Understanding cyber insurance for law firms

With the October Professional Indemnity (PI) renewals now behind us, it’s an ideal moment to evaluate and effectively transfer your cyber risk.

Soft market conditions, driven by new entrants into the market, have resulted in increased competition and excess underwriting capacity.

This means favourable terms, broader access and competitive pricing for clients.

Reviewing your cyber insurance

The rapid adoption of technology and increasingly sophisticated cyber threats, amplified by artificial intelligence (AI), signal the potential for market hardening as early as 2026.

It’s important to holistically review cyber insurance, a product that spans most industries, as hacking groups will use similar methods of attack to gain unauthorised access across sectors. 

Recent high-profile cyber attacks in the retail and manufacturing sectors have highlighted the severity of cyber incidents.

Business leaders and key stakeholders should ensure they have a comprehensive cyber risk transfer solution in place.

Knowing your data risks

Hackers have adopted a more specific and targeted approach across sectors.

Preparing and acting ahead of time to mitigate risks before hackers deploy these tactics is key for law firms.

The National Cyber Security Centre recently reported dealing with 204 ‘nationally significant’ cyber attacks over a 12-month period. This is a significant increase from 89 the year before.

Law firms are particularly attractive targets due to the legally privileged, highly sensitive, and confidential personal information they hold.

While tactics used to focus on encrypting data and asking for a ransom to restore it, stealing and threatening to leak data is becoming an increasingly prevalent method of extortion.

Threat actors now focus on harvesting sensitive client records and then threatening to release them. This is known as ‘double extortion’.

The case in which hackers stole data from the Kido nursery chain reflects this newer tactic.

Hackers don't discriminate. If you have a vulnerability, you are a target.

One attack on a firm of solicitors highlights the vulnerabilities within law firms and the bounty a bad actor is after.

In this case, hackers gained access to clients' personal data via an IT administrator account which lacked multi-factor authentication and then published it on the dark web.

This resulted in a fine of £60,000 from the Information Commissioner’s Office (ICO) and reputational damage to the firm.

Common tactics

The main ways for hackers to obtain data are via remote access through a computer system or network, and social engineering tactics such as phishing (where victims are tricked into revealing information like passwords).

Access via these methods is enhanced by the use of AI-generated deepfakes, which are on the rise.

In 2025, the number of deepfake videos shared online is expected to reach 8 million, a massive increase from 500,000 in 2023.

Businesses must be aware of the dangers these pose and take steps to prevent becoming victims of these tactics.

The importance of cyber insurance for firms

As the targeting of personal data and risk of cyber attacks increase, there is a real need for law firms to address prevention and risk transfer.

The lack of cyber insurance coverage in the SME space is a concern, as SMEs account for 99% of all UK businesses.

43% of surveyed UK businesses reported having experienced some form of cyber attack in 2024.

The majority of the 9,000 English and Welsh law firms are considered SMEs, and under-insurance or lack of cyber insurance is prevalent.

Seven out of ten law firms did not purchase cyber insurance as of 2023.

It's crucial to make sure your cyber insurance solution has adequate limits and coverage.

The implications for businesses that do not correctly quantify their risk could be massive. Losses could unfortunately be incurred, in part or in full, by the victims of the cyberattack.

Hackers are increasingly targeting data-rich organisations, and the rise in data theft and extortion underscores the urgency for law firms to act.

Firms should review their cybersecurity measures, quantify their cyber risks, and transfer appropriate risk to the insurance market.

For those not currently leveraging cyber insurance, now is the time to act.

 

Find out more

Gallagher is a Law Society partner.

Contact James Wall or Charlotte Corfield for more information.

This article is written by Arthur J. Gallagher (UK) Limited (Gallagher) as a hosted feature on the Law Society website. Views expressed are Gallagher’s own. The sole purpose of this article is to provide guidance on the issues covered.

This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area.

Gallagher make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Gallagher accepts no liability for any inaccuracy, omission or mistake in this publication, nor will it be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.

Partner information

Gallagher offers cyber insurance for the legal sector – helping you protect your law firm from cyberattacks.