47 controls mapped to what underwriters verify · one-time purchase · instant download
Why cyber insurance is different for law firms
A law firm is, from an underwriter’s point of view, a dense concentration of other people’s secrets: privileged communications, deal terms, settlement figures, M&A diligence, and trust-account balances — all sitting in one mailbox and one document management system. That makes firms a top ransomware and business-email-compromise target, and it makes carriers unusually exacting about how that data is locked down before they will write a policy.
Two duties drive the underwriting questions you will see. ABA Model Rule 1.6(c) requires lawyers to make "reasonable efforts" to prevent unauthorized disclosure of client information, and most state bars have adopted parallel competence and confidentiality obligations (see ABA Formal Opinion 483 on breach notification). A breach is therefore not only an insurance event — it is a potential bar-discipline event, which is exactly why carriers want evidence that controls existed before the incident.
The single largest dollar loss for firms is not encryption ransomware — it is wire fraud. A spoofed email in the middle of a real estate closing or settlement disbursement redirects client funds, and the firm is on the hook. Underwriters now treat email authentication (DMARC/SPF/DKIM), MFA on every mailbox, and out-of-band payment verification as table stakes; missing them is what triggers premium loads or sub-limits on social-engineering coverage.
The regulatory and contractual pressures underwriters expect law firms to have already accounted for.
Priority controls
Drawn verbatim from the 47-control Cyber Insurance Prep Checklist — with why each one matters specifically for your vertical.
Require multi-factor authentication on every email account.
A single compromised attorney mailbox exposes privileged communications across every matter that lawyer touches — carriers treat unprotected email as the firm’s highest-severity gap.
Publish DMARC set to p=quarantine or p=reject.
Wire-fraud losses almost always begin with a spoofed firm domain; DMARC at quarantine/reject is the control underwriters most often check on a firm application.
Keep at least one air-gapped or append-only backup.
An air-gapped backup is the difference between restoring a matter database and paying ransom over privileged client files you legally cannot afford to lose.
Encrypt sensitive customer data at rest (PII, PHI, payment card).
Privileged client data and settlement records must be encrypted at rest to satisfy both the carrier and the firm’s Rule 1.6 confidentiality duty.
Limit third-party vendor remote access to approved windows, with MFA.
Firms grant outside vendors (e-discovery, IT, court-reporting) standing access; uncontrolled vendor access is a frequent disqualifier.
Provide security awareness training to all employees annually.
Staff handling wire instructions and intake are the human attack surface for BEC; annual training is explicitly asked about on most legal-vertical applications.
Maintain a written incident response plan.
A written IR plan with breach-notification steps maps directly to Formal Opinion 483 obligations and shortens the firm’s notification clock.
These are 7 of the 47 controls. The full checklist covers all of them — required, premium-affecting, and disqualifying — with verification and remediation steps.
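A small checker for the DMARC control above, written here as an added example (it is not part of the checklist or its vendor's tooling). It parses a `_dmarc` TXT record and reports the gaps an underwriter would flag: a policy weaker than quarantine/reject, a `pct` below 100, a lax `sp=` for subdomains, and no `rua=` reporting address; the sample records and the `firm.example` domain are constructed.

```python
"""Assess a DMARC TXT record against the p=quarantine / p=reject bar."""
from typing import Optional

ENFORCING = {"quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Split "v=DMARC1; p=reject; rua=..." into a lowercase tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> dict:
    """Return {"enforcing": bool, "gaps": [reasons]} for one DMARC record."""
    if not record:
        return {"enforcing": False, "gaps": ["no _dmarc TXT record published"]}
    tags = parse_dmarc(record)
    gaps = []
    if tags.get("v", "").upper() != "DMARC1":
        gaps.append("record does not start with v=DMARC1; receivers ignore it")
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        gaps.append(f"p={policy or '<missing>'} does not quarantine or reject spoofed mail")
    # pct defaults to 100; anything lower leaves a share of spoofed mail unfiltered
    raw_pct = tags.get("pct", "100")
    pct = int(raw_pct) if raw_pct.isdigit() else 0
    if pct < 100:
        gaps.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    # sp= overrides p= for subdomains; a lax value lets mail from sub.firm.example be spoofed
    sub = tags.get("sp", policy).lower()
    if sub not in ENFORCING:
        gaps.append(f"sp={sub} leaves subdomains unprotected")
    if "rua" not in tags:
        gaps.append("no rua= address: no aggregate reports to show the policy is working")
    enforcing = policy in ENFORCING and pct == 100 and sub in ENFORCING
    return {"enforcing": enforcing, "gaps": gaps}


# Constructed sample records: a monitoring-only record and a fully enforcing one.
WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@firm.example"
PASSING = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@firm.example"

if __name__ == "__main__":
    for name, rec in (("weak", WEAK), ("passing", PASSING)):
        print(name, assess_dmarc(rec))
```

To check a live domain, fetch the record with `dig TXT _dmarc.<domain>` and pass the quoted string to `assess_dmarc()`.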
By purchasing you agree to our Terms. Digital products are non-refundable once accessed. A checklist supports your application; it does not guarantee an underwriting decision.
Business email compromise — a spoofed message redirecting closing or settlement funds — is the most common large loss at law firms. Underwriters want to see MFA on email, DMARC enforcement, and an out-of-band callback step before disbursing client funds, because those controls directly reduce the loss they are insuring.
Yes. ABA Model Rule 1.6(c) requires reasonable safeguards for client information, and Formal Opinion 483 covers breach response. The same controls an underwriter scores — MFA, encryption at rest, an incident response plan — are also the evidence a firm needs to show it met its ethical duty if a breach occurs.
Carriers apply the same baseline (MFA, backups, email authentication) to solos and AmLaw 100 firms alike — the per-mailbox sensitivity is identical. The good news is small firms can satisfy most of these controls inside Microsoft 365 or Google Workspace without buying new tooling; the checklist tells you exactly which settings to flip.