A small litigation firm in the Bay Area gets hit with ransomware. Client files are encrypted. Billing systems are down. The managing partner pulls out the cybersecurity insurance policy they renewed six months ago and makes the call. Two weeks later, the insurer denies the claim because the firm hadn’t enabled MFA on its email accounts, a requirement buried in section 14 of the policy addendum.

This is not a hypothetical. It is happening to law firms right now.

The Problem: Insurance Feels Like Protection When It Isn’t

Cybersecurity insurance for law firms has become standard advice. Brokers recommend it. Bar associations mention it. Managing partners check the box and move on. The problem is that buying a policy and being protected are two completely different things.

Insurance is designed to transfer financial risk after something goes wrong. It is not designed to prevent incidents from happening in the first place. When law firms treat a policy as a substitute for actual security controls, they create what underwriters quietly call a “moral hazard” and what the rest of us call a false sense of security.

The breach still happens. Client data still gets exfiltrated. The firm still faces potential State Bar notification obligations, client notification costs, and reputational damage. And then, when the claim is filed, firms discover that the policy they paid thousands of dollars for has exclusions that apply directly to their situation.

Common exclusions that catch small firms off guard include:

  • Social engineering sublimits. A partner wires $85,000 to a fraudulent account after receiving a spoofed email. The main policy limit is $1 million. The social engineering sublimit is $25,000. The firm absorbs the rest.
  • Failure-to-maintain-security clauses. If the insurer determines that the firm did not have “reasonable security controls” in place at the time of the incident, the claim can be partially or fully denied.
  • War and nation-state exclusions. Several major carriers have attempted to invoke these exclusions for incidents tied to foreign threat actors, including in cases where the attribution was murky at best.
  • Prior acts and known vulnerabilities. If a vulnerability was present before the policy inception date and was exploited later, some carriers argue the loss falls outside the coverage window.

None of these show up in the sales conversation. They show up in the denial letter.

Why This Matters for Law Firms Specifically

Law firms occupy a uniquely high-value position for attackers. You hold sensitive client information, financial records, merger and acquisition details, litigation strategy documents, and in many cases, personally identifiable information for dozens or hundreds of clients. That data has real market value on criminal forums.

At the same time, law firms face specific professional obligations that make a breach more than a financial problem. California attorneys are bound by the State Bar’s Rules of Professional Conduct, particularly Rule 1.6, which requires reasonable efforts to prevent unauthorized disclosure of client information. The American Bar Association (ABA) has also issued Formal Opinion 483, which outlines attorney obligations to monitor for data breaches and notify clients when their information may have been compromised.

If your firm operates in California and handles any health-related information, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) may impose additional breach notification timelines. Firms that work with clients subject to the Health Insurance Portability and Accountability Act (HIPAA) may have business associate obligations of their own.

Here is the critical point: none of these obligations disappear because you have a policy. The insurance may (or may not) cover notification costs, legal defense, and client credit monitoring services. But the professional liability exposure, the reputational damage, and the State Bar inquiry move forward regardless of whether your insurer pays the claim.

How to Close the Gap Before Your Next Renewal

The most practical way to think about cybersecurity insurance is this: the underwriting questionnaire is your security gap analysis. Insurers now ask detailed questions about your firm’s controls. Those questions tell you exactly what they expect you to have in place.

Here is what most law firm policies now require or strongly favor at underwriting time:

1. Multi-factor authentication on all remote access and email. This is no longer optional. Most carriers have made MFA a hard requirement for coverage. If your firm uses Microsoft 365 or Google Workspace without MFA enforced, you may be uninsurable at standard rates, and any claim related to account compromise could be denied.

2. Endpoint detection and response (EDR) on all devices. Basic antivirus is not sufficient. Carriers want to see EDR tools that provide behavioral monitoring, not just signature-based threat detection. Every device that touches client data needs coverage.

3. Regular, tested, offsite backups. “We back up to an external hard drive” is not the answer insurers are looking for. Immutable backups stored separately from your primary environment, with documented restore testing, are what carriers expect.

4. Security awareness training for all staff. Phishing simulations and annual training are increasingly standard requirements. Your receptionist clicking a malicious link is your problem. Carriers know this, which is why they ask.

5. A documented incident response plan. You do not need a 40-page document. You do need a written procedure that identifies who gets called, in what order, and what decisions get made in the first 24 hours of an incident. Firms without any plan often find that the chaos of an incident itself leads to additional covered losses.

6. Patch management and vulnerability scanning. Known, unpatched vulnerabilities are increasingly treated the same as gross negligence by underwriters. A formal process for applying patches within defined windows is a basic expectation.

Complete the underwriting questionnaire honestly. Misrepresentation, even unintentional, can void a policy entirely under the legal doctrine of material misrepresentation. If you are not sure how to answer a technical question accurately, that is a signal to get professional help before you sign.
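The six expectations above can be turned into exactly the self-assessment the questionnaire asks for. The script below is an added, hypothetical example (not One82's tooling and not any carrier's actual questionnaire): it evaluates a constructed control inventory, the kind of export a managed IT provider keeps, against each control and produces an honest Yes/Partial/No answer with the evidence behind it. Thresholds such as the 90-day restore-test window, the 365-day training window and the 30-day patch SLA are assumptions chosen for illustration, and every name, host and finding id is constructed sample data.

```python
"""Underwriting questionnaire as a gap analysis (hypothetical example).

Evaluates a constructed control inventory against the six controls carriers
ask about and returns an honest Yes / Partial / No per question plus the
evidence a claim reviewer would want to see. Thresholds are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

AS_OF = date(2025, 6, 1)            # constructed "today" so results are reproducible
RESTORE_TEST_MAX_AGE_DAYS = 90      # assumption: a restore test older than this is stale
TRAINING_MAX_AGE_DAYS = 365         # assumption: annual training
IR_PLAN_REVIEW_MAX_AGE_DAYS = 365   # assumption: annual plan review
PATCH_SLA_DAYS = 30                 # assumption: patch window


@dataclass
class Answer:
    control: str
    question: str
    answer: str                      # "Yes", "Partial" or "No"
    evidence: list = field(default_factory=list)


# ---- constructed inventory (sample data, not real firm records) ----
ACCOUNTS = [
    {"user": "partner1", "mfa_enforced": True},
    {"user": "paralegal1", "mfa_enforced": True},
    {"user": "reception", "mfa_enforced": False},
]
DEVICES = [
    {"host": "LAW-LT-01", "protection": "edr"},
    {"host": "LAW-LT-02", "protection": "signature_av"},   # legacy antivirus only
    {"host": "LAW-WS-03", "protection": "edr"},
]
BACKUPS = {"immutable": False, "offsite": False,          # "we back up to a USB drive"
           "last_restore_test": date(2025, 1, 10)}
TRAINING_COMPLETED = {"partner1": date(2024, 9, 1),
                      "paralegal1": date(2025, 3, 15),
                      "reception": date(2025, 2, 1)}
IR_PLAN = {"exists": True, "contacts_defined": True,
           "last_reviewed": date(2025, 2, 1)}
OPEN_FINDINGS = [                                           # placeholder finding ids
    {"id": "FINDING-EXAMPLE-1", "patch_available": date(2025, 3, 1)},
    {"id": "FINDING-EXAMPLE-2", "patch_available": date(2025, 5, 20)},
]


def _grade(ok: int, total: int) -> str:
    """Yes when every item passes, No when none does, Partial otherwise."""
    if ok == total:
        return "Yes"
    return "No" if ok == 0 else "Partial"


def _age_days(d: Optional[date]) -> Optional[int]:
    return None if d is None else (AS_OF - d).days


def _fresh(d: Optional[date], max_age: int) -> bool:
    age = _age_days(d)
    return age is not None and age <= max_age


def check_mfa(accounts=ACCOUNTS) -> Answer:
    missing = [a["user"] for a in accounts if not a["mfa_enforced"]]
    ev = [f"{len(accounts) - len(missing)}/{len(accounts)} accounts enforced"]
    ev += [f"not enforced: {u}" for u in missing]
    return Answer("mfa", "Is MFA enforced on all email and remote access?",
                  _grade(len(accounts) - len(missing), len(accounts)), ev)


def check_edr(devices=DEVICES) -> Answer:
    uncovered = [d["host"] for d in devices if d["protection"] != "edr"]
    ev = [f"{len(devices) - len(uncovered)}/{len(devices)} devices on EDR"]
    ev += [f"signature AV only: {h}" for h in uncovered]
    return Answer("edr", "Is behavioral EDR deployed on every device?",
                  _grade(len(devices) - len(uncovered), len(devices)), ev)


def check_backups(b=BACKUPS) -> Answer:
    q = "Are backups immutable, stored offsite and restore-tested?"
    ev = [f"immutable={b['immutable']}", f"offsite={b['offsite']}",
          f"last restore test {_age_days(b['last_restore_test'])} days ago"]
    if not (b["immutable"] and b["offsite"]):      # a local USB copy does not count
        return Answer("backups", q, "No", ev)
    tested = _fresh(b["last_restore_test"], RESTORE_TEST_MAX_AGE_DAYS)
    return Answer("backups", q, "Yes" if tested else "Partial", ev)


def check_training(completed=TRAINING_COMPLETED) -> Answer:
    current = [u for u, d in completed.items() if _fresh(d, TRAINING_MAX_AGE_DAYS)]
    ev = [f"{len(current)}/{len(completed)} staff trained within {TRAINING_MAX_AGE_DAYS} days"]
    ev += [f"overdue: {u}" for u in completed if u not in current]
    return Answer("training", "Has all staff completed security awareness training?",
                  _grade(len(current), len(completed)), ev)


def check_ir_plan(p=IR_PLAN) -> Answer:
    q = "Is there a written, current incident response plan?"
    if not p["exists"]:
        return Answer("ir_plan", q, "No", ["no written plan"])
    ok = p["contacts_defined"] and _fresh(p["last_reviewed"], IR_PLAN_REVIEW_MAX_AGE_DAYS)
    ev = [f"contacts_defined={p['contacts_defined']}",
          f"reviewed {_age_days(p['last_reviewed'])} days ago"]
    return Answer("ir_plan", q, "Yes" if ok else "Partial", ev)


def check_patching(findings=OPEN_FINDINGS) -> Answer:
    overdue = [f["id"] for f in findings
               if _age_days(f["patch_available"]) > PATCH_SLA_DAYS]
    ev = [f"{len(overdue)} of {len(findings)} open findings past the {PATCH_SLA_DAYS}-day SLA"]
    ev += [f"overdue: {i}" for i in overdue]
    return Answer("patching", "Are patches applied within a defined window?",
                  _grade(len(findings) - len(overdue), len(findings)), ev)


def run_gap_analysis() -> list:
    return [check_mfa(), check_edr(), check_backups(),
            check_training(), check_ir_plan(), check_patching()]


def questionnaire(answers) -> dict:
    """The honest answer per control, as it should appear on the application."""
    return {a.control: a.answer for a in answers}


def hard_requirement_gaps(answers, hard=("mfa",)) -> list:
    """Controls the page describes as hard requirements that are not fully met."""
    return [a.control for a in answers if a.control in hard and a.answer != "Yes"]


if __name__ == "__main__":
    for a in run_gap_analysis():
        print(f"[{a.answer:>7}] {a.question}")
        for line in a.evidence:
            print(f"           - {line}")
```

Anything that is not a Yes is a gap to close before signing, and the evidence lines are the records (account lists, device coverage, restore-test dates, patch ages) to keep on file so the answers can be substantiated if a claim is ever reviewed.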

What to Look for in an IT Partner

If you are preparing to purchase or renew a policy, the right IT partner will help you pass underwriting, not just help you answer the questions.

Ask prospective providers these questions:

  • Can you provide documentation of our current controls that maps to standard underwriting questionnaires?
  • Do you manage MFA enforcement across all our systems and remote access points?
  • What EDR platform do you use, and can you show us the coverage across our environment?
  • How do you handle patch management, and what is the typical time from patch release to deployment?
  • Can you help us develop or review our incident response plan?
  • Have you worked with other law firms that have gone through a claims process?

A qualified managed IT provider should be able to generate the evidence your insurer needs if a claim is ever filed, including logs, configuration records, and documented procedures. If your current provider cannot do this, your policy may be more exposed than you realize.

The Bottom Line

Cybersecurity insurance for law firms is a worthwhile financial safety net, but only if the foundation is already in place. Carriers are scrutinizing claims more aggressively than they did five years ago. Basic security controls are now minimum requirements, not differentiators. Get the controls right first. Then get the insurance. Treat the underwriting questionnaire as a gap analysis, answer it honestly, and work with an IT partner who can back up your answers with documentation.


Frequently Asked Questions

What does cybersecurity insurance actually cover for a law firm?

Most policies for law firms cover costs associated with data breach response, including forensic investigation, client notification, credit monitoring services, legal defense, and regulatory fines in some cases. Many policies also include business interruption coverage for income lost during a ransomware recovery. Coverage limits and sublimits vary significantly by policy, so reviewing the specific terms with a broker who specializes in legal professional services is worth the time.

Can a law firm’s insurance claim be denied after a breach?

Yes, and it happens more often than most firms expect. Common reasons for denial include failure to maintain required security controls (such as MFA), material misrepresentation on the underwriting application, incidents that fall under a social engineering sublimit rather than the main policy limit, and in some cases, war or nation-state exclusions. Reading the policy exclusions and endorsements carefully before signing is essential, not just the summary page.

Do small law firms really need cybersecurity insurance?

Size does not reduce your exposure as much as most small firms assume. Attackers often target smaller firms because they typically have weaker controls than large enterprises but still hold highly sensitive client information. Beyond the financial risk, California attorneys have professional obligations under Rule 1.6 of the Rules of Professional Conduct and the ABA’s Formal Opinion 483 to protect client data. Insurance helps manage the financial fallout, but it needs to be paired with actual security controls to be effective.

How do I know if my law firm has the security controls insurers expect?

Start with your insurer’s underwriting questionnaire at renewal time and treat every question as a self-assessment. If you cannot answer a technical question with confidence, that is a gap. Standard expectations now include MFA on all email and remote access, EDR tools on all devices, offsite and tested backups, documented security awareness training, and a written incident response plan. An IT provider familiar with legal industry requirements can audit your environment against these benchmarks and produce documentation your insurer can reference.


One82 provides managed IT, cybersecurity, compliance, and AI integration services exclusively for professional services firms in the San Francisco Bay Area. Schedule a 15-Minute Discovery Call to discuss your firm’s cybersecurity insurance posture.