# Cyber Insurance Requirements for Law Firms 2026

> Cyber insurers now require MFA, EDR, immutable backups and more before they will bind or renew a law firm. Here are the controls, and how to prove each one.

[Home](https://rankshieldlegal.com/) / [Blog](https://rankshieldlegal.com/blog/) / Firm Security Firm cybersecurity
# What Your Cyber Insurer Now Requires to Renew, and How to Prove You Have It
Cyber insurers have tightened underwriting to the point where many law firms can no longer bind a new policy or renew an existing one without a baseline set of security controls, and increasingly they will not take a firm's word for it. Multi-factor authentication, endpoint detection and response, tested immutable backups, and a written incident-response plan now sit near the top of most applications. The quiet shift is from attestation to proof, and a firm that can produce evidence for each control is in a materially stronger position than one that can only describe them.

By [Jamie Kloncz](https://rankshieldlegal.com/about/), Founder, RankShield ** 21 min read ** Published July 6, 2026

If you are asking what cyber insurance requirements law firms now face at renewal, the short answer is a defined baseline of technical controls plus documentation that shows the controls are real. Underwriters commonly ask for multi-factor authentication on email and remote or privileged access, endpoint detection and response across devices and servers, immutable or segregated backups with tested restores, email filtering, timely patching, a written incident-response plan, security-awareness training, and privileged-access management. Applications increasingly require a firm to attest to these controls, and a misstatement can jeopardize a claim later. This article explains each requirement, why insurers want it, and, most importantly, how to produce evidence for it.
A note on how to read what follows. The dollar figure cited below comes from the FBI Internet Crime Complaint Center, a primary source, and it is attributed as such [[1]](#ref-1). Where this piece describes what carriers ask for, it describes a widely reported trend rather than the terms of any one policy, and it names no carriers, no premiums, and no invented statistics. Underwriting standards vary between insurers and change over time, so treat the control list as a well-supported baseline to prepare against, not as a guarantee of what any single carrier will demand. This is general information for firm operators, written by a founder rather than an attorney, and it is not legal or insurance advice.

## Why cyber insurers tightened underwriting, and what that changed at renewal
For several years cyber insurance was relatively easy to buy. A firm answered a short questionnaire, paid a modest premium, and received broad coverage. That period ended as ransomware and business-email-compromise losses mounted and carriers found themselves paying claims faster than they had priced for. The response was not to abandon the market but to reprice and re-underwrite it, and the clearest expression of that shift is the application itself, which has grown from a handful of general questions into a detailed technical inventory.
The losses driving this are concrete rather than abstract. The FBI Internet Crime Complaint Center reported that business email compromise alone accounted for roughly 2.77 billion dollars in reported losses in 2024, out of 16.6 billion dollars in total reported cybercrime losses that year [[1]](#ref-1). Those are reported figures rather than a complete accounting of all loss, and they are directional, but they point clearly at the categories carriers now price most carefully. Ransomware and email fraud are where the money went, and the control requirements on today's applications map directly onto those two threats.
For a law firm, the practical consequence is that coverage now depends on controls the firm may not have documented, or in some cases may not have fully implemented. A managing partner who last renewed two years ago and expects the same experience is often surprised. The renewal is no longer a formality that legal and accounts payable handle between them. It is a review of the firm's actual security posture, and the firm that treats it that way well ahead of the deadline avoids the scramble that catches so many others.
This article describes a widely reported underwriting trend as of mid-2026. It is general information, not legal or insurance advice, and it does not interpret any specific policy. Requirements vary by carrier. Read your own application and policy with your broker.

## The application became a technical audit rather than a checkbox form
The modern cyber application is verifiable. That cuts against firms that overstate their controls, and it favors firms that can show their controls with records. Evidence, not adjectives, is what an underwriter can actually rely on.
The most important thing to understand about a modern cyber application is that its questions are now verifiable. Older forms asked whether a firm had, for example, antivirus and a backup, and a yes was generally accepted at face value. Current forms ask which product, deployed on how many endpoints and servers, monitored by whom, and tested when. Some carriers supplement the questionnaire with an external scan of the firm's internet-facing systems, which means a stated answer can be checked against observable reality before a policy is even bound.
This changes the nature of the exercise. When an answer can be verified, the gap between what a firm says and what a firm does stops being a private matter and becomes an underwriting fact. A firm that reports full endpoint coverage but has left three servers unmonitored has not simply given an optimistic answer; it has created a discrepancy that can surface at the worst possible moment, which is after a breach, when the claim file is reviewed against the application. The application, in other words, is the beginning of the coverage relationship, and its accuracy is load-bearing.
The upside of this shift is that it rewards firms that have done the work. When answers are verifiable, a well-governed firm can distinguish itself from a poorly governed one in a way that a checkbox form never allowed. The firm that can show its controls, rather than merely claim them, presents as the better risk. That is the whole logic behind the sections that follow: each control is easier to obtain coverage for when the firm can point to evidence, and harder when it can only offer assurances.

Source: FBI IC3 2024 Internet Crime Report; ABA Formal Op. 483 Download SVG

## The baseline controls carriers expect before they will bind or renew
Across the market, a recognizable baseline has emerged. No two carriers phrase their questions identically, and some weight one control more heavily than another, but the following set appears on most applications a law firm will encounter. The table below states each control, the reason underwriters ask for it, and, in the column that matters most for renewal preparation, how a firm can prove it rather than merely assert it.
Read the right-hand column as the working part of this article. For every control, there is a form of evidence that turns a questionnaire answer into a demonstrable fact, and assembling that evidence before the application arrives is the single most useful thing a firm can do. The sections after the table take the highest-weighted controls in turn and explain the evidence in more detail.
Control requirement Why insurers want it How to prove it
Multi-factor authentication on email, remote, and privileged access Stops the credential theft behind most account takeover and email fraud Configuration export or admin console screenshots showing MFA enforced, plus a coverage report by account type
Endpoint detection and response (EDR) on devices and servers Detects and contains intrusions that traditional antivirus misses Deployment report listing every endpoint and server covered, with the monitoring provider named
Immutable or offline, segregated backups Ensures recovery when ransomware reaches primary systems Backup configuration showing immutability or isolation, plus a dated log of a successful test restore
Email security and filtering Blocks phishing and business email compromise at the gateway Filtering product configuration and, where available, a report of blocked or quarantined threats
Timely patching and vulnerability management Closes the known holes attackers scan for first Patch-management reporting showing cadence and current status across systems
Written incident-response plan Shows the firm can contain and report a breach in an orderly way The dated plan document, with evidence it has been reviewed or exercised
Security-awareness training Reduces the human error that begins most incidents Training completion records by staff member, with dates
Privileged-access management Limits the damage a compromised admin account can do An inventory of privileged accounts and the controls governing them

Carriers vary in how they weight these controls and in the exact wording they use. Treat this as a preparation baseline, not a universal checklist.

## Multi-factor authentication is the first control underwriters check
Multi-factor authentication sits at the top of nearly every cyber application because it addresses the most common entry point into a firm's systems, which is a stolen or guessed password. When a second factor is required, a leaked password alone no longer opens the door. Underwriters ask about it first, and in many cases a firm that cannot confirm MFA on email and remote access will not be quoted at all. It has become close to a threshold requirement rather than a scored one.
The nuance that catches firms out is coverage. It is not enough to have MFA enabled somewhere. Carriers ask whether it is enforced on email specifically, on any remote or VPN access, and on privileged or administrator accounts, because those are the access paths an attacker most wants. A firm that protects its main email tenant but leaves a legacy remote-access method or an admin console without a second factor has left exactly the gap the question is designed to find. Some carriers now distinguish between weaker text-message factors and stronger application or hardware-based methods, so the specific method can matter as well.
To prove it, a firm should be able to produce a configuration export or administrator-console view showing that MFA is enforced, together with a short statement of which account categories it covers. That evidence answers the question directly and survives later scrutiny. Broader firm cybersecurity practice sits behind this, and the [foundations of law firm cybersecurity](https://rankshieldlegal.com/law-firm-cybersecurity/) are worth reviewing alongside the specific application questions, because MFA is one control within a larger posture rather than a standalone fix.

## Endpoint detection and response, and the server coverage gap
Endpoint detection and response, usually shortened to EDR, is the control that replaced traditional antivirus in the underwriter's mind. Where older antivirus matched known signatures, EDR watches for the behavior of an intrusion and can isolate an affected machine while responders investigate. Carriers ask for it because the ransomware they are pricing frequently walks past signature-based tools, and EDR is the control most likely to catch and contain that activity before it spreads.
The recurring gap is servers. Firms often deploy EDR to laptops and desktops, where staff obviously work, and overlook the servers that hold the matter files, the document management system, and the backups. Attackers do not overlook them. Underwriters have learned this pattern and increasingly ask for coverage across servers as well as workstations, and some request a deployment report to confirm it. A firm that can name its EDR product but cannot say how many of its servers are actually covered has answered only half the question.
Proof here is a deployment or coverage report that lists the protected endpoints and servers and names the party monitoring the alerts, whether that is an internal team or an outside managed provider. The monitoring point matters because a tool that raises an alert no one reads offers little protection and little underwriting value. A firm that can show near-complete coverage and a named monitoring arrangement has turned a soft claim into a demonstrable control.
2.77B Reported business email compromise losses in 2024 per the FBI Internet Crime Complaint Center, out of 16.6 billion dollars in total reported cybercrime losses that year.

## Immutable backups and the tested restore that proves them
Backups are the control that decides whether a ransomware incident is a costly inconvenience or a firm-threatening event, and carriers know it. The requirement has sharpened from simply having a backup to having one an attacker cannot reach or destroy. That means backups that are immutable, meaning they cannot be altered or deleted once written, or that are kept offline and segregated from the production network so that an intruder who reaches primary systems cannot follow the connection into the backup store.
The reason for the sharpening is that attackers learned to target backups first. If the backup is reachable from a compromised network, it can be encrypted or deleted along with everything else, which removes the firm's ability to recover without paying. Immutability and segregation break that path. Carriers ask about it directly because a backup that fails in this specific way is the difference between a claim they can help absorb and a total loss they cannot.
The evidence that matters most for backups is the tested restore. A backup that has never been restored is an assumption, not a control, and underwriters increasingly ask when the last successful test restore occurred. A firm should keep a dated log showing that it periodically restores from backup and confirms the data is usable, alongside the configuration that demonstrates immutability or isolation. If a firm is recovering from an incident, the same disciplines that govern [law firm data breach and ransomware response](https://rankshieldlegal.com/law-firm-data-breach-ransomware/) depend on backups that were tested before they were needed, not discovered to be faulty during the emergency.

## Email security, patching, and the human-layer controls
Below the headline controls sits a second tier that applications still ask about and that firms should still be ready to evidence. Email security and filtering comes first, because email is the delivery mechanism for both the phishing that steals credentials and the business email compromise that redirects payments. A firm should be able to describe its filtering arrangement and, where the product allows, produce a report of the threats it has blocked, which turns a general claim into a record of the control working.
Timely patching is the next. Attackers scan constantly for the known vulnerabilities that vendors have already published fixes for, and an unpatched system is among the easiest ways in. Carriers ask about patch cadence because a firm that applies updates promptly closes those holes before they are exploited. The evidence is patch-management reporting that shows how quickly updates are applied and what the current status is across the firm's systems, rather than a general assurance that patching happens.
Security-awareness training completes this tier and speaks to the human layer, where most incidents actually begin. A staff member who recognizes a phishing message or a suspicious payment change is a control in their own right. Underwriters ask whether training happens and how regularly, and the evidence is simple: completion records by person, with dates. None of these three controls is glamorous, and each is straightforward to document once a firm decides to keep the records rather than reconstruct them under deadline.

## Incident-response plans and privileged-access management
Incident-response plans and privileged-access management do not stop the first intrusion. They limit what an intrusion can become, which is exactly why carriers weight them and why the evidence for each should be ready before the application arrives.
Two governance controls round out the common baseline, and both are about limiting damage rather than preventing the initial intrusion. The first is a written incident-response plan. Carriers ask for it because a firm that has decided in advance who does what when an incident is detected will contain and report the event far more effectively than one improvising under pressure. The plan also connects to a law firm's professional duties, since the ABA has made clear that lawyers must make reasonable efforts to prevent unauthorized access to client information and must respond competently when a breach occurs [[2]](#ref-2).
The evidence for an incident-response plan is the plan itself, dated, plus some sign that it is a living document rather than a file created once and forgotten. A record that the plan has been reviewed or walked through in a tabletop exercise carries more weight than an untouched document, because it shows the firm can actually execute the plan rather than merely possess it.
The second control is privileged-access management, which governs the administrator accounts that can change systems and reach the most sensitive data. A compromised ordinary account is a problem; a compromised administrator account can be a catastrophe, because it can disable defenses and reach backups. Carriers ask how privileged accounts are inventoried, restricted, and monitored. The evidence is an inventory of those accounts and a description of the controls around them, which demonstrates that the firm knows where its most dangerous access lives and has deliberately constrained it.

## Why an inaccurate attestation is more dangerous than any single gap
The most serious risk in the whole renewal process is not a missing control. It is an inaccurate answer about a control. A cyber application is a factual representation that the policy is built on, and if a later forensic review of a claim reveals that the firm attested to a control it did not actually have, the carrier may have grounds to reduce or contest the claim. The firm then faces two losses at once: the breach itself, and a coverage dispute over what it told its insurer.
This is why the honest answer, precisely documented, is worth more than the flattering one. If a firm's EDR does not yet cover every server, the safer course is to say so accurately, describe what is covered, and close the gap before renewal, rather than to check a box that a forensic examiner could later contradict. An accurate answer supported by evidence protects the coverage. An optimistic answer unsupported by evidence puts the coverage at risk precisely when the firm needs it most, which is after a loss has already occurred.
The connection to the firm's other insurance is worth noting briefly. Just as accuracy on a cyber application protects cyber coverage, accuracy on a professional-liability application protects that coverage, a theme explored in the discussion of [the questions malpractice carriers now ask about AI](https://rankshieldlegal.com/legal-malpractice-insurance-ai-questions/). The common thread is that every insurance application is a factual record, and the firm that answers with evidence rather than optimism is protecting more than one policy at a time.

## A renewal-preparation sequence that produces evidence, not assurances
Preparing for a cyber renewal is not a matter of finding the right words when the questionnaire lands. It is a matter of assembling, ahead of time, the evidence for each control the application will ask about, and of closing any gap that assembling the evidence reveals. The sequence below is worth running well before the renewal date, because its real value is the time it gives a firm to fix what it finds rather than to describe a weakness it cannot yet correct.
Run this with your broker involved. Brokers see how different carriers phrase these questions and which controls a given insurer weights most heavily, and they can help a firm answer precisely rather than expansively. The goal throughout is to arrive at the application with a folder of evidence already assembled, so that each answer points to a record rather than to a recollection.

- **Inventory your actual controls** List each control the application asks about and record what the firm truly has, not what policy says it should have. The gap between the two is the first thing worth knowing, and the earliest to surface.
- **Gather the evidence for each** For every control, collect the artifact that proves it: the MFA configuration, the EDR deployment report, the dated restore-test log, the training records, the incident-response plan. If an artifact does not exist, that is a finding.
- **Close the gaps you can** Where a control is missing or partial, implement or extend it before renewal and keep a record of the change. Server EDR coverage and tested restores are the two gaps firms most often find here.
- **Reconcile answers to evidence** Go through the application and confirm that every answer is supported by a specific artifact you can produce. Where an honest answer is weaker than you would like, state it accurately rather than optimistically, and note the remediation underway.
- **Review with your broker before submitting** Have your broker read the answers against the evidence and flag anything a carrier is likely to probe or verify, so that the submitted application is both accurate and precise.

## Where verifiable evidence fits, stated honestly
Everything above points at a single idea: at renewal, the firm that can prove its controls is in a stronger position than the firm that can only describe them. That is a general truth about underwriting, and it holds regardless of what tools a firm uses to produce the proof. Most of the evidence discussed here comes straight from the systems a firm already runs, in the form of configuration exports, deployment reports, dated logs, and training records, and assembling it is more a matter of discipline than of technology.
RankShield Legal's role in this is deliberately narrow, and it should be stated without overreach. RankShield is not a cyber-insurance product, it does not underwrite, price, or place coverage, and it cannot promise that any control or any record will change a quote, because those decisions belong entirely to carriers. What verifiable evidence does is more modest and more durable. It lets a firm answer an underwriter's question, and later a forensic reviewer's question, with a record that was created at the time and can be checked independently, rather than with an assurance that depends on memory. Turning an assurance into a verifiable record is the whole of what the tooling claims to do.
The honest summary is that no vendor, RankShield included, can guarantee coverage, lower a premium, or substitute for the security controls themselves. The controls have to exist, and the responsibility for the firm's security rests with the firm. What good documentation adds is the ability to demonstrate the controls to a carrier that increasingly wants proof rather than promises. For a firm that wants to enter renewal season from a position of evidence, that is worth having, understood plainly for what it is. This article is informational and is not legal or insurance advice; read your own policy and application with your broker and counsel.

Test yourself
## Are you ready for renewal?
Check what carriers now expect a law firm to prove.

- 1 Which control is close to a threshold requirement on most cyber applications? A published security blog Multi-factor authentication on email and remote access A larger office **Answer:** Multi-factor authentication on email and remote access MFA sits at the top of nearly every application because it addresses stolen passwords, and many carriers will not quote a firm that cannot confirm it on email and remote access.
- 2 What best proves an immutable backup will actually work? A dated log of a successful test restore The backup software purchase receipt The vendor's marketing brochure **Answer:** A dated log of a successful test restore A backup that has never been restored is an assumption, not a control. Underwriters increasingly ask when the last successful test restore occurred, so keep a dated log.
- 3 What is the most serious risk in the renewal process? A single missing control An inaccurate attestation about a control you do not actually have Paying the premium late **Answer:** An inaccurate attestation about a control you do not actually have A cyber application is a factual representation the policy is built on. If a forensic review after a breach shows you claimed a control you lacked, the carrier may have grounds to reduce or contest the claim.
- 4 Where does EDR coverage most often have a gap? Laptops Servers Printers **Answer:** Servers Firms often deploy EDR to laptops and desktops and overlook the servers that hold matter files, the document management system, and backups. Attackers do not overlook them.
Honest self-check. There is no sign-up, and nothing is stored.

Questions answered
## Straight answers to the common questions
The questions readers ask about this topic, answered directly. **No forms, no sales pitch.**

JAMIE KLONCZ · SEO AGENCY NAPLES ************** ONLINE
Pick a question on the left, or search above. You will get the direct answer, the way an answer engine would give it.

← PREV NEXT → [REQUEST ACCESS →](https://rankshieldlegal.com/contact/)

- **What are the most common controls a cyber insurer requires from a law firm in 2026?** The baseline that appears on most applications includes multi-factor authentication on email and remote or privileged access, endpoint detection and response across devices and servers, immutable or segregated backups with tested restores, email filtering, timely patching, a written incident-response plan, security-awareness training, and privileged-access management. Carriers vary in how they weight and phrase these, and some add an external scan of your systems, so treat the list as a well-supported preparation baseline rather than a universal checklist, and confirm the specifics with your broker.
- **Can a law firm still get cyber insurance without multi-factor authentication?** It is increasingly difficult. Multi-factor authentication is close to a threshold requirement on most cyber applications, and many carriers will not quote a firm that cannot confirm it on email and remote access. The nuance is coverage: it is not enough to have it somewhere, because carriers ask specifically about email, remote or VPN access, and administrator accounts. A firm that has left any of those paths without a second factor has left the exact gap the question is designed to find. Requirements vary by carrier, so speak with your broker about your situation.
- **Why do cyber insurers care so much about backups?** Because backups decide whether a ransomware incident is recoverable. Attackers learned to target backups first, so if the backup is reachable from a compromised network it can be encrypted or deleted along with everything else. Carriers now ask for backups that are immutable, meaning they cannot be altered once written, or kept offline and segregated from the production network. Just as important is the tested restore: a backup that has never been restored is an assumption, not a control, so keep a dated log of successful test restores to prove it works.
- **What happens if my firm attests to a control it does not actually have?** An inaccurate attestation is the most serious risk in the renewal process. A cyber application is a factual representation the policy is built on. If a forensic review after a breach reveals that the firm claimed a control it did not have, the carrier may have grounds to reduce or contest the claim, leaving the firm with both the breach and a coverage dispute. The safer course is to answer accurately, describe what you actually have, and close any gap before renewal rather than checking a box a reviewer could later contradict.
- **How can a law firm prove it has the controls the insurer asks about?** Each control has a corresponding piece of evidence. Multi-factor authentication is shown by a configuration export or admin-console view of enforcement by account type. Endpoint detection and response is shown by a deployment report listing covered devices and servers and the party monitoring alerts. Backups are shown by an immutability or isolation configuration plus a dated test-restore log. Training is shown by completion records with dates, and the incident-response plan by the dated document with evidence it has been reviewed. Assemble these before the application arrives so each answer points to a record.
- **When should a firm start preparing for a cyber insurance renewal?** Well before the questionnaire arrives, ideally a few months out. The value of starting early is the time it gives you to fix what the preparation reveals, rather than to describe a weakness you cannot yet correct. Inventory the controls the application asks about, gather the evidence for each, close the gaps you find, reconcile every answer to a specific artifact, and review the whole thing with your broker before submitting. Firms that start late tend to face a choice between overstating their controls and delaying the renewal, and both create problems.
- **Does RankShield Legal sell cyber insurance or lower my premium?** No. RankShield is not a cyber-insurance product, it does not underwrite, price, or place coverage, and it cannot promise that any control or record will change a quote, because pricing and coverage decisions belong entirely to carriers. Its role is narrow: helping a firm turn assurances into verifiable records it can show an underwriter, and later a forensic reviewer. The security controls themselves still have to exist, and responsibility for the firm's security rests with the firm. Good documentation supports the renewal conversation; it does not replace the controls or guarantee coverage.

## References

- FBI Internet Crime Complaint Center. 2024 Internet Crime Report. 2025. [https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf](https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf)
- American Bar Association. Formal Opinion 483: Lawyers' Obligations After an Electronic Data Breach or Cyberattack. October 17, 2018. [https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/ethics-opinions/aba-formal-op-483.pdf](https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/ethics-opinions/aba-formal-op-483.pdf)

Written by
## [Jamie Kloncz](https://rankshieldlegal.com/about/)
Founder, RankShield
Jamie Kloncz is the founder of RankShield, the verifiable AI and quantum security platform behind RankShield Legal. An engineer by training, he built RankShield after his own devices and business were attacked, including an AI voice-cloning scam that targeted his family, on one conviction: unverifiable security is the real danger, so every consequential action should leave a receipt anyone can independently check.
[More about Jamie →](https://rankshieldlegal.com/about/)

Try it · Free
## Check a citation against live case-law
Paste a citation from an AI-drafted brief and see whether the case actually exists, resolved against live case-law. Free, no sign-up. Then request early access to certify a full filing.
[Try the citation checker](https://rankshieldlegal.com/ai-legal-citation-checker/)

Keep reading
## Related guides
[Firm Security Outside counsel guidelines are adding AI clauses: what clients now demand Read guide →](https://rankshieldlegal.com/blog/outside-counsel-guidelines-ai-clauses/)[Firm Security How to Verify a Legal AI Vendor's "We Don't Train on Your Data" Claim Read guide →](https://rankshieldlegal.com/blog/verify-legal-ai-vendor-no-training-claim/)[Firm Security How to vet a legal AI vendor: the security questionnaire that protects clients Read guide →](https://rankshieldlegal.com/blog/vet-legal-ai-vendor-security-questionnaire/)
