Cyber Insurance for Law Firms: 2026 Coverage, Costs, and Underwriter Checklist
What cyber insurance for law firms actually covers in 2026, typical premiums by firm size, the 14 controls underwriters now require before they'll bind a policy, and how to avoid the most common claim denials.

Cyber insurance for law firms is no longer a discretionary line item — it is a precondition for outside-counsel guidelines, lender covenants, and many bar-association risk programs. But the market in 2026 looks nothing like 2021. Premiums have re-stabilized, sub-limits have tightened, and underwriters now treat unverified control attestations as grounds for rescission after a claim.
This guide explains what cyber insurance actually covers for a law firm in 2026, what it costs, the 14 controls every underwriter wants to see before they bind, and the four reasons claims get denied — so the policy you pay for actually pays you back when it matters.
What cyber insurance for law firms covers (and what it doesn't)
A modern cyber policy for a law firm bundles two very different things: first-party coverage that pays your firm's own losses, and third-party coverage that pays when clients or regulators come after you.
First-party coverage (your firm's costs)
- Incident response. Breach coach (a privileged attorney quarterbacking the response), forensics, ransom negotiation, and notification logistics. This is the single most-used coverage.
- Business interruption. Lost billable hours when your DMS, time-and-billing, or email is down. Look for a waiting period of 8 hours or less; 12+ is a red flag for firms.
- Cyber extortion / ransomware. Ransom payment, negotiator fees, and cryptocurrency settlement. Sub-limits of $250K–$1M are common in 2026 even on larger towers.
- Data restoration. Rebuilding corrupted matter files, time entries, and document versions.
- Funds transfer fraud / social engineering. The coverage that responds to BEC and fraudulent wire instructions. Read this section twice — most denials happen here.
Third-party coverage (claims against the firm)
- Privacy liability. Defense and settlement when a client, opposing party, or class sues over a breach of confidential information.
- Regulatory defense. State AG investigations, HHS/OCR for HIPAA-adjacent matters, GDPR/CCPA exposure for cross-border work.
- Media liability. Defamation, IP infringement, and unauthorized disclosures in firm communications.
- PCI fines. Relevant if the firm processes card payments through client portals.
What it does NOT cover
- Malpractice arising from the breach. Your LPL carrier handles that — and increasingly excludes cyber-triggered claims, creating a gap that the two policies must be coordinated to close.
- Bodily injury / property damage. Unless a cyber-physical endorsement is added.
- Acts of war / nation-state attacks. The post-NotPetya "war exclusion" language is now standard. Some carriers carve back "cyber-terrorism."
- Pre-existing vulnerabilities the firm knew about and didn't fix. A finding documented in a pen test or assessment and left unremediated is grounds for denial.
What cyber insurance actually costs a law firm in 2026
Premiums depend on five variables: firm size, practice area, revenue, controls maturity, and limits purchased. Rough benchmarks from the 2026 market:
- Solo / 2–5 attorneys: $1,800–$4,500/year for $1M limits.
- 6–25 attorneys: $5,000–$15,000/year for $1M–$3M.
- 26–100 attorneys: $18,000–$60,000/year for $3M–$5M, often with a $10K–$25K retention.
- 101–500 attorneys: $75,000–$250,000/year for $5M–$15M primary, frequently with excess layers.
- AmLaw 200: $500K–$2M+ for towers of $25M–$100M.
Practice areas that drive premiums up: M&A, IP, healthcare, financial services, plaintiff class action, and any firm holding client funds in escrow or IOLTA. Litigation boutiques without trust accounts get the best rates.
The single biggest discount lever in 2026 is not size — it is MFA + EDR + tested backups + an IR plan. Firms with all four routinely see 20–35% lower premiums than firms with attestations the underwriter can't verify.
The 14 controls underwriters require before they'll bind a policy in 2026
Every major carrier (Beazley, Coalition, At-Bay, Chubb, AIG, Tokio Marine HCC, CFC) now uses a control-based application. Missing any of these usually triggers a sub-limit, an exclusion, or a flat declination.
1. MFA on email. Universal. No MFA = no quote, full stop.
2. MFA on remote access. VPN, RDP, and any admin portal.
3. MFA on privileged accounts. Including the DMS admin and Microsoft 365 global admins.
4. EDR on all endpoints. Not "antivirus." Carriers want CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, or equivalent — with 24/7 monitoring.
5. Offline or immutable backups. Tested restores at least quarterly. Cloud-only backups in the same tenant as production no longer qualify.
6. Written incident response plan. Tabletop-tested in the last 12 months.
7. Email filtering with impersonation protection. Microsoft 365 Defender for Office or equivalent.
8. Patch management SLA. Critical CVEs patched within 7–14 days.
9. Privileged access management. Local admin rights removed from end users.
10. Security awareness training. Annual minimum, with phishing simulations.
11. Vendor risk management. A documented process for cloud providers, e-discovery vendors, and contract attorneys (Model Rule 5.3).
12. Wire transfer verification protocol. Out-of-band callback to a known number for any change in payment instructions. This is the gatekeeper for social engineering / funds transfer fraud coverage.
13. Network segmentation. Especially separating the DMS and trust accounting from general user networks.
14. Logging and retention. 90+ days of email, endpoint, and identity logs. Forensics is impossible without them, and "we don't know what happened" claims get denied.
The four reasons cyber claims get denied at law firms
Coverage exists. Claims still get denied. The pattern is consistent.
1. Misrepresentation on the application
The application asked "Do you require MFA on all email accounts?" The firm checked yes. The breach forensics show three service accounts and the founding partner's mailbox had MFA disabled. Result: rescission. The premium gets refunded; the claim does not get paid. Treat the application as a sworn statement and have IT verify every answer in writing before the broker submits.
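One way to make "have IT verify every answer in writing" concrete is to answer the MFA question from an exported per-account registration report rather than from memory. This is an added example, not code from the article; the CSV column names are an assumed shape loosely modelled on an identity provider's registration-methods export, and the rows are constructed.

```python
"""Check the 'MFA required on all email accounts?' attestation against an
exported per-account registration report before the application is signed.
Added example; the CSV columns are an assumed shape, not a vendor schema."""
import csv
import io

# Constructed sample export: one row per mailbox-enabled account.
SAMPLE_EXPORT = """\
userPrincipalName,accountType,isMfaRegistered,isMfaEnforced
jdoe@firm.example,user,TRUE,TRUE
founder@firm.example,user,FALSE,FALSE
svc-scanner@firm.example,service,FALSE,FALSE
svc-backup@firm.example,service,TRUE,FALSE
svc-efax@firm.example,service,FALSE,FALSE
apetersen@firm.example,user,TRUE,TRUE
"""

def _truthy(value: str) -> bool:
    return value.strip().lower() in {"true", "yes", "1"}

def audit_mfa(csv_text: str) -> list[tuple[str, str, str]]:
    """Return (account, type, reason) for every account that makes a
    'yes' answer false. Service accounts are checked on purpose: they
    are the usual gap. 'Registered but not enforced' also fails, since
    an optional second factor does not satisfy 'required'."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        upn, kind = row["userPrincipalName"], row["accountType"]
        if not _truthy(row["isMfaRegistered"]):
            findings.append((upn, kind, "MFA not registered"))
        elif not _truthy(row["isMfaEnforced"]):
            findings.append((upn, kind, "MFA registered but not enforced"))
    return findings

def application_answer(csv_text: str) -> tuple[str, list[tuple[str, str, str]]]:
    """The answer the firm can defend, plus the evidence behind it."""
    findings = audit_mfa(csv_text)
    return ("Yes" if not findings else "No"), findings

if __name__ == "__main__":
    answer, findings = application_answer(SAMPLE_EXPORT)
    print(f"Require MFA on all email accounts? {answer}")
    for upn, kind, reason in findings:
        print(f"  {upn} ({kind}): {reason}")
```

Attach the output to the application file; an answer that changes from "Yes" to "No" here is far cheaper than the same discovery during post-breach forensics.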
2. The social engineering sub-limit
A paralegal wires $480,000 to a fraudulent account based on a spoofed email. The policy has a $5M limit — but a $250,000 sub-limit on social engineering, and only if the firm followed its callback verification procedure. The firm has no documented procedure. Result: $250K paid, $230K eaten by the firm. Always negotiate the social engineering sub-limit up to at least $1M and write a one-page wire verification SOP everyone signs.
3. The war / nation-state exclusion
A ransomware variant gets attributed by the carrier's threat intel team to a sanctioned group. The war exclusion is invoked. Result: denial. Push for a "cyber operations" carve-back that preserves coverage for criminal ransomware even when attribution points to state-aligned actors.
4. Late notice
The IT director sees suspicious activity on a Thursday, tries to handle it internally, and notifies the carrier the following Wednesday. The policy required notice "as soon as practicable." Result: reservation of rights, then denial of defense costs incurred before notice. Put the broker's claim hotline in the IR plan. Notice first, investigate second.
How to buy (or renew) a cyber policy in 2026 without overpaying
A 60-day process that consistently produces better terms than the last-minute renewal:
- Day 1–14: Self-assess against the 14 controls. Document evidence for each (screenshots, policy excerpts, training records). Fix obvious gaps before the application goes out.
- Day 15–30: Engage a broker who specializes in legal. Not your general commercial broker. Ask for three carrier quotes minimum, and require the broker to share each carrier's application questions verbatim.
- Day 31–45: Pre-bind risk call. Most carriers offer a free 30-minute call with their security engineers. Use it to negotiate sub-limits and remove exclusions, not to recount the firm's history.
- Day 46–60: Bind, then schedule the policy review. Calendar a 90-day post-bind review with the IT lead, COO, and managing partner to confirm every attested control is actually in place.
FAQ: Cyber insurance for law firms
Is cyber insurance required for law firms?
No state bar currently mandates cyber insurance for private practice, but it is increasingly required by Fortune 500 outside-counsel guidelines, lenders financing partner buy-ins, landlords on large office leases, and several state-bar lawyers' professional liability programs that offer discounts when cyber is bundled.
How much cyber insurance does a law firm need?
A common rule of thumb in 2026: $1M in limits per $5M of firm revenue, with a minimum of $1M for solos and $3M once a firm crosses 10 attorneys or handles client trust funds. M&A, IP, and healthcare practices should layer toward $10M+.
Does my malpractice policy cover a data breach?
Usually not in any meaningful way. Most LPL policies in 2026 contain a cyber exclusion or a sub-limit under $100K. Cyber-triggered malpractice claims (e.g., a breach causing a missed filing deadline) sit in the gap between LPL and cyber — coordinate both policies with the same broker.
What's the difference between cyber liability and cyber insurance?
"Cyber liability" historically meant just the third-party coverage (claims against you). "Cyber insurance" in 2026 universally bundles first-party (your costs) and third-party (claims). Make sure any quote includes both.
Can a small law firm afford cyber insurance?
Yes. A 3-attorney firm with MFA, EDR, and tested backups can typically bind $1M of coverage for under $3,000/year. The bigger cost is not the premium — it is being uninsurable because basic controls are missing.
Does cyber insurance cover ransomware payments?
Yes, under the cyber extortion coverage, subject to a sub-limit (commonly $250K–$1M in 2026) and OFAC sanctions screening of the ransom recipient. Payments to sanctioned groups are never covered.
Related reading and next steps
- Law Firm Ransomware in 2026: How Attacks Happen, Real Costs, and a 90-Day Prevention Plan
- Cybersecurity Incident Response for Law Firms in 2026
- Law Firm Data Breach: The 72-Hour Response Playbook
- See a sample external risk report — the same evidence underwriters review.
- Run a free assessment on your firm's domain and use the output as supporting evidence at renewal.
The firms that get the best 2026 renewal terms are not the biggest — they are the ones that walk into the underwriting call with documented evidence for all 14 controls. Build that evidence now, and the policy will be there when you need it.