Cyber Insurance for Law Firms: What Underwriters Require in 2025
UK cyber insurance for law firms has fundamentally changed since 2021. Premiums have risen by 40–100% for many firms, coverage limits have been reduced, and underwriters are declining or excluding firms that cannot demonstrate specific security controls. The worst outcome — suffering a ransomware attack and discovering your policy does not pay out — is now a real risk for firms that have not kept pace with insurer requirements.
UK cyber insurance premiums for professional services firms increased by an average of 66% between 2020 and 2023.
What Underwriters Now Require as a Minimum
The following controls are now assessed by most UK cyber insurers when underwriting law firm policies. Absence of any of them can result in exclusions, higher premiums, or outright declines:
- Multi-factor authentication (MFA): required on email, remote access (VPN/RDP), and privileged accounts — non-negotiable
- Endpoint detection and response (EDR): basic antivirus is no longer sufficient; underwriters want to see EDR or XDR tooling
- Tested backups: offline or immutable backups with documented, repeated restoration tests — a backup that has never been restored is treated by underwriters as if it did not exist, and a copy the ransomware operator can reach and encrypt does not count
- Patching: critical patches applied within 14 days; a documented patch management process
- Privileged access management: restrictions on who holds administrator rights to critical systems
- Security awareness training: documented annual training — insurers may ask for records
- Incident response plan: a written plan — insurers will ask whether you have one and when it was last tested
Controls That Attract Premium Reductions
Beyond the minimum requirements, insurers offer meaningful premium reductions for firms that demonstrate:
- Cyber Essentials or Cyber Essentials Plus certification
- ISO 27001 certification from an accredited certification body
- External attack surface monitoring (such as Hadrian)
- Data loss prevention and exfiltration prevention tools (such as BlackFog)
- Third-party risk management programme (such as Panorays)
- Managed security service covering 24/7 monitoring
The Conveyancing Coverage Exclusion
An increasing number of insurers are either excluding conveyancing fraud losses from cyber policies or treating them as a separate coverage question. Conveyancing fraud — where a criminal who has compromised or impersonated a mailbox in the transaction chain substitutes their own bank details in an email, so that completion funds are paid to the wrong account — accounts for millions in losses annually. Check your policy specifically: if your firm does conveyancing work, you need explicit coverage for bank details substitution attacks, not just general cyber cover. In practice that means looking for funds transfer fraud or social engineering cover, noting its sub-limit (often far below the headline policy limit), and checking whether it still applies when the mailbox the criminal used belonged to the other side's solicitor or the client rather than to your firm.
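Insurers ask about the process controls behind this exclusion as well as the wording, so it helps to see what a screening control for bank details substitution looks like. The following Python is an added example written for this page, not code from the page's author or from any vendor named above. It assumes a "party record" holding the sender domain and bank details verified out of band (for example by phone) when the matter was opened, and it screens inbound messages for the three signals that characterise the attack: a lookalike or untrusted sender domain, bank details that differ from the verified record, and wording that asks for the payment destination to change. The sample messages and bank details are constructed.

```python
"""Heuristic screening of inbound conveyancing email for bank-details substitution.

Added example; all sender addresses, domains and bank details below are
constructed for illustration and do not belong to any real party.
"""
import re
from dataclasses import dataclass

# UK sort code (six digits, optional separators) and eight-digit account number.
SORT_CODE_RE = re.compile(r"\b(\d{2})[- ]?(\d{2})[- ]?(\d{2})\b")
ACCOUNT_RE = re.compile(r"\b(\d{8})\b")
# Phrases that typically accompany a payment-diversion request (assumed wordlist).
CHANGE_PHRASES = ("new bank details", "updated bank details", "changed our bank",
                  "account has changed", "use the following account")


@dataclass
class PartyRecord:
    """Sender domain and bank details verified out of band at matter opening."""
    trusted_domain: str
    sort_code: str       # six digits, no separators
    account_number: str  # eight digits


def extract_bank_details(text):
    """Return the set of (sort_code, account_number) pairs found in free text."""
    sort_codes = ["".join(m.groups()) for m in SORT_CODE_RE.finditer(text)]
    accounts = [m.group(1) for m in ACCOUNT_RE.finditer(text)]
    return {(s, a) for s in sort_codes for a in accounts}


def edit_distance(a, b):
    """Levenshtein distance; a small distance between domains indicates a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(sender_domain, trusted_domain, max_distance=2):
    """True when the sender domain is not the trusted one but is close to it."""
    sender_domain, trusted_domain = sender_domain.lower(), trusted_domain.lower()
    if sender_domain == trusted_domain:
        return False
    # Compare the first label as well as the whole domain, so that a TLD swap
    # (smithsolicitors.com for smithsolicitors.co.uk) is also caught.
    s_label, t_label = sender_domain.split(".")[0], trusted_domain.split(".")[0]
    return (edit_distance(sender_domain, trusted_domain) <= max_distance
            or edit_distance(s_label, t_label) <= max_distance)


def screen_email(sender, subject, body, record):
    """Return a list of findings for one message; an empty list means nothing suspicious."""
    findings = []
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    text = f"{subject}\n{body}".lower()

    if sender_domain != record.trusted_domain.lower():
        kind = "lookalike" if is_lookalike_domain(sender_domain, record.trusted_domain) else "untrusted"
        findings.append(f"{kind} sender domain {sender_domain!r} (expected {record.trusted_domain!r})")

    unexpected = {d for d in extract_bank_details(text)
                  if d != (record.sort_code, record.account_number)}
    if unexpected:
        findings.append(f"bank details differ from verified record: {sorted(unexpected)}")

    if any(phrase in text for phrase in CHANGE_PHRASES):
        findings.append("message asks to change payment destination")
    return findings


# Constructed sample data: the other side's solicitor, verified by phone at matter opening.
SELLER_SOLICITOR = PartyRecord("smithsolicitors.co.uk", "123456", "12345678")

LEGITIMATE = dict(
    sender="jane@smithsolicitors.co.uk",
    subject="Completion statement",
    body="Please remit completion funds to sort code 12-34-56, account 12345678 as previously confirmed.",
)
FRAUDULENT = dict(
    sender="jane@smith-solicitors.co.uk",
    subject="URGENT: updated bank details for completion",
    body="Our account has changed. Please use the following account: sort code 20-00-00, account 87654321.",
)

if __name__ == "__main__":
    for name, msg in (("legitimate", LEGITIMATE), ("fraudulent", FRAUDULENT)):
        print(name, screen_email(record=SELLER_SOLICITOR, **msg) or "no findings")
```

Any non-empty result should block the payment until the details are confirmed by a phone call to a number already on file, never to one given in the email. The script is a screening aid, not a substitute for that call-back: a criminal who controls the genuine mailbox will pass the domain check, which is exactly why the record of verified bank details and the out-of-band confirmation matter more than the regex.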
Frequently Asked Questions
What is the average cyber insurance premium for a law firm?
Premiums vary significantly with firm size, revenue, practice areas, and security posture. A firm of 20–50 staff with adequate controls might pay £3,000–£10,000 annually. Firms with conveyancing books, weak controls, or prior incidents will pay significantly more — or face difficulty obtaining cover at all.
If we have professional indemnity insurance, do we need separate cyber insurance?
Yes. Professional indemnity insurance (PII) covers third-party claims against the firm arising from its professional work. Cyber insurance covers first-party costs that PII does not: incident response, forensics, ransom negotiation, business interruption, data restoration and notification costs, usually alongside liability for privacy and network security failures. The two overlap only at the edges, and most firms need both.
Can an insurer decline to pay after a ransomware attack?
Yes. Common grounds for claim denial include: misrepresentation on the application about the controls in place; failure to maintain a control that was declared on the application or required as a policy condition; finding that the system through which the attacker entered (typically remote access or email) lacked the MFA the application said was in place; and war exclusions where the attack is attributed to a nation-state. Review your policy carefully and ensure your actual controls match what you declared, because the declaration is checked against the forensic evidence after the incident, not before it.