Cyber Insurance for Law Firms: What to Verify Before You Apply or Renew
A practical guide for law firm owners, managing partners, attorneys, firm administrators, and practice managers who need to protect client data, answer cyber insurance applications accurately, and prepare for today’s cyber insurance requirements.
MoreMax helps law firms verify the technical controls cyber insurance applications commonly ask about, identify practical gaps, and organize evidence before the firm submits rushed or uncertain answers.
Cyber insurance is no longer just paperwork
Cyber insurance used to feel like an administrative insurance task. For law firms, that has changed.
Today, the application itself has become a practical test of how well the firm protects client email, confidential documents, Microsoft 365, remote access, backups, devices, and payment workflows.
The questions may sound technical: MFA. EDR. Backups. Encryption. Phishing protection. Incident response. Endpoint monitoring. Conditional Access.
But the real concerns are familiar to every law firm owner: Can a stolen password expose client email? Can the firm recover if ransomware locks files? Can a fake payment request trick someone into sending money? Can the firm keep working if systems are down? Can the firm prove the safeguards it says it has are actually in place?
MoreMax offers law firm IT built around cybersecurity and compliance. We help law firms protect confidential client data, strengthen Microsoft 365, prepare for cyber-insurance and compliance expectations, and support their team without making technology the firm owner’s second job.
What Law Firms Need to Know First
Cyber insurance can help a law firm respond to certain cyber incidents, such as ransomware, email compromise, data breaches, business interruption, cyber extortion, and third-party claims.
But cyber insurance does not replace cybersecurity.
Before applying or renewing, a law firm should verify its answers about:
Access
- Multi-factor authentication
- Remote access
- Admin rights
- Former employee access
Protection
- Microsoft 365 security
- Email protection
- Endpoint protection
- Device encryption
Recovery
- Backups
- Restore testing
- Patch management
- Incident response planning
What Is Cyber Insurance?
Cyber insurance is insurance designed to help organizations respond to certain technology-related losses and liabilities.
For a law firm, those losses might involve:
- A ransomware attack that locks files or systems
- A compromised email account
- A data breach involving client information
- A fraudulent payment request
- Business interruption caused by a cyber incident
- Costs to investigate what happened
- Costs to notify affected people
- Legal or regulatory response costs
- Certain claims brought by clients or third parties
The exact coverage depends on the policy, endorsements, exclusions, sublimits, claim facts, and carrier requirements. Two policies with similar names may treat ransomware, social engineering, business interruption, wire fraud, and breach response very differently.
That is a conversation to have with your insurance broker.
Why Cyber Insurance Matters for Law Firms
Law firms are not ordinary businesses when it comes to data.
A restaurant, retail store, or local service company may hold customer contact information and payment data. A law firm may hold confidential communications, privileged material, settlement information, immigration records, estate documents, litigation strategy, medical records, employment records, financial data, criminal history, business sale documents, trust-account information, and highly personal family-law records.
That changes the risk.
A cyber incident at a law firm can affect:
Client obligations
- Client confidentiality
- Attorney-client privilege
- Client communications
- Client relationships
Firm operations
- Court deadlines
- Discovery obligations
- Billing and collections
- Trust and operating account processes
Business risk
- Reputation
- Ethical duties
- Contractual obligations
- Insurance coverage
A smaller firm does not need enterprise-level complexity. But “we are too small for this” is no longer a safe assumption.
Why Law Firms Are Different From Ordinary Small Businesses
Law firms are attractive targets because of what they hold and how they work.
A law firm may hold personally identifiable information, financial records, tax records, healthcare or injury-related records, immigration documents, employment records, criminal defense records, confidential business records, client credentials, settlement and payment instructions, privileged communications, and documents subject to court orders or protective orders.
Law firms also depend heavily on email, deadlines, documents, remote access, billing, calendars, and practice management systems.
That is why cyber insurance applications now ask detailed questions about access, backups, email security, monitoring, incident response, and staff training. The application is not just paperwork. It is a risk review.
Cyber Insurance Is Not a Replacement for Cybersecurity
Cyber insurance can help after an incident. It does not stop the incident from happening.
A policy cannot:
- Stop a stolen password from being used
- Rebuild lost trust overnight
- Restore missed billable time
- Make bad backups work
- Undo an inaccurate application answer
- Prevent a fake wire-transfer request
- Replace the firm’s duty to protect client information
Think of cyber insurance like malpractice insurance or professional liability coverage. It matters. It may be essential. But it does not replace careful practice management.
For law firms, cyber insurance should sit alongside practical security controls, written procedures, staff training, and a clear response plan.
What Cyber Insurers Are Asking Today
Across cyber insurance applications and carrier questionnaires, insurers are asking more detailed questions than they used to.
They commonly ask about:
Access & Identity
- Multi-factor authentication
- Web-based email access
- Remote access
- Admin accounts
- Cloud services
Protection & Recovery
- Endpoint protection
- EDR or MDR
- Backup frequency
- Backup separation
- Backup encryption
- Restore testing
Email & Fraud Controls
- Email filtering
- SPF, DKIM, and DMARC
- Phishing training
- Wire-transfer verification
- Payment-change procedures
Governance & Response
- Patch management
- Encryption
- Local admin rights
- Incident response plans
- Prior cyber incidents
- Known circumstances
Start Before the Application Is Due
Cyber insurance readiness should not begin the day the application is due.
A better approach is to start 60–90 days before renewal or before applying for a new policy.
That gives the firm time to:
Review
- Review prior application answers
- Ask the broker what underwriting requirements have changed
- Confirm what the current application actually asks
Verify
- Verify current security controls
- Identify gaps
- Confirm which systems are covered
Prepare
- Fix practical issues before submission
- Gather evidence
- Avoid rushed answers
What Insurers Are Really Asking in Plain English
Many cyber insurance questions sound technical. But behind each question is a practical concern.
| What the application may ask | What it means in plain English | Why it matters to a law firm |
|---|---|---|
| Do you use MFA for email? | Can someone access attorney email with only a stolen password? | Email often contains confidential client communications, payment instructions, documents, and password reset links. |
| Do you use MFA for remote access? | Can someone connect to the firm from outside without a second proof of identity? | Remote access can become a direct path into firm systems. |
| Do you use MFA for admin accounts? | Can one stolen admin password give someone control over the firm’s technology? | Admin accounts are the keys to the building. |
| Do you back up business-critical data? | Can you recover email, files, and systems after ransomware or deletion? | A law firm that cannot access documents, email, or calendars may not be able to serve clients. |
| Are backups separate or protected? | Can ransomware delete or encrypt the backups too? | Backups only help if they survive the incident. |
| Have you tested restores? | Do you know the backups actually work? | A backup that has never been tested is a promise, not proof. |
| Do you use endpoint protection or EDR? | Are firm computers monitored for suspicious activity? | Client documents are created, downloaded, signed, and stored on endpoints. |
| Do you patch systems? | Are known software weaknesses being fixed? | Attackers often use known weaknesses that already have fixes. |
| Do you use email filtering? | Are malicious links, infected attachments, and fake senders being screened? | Many law firm incidents begin with email. |
| Do you use SPF, DKIM, and DMARC? | Are you reducing the chance that someone can spoof your firm’s domain? | Fake emails from a law firm’s domain can harm clients and reputation. |
| Do you train employees? | Does your team know how to spot phishing and payment fraud? | Staff are often the first target. |
| Do you have wire-transfer procedures? | Can one fake email trick the firm into sending money? | This matters for retainers, settlements, real estate, estates, and trust-related transactions. |
| Do you have an incident response plan? | Does the firm know what to do when something goes wrong? | During a breach, confusion wastes time and can make the situation worse. |
| Do you encrypt laptops? | If a laptop is lost, is the data readable? | Lost devices can become confidentiality incidents. |
| Do former employees still have access? | Are old accounts properly disabled? | Former-user access is a preventable risk. |
| Do ordinary users have local admin rights? | Can every user install software or make system-level changes? | Too many admin rights can make attacks easier to spread. |
What Law Firms Should Not Guess On
A cyber insurance application should not be completed from memory.
Some answers may seem obvious until someone checks the actual configuration. A firm may think MFA is enabled for everyone, but discover it only applies to some users. A firm may believe Microsoft 365 is backed up, but discover it is relying on retention or sync instead of a separate backup. A firm may assume all laptops are encrypted, but find that only newer devices are covered.
Before submitting an application, a law firm should verify:
Identity and access
- Whether MFA is required for all users
- Whether MFA is required for admin accounts
- Whether MFA protects remote access
- Whether web-based email is protected by MFA
- Whether former employees still have access
- Whether users have local admin rights
Backups and recovery
- Whether Microsoft 365 data is backed up
- Whether SharePoint, OneDrive, Teams, and Exchange are included
- Whether backups are protected from deletion
- Whether backups are encrypted
- Whether backup access requires MFA
- Whether a restore test has been completed
Devices and protection
- Whether the firm uses antivirus, EDR, or MDR
- Whether all computers are covered
- Whether laptops are encrypted
- Whether patches are being monitored
- Whether unsupported software exists
- Whether remote support tools are controlled
Email and fraud controls
- Whether SPF, DKIM, and DMARC are configured
- Whether email filtering includes link and attachment scanning
- Whether suspicious mailbox forwarding rules are monitored
- Whether payment-change procedures are written and followed
- Whether staff know how to report suspicious emails quickly
Planning and history
- Whether the firm has a written incident response plan
- Whether the broker and carrier claim contacts are documented
- Whether there have been prior incidents, claims, or known circumstances
- Whether evidence exists for the controls the firm says are in place
- Whether the right people reviewed the application before submission
MoreMax can help verify and document technical controls. Your insurance broker should guide insurance questions. Your legal counsel should guide legal obligations, claims-history questions, privilege, and policy interpretation.
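The gap described above, where a firm believes MFA covers everyone but the export says otherwise, is easiest to see by checking the actual registration data rather than memory. The script below is an added example written for this guide, not MoreMax's own tooling or a Microsoft API: it reads a constructed, simplified version of an identity provider's "authentication methods registered" report and flags enabled users with no second factor, users relying only on SMS or voice, admin accounts without a phishing-resistant method, and enabled accounts with no recent sign-in (a common sign of an unfinished offboarding). The method names and the record layout are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple

# Method names loosely follow Microsoft Entra's naming but are an assumption
# for this example, not an exact export schema.
PHISHING_RESISTANT = {"fido2", "windowsHelloForBusiness", "certificate"}
WEAK_SECOND_FACTOR = {"sms", "voice"}
NOT_A_SECOND_FACTOR = {"password", "email"}  # "email" here is password-reset only
STALE_AFTER_DAYS = 90


@dataclass(frozen=True)
class UserRecord:
    upn: str
    is_admin: bool
    account_enabled: bool
    methods: FrozenSet[str]          # every method the user has registered
    last_sign_in: Optional[date]     # None means no interactive sign-in on record


def second_factors(user: UserRecord) -> FrozenSet[str]:
    """Registered methods that actually count as a second factor."""
    return frozenset(user.methods - NOT_A_SECOND_FACTOR)


def audit_users(users: List[UserRecord], today: date) -> List[Tuple[str, str]]:
    """Return (upn, finding) pairs. Disabled accounts are skipped: a disabled
    former employee is the desired state, not a gap."""
    findings: List[Tuple[str, str]] = []
    for u in users:
        if not u.account_enabled:
            continue
        factors = second_factors(u)
        if not factors:
            findings.append((u.upn, "NO_MFA"))
        elif factors <= WEAK_SECOND_FACTOR:
            findings.append((u.upn, "WEAK_MFA_ONLY"))
        if u.is_admin and not (factors & PHISHING_RESISTANT):
            findings.append((u.upn, "ADMIN_NOT_PHISHING_RESISTANT"))
        if u.last_sign_in is None or (today - u.last_sign_in).days > STALE_AFTER_DAYS:
            findings.append((u.upn, "STALE_ACCOUNT"))
    return findings


def mfa_coverage(users: List[UserRecord]) -> float:
    """Fraction of enabled users with at least one real second factor; this is
    the number behind a truthful 'is MFA enforced for all users?' answer."""
    enabled = [u for u in users if u.account_enabled]
    if not enabled:
        return 0.0
    return sum(1 for u in enabled if second_factors(u)) / len(enabled)


# Constructed sample export for a six-person firm (example-firm.test is a placeholder domain).
SAMPLE_TODAY = date(2025, 1, 31)
SAMPLE_USERS = [
    UserRecord("alice@example-firm.test", True, True,
               frozenset({"password", "fido2", "microsoftAuthenticator"}), date(2025, 1, 30)),
    UserRecord("bob@example-firm.test", False, True,
               frozenset({"password", "microsoftAuthenticator"}), date(2025, 1, 28)),
    UserRecord("carol@example-firm.test", False, True,
               frozenset({"password", "sms"}), date(2025, 1, 21)),
    UserRecord("dan@example-firm.test", False, True,
               frozenset({"password"}), date(2024, 7, 15)),
    UserRecord("erin@example-firm.test", True, True,
               frozenset({"password", "microsoftAuthenticator"}), date(2025, 1, 29)),
    UserRecord("frank@example-firm.test", False, False,   # offboarded correctly
               frozenset({"password"}), date(2024, 3, 1)),
]

if __name__ == "__main__":
    print(f"MFA coverage of enabled users: {mfa_coverage(SAMPLE_USERS):.0%}")
    for upn, finding in audit_users(SAMPLE_USERS, SAMPLE_TODAY):
        print(f"{finding:30} {upn}")
```

On this constructed data the tenant "has MFA", yet coverage is 80%, not 100%: one active user has nothing registered beyond a password, one admin is not phishing-resistant, and one account has not signed in for months. Those are the rows to fix, and the printout is the kind of evidence worth keeping for the application file.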
Cyber Insurance Readiness Checklist for Law Firms
Before applying for cyber insurance or renewing an existing policy, a law firm should review the practical controls that insurers commonly ask about. The goal is not to make the application more complicated. The goal is to make sure the firm is answering from evidence, not memory.
Access and identity
- Confirm all active users
- Confirm all admin accounts
- Confirm MFA is enforced for users
- Confirm MFA is enforced for admin accounts
- Confirm MFA protects remote access
- Confirm former users are disabled
- Confirm shared accounts are removed or tightly controlled
- Confirm risky-login rules are in place where appropriate
Microsoft 365 and cloud systems
- Confirm the firm’s Microsoft 365 license level
- Confirm email security settings
- Confirm SharePoint, OneDrive, Teams, and Exchange data protection
- Confirm user access reviews
- Confirm Security Defaults or Conditional Access policies
- Confirm mailbox forwarding rules are monitored
- Confirm external sharing is controlled
- Confirm administrator roles are reviewed
Backup and recovery
- Confirm what data is backed up
- Confirm whether Microsoft 365 data is included
- Confirm backup frequency
- Confirm backup retention
- Confirm backups are protected from deletion or ransomware
- Confirm backup access is protected by MFA
- Confirm the last restore test date
- Confirm how quickly critical data can be restored
Devices and monitoring
- Confirm all firm computers are known and listed
- Confirm all computers have endpoint protection
- Confirm whether protection is antivirus, EDR, MDR, or SOC-backed monitoring
- Confirm patching is monitored
- Confirm laptop encryption
- Confirm local admin rights are limited
- Confirm remote support tools are controlled
- Confirm lost-device procedures are documented
Email and payment fraud
- Confirm email filtering
- Confirm phishing protection
- Confirm external email warnings where appropriate
- Confirm SPF, DKIM, and DMARC are configured
- Confirm payment-change procedures
- Confirm wire-transfer verification steps
- Confirm staff training
- Confirm suspicious-message reporting steps
Policies and response planning
- Confirm incident response contacts
- Confirm the broker and carrier claim hotline
- Confirm breach counsel process if applicable
- Confirm internal decision-makers
- Confirm business continuity steps
- Confirm security awareness training records
- Confirm written payment verification procedures
- Confirm evidence is stored where it can be found during renewal or claim response
Why Cyber Insurance Applications Ask About Microsoft 365
Many law firms run on Microsoft 365. That usually means Outlook, Exchange Online, OneDrive, SharePoint, Teams, Word, Excel, and sometimes Intune, Entra ID, and Microsoft Defender.
Microsoft 365 is powerful, but it is not automatically configured for every law firm’s risk.
What the insurer may ask
The insurer may ask about web email access, MFA, cloud data, email filtering, endpoint protection, backups, admin accounts, remote access, security monitoring, data encryption, and access controls.
What it means in plain English
The insurer wants to know whether Microsoft 365 is being managed as the firm’s main business system, not just as “email and Office apps.”
Why it matters to a law firm
For many law firms, Microsoft 365 is where the firm’s email, files, calendars, client documents, and internal communications live.
If Microsoft 365 is misconfigured, the firm may have weak login protection, former employees with access, overly broad file sharing, missing backups, unprotected admin accounts, hidden mailbox forwarding rules, poor device controls, and limited visibility after an incident.
What a firm with 1–25 users should have in place
- MFA for all users
- MFA for admin accounts
- Review of admin roles
- Security Defaults or Conditional Access where appropriate
- External sharing controls
- Mailbox forwarding review
- Device management for firm-owned computers
- Microsoft 365 backup strategy
- Email security protections
- Basic logging and alert review
- Proper onboarding and offboarding process
What larger firms may need to add
- More formal identity governance
- Conditional Access by role, device, location, and risk
- Advanced logging
- SIEM integration
- Data loss prevention policies
- Retention and eDiscovery planning
- Privileged identity management
- Formal change control
Can a Stolen Password Open the Firm? MFA Explained
Multi-factor authentication, or MFA, means a password alone is not enough.
The easiest way to explain it: a password is something you know. MFA adds something you have or something you are. That might be an authenticator app, hardware security key, number-matching prompt, or another approved method.
What the insurer may ask
An insurer may ask whether MFA is enabled for web-based email, remote access, Microsoft 365, cloud services, admin accounts, backup systems, privileged access, and third-party remote access.
What it means in plain English
The insurer wants to know whether a stolen password alone can give someone access to firm email, client files, billing systems, remote access, or administrator tools.
Why it matters to a law firm
Attorney email may contain confidential client communications, attachments, settlement terms, court notices, invoices, payment instructions, password reset links, and internal strategy discussions.
If an attacker gets into email, they may quietly read messages, create mailbox forwarding rules, impersonate an attorney, or send fake payment instructions.
What a firm with 1–25 users should have in place
- MFA for every Microsoft 365 user
- MFA for all admin accounts
- MFA for remote access
- No shared admin accounts
- Stronger MFA for the highest-risk accounts where possible
- A process for reviewing exceptions
What larger firms may need to add
- Conditional Access policies
- Phishing-resistant authentication for key roles
- Privileged access management
- More formal access reviews
- Logging and alerting for risky sign-ins
- Separate admin accounts for administrative work
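Mailbox forwarding rules are mentioned above as one of the first things an attacker does with a stolen mailbox, and monitoring for them is a control several checklists on this page repeat. The detector below is an added example for this guide, not MoreMax's or Microsoft's code. It reads constructed, simplified Exchange admin audit records (one JSON object per line, with the operation name and a Parameters list of Name/Value pairs, which is an assumption about the record shape) and raises an alert whenever a rule or mailbox setting forwards or redirects mail to an address outside the firm's own domains, rating it higher when the rule also deletes the original so the mailbox owner never sees the forwarded copies.

```python
import json
import re
from typing import Dict, Iterable, List

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Operations and parameter names as they appear in Exchange admin audit records.
# Client-side rule edits (UpdateInboxRules) are out of scope for this example.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}

# Constructed sample audit lines; example-firm.test is a placeholder domain.
SAMPLE_AUDIT_LINES = [
    json.dumps({"CreationTime": "2025-01-28T14:02:11", "UserId": "bob@example-firm.test",
                "Operation": "New-InboxRule", "Workload": "Exchange",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "\"Bob\" [SMTP:bob.personal@webmail-example.test]"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2025-01-28T15:10:00", "UserId": "admin@example-firm.test",
                "Operation": "Set-Mailbox", "Workload": "Exchange",
                "Parameters": [{"Name": "Identity", "Value": "partner@example-firm.test"},
                               {"Name": "ForwardingSmtpAddress", "Value": "smtp:assistant@example-firm.test"}]}),
    json.dumps({"CreationTime": "2025-01-29T09:00:42", "UserId": "carol@example-firm.test",
                "Operation": "New-InboxRule", "Workload": "Exchange",
                "Parameters": [{"Name": "Name", "Value": "Court notices"},
                               {"Name": "MoveToFolder", "Value": "Courts"}]}),
    json.dumps({"CreationTime": "2025-01-29T11:47:05", "UserId": "dan@example-firm.test",
                "Operation": "Set-InboxRule", "Workload": "Exchange",
                "Parameters": [{"Name": "Identity", "Value": "Invoices"},
                               {"Name": "RedirectTo", "Value": "finance@rival-example.test"}]}),
    json.dumps({"CreationTime": "2025-01-29T12:00:00", "UserId": "admin@example-firm.test",
                "Operation": "Add-MailboxPermission", "Workload": "Exchange",
                "Parameters": [{"Name": "User", "Value": "paralegal@example-firm.test"}]}),
]


def parse_audit_lines(lines: Iterable[str]) -> List[dict]:
    """One JSON record per non-empty line."""
    return [json.loads(line) for line in lines if line.strip()]


def _params(record: dict) -> Dict[str, str]:
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def find_suspicious_forwarding(records: List[dict], firm_domains: Iterable[str]) -> List[dict]:
    """Alert on any rule/mailbox change that sends mail to a non-firm address."""
    own = {d.lower() for d in firm_domains}
    alerts = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = _params(rec)
        targets = set()
        for name, value in params.items():
            if name in FORWARDING_PARAMS:
                # Values may be bare addresses, "smtp:addr" or '"Name" [SMTP:addr]'.
                targets.update(a.lower() for a in EMAIL_RE.findall(value))
        external = sorted(t for t in targets if t.split("@", 1)[1] not in own)
        if not external:
            continue
        hides_copies = params.get("DeleteMessage", "False").lower() == "true"
        alerts.append({
            "time": rec.get("CreationTime"),
            "actor": rec.get("UserId"),
            "operation": rec["Operation"],
            "targets": external,
            "hides_copies": hides_copies,
            "severity": "high" if hides_copies else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_forwarding(parse_audit_lines(SAMPLE_AUDIT_LINES),
                                            ["example-firm.test"]):
        print(alert)
```

Two of the five constructed records trip the detector: the rule named "." that forwards and deletes (the classic hidden-forwarding pattern after a mailbox takeover) and a redirect to an outside domain. The internal forward set by an administrator is not alerted here, though a firm may still want it on a periodic review list.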
Email Security, Phishing, and Business Email Compromise
For law firms, email is often the front door. It is how clients send documents, how courts send notices, how invoices go out, how payment details are discussed, and how attackers often start.
What the insurer may ask
Cyber insurance applications commonly ask whether the firm has email filtering, malicious link scanning, malicious attachment scanning, external email tagging, SPF, DKIM, DMARC, phishing training, business email compromise protections, and wire-transfer verification procedures.
What it means in plain English
The insurer wants to know whether the firm is reducing the chance that a fake email, infected attachment, or stolen mailbox will turn into a financial loss or confidentiality incident.
Why it matters to a law firm
A fake email can look like it came from a managing partner, a client, opposing counsel, a title company, a vendor, a court-related service, a bookkeeper, or a firm administrator.
For law firms, phishing and spoofing often collide with client confidentiality, trust-account handling, settlement discussions, and payment workflows.
What a firm with 1–25 users should have in place
- Strong inbound email filtering
- Link and attachment protection
- External sender warnings where helpful
- MFA on email
- Monitoring for suspicious forwarding rules
- SPF, DKIM, and DMARC
- Staff training on phishing and payment fraud
- Written verification procedures for payment changes
What larger firms may need to add
- Advanced threat hunting
- Security operations monitoring
- DMARC enforcement with reporting
- Automated response to compromised mailboxes
- More formal payment approval workflows
- Dedicated email security reporting
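SPF, DKIM, and DMARC appear on almost every application, and "we have them" is only half an answer: a DMARC record with p=none asks receivers to report spoofing but not to block it, which is why the larger-firm list above calls out enforcement with reporting. The checker below is an added example written for this guide (not MoreMax's tooling, and it does not query DNS) that parses constructed TXT records for the three mechanisms and reports where each falls short. The placeholder domain, the selector name and the lookup-count approximation are assumptions.

```python
from typing import Dict, List, Optional

# Mechanisms that cost a DNS lookup under SPF's limit of ten. Includes are not
# expanded offline, so the count below is a lower bound, not a verdict.
LOOKUP_MECHANISMS = {"include", "a", "mx", "exists", "redirect"}


def parse_spf(txt: str) -> Optional[Dict[str, object]]:
    """Split an SPF record into its mechanisms and the qualifier on 'all'."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append(term.lower())
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(txt: str) -> Optional[Dict[str, str]]:
    """DMARC records are 'tag=value' pairs separated by semicolons."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess_email_auth(spf_txt: str, dmarc_txt: str,
                      dkim_records: Dict[str, str]) -> List[str]:
    """Return finding codes; an empty list means nothing to fix."""
    findings: List[str] = []
    spf = parse_spf(spf_txt) if spf_txt else None
    if spf is None:
        findings.append("SPF_MISSING")
    else:
        if spf["all"] in (None, "+", "?"):
            findings.append("SPF_ALL_PERMISSIVE")      # anyone may send as the domain
        elif spf["all"] == "~":
            findings.append("SPF_SOFTFAIL_ONLY")       # acceptable once DMARC enforces
        lookups = sum(1 for m in spf["mechanisms"]
                      if m.split(":", 1)[0].split("=", 1)[0] in LOOKUP_MECHANISMS)
        if lookups > 10:
            findings.append("SPF_TOO_MANY_LOOKUPS")
    if not dkim_records:
        findings.append("DKIM_MISSING")
    elif any(not r.get("p") for r in (parse_dmarc_like(v) for v in dkim_records.values())):
        findings.append("DKIM_KEY_EMPTY")              # p= with no key means revoked
    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt else None
    if dmarc is None:
        findings.append("DMARC_MISSING")
    else:
        policy = dmarc.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC_P_NONE")            # monitoring only, spoofs delivered
        elif policy == "quarantine":
            findings.append("DMARC_P_QUARANTINE")      # spoofs land in spam, not rejected
        if int(dmarc.get("pct", "100")) < 100:
            findings.append("DMARC_PARTIAL_PCT")
        if "rua" not in dmarc:
            findings.append("DMARC_NO_REPORTING")      # no aggregate reports to learn from
    return findings


def parse_dmarc_like(txt: str) -> Dict[str, str]:
    """DKIM key records use the same tag=value;tag=value layout."""
    return {k.strip().lower(): v.strip() for k, v in
            (p.split("=", 1) for p in txt.split(";") if "=" in p)}


# Constructed records for a placeholder domain. The Microsoft 365 include is the
# real one; the DKIM key and selector name are placeholders.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example-firm.test"
SAMPLE_DKIM = {"selector1": "v=DKIM1; k=rsa; p=CONSTRUCTEDPUBLICKEY"}

if __name__ == "__main__":
    print("before:", assess_email_auth(WEAK_SPF, WEAK_DMARC, SAMPLE_DKIM))
    print("after: ", assess_email_auth(STRONG_SPF, STRONG_DMARC, SAMPLE_DKIM))
```

The "before" records are what many firms find when they first look: SPF and DKIM exist, DMARC is present but at p=none with nowhere to send reports. The "after" set is the state the application question is really about. Moving to p=reject should be done after reviewing aggregate reports, so that legitimate senders such as a billing or e-signature service are not blocked.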
Ransomware and Why Backups Matter
Ransomware is not just a technology event. For a law firm, ransomware can become an operational crisis.
If the firm cannot access email, documents, calendars, billing records, or practice management systems, attorneys may not be able to work. If confidential data is stolen before systems are encrypted, the problem may also involve client notification, legal obligations, insurance response, and reputational harm.
What the insurer may ask
- Do you have backups?
- What data is backed up?
- How often are backups performed?
- Are backups encrypted?
- Are backups stored separately?
- Have you tested restores?
What it means in plain English
The insurer wants to know whether your firm can get its work back after ransomware, accidental deletion, insider error, or account compromise.
Why it matters to a law firm
If files, email, calendars, and matter documents are unavailable, the issue becomes more than downtime. It can affect deadlines, client communication, billing, filings, and firm operations.
What a firm with 1–25 users should have in place
- Microsoft 365 backup for Exchange, SharePoint, OneDrive, and Teams where applicable
- Backup of any server, NAS, or critical business system
- Defined backup retention
- Backup encryption
- Separate backup credentials
- MFA for backup access
- Protection against unauthorized deletion
- Periodic restore testing
- Clear understanding of what can and cannot be restored
What larger firms may need to add
- Formal recovery time objectives
- Formal recovery point objectives
- Disaster recovery runbooks
- Regular restore exercises
- Backup immutability reporting
- Separate backup administration
- Business continuity testing
- Department-level recovery prioritization
How Insurers Think About the Computers Your Firm Uses Every Day
A law firm’s computers are where the legal work happens. Attorneys draft documents. Staff download attachments. Paralegals prepare filings. Administrators handle billing. People sign documents, open PDFs, access portals, and work from home.
That is why insurers ask about endpoint protection.
Endpoint protection
Security for the computers and devices used by the firm, the machines where legal work actually happens.
EDR
Endpoint detection and response. It watches computers for suspicious behavior, not just known viruses.
MDR
Managed detection and response. People help watch and respond to security alerts.
Why smaller firms care
A firm with 1–25 users usually does not have an internal security team watching alerts all day.
What the insurer may ask
An insurer may ask whether the firm uses antivirus, next-generation antivirus, endpoint detection and response, centralized monitoring, MDR, SOC monitoring, or logging and alerting.
What it means in plain English
The insurer wants to know whether suspicious activity on firm computers can be detected and addressed before it becomes a larger incident.
Why it matters to a law firm
A computer compromise can lead to stolen documents, stolen passwords, ransomware spread, unauthorized access to cloud systems, data theft, and business interruption.
What a firm with 1–25 users should have in place
- All firm computers enrolled in management
- Endpoint protection installed on every firm computer
- Centralized monitoring
- Alerts reviewed by someone responsible
- Patching oversight
- Device encryption
- Local admin rights limited
- Lost-device process
Are Your Firm’s Computers Being Kept Current?
Attackers often do not need to invent a new trick. They can use known weaknesses in old software, unsupported systems, browsers, plug-ins, remote access tools, or unpatched computers.
What the insurer may ask
Applications often ask whether the firm monitors vulnerabilities, applies critical security patches, updates systems within a defined timeframe, uses unsupported software, maintains an asset inventory, secures laptops and desktops, and controls local admin rights.
Why it matters to a law firm
If a computer, server, firewall, NAS, or remote access tool is out of date, it may create an opening into client data.
The real small-firm problem
For law firms with 1–25 users, the issue is often not that no one cares. The issue is that no one clearly owns the process.
What a firm with 1–25 users should have in place
- Device inventory
- Patch monitoring
- Regular operating system updates
- Third-party software update process
- Windows 11 readiness where applicable
- Removal or replacement of unsupported systems
- Encryption for laptops
- Limited local administrator rights
What larger firms may need to add
- Formal vulnerability management
- Patch timelines
- Vulnerability scanning
- Change management
- Exception tracking
- Executive reporting
- Application control
If a Laptop Is Lost, Can Client Data Be Read?
Encryption sounds technical, but the idea is simple. Encryption makes data unreadable unless the person or system has the right key or authorization.
If a laptop is stolen from a car, the question is not only “Can we replace the laptop?” The real question is: could someone read client files from that device?
What a firm with 1–25 users should have in place
- BitLocker for Windows laptops
- FileVault for Macs if Macs are used
- Encryption for backups
- Secure file sharing instead of random personal email attachments
- Controls around downloading sensitive client files to unmanaged devices
- Device inventory showing encryption status
What larger firms may need to add
- Data classification
- Data loss prevention
- Mobile device management
- Conditional Access based on device compliance
- Encryption reporting
- Secure client portals
- Retention and destruction policies
Who Has the Keys to Your Firm’s Technology?
Every law firm has ordinary users and higher-privilege users. Ordinary users need to do legal work. Admin accounts can change systems, create users, reset passwords, access sensitive settings, and sometimes override protections.
That makes admin access a high-value target.
What the insurer may ask
Applications may ask whether the firm uses MFA for admin accounts, limits local admin rights, monitors administrator activity, uses separate admin accounts, uses unique admin passwords, reviews privileged accounts, and uses privileged access management.
What it means in plain English
The insurer wants to know whether the most powerful accounts in the firm are protected, limited, and reviewed.
Why it matters to a law firm
One compromised admin account can give an attacker access to email, files, devices, backups, security settings, and user accounts.
What a firm with 1–25 users should have in place
- Very few admin accounts
- MFA on all admin accounts
- No shared admin accounts
- Separate admin accounts where appropriate
- Limited local admin rights on computers
- Admin account review at least periodically
- Clear offboarding process
Can People Access the Firm Safely From Outside the Office?
Remote work is normal now. Attorneys work from home, court, client sites, hotels, airports, and sometimes from other states or countries. That creates convenience and risk.
What the insurer may ask
Insurers may ask whether the firm allows remote access, uses VPN, uses remote desktop, requires MFA for remote access, allows third-party remote access, permits personal devices, controls unmanaged devices, and monitors risky sign-ins.
What it means in plain English
The insurer wants to know whether remote access is controlled, protected, and monitored, instead of being a wide-open path into the firm.
Why it matters to a law firm
Remote access can expose email, client files, practice management systems, billing tools, and confidential documents if it is not properly secured.
What a firm with 1–25 users should have in place
- MFA for remote access
- No exposed remote desktop without strong protections
- Managed remote support tools
- Device encryption
- Endpoint protection on firm-owned devices
- Clear policy on personal devices
- Controlled access to Microsoft 365
- Review of logins from unusual locations
What larger firms may need to add
- Conditional Access
- Device compliance requirements
- VPN or zero-trust access controls
- VPN logging where applicable
- Third-party access review
- Country-based access policies
- Security monitoring of remote access tools
Security Awareness Training
Most law firm cyber incidents do not start with a dramatic movie-style hack. They often start with something ordinary: a fake login page, a bad attachment, a payment-change email, a fake DocuSign message, a fake Microsoft alert, a voicemail phishing message, or a vendor impersonation.
What the insurer may ask
Applications may ask whether employees receive cybersecurity training, phishing training, social engineering training, business email compromise training, wire-transfer fraud training, and annual or more frequent refreshers.
What it means in plain English
The insurer wants to know whether the people inside the firm are prepared to recognize common attacks before they become incidents.
Why it matters to a law firm
Law firm staff often handle sensitive communications and payment workflows. A receptionist, paralegal, bookkeeper, or administrator may be targeted because they are practical gateways into the firm.
What a firm with 1–25 users should have in place
- Short, regular training
- Phishing examples relevant to law firms
- Payment fraud training
- New employee training
- Annual refreshers
- Clear reporting process
- No-shame culture for reporting suspicious emails quickly
Incident Response and Recovery Planning
A cyber incident is not the moment to decide who is in charge.
When something goes wrong, the firm needs to know who makes decisions, who calls the insurer, who contacts IT, who contacts breach counsel if needed, who communicates with staff, who communicates with clients if appropriate, who preserves evidence, and who tracks deadlines and client impact.
What the insurer may ask
Applications may ask whether the firm has an incident response plan, disaster recovery plan, business continuity plan, written procedures, defined contacts, and prior incident history.
What it means in plain English
The insurer wants to know whether the firm has a practical plan for the first hours and days after an incident.
Why it matters to a law firm
In a legal environment, confusion can affect client communications, court deadlines, privilege questions, notification decisions, evidence preservation, and business continuity.
What a firm with 1–25 users should have in place
- A one-page incident response plan
- Broker and carrier contact information
- IT provider contact information
- Breach counsel process if applicable
- Internal decision-maker list
- Staff reporting instructions
- Backup recovery steps
- Communication plan
- Evidence preservation instructions
Wire Transfer and Funds Transfer Controls
Business email compromise matters for law firms because many firms handle or discuss money.
That may include retainers, settlement funds, real estate proceeds, estate distributions, vendor payments, filing fees, client refunds, payroll, and trust account instructions.
What the insurer may ask
Applications may ask whether the firm has written wire-transfer procedures, dual authorization, call-back verification, out-of-band verification, separation of duties, payment-change controls, and documentation for payment approvals.
What it means in plain English
The insurer wants to know whether one fake email can trick the firm into sending money or changing payment instructions.
Why it matters to a law firm
Payment fraud can involve client funds, trust-related processes, settlements, retainers, vendors, payroll, or operating accounts.
What a firm with 1–25 users should have in place
- Written payment-change procedure
- Known-number call-back verification
- No payment changes based only on email
- Dual approval above defined amounts
- Documentation of approvals
- Staff training
- Clear escalation path for suspicious requests
Common Cyber Insurance Application Mistakes
Cyber insurance applications can create problems when answers are rushed, assumed, or based on old information.
The danger is not only that the firm may answer incorrectly. The bigger issue is that the firm may believe a control is in place when it is only partly configured, poorly documented, or no longer true.
Common technical mistakes
- Saying MFA is enabled when it is only partially enabled
- Assuming Microsoft 365 is fully backed up
- Treating sync as backup
- Saying “yes” to EDR when the firm only has antivirus
- Not knowing whether laptops are encrypted
- Not checking local admin rights
- Not documenting restore tests
- Not reviewing old users and accounts
Common process mistakes
- Completing the application from memory
- Not asking IT to verify technical answers
- Not involving the broker early enough
- Not reviewing prior application answers
- Guessing about prior incidents or known circumstances
- Not gathering evidence before submission
- Assuming “we are too small” means the control does not matter
- Waiting until the renewal deadline to start
Incorrect cyber insurance application answers can create coverage disputes, especially if the answers relate to important controls such as MFA, backups, endpoint protection, remote access, or prior incidents.
Who Should Be Involved Before the Application Is Submitted?
A cyber insurance application should not be completed by one person guessing at technical, legal, operational, and insurance questions alone.
The right people depend on the size of the firm, but the goal is the same: make sure each person answers the part they are actually qualified to confirm.
| Person or provider | What they help with | Why they matter |
|---|---|---|
| Firm owner or managing partner | Business decisions, risk tolerance, final review, and approval | The application affects the firm’s business risk and should not be treated as a clerical form. |
| Firm administrator or office manager | Staff workflows, payment procedures, vendor coordination, records, and internal documentation | They often know how the firm actually handles payments, access requests, onboarding, and offboarding. |
| IT provider or internal IT | MFA, Microsoft 365 security, backups, endpoint protection, encryption, patching, remote access, and evidence | They can verify the technical controls instead of relying on assumptions. |
| Insurance broker | Application wording, carrier expectations, coverage options, exclusions, sublimits, and renewal timing | They understand the insurance market and can explain what the carrier is asking. |
| Legal counsel, where appropriate | Legal obligations, prior incidents, known circumstances, privilege questions, contractual duties, and policy interpretation | Some questions may have legal consequences beyond the technical configuration. |
| Finance or bookkeeping | Wire transfers, payment changes, dual approval, call-back verification, and documentation | Business email compromise often targets payment workflows. |
What Firms With 1–25 Users Should Prioritize First
A smaller law firm does not need to copy the complexity of a large enterprise. But it does need the basics done properly.
For most law firms with 1–25 users, the first priority is to reduce the most common and most damaging risks: stolen passwords, compromised email, weak Microsoft 365 configuration, ransomware, payment fraud, lost devices, and lack of recovery planning.
Identity and email
- MFA for all Microsoft 365 users
- MFA for all admin accounts
- Email filtering and phishing protection
- SPF, DKIM, and DMARC
- Mailbox forwarding review
- Former-user access review
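One way to collect Microsoft 365 evidence for the identity and email items above (it also covers the MFA, email protection, and offboarding rows of the requirements table later on this page). This is an added example written for this article; it is not a MoreMax tool and was not part of the original page. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed, that the signed-in account holds a read-only directory role such as Global Reader (the Graph scopes need admin consent the first time), and that the firm's primary domain replaces the placeholder in $FirmDomain. The evidence folder path and the 60-day inactivity threshold are assumptions to adjust, and the sign-in activity data it reads requires an Entra ID P1 license.

```powershell
# Added example for this article, not a MoreMax tool. Read-only: it reads tenant settings
# and writes dated CSV files for the evidence folder. $FirmDomain, $EvidenceDir and
# $InactiveDays are assumed placeholders.
param(
    [string] $FirmDomain   = "example.com",                    # assumed placeholder
    [string] $EvidenceDir  = "$HOME\CyberInsuranceEvidence",   # assumed placeholder
    [int]    $InactiveDays = 60                                # assumed threshold
)
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$stamp = Get-Date -Format "yyyy-MM-dd"
function Save-Evidence($Name, $Data) {
    $path = Join-Path $EvidenceDir "$stamp-$Name.csv"
    $Data | Export-Csv -Path $path -NoTypeInformation
    "{0,-26} {1,4} rows -> {2}" -f $Name, @($Data).Count, $path
}

Connect-MgGraph -Scopes "Policy.Read.All","User.Read.All","AuditLog.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# --- MFA for all users and all admins ---------------------------------------------
# Tenant-wide enforcement comes from Security Defaults OR from an enabled Conditional
# Access policy that grants access only with MFA (or an authentication strength).
# Record the policies AND their exclusions: an excluded group is a gap, not a detail.
$secDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Save-Evidence "security-defaults" ([pscustomobject]@{ IsEnabled = $secDefaults.IsEnabled })
$caMfa = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { ($_.GrantControls.BuiltInControls -contains "mfa") -or $_.GrantControls.AuthenticationStrength.Id } |
    Select-Object DisplayName, State,
        @{ n = "IncludeUsers";  e = { $_.Conditions.Users.IncludeUsers  -join ";" } },
        @{ n = "ExcludeUsers";  e = { $_.Conditions.Users.ExcludeUsers  -join ";" } },
        @{ n = "IncludeGroups"; e = { $_.Conditions.Users.IncludeGroups -join ";" } },
        @{ n = "ExcludeGroups"; e = { $_.Conditions.Users.ExcludeGroups -join ";" } }
Save-Evidence "conditional-access-mfa" $caMfa
# Per-user registration state: a policy only protects users who have actually enrolled.
$reg = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered, IsMfaCapable,
        @{ n = "Methods"; e = { $_.MethodsRegistered -join ";" } }
Save-Evidence "mfa-registration"      $reg
Save-Evidence "mfa-not-registered"    ($reg | Where-Object { -not $_.IsMfaRegistered })
Save-Evidence "admins-not-registered" ($reg | Where-Object { $_.IsAdmin -and -not $_.IsMfaRegistered })

# --- Mailbox forwarding review ----------------------------------------------------
# A compromised mailbox is often given a forward or an inbox rule so the attacker keeps
# reading after the password is reset. Check the tenant setting, mailbox-level forwards,
# and per-mailbox inbox rules.
Save-Evidence "outbound-autoforward-policy" (Get-HostedOutboundSpamFilterPolicy |
    Select-Object Name, AutoForwardingMode)
$mailboxes = Get-Mailbox -ResultSize Unlimited
Save-Evidence "mailbox-forwarding" ($mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object DisplayName, UserPrincipalName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward)
$rules = foreach ($mb in $mailboxes) {
    Get-InboxRule -Mailbox $mb.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = "Mailbox"; e = { $mb.UserPrincipalName } }, Name, Enabled,
            @{ n = "Targets"; e = { (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)) -join ";" } }
}
Save-Evidence "inbox-rules-forwarding" $rules

# --- Former-user access review ----------------------------------------------------
# Enabled accounts with no recent sign-in are departed users who were never disabled,
# or shared/service accounts that need an owner. Guests are included on purpose.
$cutoff = (Get-Date).AddDays(-$InactiveDays)
$stale = Get-MgUser -All -Property DisplayName,UserPrincipalName,AccountEnabled,UserType,SignInActivity |
    Where-Object { $_.AccountEnabled -and
        ($null -eq $_.SignInActivity.LastSignInDateTime -or $_.SignInActivity.LastSignInDateTime -lt $cutoff) } |
    Select-Object DisplayName, UserPrincipalName, UserType,
        @{ n = "LastSignIn"; e = { $_.SignInActivity.LastSignInDateTime } }
Save-Evidence "enabled-but-inactive" $stale

# --- SPF, DKIM, DMARC -------------------------------------------------------------
# A DMARC record with p=none only reports; p=quarantine or p=reject is what "spoofing
# protection" on an application usually means. DKIM must be enabled per domain in EXO.
$dnsRecords = foreach ($q in @($FirmDomain, "_dmarc.$FirmDomain")) {
    Resolve-DnsName -Name $q -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { ($_.Strings -join "") -match "^v=(spf1|DMARC1)" } |
        Select-Object Name, @{ n = "Record"; e = { $_.Strings -join "" } }
}
Save-Evidence "spf-dmarc-records" $dnsRecords
Save-Evidence "dkim-signing" (Get-DkimSigningConfig | Select-Object Domain, Enabled)

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

Run it from an admin workstation and file the CSVs with the date in the evidence folder. The two files worth reading line by line before answering "MFA for all users" are the Conditional Access exclusions and the not-registered lists: an enabled policy with an excluded group, or a user who has never enrolled, is exactly the "partially enabled" situation the mistakes section on this page warns about.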
Devices and recovery
- Endpoint protection on all firm computers
- Patch monitoring
- Device encryption for laptops
- Limited local admin rights
- Microsoft 365 backup where needed
- Periodic restore testing
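The per-device side of the list above (encryption, local admin rights, endpoint protection, patch state), as an added example that is not part of the original page and not a MoreMax product. It runs elevated on one Windows computer, or through an RMM that can execute PowerShell, and appends one row per device to a CSV for the evidence folder. The output path and the expected local administrator list are assumptions; the registry key and the Sense service it reads are the documented Microsoft Defender for Endpoint onboarding indicators, so a firm running a third-party EDR agent needs its own equivalent check in their place.

```powershell
# Added example for this article, not a MoreMax tool. Run as an administrator on the
# device being checked. $OutputCsv and $ExpectedAdmins are assumed placeholders.
param(
    [string]   $OutputCsv      = "C:\CyberInsuranceEvidence\device-checks.csv",   # assumed path
    [string[]] $ExpectedAdmins = @("$env:COMPUTERNAME\Administrator")             # assumed baseline
)
$r = [ordered]@{ ComputerName = $env:COMPUTERNAME; CheckedOn = (Get-Date).ToString("s") }

# Device encryption: check every fixed volume, not only C:, and require protection to be
# switched on (a volume can be "FullyEncrypted" with protectors suspended).
$fixed = (Get-Volume | Where-Object { $_.DriveType -eq "Fixed" -and $_.DriveLetter }).DriveLetter |
    ForEach-Object { "$_`:" }
$vols = Get-BitLockerVolume | Where-Object { $_.MountPoint -in $fixed }
$r.BitLockerVolumes    = ($vols | ForEach-Object { "$($_.MountPoint) $($_.ProtectionStatus)/$($_.VolumeStatus)" }) -join "; "
$r.AllVolumesProtected = (@($vols).Count -gt 0) -and -not ($vols | Where-Object { $_.ProtectionStatus -ne "On" })

# Local admin rights: everyday user accounts should not be in the local Administrators group.
$admins = @(Get-LocalGroupMember -Group "Administrators" -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Name)
$r.LocalAdmins      = $admins -join "; "
$r.UnexpectedAdmins = ($admins | Where-Object { $_ -notin $ExpectedAdmins }) -join "; "

# Endpoint protection: antivirus being on and current is not the same as EDR. Record them
# separately so the "EDR" answer rests on the onboarding state, not on a green AV tile.
$mp = Get-MpComputerStatus
$r.AntivirusEnabled   = $mp.AntivirusEnabled
$r.RealTimeProtection = $mp.RealTimeProtectionEnabled
$r.SignatureAgeDays   = $mp.AntivirusSignatureAge
$mdeStatus = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status" -ErrorAction SilentlyContinue
$sense     = Get-Service -Name Sense -ErrorAction SilentlyContinue
$r.DefenderForEndpointOnboarded = ($mdeStatus.OnboardingState -eq 1) -and ($sense.Status -eq "Running")

# Patch state: the newest installed update plus what Windows Update still has pending.
$r.LastUpdateInstalled = (Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
try {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
    $r.PendingUpdates = $pending.Count
    $r.PendingTitles  = (@($pending | ForEach-Object { $_.Title }) | Select-Object -First 5) -join "; "
} catch {
    $r.PendingUpdates = "unknown ($($_.Exception.Message))"
}

# One row per device, appended so the same file accumulates the whole fleet.
$row = [pscustomobject]$r
New-Item -ItemType Directory -Path (Split-Path $OutputCsv) -Force | Out-Null
$row | Export-Csv -Path $OutputCsv -Append -NoTypeInformation
$row | Format-List
```

A device that shows AllVolumesProtected false, an unexpected name under LocalAdmins, or DefenderForEndpointOnboarded false is a row to fix before the application is answered, and the CSV itself is the "device coverage report" and "exception list" the requirements table on this page asks for. Restore testing is deliberately not in this script: it is a manual exercise whose evidence is a dated note of what was restored, from which backup, and by whom.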
People and process
- Security awareness training
- Written payment-change procedures
- Known-number call-back verification
- One-page incident response plan
- Broker and claim contact details
- Evidence folder for renewal
What Larger Law Firms May Need to Add
Larger law firms often need more formal controls because they have more users, more devices, more data, more vendors, more departments, more client requirements, and more complexity.
The fundamentals still matter: MFA, email security, backups, endpoint protection, patching, encryption, remote access, and incident response. But larger firms may need to add more structure, reporting, and governance around those controls.
Identity and access governance
- Formal access reviews
- Role-based access controls
- Privileged identity management
- Separate admin accounts
- Conditional Access by role, risk, device, and location
- More formal onboarding and offboarding workflows
Security monitoring and response
- Centralized logging
- Security operations monitoring
- SIEM integration where appropriate
- Incident response runbooks
- Tabletop exercises
- Defined escalation paths
Data and compliance controls
- Data loss prevention policies
- Retention and eDiscovery planning
- Client-specific security requirements
- Vendor risk review
- Formal backup and recovery objectives
- Executive reporting
Create a Cyber Insurance Evidence Folder
A cyber insurance application is easier to complete when the firm has a simple evidence folder that supports the answers being submitted.
This does not need to be complicated. For a small law firm, the evidence folder can be a secure internal folder that contains screenshots, reports, policy documents, renewal notes, and confirmation records from the firm’s IT provider, broker, and internal team.
Technical evidence
- MFA enforcement screenshots or reports
- Admin account review notes
- Microsoft 365 security configuration notes
- Email security settings
- Endpoint protection coverage report
- Device encryption report
- Patch management report
- Backup status report
- Restore test confirmation
Process evidence
- Incident response plan
- Broker and claim hotline information
- Payment-change procedure
- Wire-transfer verification procedure
- Security awareness training records
- New-hire and offboarding checklist
- Lost-device process
- Remote access policy or notes
Renewal evidence
- Prior application copy
- Current application draft
- Broker questions and clarifications
- Known exceptions
- Remediation notes
- Dates controls were verified
- Names of people who reviewed answers
- Final submitted version
A Plain-English Cyber Insurance Requirements Table
Cyber insurance applications often use short technical questions. Law firms should translate those questions into practical operational concerns before answering.
| Requirement or control | What to verify | Useful evidence |
|---|---|---|
| MFA for email | Confirm MFA is required for all users who access firm email. | Microsoft 365 MFA or Conditional Access report, screenshots, or admin confirmation. |
| MFA for admin accounts | Confirm every privileged account is protected and that shared admin accounts are avoided. | Admin role review, MFA report, privileged account list. |
| MFA for remote access | Confirm remote access cannot be used with only a password. | VPN, remote access, or Conditional Access configuration notes. |
| Microsoft 365 backup | Confirm whether Exchange, OneDrive, SharePoint, and Teams are backed up by a separate backup system where needed. | Backup portal report, scope confirmation, retention settings, restore test notes. |
| Endpoint protection | Confirm all firm-owned computers are covered by endpoint protection, EDR, MDR, or SOC-backed monitoring as applicable. | Endpoint protection dashboard, device coverage report, exception list. |
| Patch management | Confirm operating system and third-party software updates are monitored and followed up on. | Patch report, device management report, exception notes. |
| Device encryption | Confirm laptops and other portable firm devices are encrypted. | BitLocker, FileVault, Intune, RMM, or device management report. |
| Email protection | Confirm spam filtering, phishing protection, attachment scanning, link protection, and spoofing protections as applicable. | Email security configuration notes, Microsoft Defender report, DNS records for SPF, DKIM, and DMARC. |
| Wire-transfer controls | Confirm payment changes are not approved by email alone and that call-back or dual approval procedures exist. | Written payment procedure, approval workflow, training record. |
| Incident response plan | Confirm the firm knows who to call, who decides, who communicates, and how evidence is preserved. | One-page incident response plan, contact list, broker and carrier claim information. |
| Security awareness training | Confirm users receive practical training on phishing, payment fraud, and reporting suspicious activity. | Training completion records, onboarding checklist, annual refresher documentation. |
| User offboarding | Confirm former employees and vendors no longer have access to email, files, devices, or remote systems. | Offboarding checklist, disabled account report, access review notes. |
AI Tools and Confidential Client Data
Many law firms are experimenting with AI tools. That can be useful, but it should not be casual.
Cyber insurance applications may not always ask directly about AI yet, but they often ask about data sharing, vendors, privacy controls, cloud tools, access management, and confidential information.
For law firms, the practical issue is not whether AI is good or bad. The issue is whether attorneys and staff are using AI tools in a controlled, approved, and confidential way.
Questions law firms should ask
- Are attorneys or staff pasting confidential client data into unmanaged AI tools?
- Does the firm know which AI tools are being used?
- Are firm-approved tools different from personal tools?
- Are users trained on what not to enter into AI systems?
- Are client, court, or contractual restrictions being followed?
- Is the firm’s Microsoft 365 or cloud environment configured to protect sensitive information?
What this means in practice
A law firm should know where confidential client information is going, who has access to it, whether the tool is approved for firm use, and whether the firm can explain its controls if a client, insurer, court, or regulator asks.
That does not mean law firms should ignore AI. It means AI use should be governed like any other technology that may touch confidential information.
How MoreMax Helps Law Firms Prepare for Cyber Insurance
MoreMax helps law firms approach cyber insurance readiness in a practical way.
We are not your insurance broker. We are not your legal counsel. We do not decide coverage. We do not guarantee approval or claim payment.
What we can do is help verify, strengthen, and document the technology controls that cyber insurance applications commonly ask about.
We verify what is actually in place
- MFA
- Microsoft 365 security settings
- Admin account protection
- Remote access protections
- Email security
- Microsoft 365 backups
- Endpoint protection
- Patch management
- Device encryption
- Former-user access
- Local admin rights
- Incident response readiness
We identify gaps before submission
A gap is not a failure. It is a decision point.
Some gaps can be fixed quickly. Some need a project. Some need a policy decision. Some need broker guidance. Some need legal review.
The key is to know before answering.
We strengthen Microsoft 365
For law firms with 1–25 users, Microsoft 365 is often the best place to start because it touches email, files, identity, devices, sharing, and access.
MoreMax helps configure Microsoft 365 as a law firm business system, not just a mailbox and Office subscription.
We organize evidence
We help firms gather practical evidence for the technology side of the application, such as MFA status, backup coverage, endpoint protection coverage, encryption status, and restore testing records.
We reduce owner burden
The goal is not to turn the firm owner into an IT manager. The goal is to give the firm clear answers, practical priorities, and a cleaner path through the cyber insurance process.
We support the firm after renewal
Cyber insurance readiness should not be a once-a-year scramble. The controls that matter during renewal also matter during daily law firm operations.
Frequently Asked Questions About Cyber Insurance for Law Firms
These questions come up often when law firms start preparing for a cyber insurance application or renewal.
Do law firms need cyber insurance?
Most law firms should seriously consider cyber insurance because they hold confidential client data and rely heavily on email, documents, cloud systems, remote access, and payment workflows.
Whether a specific firm needs a particular policy, limit, or endorsement is a question for the firm’s insurance broker and legal counsel. Cyber insurance should complement cybersecurity, not replace it.
Is cyber insurance required by law?
Cyber insurance is not universally required for every law firm. However, a firm may face cyber insurance expectations from clients, contracts, vendors, lenders, regulators, or business partners.
Some clients may require proof of cyber insurance before engaging the firm. Ask your broker and legal counsel what applies to your firm.
What does cyber insurance cover for a law firm?
Depending on the policy, cyber insurance may cover breach response, forensic investigation, legal counsel, notification, data recovery, business interruption, cyber extortion, fraud, regulatory response, litigation, settlements, and third-party claims.
Coverage varies by policy, endorsement, exclusion, sublimit, carrier, and claim facts. Review the wording with your insurance broker.
Does cyber insurance replace cybersecurity?
No. Cyber insurance may help pay for certain covered losses after an incident. It does not prevent attacks, protect client data by itself, make weak backups work, or guarantee that every claim will be paid.
For law firms, cyber insurance should sit alongside practical security controls, documented procedures, user training, and recovery planning.
What do cyber insurers ask law firms?
Cyber insurers commonly ask law firms about MFA, backups, Microsoft 365 security, email protection, endpoint protection, patching, encryption, remote access, security training, incident response, prior incidents, and wire-transfer controls.
Why do insurers care so much about MFA?
Because stolen passwords are common, and a password alone is often all that stands between an attacker and the firm. MFA helps reduce the chance that a stolen password by itself can open firm email, client files, billing systems, cloud services, remote access, or administrator tools. It is not a complete answer: a phishing page that proxies the real login can capture an already-authenticated session, and repeated push prompts can wear a user down, which is why MFA works best alongside Conditional Access and email protection.
Law firms should verify whether MFA is required for all users, admin accounts, remote access, and web-based email before answering the application.
Is Microsoft 365 automatically backed up?
Not in the way most firms mean. Microsoft keeps the service running and offers retention features such as recycle bins, retention policies, and litigation hold, but under Microsoft's shared responsibility model the firm remains responsible for its data, identities, access controls, devices, and many configuration decisions. Those retention features are not a point-in-time backup the firm controls: a deletion or ransomware encryption that syncs to the cloud, or a retention window that has already expired, can still leave the firm without a usable copy.
Firms should verify whether they have a separate backup solution that can restore Exchange, SharePoint, OneDrive, and Teams data in the way the firm expects, and should test a restore rather than trusting the backup dashboard.
What is the difference between antivirus, EDR, and MDR?
Antivirus usually focuses on blocking known malicious files. EDR, or endpoint detection and response, records process, network, and file activity on each computer so suspicious behavior can be detected, investigated, and the device isolated. MDR, or managed detection and response, adds people who monitor those alerts and respond on the firm's behalf.
A firm should not answer “yes” to EDR or MDR unless it has verified what is actually deployed, on which devices, and who is watching the alerts.
What should a law firm verify before applying?
Before applying, law firms should verify MFA, backup coverage, restore testing, Microsoft 365 security, endpoint protection, email filtering, device encryption, patching, admin rights, former employee access, incident response planning, and funds-transfer procedures.
Do not guess. If the answer starts with “I think,” pause and confirm it.
Can incorrect application answers create coverage problems?
Yes, they can. Coverage issues depend on the policy, facts, law, and insurer. But inaccurate answers can create disputes, especially if they relate to important security controls such as MFA, backups, EDR, remote access, or prior incidents.
The safest practical approach is to verify the technical answers before the application is submitted.
How far before renewal should a law firm start preparing?
A practical target is 60–90 days before renewal. That gives the firm time to review prior answers, ask the broker what has changed, verify security controls, fix gaps, and collect evidence before the application is due.
Can MoreMax help with the technical answers on a cyber insurance application?
MoreMax can help verify and document the technology controls that cyber insurance applications commonly ask about, such as MFA, Microsoft 365 security, backups, endpoint protection, email security, device encryption, patching, remote access, admin rights, and incident response readiness.
MoreMax does not complete, submit, sign, or certify cyber insurance applications on behalf of a law firm. The firm remains responsible for its application answers.
Your insurance broker should guide insurance wording, coverage questions, exclusions, sublimits, and carrier requirements. Your legal counsel should guide legal obligations, prior incidents, known circumstances, privilege, and policy interpretation.
