Cyber insurance basics: What every law firm needs to know

by JoAnn L. Hathaway   |   Michigan Bar Journal

Law Practice Solutions

With law firms increasing their use of technology within their practices, the essential question turns to how firms keep their information and data secure, especially with the number of cyberattacks growing from day to day.

As cyber threats become more sophisticated, and other industries invest heavily in data protection, law firms are increasingly seen as attractive targets for cybercriminals due to the sensitive and valuable information they manage.[1] While many firms are making progress in strengthening their defenses, the legal sector as a whole has historically lagged behind other industries in adopting advanced cybersecurity measures, often due to limited IT resources or competing business priorities.[2]

A lack of awareness about the specific cyber risks facing law firms, and the potential impact of a cyber event, has also contributed to slow adoption of dedicated cyber insurance. Some firm managers believe that their current insurance policies, especially with added cyber endorsements, offer enough protection. In reality, these policies usually provide only minimal cyber coverage compared to a comprehensive cyber insurance policy.

The best way to ensure that a law firm is as secure as it can be is to have a basic understanding of the coverage obtained and what to look for when crafting coverage. The following breaks down the essential provisions:

UNDERSTANDING BASIC CYBER INSURANCE COVERAGE

Insurance coverage for first-party losses

First-party coverage is designed to help your firm respond to and recover from a cyber event. This protection covers costs and expenses resulting from a breach response, typically including costs incurred to investigate and remedy a security breach. Here are some examples of what first-party coverage can help with:

  • Attorney and forensic examiner fees to investigate and address the breach
  • Public relations firm fees to restore your reputation and mitigate damages
  • Regulatory fines
  • Business interruption loss if your operations are disrupted
  • Payments for cyber extortion, such as ransomware
  • Electronic information restoration if data is lost or corrupted
  • Identity theft resolution services fees for affected individuals
  • Notification of breach costs, as required by law
  • Credit file monitoring costs for those impacted
  • Out-of-pocket operating or replacement costs needed to keep your firm running

Insurance coverage for third-party losses

Third-party coverage is about protecting your firm from claims asserted against you by third parties. These may arise from, for example, an unintentional breach of information, network security damage, media liability, intellectual property infringement, or costs associated with regulatory proceedings and legal violations.

Common types of payments made under this coverage include:

  • Payments for damage judgments or settlements
  • Defense and claims administration costs
  • Payments made under a consumer redress fund in a regulatory action

Working your way to coverage — cost

The cyber insurance market is still less developed than most other lines of insurance, which means there isn’t as much historical information available to create standard premium estimates. Because there are so many variables in coverage and options, it’s difficult to quote an “average” premium for a law firm.

The good news is that many carriers are entering the cyber insurance marketplace, resulting in a softer market. This allows potential policyholders to compare carriers and find more competitive premiums.

Several factors affect your premium quote, including:

Risk management

If your firm can demonstrate strong network safeguards, both in terms of policies and procedures and human resource support, a carrier may provide credit in its underwriting formula. This can result in a more favorable premium compared to a firm that does not have optimal technology oversight.

Liability limit and deductible

As with most insurance, the higher the liability limit you purchase, the higher your premium will be. Conversely, a higher deductible will generally result in a lower premium.

Claims history

If your firm has a history of claims, this will certainly be factored into your premium. Insurance carriers will also look at the facts and circumstances of each claim to determine if there are weaknesses or poor network security practices that need to be addressed.

Firm footprint

A firm that practices globally is subject to risks that a firm practicing only locally would not face. Different geographic locations have different exposures and privacy laws. Accordingly, a firm’s geographic spread is evaluated during the underwriting process, and these variables are considered in the final premium.

THE APPLICATION: WHAT TO EXPECT

While applications may vary, completing an application for a cyber insurance policy can be a time-consuming task. The questions asked often require information not needed for other lines of insurance and can be quite technical. You may need a team to respond, including IT, HR, and management.

Here’s what you may be asked:

Computer and network security

  • Who in your firm is responsible for information security, and to whom do they report?
  • Do you have backup systems, business continuity, and disaster recovery plans?
  • Is there an incident response plan for network intrusions and virus incidents?
  • Do you have up-to-date, active firewall technology?
  • Are patch management procedures in place?
  • Is multi-factor login required for privileged access?
  • Is remote access limited to VPN?
  • Is updated antivirus software installed on all computers and networks?
  • Do you use intrusion detection software?
  • Are there procedures for backing up sensitive data and testing or auditing network security controls?

Personnel policies and vendor management

  • Are employees trained in security issues and procedures?
  • Is computer access terminated when an employee leaves the firm?
  • Are there procedures for creating and updating passwords?
  • Are background checks conducted on prospective employees?
  • Are service providers required to demonstrate adequate security policies and procedures?
  • Do contracts with service providers include hold harmless and indemnification agreements?
  • Do you use cloud service providers, and if so, which ones?

Information security

What types of data does your firm collect, receive, process, transmit, and maintain as part of its business activities? (Examples: credit and debit card data, medical information, social security numbers, employee/HR information, bank accounts and records, intellectual property of others)

  • For each data type, how many unique individuals’ data do you handle?
  • Is your firm compliant with HIPAA and payment card industry data security standards?
  • Do you encrypt data at rest, in transit, and on mobile devices?

Website and content information

  • Do you have a written intellectual property clearance procedure for website content?
  • Is there a formal policy to avoid posting improper or infringing content?
  • Are there procedures for editing or removing controversial, offensive, or infringing content?

Loss information

  • Applicants need to supply information on loss history, sometimes limited to a specific period.
  • Be prepared to provide documentation about each claim and any corrective measures taken to prevent similar losses in the future.
  • Audited financial statements may be requested if you are seeking higher limits of protection.

Warranty statements

Cyber insurance policy applications contain warranty statements. When you sign the application, you agree that the information provided is accurate and complete. It is in your best interest to ensure that questions are answered fully and that information is current. Failure to provide accurate or complete information could result in denial of a claim, even if there would otherwise have been coverage.

DISSECTING THE CYBER INSURANCE POLICY

Understanding your policy is essential. Here’s what to look for in each section:

The declarations

The Declaration Page outlines the terms of coverage, identifies the policy period, and states limits and deductibles by insurance part. It is common for there to be more than one deductible and more than one limit or sublimit as a result of the different types of coverage (first-party and third-party).

Insuring agreement

The Insuring Agreement section typically states that the insurer will pay, on behalf of the insured, certain expenses, damages, or losses arising from defined events (such as privacy breaches, network security incidents, or cyber extortion) that occur during the policy period and are covered by the policy. The precise language and scope can vary, but the core promise is to cover losses and claims resulting from cyber events as defined in the policy.

Definitions

The Definitions section defines the terms and phrases set forth in bold throughout the policy. It is crucial to carefully read and fully understand these definitions, as they determine what is and is not covered.

Exclusions

A cyber insurance policy will also contain an Exclusions section, which should clearly describe what is not covered. Some carriers do not list what they consider to be obvious exclusions, but fully detailed exclusions can be very helpful to prospective insureds.

Defense and settlement

The policy will describe the relationship between the insured and insurer regarding the control of the defense and settlement of a claim. Some cyber policies are written on a “non-duty to defend” basis, allowing the insured to manage and control the defense of claims, usually with the insurer having input on important decisions. Other policies require the insurer to defend, even if the claim has no perceived merit. Larger firms may prefer a non-duty to defend policy, while smaller firms may prefer the insurer to manage the defense.

Some carriers reimburse insureds for defense costs after they are incurred, while others provide advance payment. If you are not able to pay out of pocket and wait for reimbursement, make sure your policy provides for the advancement of defense costs.

It is common for a cyber insurance policy to require the written consent of the insured before settling a claim. However, there are often conditions. For example, if the insured withholds consent to settle for an amount the insurer recommends, the insured may be responsible for a percentage of defense costs and loss payments that exceed the settlement offer.

Liability limits/self-insured retention

An aggregate liability limit is provided under a cyber insurance policy, typically with sublimits for various types of losses. There is also a deductible that may apply to each coverage part.

Conditions

This provision sets forth what the insured is required to do to remain insured and to help ensure coverage is available if there is a claim. Examples include:

  • Timely payment of premiums and self-insured retentions
  • Taking reasonable steps to protect against further loss or damage in the event of a loss
  • Cooperating in a data breach investigation
  • Timely provision to the insurance carrier of proof of loss

Other insurance coverage

This provision describes how the policy will apply to a loss if there is other effective insurance coverage in place that may also apply.

Territory

The Territory section identifies where coverage would be afforded in the event of a loss. The broadest coverage provides protection for acts occurring anywhere in the world.

SEEKING AN EXPERIENCED PROFESSIONAL

Because there is no standard policy form for cyber insurance, coverage offered by one insurer may differ greatly from that of another. Due to the complexities and many variables contained in cyber insurance policies, it is highly recommended to consult with an experienced insurance agent or broker and with an insurance attorney whose practice area focuses on cyber insurance policy reviews.

FINAL THOUGHTS

Taking the time to understand your exposures, working with knowledgeable professionals to review your coverage, and making informed decisions about your policy are some of the most important steps you can take to protect your firm and clients. Cyber insurance is not just about transferring risk; it’s about ensuring that your firm can weather unexpected storms and continue to serve clients with confidence, no matter what challenges arise.


“Law Practice Solutions” is a regular column from the State Bar of Michigan Practice Management Resource Center (PMRC) featuring articles on practice, technology, and risk management for lawyers and staff. For more resources, visit the PMRC website at michbar.org/pmrc/content or call our helpline at 800.341.9715 to speak with a practice management advisor.


ENDNOTES

1. Up to 40% of law firms have experienced a security breach, and the average cost of a data breach for law firms in 2024 was $5.08 million. See Law firm cyberattacks: Stats and trends for 2025, Embroker https://www.embroker.com/blog/law-firmcyberattacks/ (published April 10, 2025) (all websites accessed June 20, 2025).

2. Many law firms have lagged behind in adopting top-tier security protocols, unlike financial institutions with stringent cybersecurity regulations. See Law Firms Five Times More Likely to Be Targeted by Cyberattacks, TPX https://www.tpx.com/blog/law-firmsfive-times-more-likely-to-be-targeted-by-cyberattacks/ (published January 17, 2025).