers.
Why a standalone cyber policy is not optional
Many partners assume their existing policies cover cyber events. They do not.
Legal professional liability (LPL, or legal malpractice) responds to errors and omissions in the practice of law — a missed deadline, a conflict of interest, alleged failure to meet a professional standard of care. General business liability covers slip-and-fall and property damage. Neither responds to a forensic investigation, a ransomware lockout, a state AG inquiry, or a wire redirected by a compromised vendor email.
A cyber liability policy is a separate contract. In 2026, the coverage parts on a typical law firm policy include:
- forensics and incident response retainer
- legal counsel, including a breach coach
- breach notification cost, including credit monitoring where required
- regulatory defense — state AG actions and, where applicable, federal regulators
- business interruption from a covered cyber event
- cyber extortion and ransom payment, where legal under OFAC
- restoration of data and systems
- a crime or social-engineering rider for wire fraud and BEC
Some carriers bundle these. Some sell them as endorsements. Read the policy declarations and the schedule of endorsements, not the marketing brochure.
Coverage limits and sublimits for law firm SMBs
Do not size a law-firm cyber policy from a blog post — but walk into the broker conversation with the right anchors. Most small firms carry $1 million in aggregate cover; firms in the 50-to-250-employee range commonly carry $2 million to $5 million. A $1 million policy with documented controls typically prices around $1,000 to $3,000 per year. Use revenue, attorney count, matter sensitivity, trust-account exposure, client requirements, and prior-incident history to refine it.
The aggregate is half the conversation. Sublimits decide what the firm actually collects:
- the ransomware and cyber extortion sublimit, which may sit below the aggregate
- the regulatory defense sublimit, which may be lower than the headline number
- the social-engineering and crime sublimit, which on a $1 million policy commonly lands at $50,000 to $100,000 — far below the aggregate, with standalone crime endorsements running $100,000 to $500,000
- business interruption waiting periods, typically 8 to 12 hours
A policy with a reduced ransom sublimit and a small crime sublimit is a different product than the same aggregate limit with full sublimits. For a firm that handles closings or PI settlements, the crime sublimit may be the single most important number on the declarations page.
The 2026 underwriting questionnaire
The controls below appear repeatedly across current law-firm and general SMB cyber applications. They are the controls most likely to affect eligibility, sublimits, exclusions, and price.
Identity and access controls
- MFA on all email accounts in Microsoft 365 or Google Workspace, including shared mailboxes and service accounts
- MFA on every remote-access surface — RDP, VPN, RMM
- MFA on privileged admin accounts in the document management system (NetDocuments, iManage, SharePoint-based DMS), practice management, and time-and-billing platforms
- Documented offboarding within 24 hours of separation
Endpoint and detection controls
- 24/7 EDR or MDR on every workstation and server
- Identity threat detection on the cloud productivity suite — token theft, impossible travel, anomalous mailbox rules, OAuth consent abuse
- A documented patching cadence
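As an added illustration of the "anomalous mailbox rules" check listed above (not code from the original article or from Obsidian Ridge), the script below scores inbox-rule audit events for the markers that recur in BEC cases: external forwarding, delete or mark-as-read on payment-themed subjects, and punctuation-only rule names. The log records, domain names and field layout are constructed and simplified, not a real Microsoft 365 export.

```python
import json

# Constructed sample records, loosely shaped like Microsoft 365 unified audit log
# entries for inbox-rule operations (a simplified subset of the real schema).
SAMPLE_LOG = """
{"UserId": "paralegal@firm.example", "Operation": "New-InboxRule", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "SubjectContainsWords", "Value": "wire;closing;invoice"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"UserId": "partner@firm.example", "Operation": "New-InboxRule", "Parameters": [{"Name": "Name", "Value": "Archive newsletters"}, {"Name": "From", "Value": "news@bar.example"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]}
{"UserId": "bookkeeper@firm.example", "Operation": "Set-InboxRule", "Parameters": [{"Name": "Name", "Value": "Sync"}, {"Name": "ForwardTo", "Value": "mail-archive@attacker.example"}, {"Name": "MarkAsRead", "Value": "True"}]}
{"UserId": "partner@firm.example", "Operation": "MailItemsAccessed", "Parameters": []}
"""

FINANCE_WORDS = {"wire", "closing", "invoice", "settlement", "escrow", "payment", "bank"}
INTERNAL_DOMAIN = "firm.example"  # assumed tenant domain

def score_rule(record):
    """Return the reasons an inbox-rule event looks suspicious; empty list means benign."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    params = {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}
    reasons = []
    # External forwarding or redirect: the classic way a closing thread is exfiltrated.
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        target = params.get(key, "")
        if target and not target.lower().endswith("@" + INTERNAL_DOMAIN):
            reasons.append(f"{key} to external address {target}")
    # Rules that hide mail from the mailbox owner.
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("rule deletes matching mail")
    if params.get("MarkAsRead", "").lower() == "true":
        reasons.append("rule marks matching mail as read")
    # Payment-themed subject filters turn a hiding rule into likely fraud preparation.
    hits = sorted(FINANCE_WORDS & {w.strip().lower() for w in params.get("SubjectContainsWords", "").split(";")})
    if hits:
        reasons.append("filters on payment keywords: " + ", ".join(hits))
    # Punctuation-only or blank rule names are a common attacker habit.
    name = params.get("Name", "")
    if "Name" in params and not name.strip(". _-"):
        reasons.append(f"near-empty rule name {name!r}")
    return reasons

def find_suspicious_rules(log_text):
    """Parse newline-delimited JSON audit records; return (user, reasons) per flagged rule."""
    findings = []
    for line in log_text.strip().splitlines():
        record = json.loads(line)
        reasons = score_rule(record)
        if reasons:
            findings.append((record["UserId"], reasons))
    return findings
```

Against the constructed log, the paralegal's delete-on-"wire" rule and the bookkeeper's external forward are flagged; the partner's newsletter rule is not.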
Backup and recovery controls
- Immutable, offsite backups separated from production credentials
- A documented restore test within the last 90 days, including the DMS and accounting system
- Defined RTO and RPO for the DMS, accounting, and litigation-support platforms
Process and people controls
- A written information security policy, reviewed annually — required by statute in IL, MA, NY, and a growing list of other jurisdictions, and requested by many carrier forms regardless of state
- A documented incident response plan, with a tabletop exercise in the last 12 months
- Security awareness training with phishing simulations, with payment-redirect themes for firms that handle funds
- DMARC at quarantine or reject, link protection, and attachment sandboxing on the email tenant
- For closings, settlements, or escrow: a documented dual-approval wire process and callback verification on any change to payment instructions
- For litigation firms: documented secure court filing procedures and e-discovery vendor management
This is not a wish list. It is the control stack current applications keep asking firms to prove.
The coinsurance trap on ransomware
A provision that catches partners off guard at claim time: ransomware endorsements commonly carry coinsurance — typically a 10 to 25 percent insured share, though some policies use 50 percent — plus sublimits below the aggregate and controls-warranty language that conditions or reduces coverage if named controls were not in place at the time of loss.
A clause may condition or reduce coverage if the insured cannot demonstrate that MFA, EDR or MDR, immutable backups, and a tested incident response plan were operating at the time of loss.
Translated: the headline limit is not the whole payout story. Read the ransomware endorsement, not just the declarations page. If the policy includes a controls warranty, every answer on the application is now a coverage condition.
The crime and social-engineering rider — read it carefully
The single most common cyber loss in legal is not ransomware. It is wire fraud through business email compromise. An attacker compromises an email account — the firm's, a vendor's, or opposing counsel's — and inserts altered payment instructions into a routine transaction.
Exposures by practice area:
- Real estate and closings. Wire fraud against escrow or closing funds is the most common loss in the vertical. Attackers monitor a closing thread for weeks, then send new wire instructions hours before close.
- Personal injury. Settlement-fund redirection scams targeting the firm's trust account or the client's payout instructions are well documented and increasing.
- Trust accounting and IOLTA. A compromise here is both a cyber loss and a bar disciplinary trigger. The carrier may pay the loss, but the bar inquiry runs on its own track.
- Estate planning. Client wire fraud against trust distributions is a growing pattern.
The base cyber policy generally does not cover the loss. The crime or social-engineering rider does. Two things to verify:
- whether the sublimit is large enough for the firm's actual wire-fraud exposure
- whether the rider covers social engineering fraud — where the firm was tricked into authorizing the transfer — and not only direct computer-funds-transfer fraud
A rider that covers only direct funds-transfer fraud is nearly useless for the law firm BEC pattern. Insist on social-engineering language.
War, systemic, and supply-chain exclusions
After the 2023 Lloyd's of London war exclusion guidance, most cyber policies exclude nation-state attacks. Wording varies; some carriers still pay if attribution is unclear, others have moved to harder exclusions.
For law firms, watch the supply-chain language. If a breach travels through the DMS vendor, the e-discovery platform, the court e-filing system, or the firm's RMM tool, some policies treat that as a systemic event and exclude it. Ask the broker in plain language whether the policy responds if a DMS or e-discovery breach affects this firm, and whether there is a separate sublimit for systemic events. Get it in writing.
Bar-disciplinary defense — a coverage worth asking about
Some carriers now offer an endorsement covering defense costs for state bar disciplinary proceedings arising from a cyber event. The duty to safeguard stays with the lawyer; no policy transfers it. But the cost of defending a disciplinary inquiry is real, and a defense-cost endorsement is worth the conversation at renewal. If your jurisdiction has issued ethics opinions on cyber incidents, read them before the renewal call.
How to pass underwriting without overspending
The single biggest mistake firms make is layering tools the carrier does not actually score. The sequence that works, in practical order:
Step 1 — MFA everywhere it counts
Enable MFA on Microsoft 365 or Google Workspace, on DMS admin accounts, on practice management and time-and-billing platforms, and on every remote-access path. This is usually one of the cheapest control moves and one of the most important underwriting answers.
Step 2 — Deploy 24/7 MDR with identity coverage
A managed detection and response service with a real 24/7 SOC checks the EDR and 24/7 monitoring boxes at the same time. Identity threat detection on top covers the cloud productivity suite controls and MFA-bypass detection. Our Managed Detection and Response and Managed ITDR services are designed against this control set.
Step 3 — Immutable backup with a monthly restore test
The immutable backup checkbox is meaningless without the restore test log. Pick a backup product that supports immutability natively, include the DMS and accounting databases in the test scope, schedule a monthly restore, and keep the log. Carriers ask for it at claim time.
Step 4 — Written security plan, one-page IR plan, tabletop
A written information security plan satisfies the statutory requirement in IL, MA, NY, and other jurisdictions and the carrier policy item. Pair it with a one-page incident response plan naming who calls the carrier hotline, who declares an incident, who talks to partners, who handles client communication, and who decides about closing the office. A 60-minute tabletop with the managing partner, firm administrator, and IT vendor satisfies the tabletop requirement.
Step 5 — Dual-approval wire and callback verification (closings, PI, estate)
If the firm handles closings, settlements, or escrow, write down the dual-approval wire policy and the callback verification rule for any change to payment instructions. Train every staff member who touches wires. This single procedural control prevents the most common law firm cyber loss and is heavily scored on the application.
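One way to make Step 5 testable, as an added example that is not part of the original article or any Obsidian Ridge product: the check below encodes the dual-approval and callback rules and rejects the pattern the article warns about, where the callback goes to the number that arrived with the new instructions. All names, phone numbers and matter identifiers are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class WireChangeRequest:
    """A proposed change to payment instructions on a matter (constructed model, not a product API)."""
    matter_id: str
    requested_by: str                 # staff member who entered the change
    new_account_tail: str             # last digits of the proposed account, kept for the log
    number_in_request: str            # phone number that arrived with the new instructions
    number_on_file: str               # number recorded at engagement, before the change
    callback_to: Optional[str] = None # number staff actually dialled
    callback_confirmed_by: Optional[str] = None
    approvals: List[str] = field(default_factory=list)

def approve_wire_change(req: WireChangeRequest) -> Tuple[bool, List[str]]:
    """Apply dual approval plus callback verification; return (release_ok, blocking_reasons)."""
    reasons = []
    # The callback has to reach the number already on file. A number that arrived with the
    # changed instructions is controlled by whoever sent them, so it proves nothing.
    if req.callback_to is None:
        reasons.append("no callback performed")
    elif req.callback_to == req.number_in_request and req.callback_to != req.number_on_file:
        reasons.append("callback went to the number supplied with the change, not the number on file")
    elif req.callback_to != req.number_on_file:
        reasons.append("callback went to a number that is not on file")
    elif not req.callback_confirmed_by:
        reasons.append("callback not confirmed by a named person")
    # Two distinct approvers, neither of whom entered the change.
    approvers = set(req.approvals)
    if len(approvers) < 2:
        reasons.append("fewer than two distinct approvers")
    if req.requested_by in approvers:
        reasons.append("requester approved their own change")
    return (not reasons, reasons)

def attacker_pattern() -> WireChangeRequest:
    """Constructed scenario: new instructions land hours before close, with a 'new' contact number."""
    return WireChangeRequest("M-2041", "closer@firm.example", "4471",
                             number_in_request="+1-555-0199", number_on_file="+1-555-0100",
                             callback_to="+1-555-0199", callback_confirmed_by="caller claiming to be title agent",
                             approvals=["closer@firm.example", "partner@firm.example"])

def compliant_pattern() -> WireChangeRequest:
    """Constructed scenario: same change, verified the way the policy requires."""
    return WireChangeRequest("M-2041", "closer@firm.example", "4471",
                             number_in_request="+1-555-0199", number_on_file="+1-555-0100",
                             callback_to="+1-555-0100", callback_confirmed_by="J. Doe, title agent",
                             approvals=["partner@firm.example", "administrator@firm.example"])
```

The attacker scenario is blocked even though two people signed off, because the callback reached the number in the suspect message and the closer approved their own entry.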
Step 6 — Workforce training with payment-redirect phishing
A recurring phishing simulation — invoice changes, vendor banking updates, opposing-counsel impersonation, settlement redirection — covers the training requirement and addresses the actual loss patterns. Our Managed Security Awareness Training service handles the cadence.
That covers the main underwriting control categories on a 2026 questionnaire.
What does not change underwriting much
Firms often spend in the wrong places. Things that look like security but do not move underwriting in 2026:
- a more expensive firewall, by itself
- stacking two or three antivirus products on the same machine
- a one-time penetration test or audit report with no operational controls behind it
- a policy binder with no evidence the policies are followed
- "we have a great IT guy" without 24/7 monitoring behind that statement
Carriers score operating controls and evidence, not invoices.
Renewal reality in 2026
A firm with a prior claim and no demonstrable program improvement should expect a harder renewal conversation. Carriers will ask what changed after the incident, whether the attested controls now operate, and whether the firm can produce evidence.
If a claim was paid in a prior period, expect the next application to ask what changed since the incident. Answers like "we are more careful now" do not pass. Answers like "we moved to a 24/7 MDR provider, added MFA on the DMS admin accounts, rewrote the dual-approval wire policy, and ran a tabletop in March" do.
The other 2026 reality: misrepresentation on the application is a coverage defense. If the questionnaire said MFA was enabled on all email accounts and forensics shows it was not, the carrier may rescind. Answer honestly. If a control is partially in place, say so.
The ABA-ethics intersection
A partner cannot ethically use cyber insurance to "transfer" the duty to safeguard client confidences. Model Rule 1.1's duty of competence and Model Rule 1.6's duty of confidentiality both require reasonable efforts to prevent unauthorized disclosure, and several state bars have commented that buying a cyber policy does not, on its own, satisfy that obligation. Insurance covers financial consequences, not the ethical obligation, and it does not cover a bar finding that the firm's controls were unreasonable.
Where Obsidian Ridge fits
We are not an insurance broker. We do not sell policies and we do not collect commissions. We help firms operate the controls underwriters score and produce the evidence package the application asks for.
The control set that appears most often on 2026 applications — 24/7 MDR, identity threat detection, MFA enforcement, and workforce training — lines up with our Foundation and Protected tiers. Foundation covers the endpoint and MDR layer. Protected adds ITDR and security awareness training, addressing the core control categories on many questionnaires. The law firm industry page lays out the full mapping.
For firms renewing in the next 90 days, the two-week Cyber Insurance Readiness sprint maps each questionnaire control to evidence the carrier will accept, identifies the gaps most likely to block underwriting, and produces a clean evidence package. If you are not sure where you stand, the Assessment Tool is a faster way to scope the gap.
Cyber insurance is not a substitute for controls. It is a backstop for residual risk. Firms that treat the policy as the plan tend to learn the expensive way that the controls warranty is doing more work than the declarations page.
If the questionnaire is making you nervous, that is the right instinct. The fix is operational, not paperwork. Start with MFA, MDR, a tested backup, and a written dual-approval wire policy.
Ready to map your firm's controls to the carrier questionnaire? Start the Cyber Insurance Readiness sprint.