Cyber liability underwriting requirements for small law firms
A practical brief for brokers and the 10-to-100 attorney law firms they advise — civil litigation, transactional, estate-planning and probate, criminal defense and family law, and the mixed small-firm book that includes all of the above.
Foreword
Three pressures are converging on small law firms in 2026. Cyber underwriters have turned the application from an attestation checkbox into a documentary-proof exercise, and the landmark rescission case (Travelers v. ICS) is cited by name in declination letters across the carrier book. The ABA ethical floor moved repeatedly between 2017 and 2024 (Formal Opinions 477R, 483, 498, and 512) and again in Texas in February 2025 (Ethics Opinion 705), so what counted as reasonable security in 2022 is now materially below what Rule 1.6(c) requires. AI-era attackers operate at a speed and scale a six-person practice group cannot outrun, while the courts reviewing firm filings have begun policing AI use directly.
This brief lays out the eight specific technical controls underwriters are asking about in 2026, what implemented actually looks like inside a firm of this scale, why the ABA floor has raised the bar since the last renewal cycle, and why claims still get denied even after coverage is bound. Brokers and managing partners both should finish it able to name which controls their client (or their own firm) can truthfully attest to today, and which controls require 60 to 90 days of work before the next cyber application, the next professional-liability renewal, or the next post-breach SEC subpoena, whichever arrives first.
In one page
- Coverage now turns on eight verifiable technical controls, not a broad attestation. A mismatch between what a firm attests to on the cyber application and what the claims adjuster verifies post-loss is the single most common reason coverage is voided, and Travelers v. ICS is the precedent carriers cite by name when they rescind.
- The ABA ethical floor has moved. Rule 1.6(c) requires reasonable efforts against inadvertent disclosure; Comment 8 to Rule 1.1 (Texas: February 2019) extends competence to technology; Formal Opinions 477R, 483, 498, and 512 set the operational bar, overlaid in Texas by Ethics Opinion 705 (February 2025).
- Breach frequency at law firms is steady-to-rising. Williams & Connolly (October 2025 state-actor intrusion), Orrick, Herrington & Sutcliffe ($8 million class-action settlement, November 8, 2024), and Kirkland & Ellis (first-named law-firm MOVEit class action, June 2024) are the eighteen-month headline record; small firms are on the same list without the headlines.
- The dominant loss pattern is no longer encryption ransomware. Business email compromise (BEC) and funds-transfer fraud (FTF) drove 58% of all cyber claims in 2025; client wire-fraud losses more than tripled, from $35 million in 2023 to $109 million in 2024, at an 18-day median detection lag.
- Texas compounds the exposure. Tex. Bus. & Com. Code § 521.053, tightened by SB 768 effective September 1, 2023, now requires notification to the Attorney General within 30 days when 250 or more Texans are affected. Civil penalties run up to $50,000 per violation. Tex. Disciplinary Rule 1.05 covers all information relating to a representation, not only privileged communications.
- Claims most often fail for reasons the firm could have controlled. Misattestation at application, missed 72-hour notification windows, and the voluntary parting exclusion on fraudulent wires account for most of the denied claims we see.
- Closing the gap is a four-to-six-week engagement for a 10–100 attorney firm. Implementation runs $18,000–$45,000 against a 2025 class incident-cost average of $307,000.
The 2026 environment
A few data points frame the conversation.
- The ABA’s 2023 Legal Technology Survey Report found 29% of law firms reported a security breach, and the 2024 TechReport found that only 34% of firms had a written incident response (IR) plan despite 80% carrying some form of technology insurance. Adoption is severely stratified by firm size: 72% of firms with more than 100 attorneys have a plan, against 26% of 2–9-attorney firms and 9% of solos.
- Coalition’s 2026 Cyber Claims Report puts BEC and FTF at 58% of all cyber claims in 2025, with FTF alone at 27% and ransomware at 21%. Among all FTF events, 52% originated from a prior BEC. Coalition recovered $21.8 million in stolen funds for policyholders in 2025 at an average of $202,000 per recovery, but only when the insured reported the fraudulent transfer within 72 hours.
- BakerHostetler’s 2026 Data Security Incident Response Report is the single most law-firm-relevant data set. The average ransom payment rose 36% to $682,702 and the average initial demand spiked 70% to $4.2 million; class actions followed 14% of incidents (up from 9% the prior year); and, most importantly, client wire-fraud losses more than tripled, from $35 million in 2023 to $109 million in 2024, with the average fraudulent transfer exceeding $1.25 million and a median 18-day detection lag.
- Travelers v. ICS remains the landmark rescission: a $1 million cyber policy was declared void from inception after the insured attested to enterprise-wide multi-factor authentication (MFA) and had it only on the firewall. On the plaintiff side, the Orrick, Herrington & Sutcliffe $8 million class-action settlement, finally approved in the Northern District of California on November 8, 2024 after the victim count grew from 152,818 to 637,620 individuals, sets the current benchmark for what a mid-size-firm breach settles at.
The controls a firm attests to on the application are the controls the claims adjuster will verify if a loss occurs. If the attestation does not match reality, the claim is denied after the premium has been paid and the breach absorbed.
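The attestation-versus-reality gap is checkable before the application goes out. The script below is an added example, not code from the brief or from any carrier: it takes a constructed inventory for a hypothetical 12-attorney firm and reports, per control, the gaps that would make a blanket attestation untrue. The "enterprise-wide MFA" test deliberately mirrors the Travelers v. ICS fact pattern: MFA on the firewall admin account alone does not cover a partner mailbox or a service account. The thresholds (30-day patch window, annual restore test and IR exercise), the account and endpoint names, and the field layout are assumptions for illustration, not any carrier's wording.

```python
"""Attestation-gap check: compare what a firm would attest to on a cyber
application with what its own inventory shows.  Added example; thresholds,
inventory layout and sample data are assumptions, not carrier rules."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed thresholds for illustration only.
MAX_PATCH_AGE_DAYS = 30    # what "timely" patching is taken to mean here
MAX_TEST_AGE_DAYS = 365    # restore test / IR tabletop assumed to be annual


@dataclass
class Account:
    name: str
    privileged: bool = False
    remote_access: bool = False
    mfa_enforced: bool = False


@dataclass
class Endpoint:
    hostname: str
    edr_agent: bool
    days_since_patch: int


@dataclass
class Inventory:
    accounts: List[Account]
    endpoints: List[Endpoint]
    backup_immutable: bool
    last_restore_test: Optional[date]
    last_ir_exercise: Optional[date]
    wire_callback_required: bool   # out-of-band callback before wire changes


def mfa_gaps(inv: Inventory) -> List[str]:
    """Enterprise-wide MFA means every privileged or remote-access identity,
    not only the perimeter device (the Travelers v. ICS fact pattern)."""
    return [a.name for a in inv.accounts
            if (a.privileged or a.remote_access) and not a.mfa_enforced]


def edr_gaps(inv: Inventory) -> List[str]:
    return [e.hostname for e in inv.endpoints if not e.edr_agent]


def patch_gaps(inv: Inventory) -> List[str]:
    return [e.hostname for e in inv.endpoints
            if e.days_since_patch > MAX_PATCH_AGE_DAYS]


def _stale(when: Optional[date], today: date) -> bool:
    return when is None or (today - when).days > MAX_TEST_AGE_DAYS


def backup_gaps(inv: Inventory, today: date) -> List[str]:
    gaps = []
    if not inv.backup_immutable:
        gaps.append("backups are not immutable")
    if _stale(inv.last_restore_test, today):
        gaps.append("no restore test within %d days" % MAX_TEST_AGE_DAYS)
    return gaps


def ir_gaps(inv: Inventory, today: date) -> List[str]:
    if _stale(inv.last_ir_exercise, today):
        return ["IR plan not exercised within %d days" % MAX_TEST_AGE_DAYS]
    return []


def wire_gaps(inv: Inventory) -> List[str]:
    if inv.wire_callback_required:
        return []
    return ["no out-of-band callback before changing wire instructions"]


def attestation_report(inv: Inventory, today: date) -> dict:
    """Control -> list of gaps; an empty list means the firm can attest truthfully."""
    return {
        "Multi-Factor Authentication": mfa_gaps(inv),
        "Endpoint Detection and Response": edr_gaps(inv),
        "Immutable and Tested Backups": backup_gaps(inv, today),
        "Incident Response Plan": ir_gaps(inv, today),
        "Timely Patch Management": patch_gaps(inv),
        "Wire Verification": wire_gaps(inv),
    }


def can_attest(report: dict) -> List[str]:
    return sorted(c for c, gaps in report.items() if not gaps)


# Constructed sample inventory for a hypothetical firm; not real data.
SAMPLE = Inventory(
    accounts=[
        Account("fw-admin", privileged=True, remote_access=True, mfa_enforced=True),
        Account("partner1@firm.example", remote_access=True, mfa_enforced=False),
        Account("paralegal@firm.example", remote_access=True, mfa_enforced=True),
        Account("backup-svc", privileged=True, mfa_enforced=False),
    ],
    endpoints=[
        Endpoint("ws-01", edr_agent=True, days_since_patch=12),
        Endpoint("ws-02", edr_agent=False, days_since_patch=45),
        Endpoint("dms-srv", edr_agent=True, days_since_patch=20),
    ],
    backup_immutable=True,
    last_restore_test=date(2025, 9, 1),
    last_ir_exercise=None,
    wire_callback_required=True,
)

if __name__ == "__main__":
    for control, gaps in attestation_report(SAMPLE, date(2026, 4, 1)).items():
        print(("OK   " if not gaps else "GAP  ") + control, gaps)
```

Run against the sample, the firm can truthfully attest only to immutable, tested backups and wire verification; MFA fails on a partner mailbox and a service account even though the firewall admin has it, which is exactly the attestation a claims adjuster would later void. Replace the constructed inventory with an export from the identity provider, EDR console and patch tool before relying on the output.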
The eight controls underwriters are asking about
Drawn from current applications by Beazley, Coalition, Chubb, Travelers, CNA, and Hartford, and from the public advisory guidance of Aon, Marsh McLennan, the ABA Standing Committee on Ethics and Professional Responsibility, and the ABA Cybersecurity Legal Task Force. The wording varies by carrier; the questions are consistent.
- Multi-Factor Authentication (Identity & access)
- Endpoint Detection and Response (Endpoint security)
- Immutable and Tested Backups (Resilience)
- Written and Tested Incident Response Plan (Preparedness)
- Email Security and Awareness Training (Human layer)
- Timely Patch Management (Vulnerability management)
- Written Information Security Program & AI-Use Policy (Governance & compliance)
- Wire Verification and IOLTA / Closing Controls (Funds-transfer integrity)
The full brief (21 pages, April 2026) covers each control with the question underwriters ask, why it matters, what implementation looks like inside a small firm, and where firms of this size commonly fall short. It also walks through what is happening in Texas right now (Williams & Connolly, Orrick, Kirkland, SB 768, Ethics Opinion 705), the ABA ethical floor and how the eight controls map to Rules 1.1, 1.6(c), 1.15, and 5.1/5.3 plus Formal Opinions 477R, 483, 498, and 512, why claims still get denied after coverage binds, when to refer a client to DIAM, and the practical sequence a firm should follow before its next application, PL renewal, or subpoena. Request a copy to keep reading.