Lawyers: You May Not Have the Cyber Coverage You Think You Do

When I review insurance policies for law firms, there’s one issue I see come up again and again…cyber liability.

And more often than not, the conversation starts the same way:

“We already have cyber coverage.”

That may be true. But the real question is… what does that coverage actually include?

Because in many cases, when we take a closer look, there are some significant gaps.

The Problem Isn’t Whether You Have Coverage—It’s What It Covers

I recently reviewed a policy for a small law firm. Smart attorneys, well-run practice, and they were confident they had everything in place from an insurance standpoint.

On the surface, it looked like they had cyber coverage.

But once we dug into the details, the picture changed.

There was no coverage for social engineering fraud.
Wire transfer fraud protection was missing.
Business interruption coverage was minimal.
And the deductible was set so high that it would take a major incident before the policy even became useful.

This isn’t unusual. Many cyber policies are written in a way that appears comprehensive, but when you read the fine print, certain types of claims are carved out, capped, or excluded altogether.

Why Law Firms Are a Target

Law firms are in a unique position when it comes to cyber risk.

You’re handling sensitive client information.
You’re moving money.
You’re constantly communicating via email.

That combination makes law firms an attractive target for cybercriminals.

And unlike large financial institutions, most firms don’t have the same level of cybersecurity infrastructure or internal controls in place. That doesn’t mean firms are careless—it just means they’re often easier to exploit.

All it takes is one convincing email.
One request that looks legitimate.
One click.

From there, a situation can escalate quickly—sometimes into a six- or even seven-figure loss.

Where Cyber Policies Often Fall Short

This is where things get tricky.

A policy might say “cyber coverage,” but that doesn’t always mean you’re protected in the ways you expect.

Some of the most common gaps I see include:

  • Social engineering fraud – when someone impersonates a trusted party to trick you into sending money
  • Funds transfer fraud – unauthorized movement of money through your systems
  • Ransomware payments – coverage limits or conditions that don’t fully address real-world scenarios
  • Business interruption – limited protection for lost income if your systems are down

In many cases, these areas are either excluded entirely or subject to strict sublimits that may not go very far in an actual event.

A Better Question to Ask

If you’re a law firm owner, I’d encourage you to shift the way you think about cyber insurance.

Instead of asking:

“Do we have cyber coverage?”

Ask:

“What exactly is covered, where are the gaps, and can we afford that risk?”

That’s where the real value is.

Because with cyber liability, what you don’t know can end up being the most expensive part.

Final Thought From Don I, Your Insurance Guy

Cyber risk isn’t going away. If anything, it’s becoming more sophisticated and more targeted.

The goal isn’t to overcomplicate things or create unnecessary concern—it’s simply to make sure you understand what you have in place before you need it.

If you’re unsure, it’s worth taking a closer look.

Sometimes a quick review can uncover small adjustments that make a big difference.

About the Author

Don I helps law firms and small businesses understand their insurance coverage so there are no surprises when it matters most. If you’d like a second set of eyes on your policy, he’s always happy to provide straightforward, no-pressure feedback.