
Cyber Insurance for Law Firms: What You Need, What It Costs, and What Underwriters Are Looking For


By Ryan Windt | Head of Growth Marketing | Updated March 2026

Law firms sit at the intersection of everything attackers want. Sensitive client communications. Financial transaction records. M&A deal data. Litigation strategy. Settlement terms. Wire transfer capability. And in most cases, a security posture built for a professional services firm, not a high-value cyber target.

That mismatch is why law firms are among the most frequently targeted organizations in the country, and why the cyber insurance conversation for a law firm is meaningfully different from a standard commercial policy.

This guide covers what law firms actually face, what underwriters scrutinize in your application, what coverage components matter most, and what you should expect to pay in 2026.


Why Law Firms Are a Target

The short answer is that law firms hold some of the most monetizable data in existence, and they often hold it on behalf of clients whose networks are far harder to attack directly.

Attackers who cannot penetrate a Fortune 500 company’s perimeter find it easier to go after the firm’s outside counsel. The law firm may have weaker security controls, smaller IT teams, and the same access to deal-sensitive information. The 2020 Grubman Shire Meiselas & Sacks attack, in which hackers exfiltrated entertainment contracts and threatened to auction them publicly, was a high-profile example of a strategy attackers have refined and replicated across hundreds of firms since.

The specific risks law firms face break down into four categories.

Client data and privilege

Law firms hold privileged communications, litigation strategy, and client financial information. A breach that exposes any of this creates malpractice and reputational exposure on top of the direct cost of the incident itself. Clients who discover that their privileged communications were accessed because of inadequate firm security have grounds for legal action against the firm.

Wire transfer and escrow fraud

Many law firms hold escrow or trust accounts and send wire transfers on behalf of clients for real estate closings, settlements, and acquisitions. Business email compromise (BEC) targeting those transactions has cost law firms hundreds of millions of dollars. The attacker compromises a partner’s mailbox, or registers a look-alike domain and impersonates the firm, then sends revised wire instructions pointing at an account the attacker controls. These losses are hard to recover because the funds are typically moved through several further accounts within hours, before anyone notices that the money never reached the intended payee.

Ransomware

Law firms are disproportionately targeted by ransomware because the pressure to restore access is immediate and the reputational cost of disclosure is severe. A firm that cannot access its case management system, document repository, or client files faces a crisis that plays out in front of clients, courts, and regulators simultaneously. Ransomware gangs understand this. Ransom demands against law firms frequently reflect the sensitivity of the data rather than the firm’s revenue.

Regulatory and bar obligations

Every state bar has ethics rules, modeled on ABA Model Rule 1.6(c), requiring attorneys to make reasonable efforts to prevent unauthorized access to or disclosure of client information, which includes protecting it against data breaches. A security incident does not just create a legal liability. It creates a professional responsibility problem. Some state bars, including California and New York, have issued guidance that a data breach involving client information may constitute an ethics violation if the firm lacked reasonable security measures. Regulatory notification obligations under state privacy laws apply to law firms the same as to any other business.


What Underwriters Look at for Law Firms

Cyber underwriting for law firms has tightened considerably since 2021. Carriers have seen enough law firm claims to know where the exposures concentrate. Here is what they examine.

Multi-factor authentication

MFA is the first question on virtually every cyber application now, and for law firms it is evaluated with more granularity than most applicants expect. Underwriters want MFA on email, remote access, document management systems, and any portal that connects to client matters. Partial deployment is a significant red flag. A firm that has MFA on Microsoft 365 but not on its case management system or client portal is carrying a gap that has produced claims.

For firms seeking limits above $2 million, carriers increasingly ask about phishing-resistant MFA specifically: FIDO2/WebAuthn authenticators (hardware security keys or passkeys) rather than SMS or app-generated one-time codes, which an attacker can relay through a phishing proxy in real time.

Email security controls

Given that BEC is the highest-cost attack vector for law firms, underwriters pay close attention to email authentication. They want to see SPF and DKIM configured for every service that sends mail as the firm, and a DMARC record at an enforcing policy (p=quarantine or p=reject) applied to 100 percent of mail, not one still parked at p=none monitoring mode. They also look for a filtering layer that flags display-name impersonation, look-alike domains, and external senders posing as firm personnel, since a spoofed or look-alike message is the usual vehicle for fraudulent wire instructions.
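The difference between "DMARC is configured" and "DMARC is enforced" is visible in the DNS records themselves. The script below is an added example for this article, not code from the page or its author: it parses SPF and DMARC TXT values and reports the gaps an underwriter's scan would flag. The two record pairs are constructed samples (a monitoring-only setup beside an enforcing one); in practice you would fetch the TXT record for the domain and for _dmarc.<domain> from DNS.

```python
"""Check whether a domain's SPF and DMARC records are in enforcement mode.

Added example for this article, not code from the page or its author. The
TXT values at the bottom are constructed samples; in practice you would look
them up in DNS (the domain's TXT record for SPF, _dmarc.<domain> for DMARC).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    record: str    # "SPF" or "DMARC"
    severity: str  # "high" defeats enforcement; "medium"/"info" are hardening gaps
    message: str


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=...' into a lower-cased tag dict."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(txt: Optional[str]) -> List[Finding]:
    if not txt or not txt.lower().startswith("v=spf1"):
        return [Finding("SPF", "high", "no SPF record published")]
    terms = txt.lower().split()[1:]
    # The 'all' mechanism decides what happens to senders not listed in the record.
    all_term = next((t for t in reversed(terms) if t.lstrip("+-~?") == "all"), None)
    if all_term is None:
        return [Finding("SPF", "high", "no terminal all mechanism; unlisted senders get neutral, not fail")]
    if all_term in ("all", "+all"):
        return [Finding("SPF", "high", "+all authorizes every sender on the internet")]
    if all_term == "?all":
        return [Finding("SPF", "high", "?all is neutral; unauthorized senders are never failed")]
    if all_term == "~all":
        return [Finding("SPF", "info", "~all softfails; rely on DMARC p=reject to act on it")]
    return []  # -all: unauthorized senders hard-fail


def check_dmarc(txt: Optional[str]) -> List[Finding]:
    if not txt:
        return [Finding("DMARC", "high", "no DMARC record published at _dmarc.<domain>")]
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return [Finding("DMARC", "high", "record does not start with v=DMARC1")]
    findings: List[Finding] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(Finding("DMARC", "high", "p=none is monitoring only; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("DMARC", "medium", "p=quarantine sends spoofs to junk; p=reject blocks them"))
    elif policy != "reject":
        findings.append(Finding("DMARC", "high", "missing or invalid p= tag"))
    # pct defaults to 100; anything lower applies the policy to only a sample of mail.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append(Finding("DMARC", "medium", "pct<100 enforces the policy on only part of the mail stream"))
    # sp defaults to p; an explicit sp=none leaves every subdomain spoofable.
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append(Finding("DMARC", "medium", "sp=none leaves subdomains unenforced"))
    if "rua" not in tags:
        findings.append(Finding("DMARC", "info", "no rua= address, so nobody receives aggregate reports"))
    return findings


def assess(spf_txt: Optional[str], dmarc_txt: Optional[str]) -> List[Finding]:
    return check_spf(spf_txt) + check_dmarc(dmarc_txt)


def is_enforcing(spf_txt: Optional[str], dmarc_txt: Optional[str]) -> bool:
    """True when no finding defeats enforcement (medium/info gaps may remain)."""
    return not any(f.severity == "high" for f in assess(spf_txt, dmarc_txt))


# Constructed samples: the common "set it up and forgot it" configuration
# beside the one underwriters actually want to see.
MONITORING_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
MONITORING_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ENFORCING_SPF = "v=spf1 include:spf.protection.outlook.com -all"
ENFORCING_DMARC = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, spf, dmarc in (("monitoring", MONITORING_SPF, MONITORING_DMARC),
                              ("enforcing", ENFORCING_SPF, ENFORCING_DMARC)):
        print(f"{label}: enforcing={is_enforcing(spf, dmarc)}")
        for f in assess(spf, dmarc):
            print(f"  [{f.severity}] {f.record}: {f.message}")
```

Run it and the monitoring pair reports p=none as a high finding while the enforcing pair comes back clean; that is the same distinction an application's "is DMARC enforced?" question is really asking. The script deliberately treats ~all as informational: with DMARC at p=reject a softfail is enough for the receiver to act on, so the DMARC policy, not the SPF qualifier, is the control that matters.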

Wire transfer and payment controls

For firms that handle escrow, settlements, or real estate transactions, underwriters look specifically at your wire release process: dual control (the person who initiates a wire cannot be the only person who approves it), callback verification of new payees at a number obtained independently of the payment instructions, and out-of-band confirmation of any change to existing wire instructions, again using the number already on file rather than one supplied in the change request. These controls affect both your eligibility and your social engineering sublimit. Firms that cannot articulate their wire verification process are a harder risk to underwrite.
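Those three controls are easy to state and easy to get wrong in practice, most often by calling back the phone number printed in the very email that changed the instructions. The gate below is an added example for this article, not code from the page, from SeedPod, or from any carrier. It encodes the controls as a release decision: the payee registry, the role names, and the $100,000 two-approver threshold are assumptions; in a real firm the registry is the trust-accounting system and the callback number comes from the client's onboarding file.

```python
"""Release gate for outgoing wires: dual control plus out-of-band verification.

Added example for this article, not code from the page or from any carrier.
The registry, role names and the two-approver threshold are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class BankDetails:
    routing_number: str
    account_number: str
    beneficiary_name: str


@dataclass(frozen=True)
class PayeeRecord:
    details: BankDetails
    callback_phone: str  # captured at onboarding, never taken from an e-mail


@dataclass
class WireRequest:
    payee_id: str
    amount_cents: int
    details: BankDetails
    requested_by: str
    approvers: Tuple[str, ...] = ()
    # Which number the verifier actually dialled and whether the payee confirmed
    # the details. A number lifted from the change request is not out of band.
    callback_number_dialled: Optional[str] = None
    callback_confirmed: bool = False


TWO_APPROVER_THRESHOLD_CENTS = 100_000_00  # $100,000; assumed firm policy


def release_decision(req: WireRequest, registry: Dict[str, PayeeRecord]) -> Tuple[bool, List[str]]:
    """Return (approved, reasons). Any reason blocks release."""
    reasons: List[str] = []
    known = registry.get(req.payee_id)

    if known is None:
        # New payee: instructions must be read back to the payee over a channel
        # other than the one that delivered them.
        if not req.callback_confirmed:
            reasons.append("new payee: bank details not confirmed by callback")
    elif req.details != known.details:
        # Changed instructions are the classic BEC move. The callback must go to
        # the number already on file, not to whatever the change request lists.
        if not req.callback_confirmed:
            reasons.append("changed bank details not confirmed by callback")
        elif req.callback_number_dialled != known.callback_phone:
            reasons.append("callback went to a number not on file; treat as unverified")

    # Dual control: the requester cannot approve their own wire, and large
    # wires need two independent approvers.
    independent = {a for a in req.approvers if a != req.requested_by}
    required = 2 if req.amount_cents >= TWO_APPROVER_THRESHOLD_CENTS else 1
    if len(independent) < required:
        reasons.append(f"needs {required} independent approver(s), has {len(independent)}")

    return (not reasons, reasons)


# Constructed sample data: one escrow payee on file and four release requests.
REGISTRY = {
    "escrow-001": PayeeRecord(
        details=BankDetails("021000021", "123456789", "Acme Title Escrow"),
        callback_phone="+1-212-555-0100",
    )
}
ON_FILE = REGISTRY["escrow-001"].details
SWAPPED = BankDetails("026009593", "987654321", "Acme Title Escrow")  # attacker's account


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Run the gate over representative requests and return the decisions."""
    return {
        "routine": release_decision(WireRequest(
            "escrow-001", 50_000_00, ON_FILE, requested_by="paralegal", approvers=("partner",)), REGISTRY),
        "bec_attempt": release_decision(WireRequest(
            "escrow-001", 900_000_00, SWAPPED, requested_by="paralegal", approvers=("partner", "cfo"),
            callback_number_dialled="+1-305-555-0199",  # number from the "updated instructions" e-mail
            callback_confirmed=True), REGISTRY),
        "verified_change": release_decision(WireRequest(
            "escrow-001", 900_000_00, SWAPPED, requested_by="paralegal", approvers=("partner", "cfo"),
            callback_number_dialled="+1-212-555-0100", callback_confirmed=True), REGISTRY),
        "self_approved": release_decision(WireRequest(
            "escrow-001", 50_000_00, ON_FILE, requested_by="paralegal", approvers=("paralegal",)), REGISTRY),
    }


if __name__ == "__main__":
    for name, (approved, reasons) in demo().items():
        print(f"{name}: {'RELEASE' if approved else 'HOLD'} {reasons}")
```

The "bec_attempt" case is the one to study: the verifier did make a call and the person on the other end did confirm the new account, yet the wire is held, because the number dialled was the attacker's. Comparing against the number on file, rather than trusting that a callback happened at all, is what makes the confirmation out of band.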

Endpoint detection and response (EDR)

Basic antivirus does not satisfy current underwriting requirements for most carriers. EDR deployed across all endpoints with centralized logging and alerting is now a baseline expectation. Firms with significant remote work populations are also expected to address the personal device question: do attorneys who access firm systems on personal devices have some form of endpoint management or are those devices uncontrolled?

Backup and recovery

Ransomware recovery depends on your backup posture. Underwriters want to know that backups run frequently, that at least one copy is offline or held in immutable (write-once, retention-locked) storage that an attacker holding your administrator credentials can neither encrypt nor delete, and that restores are actually tested rather than assumed to work. A firm that cannot restore without paying is far more likely to pay, and that difference in probability is priced into your premium.

Incident response planning

Law firms are expected to have a documented incident response plan. Not a template pulled from the internet, but an actual plan that identifies who gets called, what gets preserved, how client notifications are handled, and how bar counsel or ethics counsel fits into the response. Underwriters increasingly ask whether the plan has been tested in the last 12 months. Tabletop exercises are viewed as a positive signal.

Data inventory and retention

Underwriters want to understand what client data the firm holds, where it lives, and how long it is retained. Firms that have conducted a data inventory and implemented a defensible data retention policy are easier and cheaper to underwrite than firms that retain everything indefinitely across uncontrolled repositories.


Coverage Components Law Firms Should Prioritize

A standard cyber policy addresses many law firm risks, but the specific structure of your coverage matters. These are the areas where law firms most commonly find gaps.

Social engineering and funds transfer fraud coverage

This is the most commonly underlimited coverage for law firms and the area where the discrepancy between policy limits and actual exposure is most dangerous. Many policies include a social engineering or eCrime sublimit that is far lower than the firm’s largest routine wire transaction. If your firm handles real estate closings or M&A transactions with wire amounts in the millions, a $250,000 social engineering sublimit provides almost no protection for your most likely high-dollar loss scenario. Review this sublimit carefully and benchmark it against your actual transaction sizes.

Regulatory defense and ethics proceedings

Standard cyber policies cover regulatory defense costs and fines from government regulators. Law firms should also ask specifically about coverage for state bar disciplinary proceedings arising from a data breach. Not all policies address this, and bar proceedings can be expensive regardless of outcome.

Client notification costs

If a breach exposes client information, the firm has notification obligations under state privacy laws and potentially under bar ethics rules. Notification costs including legal review, credit monitoring for affected clients, and the cost of the notification itself are covered under most cyber policies, but the scope varies. Confirm that your policy covers notification costs for clients whose information was held in a legal services capacity, not just employees or customers in the traditional commercial sense.

Business interruption and system failure

A ransomware attack that takes down your document management system, case management platform, or email is not just an IT problem. It is a business crisis that stops billable work, delays filings, and creates client service obligations you cannot meet. Business interruption coverage under a cyber policy replaces lost revenue during the period of restoration. Pay attention to the waiting period. Many policies have a 12- or 24-hour waiting period before business interruption coverage begins to accrue. For a law firm, 12 hours of complete system unavailability is a material loss.

Malpractice coordination

Cyber incidents can create professional liability exposure independent of any malpractice policy. If a breach results in a client claiming damages because their privileged information was disclosed or their transaction was disrupted, that claim could fall under cyber, professional liability, or both, depending on how it is framed. Coordinate your cyber and professional liability coverage to make sure claims that sit at that intersection do not fall through a gap.

Extortion and ransomware response

Most cyber policies include extortion coverage for ransomware, covering the ransom payment itself (subject to legal and sanctions review, since payments to sanctioned actors are prohibited), the forensic investigation, and negotiation costs. Review the sublimit on extortion payments and confirm it is consistent with the kind of demand a firm of your size and profile would realistically face.


What Cyber Insurance Costs for Law Firms in 2026

Law firm premiums vary significantly based on firm size, practice areas, and security posture. These are general benchmarks for 2026.

Firm Profile                                 | Typical Annual Premium     | Coverage Limit
Solo or small firm, under 10 attorneys       | $1,500 to $4,000           | $1M
Mid-size firm, 10 to 50 attorneys            | $4,000 to $12,000          | $1M to $3M
Large regional firm, 50 to 200 attorneys     | $12,000 to $35,000         | $3M to $10M
AmLaw 200 and above                          | Individually underwritten  | $10M+

The factors that move you toward the lower end of those ranges: MFA deployed everywhere, active EDR, documented incident response plan, offline backups, and wire transfer controls. The factors that move you toward the higher end: a prior incident, any gaps in MFA deployment, no EDR, practice areas involving high-value financial transactions, and large volumes of sensitive client data with no documented retention policy.

Practice area matters independently of firm size. A 15-attorney firm specializing in mergers and acquisitions carries a materially different risk profile than a 15-attorney personal injury firm, and underwriters price that difference.


The Bar Ethics Dimension

Most conversations about law firm cyber risk focus on the financial exposure. The professional responsibility dimension deserves equal attention.

Every state bar requires attorneys to take competent and reasonable measures to safeguard client information. A growing body of formal ethics opinions, particularly from California, New York, and Florida, has made clear that reasonable measures include adequate cybersecurity controls, data breach response planning, and vendor oversight for cloud-based systems that store client data.

A breach does not automatically trigger a bar complaint, but inadequate security that led to the breach is the issue that does. Firms that cannot demonstrate they had reasonable controls in place are exposed not just to civil liability from affected clients but to ethics proceedings that can affect licensure.

Cyber insurance does not eliminate professional responsibility exposure. But it funds the investigation, the remediation, and the legal defense that determine how that exposure resolves. Firms that face a bar complaint following a breach with no insurance and no documentation of their security practices are in a fundamentally different position than those that can show they had appropriate controls, a response plan, and coverage.


Getting Covered

Law firms evaluating cyber insurance for the first time or approaching renewal should come to the process with documentation of their security controls, not just assertions. Underwriters have seen enough law firm claims to look carefully at applications. A firm that can show evidence of MFA deployment, EDR coverage, backup testing, and wire transfer controls will qualify for better terms and fewer exclusions than one that checks boxes without supporting documentation.

SeedPod Cyber underwrites directly, which means attorneys and administrators get direct access to underwriters who understand the legal industry’s specific risk profile, rather than going through layers that add time and reduce clarity.

If you are evaluating coverage for the first time, renewing an existing policy, or trying to understand whether your current coverage is actually structured for your exposure, start with a conversation.


How Much Does Cyber Insurance Cost? 2026 Pricing Guide — Premium benchmarks by company size, industry, and security posture.

Cyber Insurance Requirements: The Minimum Controls Checklist — Exactly what underwriters want to see documented before they quote you.

Why Every Business Needs Standalone Cyber Insurance in 2026 — What your general liability policy will not cover and what a real breach actually costs.

Cyber Insurance Exclusions: What Most Policies Won’t Cover — The exclusions that most commonly catch businesses off guard at claim time, including war exclusions, prior acts clauses, and unencrypted data restrictions that are especially relevant for firms handling sensitive client data.

Does Cyber Insurance Cover Ransomware Payments? — How ransomware coverage actually works, what conditions affect whether it pays, and what to verify in your policy before an incident happens.

How to File a Cyber Insurance Claim: A Step-by-Step Guide for Businesses — What to do in the first 24 hours of a cyber incident, how the claims process works, and the documentation mistakes that get claims delayed or denied.
