Law firm data breach: insurance insights


The stark reality for legal practices today is this: The sensitive client information you handle makes you a prime target for a law firm data breach. Yet, despite the increasing cyber threat to lawyers, many still rely on insufficient insurance policies that leave them exposed to data breaches when it matters most. In fact, more than half of all firms have inadequate coverage.

When it comes to cybersecurity, the gap between awareness and action is growing, and the consequences can be extremely costly. In this article, we’ll break down the unique ways law firms are vulnerable to data breaches and where standard insurance policies fall short. Plus, we’ll cover the steps you can take to assess and improve your coverage before a breach hits.

The disconnect between awareness and action in legal cybersecurity

It’s not that law firms don’t understand the risks. In fact, cybersecurity routinely ranks as a top concern for managing partners and compliance teams. But despite this growing awareness, recent data shows that 52% of law firms believe their current insurance policies would only partially cover their firm in the event of a data breach, if at all. Even more surprising is that only 14% said they planned to expand their coverage in the near future.

So, what’s causing this hesitation? For many firms, it’s a mix of practical constraints and misplaced confidence.

For many lawyers, it’s tempting to assume that a general liability policy or a basic cyber endorsement is “good enough.” But the fact of the matter is that general liability and malpractice policies do not cover security incidents or data breaches.

Insurance policies can be time-consuming and confusing to read, so in some cases, firms may not fully understand the scope of their coverage. Attorneys may mistakenly think they’re already fully covered until a breach occurs and the fine print tells a different story.

The result is a dangerous gap between perceived protection and actual risk exposure. This gap can lead to serious financial, reputational, or regulatory fallout for lawyers.

Why are law firms prime targets for data breaches?

Law firms are typically holding onto a goldmine of sensitive data about their clients. It makes them incredibly attractive to cybercriminals.

It’s a problem highlighted by the increase in attacks the legal industry has been experiencing. Law360 Pulse reported in 2023 that breaches for law firms had doubled from the year before, while another report found a 68% increase in that period, with 636 weekly attacks.

Here’s a breakdown on why law firms are increasingly in the crosshairs for potential breaches.

Handling extremely sensitive client data

Clients trust their law firms with some of the most confidential information they have. This may include financial records, intellectual property, M&A strategy, litigation documents, and personal identifiers. This data is highly valuable to cybercriminals, as it can contain information that they can weaponize against both firms and clients.

For retail or healthcare companies, a data breach might simply result in quick sales of the stolen data on the dark web. But the data held by law firms is far easier to use for targeted extortion and insider trading, and it can also fuel long-game phishing attacks.

With the stakes this high and clients increasingly aware of it, more and more clients are building cybersecurity standards into non-negotiable parts of engagement. Firms that can’t prove strong data protection may lose out on business.

Subject to ethical and confidentiality obligations

Confidentiality is a cornerstone of any legal practice, so law firms are ethically and professionally obliged to protect client data. Any breach has the potential to jeopardize attorney-client privilege, and this can violate bar regulations and trigger disciplinary action.

The challenge for firms is that ethical duties don’t pause for technical limitations. If a breach occurs because your systems are outdated, your protocols are unclear, or your insurance coverage is weak, the consequences are no less severe.

Courts and regulatory bodies expect firms to take reasonable steps to safeguard client information before, during, and after a cyber event.

Reliance on legacy systems and inconsistent IT practices

Many law firms still operate on outdated software, older infrastructure, or IT setups that haven’t kept pace with evolving cyber threats. Midsize and boutique firms are particularly prone to these issues.

Other factors like bring-your-own-device (BYOD) policies, remote work habits, and different tech capabilities across offices lead to fragmented environments that are more difficult to keep secure.

Even firms with internal IT teams in place can lack dedicated cybersecurity expertise. This can leave blind spots, especially in areas like endpoint security and threat detection. Hackers are incredibly savvy and are aware of this. They specifically look for easy entry points in firms with weak controls or inconsistent IT systems.

Working with high-profile and high-net-worth clients

Working with corporate executives, celebrities, political figures, or well-known brands can put a target on your firm’s back. These high-value targets may attract cyber criminals who are after sensitive information — especially if they can use it for extortion purposes.

Attackers are also motivated by how connected you might be to other, higher-priority systems. For example, if you work with a Fortune 500 client and your systems are easier to breach than theirs, you’re the more efficient target.

Leveraging complex vendor and third-party relationships

Like any company today, your law firm likely relies on a wide range of third-party vendors when it comes to tech. This can be anything from cloud storage to e-discovery tools or even how you manage payroll. Every single touchpoint in your technology stack represents a new layer of exposure. In fact, 61% of respondents to a survey said they experienced a third-party data breach or other security incident in the last 12 months.

You might have your internal systems locked down, but a breach through a vendor can still compromise your firm’s (and your clients’) data. And under many regulations, this means you’re still on the hook for the breach. That’s why proper vendor vetting and contractual protections are crucial. Otherwise, these relationships can quietly become one of your firm’s biggest cyber risks.

Not adequately investing in cybersecurity infrastructure

Talent and billable hours are traditionally the biggest expenses for law firms. As a result, other operational areas, such as cybersecurity, are often underfunded or placed lower on the priority list.

But this short-term cost-saving approach can backfire since the average cost of a data breach in 2024 was $4.88 million.

From firewalls to email filtering and staff training, every layer of defense against cyberattacks matters. Threats to law firms are getting more and more sophisticated, and so are the tools and technology your firm needs to use to stop them. Without consistent monitoring and investment in people and systems to prevent data breaches, even the most well-intentioned firms can find themselves vulnerable.

Evolving regulatory and compliance pressures

The regulatory framework around law firm cybersecurity is only getting more complex. American Bar Association (ABA) guidance, data breach regulations, and regional privacy laws are constantly evolving, making it challenging to stay current.

What passed for “secure enough” even five years ago likely no longer meets today’s expectations.

Many firms find themselves scrambling to interpret or comply with new requirements, particularly when it comes to matters such as breach notification timelines or industry-specific obligations. Falling short risks financial penalties and can damage client trust and open the door to litigation.

What standard law firm insurance policies miss

Many firms still assume their general liability or professional liability policies will protect them in the event of a cyberattack. But according to recent data, only 40% of law firms have cyber liability insurance, which is actually down from 46% the previous year.

Part of the reason is that, at first glance, your existing policy may appear to cover cyberattacks. But standard policies often exclude critical cyber-related losses like ransomware payments, regulatory fines, or data restoration.

Even those with so-called “cyber endorsements” (an addition to your existing policy) often find they only cover a small portion of costs, like breach notification or credit monitoring. That can leave massive gaps in the areas that matter most to law firms.

Benefits of specialized cyber insurance

Specialized cyber insurance is designed to fill those gaps. Cyber liability coverage gives firms support when they need it most. A thorough cyber insurance policy includes:

  • Ransomware and extortion payments
  • Regulatory investigations and penalties
  • Business interruption and lost income
  • Digital forensics and breach response
  • Client notification and crisis communications
  • Third-party liability coverage
  • Reputation management

And when an incident does occur, providers will often supply specialized legal, IT, or PR experts to help you manage the crisis. It’s an extremely helpful aspect of these policies that ensures you’re not left scrambling.

Self-assessment: Does your firm have gaps in its current insurance coverage?

It’s important not to let cyber insurance be a guessing game. But, like with lots of insurance policies, many law firms only really dig into theirs after a breach — and by then, it’s too late. A proactive review helps to uncover important blind spots and align your coverage with real-world risks.

Here’s a step-by-step guide to help your firm evaluate your current cyber insurance and take proactive measures to identify where gaps may exist.

1. Review your existing policies

Start with what you have: examine your policies across general liability, professional liability, and any cyber endorsements. Identify:

  • What’s covered
  • What’s excluded
  • Whether you have a standalone cyber policy
  • When your policy was last reviewed

2. Identify your firm’s unique risks

No two firms are the same in terms of the clients they serve, the areas of law they practice in, and how their existing IT setup looks.

Here are some things to look at when performing a law firm risk assessment:

  • Practice areas (e.g., IP, M&A, litigation)
  • Data sensitivity
  • Office locations
  • IT infrastructure

3. Understand what triggers coverage

Know the exact conditions required for your policy to respond. Some policies won’t activate without a formal breach declaration or regulatory involvement. This can delay your response and increase financial and reputational risks.

4. Review policy exclusions and sub-limits

Even if a policy looks strong at first glance, it can have significant gaps buried in the fine print. Look out for exclusions in your cyber coverage as well as carve-outs that relate to social engineering, employee error, vendor failure, or caps on ransomware payments.

5. Assess business interruption and downtime scenarios

Malware attacks, for example, cause significant business disruption, which can be the costliest part of a breach. Check your policy thoroughly or, if you don’t have a cyber-specific policy yet, identify the types of outages and delayed work you would need compensation for during an attack. Closing these gaps helps mitigate significant revenue losses from business disruption.

6. Compare your coverage against industry benchmarks

What are similar-sized firms in your space insuring against? Brokers and legal industry reports can help you see how your policy measures up against peer standards and industry best practices.

7. Consult an insurance broker who specializes in legal risks

Generalist brokers may not be fully aware of law firm-specific exposures. Work with someone who understands attorney-client privilege, confidentiality obligations, and the unique structure of legal operations to make sure you close as many gaps as possible in your policy. At Embroker, we create insurance policy packages with law firms in mind.

8. Use risk modeling tools and outside audits

There is no one-size-fits-all approach to cyber risk, so consider consulting a broker or IT provider to explore modeling tools that quantify your exposure. External audits can also help validate your policy against your real-world risk.

9. Review vendor and third-party risk exposure

We’ve discussed the type of risk you’re exposed to from third-party technology and vendors in the event that they themselves experience a breach. Make sure your policy accounts for vendor breaches and includes clear coverage for third-party liability.

10. Evaluate client contract requirements

Some clients require proof of cyber insurance (or even specific limits) as a condition of doing business. Failing to meet these expectations can cost you work or create liability conflicts.

11. Check for coverage of reputational harm and PR support

Rebuilding client trust after a data breach is hard work, so look for policies that include PR and crisis communications support. This helps you to manage the fallout from a breach effectively and protect long-term relationships.

12. Incorporate your insurance into your incident response plan

Your cyber policy and your breach response plan should be in sync. Review both together to make sure your firm is sufficiently covered, and ask yourself:

  • Who is responsible for which issues?
  • How do you contact your insurer in a crisis?
  • What resources will the insurer provide?

This is a good opportunity to evaluate your incident response plan, since only 26% of law firms believe their firm is “very prepared” to respond to cyber incidents.

13. Test and update your coverage annually

Cyber risks evolve constantly, and they’re increasing in volume and complexity. Set a schedule to revisit your coverage every year, especially if you’re adding new technology or taking on bigger clients. Even small updates to your operational processes can produce new risks, and an annual review helps you to stay on top of them.

Best practices for managing cyber risk and coverage

Insurance is just one piece of the puzzle. Here are a few essential best practices you can implement to strengthen your risk posture and complement your insurance coverage:

  • Prioritize cyber hygiene with strong passwords, multifactor authentication, and keeping software and systems up to date.
  • Train your team regularly to avoid breaches that start with human error. Invest in ongoing training to help staff spot phishing attempts and follow security protocols.
  • Develop a clear incident response plan so you know exactly what steps to take if a breach occurs, and align your cyber policy with this plan.
  • Audit vendors and third parties with the same scrutiny you apply to your own systems, because their security gaps can quickly become yours.
  • Document everything from IT policies to employee training logs, as this is typically required for insurance claims and compliance audits.

Strong cyber coverage is essential, but you can make it even more effective by integrating it as a core component of your overall risk management strategy.

Close your coverage gaps before they cost you

Cyber threats against law firms aren’t slowing down. Take the time to audit your current coverage and assess your firm’s risks by diving into our 2024 Legal Risk Index Report to stay ahead of emerging risks. At Embroker, we work closely with law firms to craft insurance packages that close coverage gaps and protect you and your clients. Get a quote today!