Author: blogs2025

The stark reality for legal practices today is this: The sensitive client information you handle makes you a prime target for a law firm data breach. Yet, despite the increasing cyber threat to lawyers, many still rely on insufficient insurance policies that leave them exposed to data breaches when it matters most. In fact, more than half of all firms have inadequate coverage.

When it comes to cybersecurity, the gap between awareness and action is growing, and the consequences can be extremely costly. In this article, we’ll break down the unique ways law firms are vulnerable to data breaches and where standard insurance policies fall short. Plus, we’ll cover the steps you can take to assess and improve your coverage before a breach hits.

The disconnect between awareness and action in legal cybersecurity

It’s not that law firms don’t understand the risks. In fact, cybersecurity routinely ranks as a top concern for managing partners and compliance teams. But despite this growing awareness, recent data shows that 52% of law firms believe their current insurance policies would only partially cover their firm in the event of a data breach, if at all. Even more surprising is that only 14% said they planned to expand their coverage in the near future.

So, what’s causing this hesitation? For many firms, it’s a mix of practical constraints and misplaced confidence. 

For many lawyers, it’s tempting to assume that a general liability policy or a basic cyber endorsement is “good enough.” But the fact of the matter is that general liability and malpractice policies do not cover security incidents or data breaches.

Insurance policies can be time-consuming and confusing to read, so in some cases, firms may not fully understand the scope of their coverage. Attorneys may mistakenly think they’re already fully covered until a breach occurs and the fine print tells a different story.

The result is a dangerous gap between perceived protection and actual risk exposure. This gap can lead to serious financial, reputational, or regulatory fallout for lawyers.

Why are law firms prime targets for data breaches?

Law firms are typically holding onto a goldmine of sensitive data about their clients. It makes them incredibly attractive to cybercriminals.

It’s a problem highlighted by the increase in attacks the legal industry has been experiencing. Law360 Pulse reported in 2023 that breaches for law firms had doubled from the year before, while another report found a 68% increase in that period, with 636 weekly attacks.

Here’s a breakdown on why law firms are increasingly in the crosshairs for potential breaches.

Handling extremely sensitive client data

Clients trust their law firms with some of the most confidential information they have. This may include financial records, intellectual property, M&A strategy, litigation documents, and personal identifiers. This data is highly valuable to cybercriminals, as it can contain information that they can weaponize against both firms and clients.

For retail or healthcare companies, data breaches might result in quick sales on the dark web. But the data held by law firms is much easier to use for targeted extortion and insider trading. It can also lead to long-game phishing attacks. 

With the stakes this high and clients increasingly aware of it, more and more clients are building cybersecurity standards into non-negotiable parts of engagement. Firms that can’t prove strong data protection may lose out on business.

Subject to ethical and confidentiality obligations

Confidentiality is a cornerstone of any legal practice, so law firms are ethically and professionally obliged to protect client data. Any breach has the potential to jeopardize attorney-client privilege, and this can violate bar regulations and trigger disciplinary action.

The challenge for firms is that ethical duties don’t pause for technical limitations. If a breach occurs because your systems are outdated, or you have unclear protocols or weak insurance coverage, it doesn’t lessen the consequences. 

Courts and regulatory bodies expect firms to take reasonable steps to safeguard client information before, during, and after a cyber event.

Reliance on legacy systems and inconsistent IT practices

Many law firms still operate on outdated software, older infrastructure, or IT setups that haven’t kept pace with evolving cyber threats. Midsize and boutique firms are particularly prone to these issues.

Other factors like bring-your-own-device (BYOD) policies, remote work habits, and different tech capabilities across offices lead to fragmented environments that are more difficult to keep secure.

Even firms with internal IT teams in place can lack dedicated cybersecurity expertise. This can leave blind spots, especially in areas like endpoint security and threat detection. Hackers are incredibly savvy and are aware of this. They specifically look for easy entry points in firms with weak controls or inconsistent IT systems.

Working with high-profile and high-net-worth clients

Working with corporate executives, celebrities, political figures, or well-known brands can put a target on your firm’s back. These high-value targets may attract cyber criminals who are after sensitive information — especially if they can use it for extortion purposes.

Attackers are also motivated by how connected you might be to other, higher-priority systems. For example, if you work with a Fortune 500 client and your systems are easier to breach than theirs, you’re the more efficient target. 

Leveraging complex vendor and third-party relationships

Like any company today, your law firm likely relies on a wide range of third-party vendors when it comes to tech. This can be anything from cloud storage to e-discovery tools or even how you manage payroll. Every single touchpoint in your technology stack represents a new layer of exposure. In fact, 61% of respondents to a survey said they experienced a third-party data breach or other security incident in the last 12 months.

You might have your internal systems locked down, but a breach through a vendor can still compromise your firm’s (and your client’s) data. And under many regulations, this means you’re still on the hook for the breach. That’s why proper vendor vetting and contractual protections are crucial. Otherwise, these relationships can quietly become one of your firm’s biggest cyber risks.

Not adequately investing in cybersecurity infrastructure

Talent and billable hours are traditionally the biggest expenses for law firms. However, this generally means that other operational areas, such as cybersecurity, can be underfunded or placed lower on the priority list.

But this short-term cost-saving approach can backfire since the average cost of a data breach in 2024 was $4.88 million.

From firewalls to email filtering and staff training, every layer of defense against cyberattacks matters. Threats to law firms are getting more and more sophisticated, and so are the tools and technology your firm needs to use to stop them. Without consistent monitoring and investment in people and systems to prevent data breaches, even the most well-intentioned firms can find themselves vulnerable.

Evolving regulatory and compliance pressures

The regulatory framework around law firm cybersecurity is only getting more complex. American Bar Association (ABA) guidance, data breach regulations, and regional privacy laws are constantly evolving, making it challenging to stay current.

If you’ve got what passed for “secure enough” even five years ago, it likely no longer meets today’s expectations.

Many firms find themselves scrambling to interpret or comply with new requirements, particularly when it comes to matters such as breach notification timelines or industry-specific obligations. Falling short risks financial penalties and can damage client trust and open the door to litigation.

What standard law firm insurance policies miss

Many firms still assume their general liability or professional liability policies will protect them in the event of a cyberattack. But according to recent data, only 40% of law firms have cyber liability insurance, which is actually down from 46% the previous year.

This is because, at first glance, your policy may appear to cover cyberattacks. But standard policies often exclude critical cyber-related losses like ransomware payments, regulatory fines, or data restoration. 

Even those with so-called “cyber endorsements” (an addition to your existing policy) often find they only cover a small portion of costs, like breach notification or credit monitoring. It can leave massive gaps in areas that matter most to law firms. 

Benefits of specialized cyber insurance 

Specialized cyber insurance is designed to fill those gaps. Cyber liability coverage gives firms support when they need it most. A thorough cyber insurance policy includes:

• Ransomware and extortion payments
• Regulatory investigations and penalties
• Business interruption and lost income
• Digital forensics and breach response
• Client notification and crisis comms
• Third-party liability coverage
• Reputation management

And when an incident does occur, providers will often provide specialized legal, IT, or PR experts to help you manage the crisis. It’s an extremely helpful aspect of these policies that ensures you’re not left scrambling.

Self-assessment: Does your firm have gaps in its current insurance coverage?

It’s important not to let cyber insurance be a guessing game. But, like with lots of insurance policies, many law firms only really dig into theirs after a breach — and by then, it’s too late. A proactive review helps to uncover important blind spots and align your coverage with real-world risks.

Here’s a step-by-step guide to help your firm evaluate your current cyber insurance and take proactive measures to identify where gaps may exist.

1. Review your existing policies

Start with what you have and examine your policies across general liability, professional liability, and any cyber endorsements you have. Identify:

• What’s covered
• What’s excluded
• Whether you have a standalone cyber policy
• When your policy was last reviewed

2. Identify your firm’s unique risks

No two firms are the same in terms of the clients they serve, the areas of law they operate in, and how their existing IT set-up looks. 

Here are some things to look at when performing a law firm risk assessment:

• Practice areas (e.g., IP, M&A, litigation)
• Data sensitivity
• Office locations
• IT infrastructure 

3. Understand what triggers coverage

Know the exact conditions required for your policy to respond. Some policies won’t activate without a formal breach declaration or regulatory involvement. This can delay your response and increase financial and reputational risks.

4. Review policy exclusions and sub-limits

Even if a policy looks strong at first glance, it can have significant gaps buried in the fine print. Look out for exclusions in your cyber coverage as well as carve-outs that relate to social engineering, employee error, vendor failure, or caps on ransomware payments.

5. Assess business interruption and downtime scenarios

Malware attacks, for example, cause significant business disruption, which can be the costliest part of a breach. Check your policy thoroughly or, if you don’t have a cyber-specific policy yet, identify the types of outages and delayed work you would need compensation for during an attack. Closing these gaps helps mitigate significant revenue losses from business disruption.

6. Compare your coverage against industry benchmarks

What are similar-sized firms in your space insuring against? Brokers and legal industry reports can help you see how your policy measures up against peer standards and industry best practices. 

7. Consult an insurance broker who specializes in legal risks

Generalist brokers may not be fully aware of law firm-specific exposures. Work with someone who understands attorney-client privilege, confidentiality obligations, and the unique structure of legal operations to make sure you close as many gaps as possible in your policy. At Embroker, we create insurance policy packages with law firms in mind.

8. Use risk modeling tools and outside audits

Cyber risk isn’t a one-size-fits-all approach, so consider consulting a broker or IT provider to explore modeling tools that quantify your exposure. External audits can also help validate your policy against your real-world risk.

9. Review vendor and third-party risk exposure

We’ve discussed the type of risk you’re exposed to from third-party technology and vendors in the event that they themselves experience a breach. Make sure your policy accounts for vendor breaches and includes clear coverage for third-party liability.

10. Evaluate client contract requirements

Some clients require proof of cyber insurance (or even specific limits) as a condition of doing business. Failing to meet these expectations can cost you work or create liability conflicts.

11. Check for coverage of reputational harm and PR support

Rebuilding client trust after a data breach is hard work, so look for policies that include PR and crisis communications support. This helps you to manage the fallout from a breach effectively and protect long-term relationships.

12. Incorporate your insurance into your incident response plan

Your cyber policy and your breach response plan should be in sync. Review both your cyber policy and incident response plan to make sure your firm is sufficiently covered. Ask yourself:

• Who’s responsible for what issues
• How do you contact your insurer in a crisis
• What resources will be provided

This is a good opportunity to evaluate your incident response plan, since only 26% of law firms believe their firm is “very prepared” to respond to cyber incidents.

13. Test and update your coverage annually

Cyber risks evolve constantly, and they’re increasing in volume and complexity. Set a schedule to revisit your coverage every year, especially if you’re adding new technology or taking on bigger clients. Even small updates to your operational processes can produce new risks, and an annual review helps you to stay on top of them.

Best practices for managing cyber risk and coverage

Insurance is just one piece of the puzzle. Here are a few essential best practices you can implement to strengthen your risk posture and complement your insurance coverage:

• Prioritize cyber hygiene with strong passwords, multifactor authentication, and keeping software and systems up-to-date.
• Train your team regularly to avoid breaches that start with human error. Invest in ongoing training to help staff spot phishing attempts and follow security protocols.
• Develop a clear incident response plan so you know exactly what steps to take if a breach occurs, and align your cyber policy with this plan.
• Audit vendors and third parties with the same scrutiny as you do to your own systems because their security gaps can quickly become yours.
• Document everything from IT policies to employee training logs, as this is typically required for insurance claims and compliance audits.

Strong cyber coverage is essential, but you can make it even more effective by integrating it as a core component of your overall risk management strategy.

Close your coverage gaps before they cost you

Cyber threats against law firms aren’t slowing down. Take the time to audit your current coverage and assess your firm’s risks by diving into our 2024 Legal Risk Index Report to stay ahead of emerging risks. At Embroker, we work closely with law firms to craft insurance packages that close coverage gaps and protect you and your clients. Get a quote today!

Throughout history, insurers have been pivotal in driving social change, enabling human progress, innovation, and prosperity. From seatbelts to vaccines and fire-retardant materials, insurers have fostered numerous innovations. Nowadays, they face a new monumental challenge: climate change. 2024 has been another record loss year for insurers driven by natural catastrophes linked to climate change. Insurers are hence seeking greener pastures. If done right, aiding businesses in their transformation to reduce greenhouse gas emissions becomes a positive for insurers. They can be facilitators of the transition to a carbon-neutral future by exerting influence across the wide variety of industries they finance.  

There is an opportunity for insurers to safeguard their top-line and bottom-line while supporting customers on their net zero journeys. In Underwriting, that minimizes risk exposure and scope for regulatory fines by proactively responding to changes, and clients who effectively embark on the green transition are expected to bring higher sales in the mid to long term. In Investments, the case is even better understood: 93% of investors say that climate issues are most likely to affect the performance of investments over the next two to five years. Non-transitioning companies or those who start transitioning too late are in danger of losing an investment grade credit rating, while the outperformers – what we call ‘green stars’ are expected to benefit from green technologies shift in a Paris-agreement-aligned world scenario. 

A new tool for profitable portfolio decarbonization

Insurers need to be able to translate their investee and clients’ emission reduction measures into financial implications for appropriate risk calculations, to decarbonize profitably on their own end.  

As we at Accenture are committed to fostering net zero business practices we have introduced the GreenFInT (Green Financial Institution Tool ), also known as the Profitable Portfolio Decarbonization Tool. Comparing sample client portfolio dynamics up until 2050 for high carbon intensive sectors, it shows ‘green stars’ might outperform ‘climate laggards’ by 30-40 percentage points. The true value of the tool lies in familiarizing insurance managers across investment, risk and pricing with setting assumptions for different world views, from a ‘hot world’ scenario to reaching the Paris alignment.  

Allow me to delve into the tool in greater detail. The GreenFInT tool caters to both the emissions measurement and reporting use cases (e.g., ESRS E1 quantitative KPIs for CSRD) as well as to business value cases with regards to decarbonization. The tool applies climate scenarios (e.g., 1.5°C, 2.4°C) to portfolio companies’ technology mix, depending on their Net Zero pledges and transition plans. Differences in technology mix, pledges, and plans translate into divergent profitability curves via required capital investments and differences in operational costs.  

‘Green stars’ win out in the long term

For illustration, an insurer’s ‘green star’ client from the power generation sector with a SBTi verified Net Zero target by 2040 has and will have a larger share in renewables than a client classified as ‘laggard’. With its proactive transition towards net zero, the ‘green star’ client has initial high capital costs to finance the build out of installed capacities from renewable energy sources to meet its milestones while electricity prices are relatively high – outlining a business opportunity for insurers as the client is in need of financing and insuring of the renewables built out. In comparison, a ‘laggard’ company had no and will not have capital investments beyond usual replacement and maintenance costs of its power plants. On the other hand, renewables have much lower operational cost compared to power generated from nuclear energy and natural gas. Thus, the ‘green star’ that has invested in renewables in a timely fashion will benefit from lower operational costs while the ‘laggard’ will have higher operational costs from traditional energy sources.  

Let’s take an exemplary insurance portfolio with 40 large company clients from four high-intensity sectors, namely power generation, steel, real estate, and automotive, focused within Europe. In a 1.5°C scenario, the capital need for the net zero transition of these companies amounts to approximately 650bn USD 2023-2050 – according to the GreenFInT modelling. While in the mid-term up until 2030, the EBT margin of ‘laggards’ outperform ‘green stars’ by approximately 6 percentage points, in the long-term, 2023-2050, ‘green stars’ outperform ‘laggards’ by 30-40 percentage points (see graph below). 

This forward-looking approach – leveraging scientific sector carbon budgets vs. traditional forecasts based on historical values – enables insurers to integrate long-term scenarios (up to 2050) into their current considerations. This is a most important step towards breaking the ‘tragedy of the horizon’. GreenFInT makes it possible to identify insurers’ investees and clients with trustworthy net zero commitments as the business case assessment can reveal who may not be able to afford their net zero commitments. Building a trusted relationship with these companies as insurer or investor today, is key for a profitable decarbonization. Insights gained through GreenFInT can be helpful to prioritize clients to engage with and a grounded conversation opener to better understand the clients’ transition plans. 

Beyond a net zero business case analysis, GreenFInT also covers the accounting of Scope 3 Category 15 emissions in absolute terms and physical intensities as well as target setting and a ‘What-If’ capability, enabling insurers to simulate effects on their carbon footprint with adjustments to their portfolio. 

The time to act is now

Insurance has consistently demonstrated resilience in the face of numerous challenges, and the current push towards decarbonization is no different. By embracing the transition to net zero, insurers can not only safeguard their profitability but also play a pivotal role in fostering a sustainable future. The integration of science-based sustainability targets into underwriting and investment practices will enable insurers to drive significant change across various industries. As regulatory pressures and public expectations continue to rise, insurers must act decisively to avoid the risks of inaction and greenwashing. The tools and strategies outlined provide a clear pathway for insurers to achieve profitable portfolio decarbonization, ensuring long-term growth and trust in a rapidly evolving landscape. The time to act is now, and the opportunities for those who lead the charge are immense. For further discussion on how to implement these strategies in your enterprise, please get in touch.