Cyber insurers are tightening requirements for Australian law firms. Here's exactly what IT controls they require and what happens if you can't demonstrate them.
Cyber insurance for Australian law firms used to be relatively straightforward to obtain. You answered a questionnaire, affirmed that you had antivirus and backups, and received a policy. That era is over.
Since 2021, cyber insurance underwriters have dramatically increased the specificity of their requirements following a wave of high-value claims from ransomware attacks and business email compromise incidents — many of them involving professional services firms. Australian law firms, given the combination of large trust transfers, sensitive client data, and often under-invested IT security, are a category that underwriters now examine closely.
This article covers what cyber insurance underwriters are actually asking Melbourne law firms in 2025–26, which controls have moved from “questions” to “conditions,” and what happens at renewal when you can’t demonstrate them.
How Cyber Insurance Has Changed
The shift in cyber insurance requirements happened in two stages.
Stage 1 (2021–2022): After a significant increase in ransomware and BEC claims, insurers added detailed questionnaires asking about specific security controls. Firms that answered “no” to key controls still obtained coverage — often with premium increases or coverage sublimits. The questions were informational; the answers rarely prevented coverage.
Stage 2 (2023–present): Certain controls have become coverage conditions rather than questionnaire items. This means that if you do not have a specific control in place, you either cannot obtain coverage at all, or your policy excludes losses that occur in the absence of that control. The language has shifted from “do you have X?” to “coverage is conditional on maintaining X.”
For Melbourne law firms, this shift is significant because cyber insurance coverage for a BEC incident — the highest-frequency, highest-value cyber risk for legal practices — may now be excluded if you cannot demonstrate that you had required BEC controls in place at the time of the incident.
What Cyber Insurers Are Requiring in 2025–26
The following controls appear on most Australian cyber insurance applications targeting professional services firms, including law firms. Their status varies by insurer but the pattern is consistent.
Multi-Factor Authentication — Now a Coverage Condition
MFA on email (Microsoft 365 Exchange) and remote access (VPN, Remote Desktop) is now a coverage condition with most major Australian cyber insurers. This means:
- Not an optional question with a premium impact if you answer “no”
- A condition of the policy — if you suffer a claim and it is determined that MFA was not in place on the affected account, the insurer may deny the claim
What underwriters are specifically asking:
- Is MFA enforced on all Microsoft 365 accounts, including shared mailboxes?
- Is MFA required for all remote access to corporate systems?
- What MFA methods are in use — authenticator app, SMS, hardware token?
The devil is in “enforced” — having MFA available for self-enrolment but not enforced via policy does not satisfy most insurer requirements. Conditional Access policies in Entra ID that enforce MFA for all sign-ins, with no bypass exceptions for trusted networks or legacy authentication, are what underwriters are looking for.
Endpoint Detection and Response (EDR)
EDR — specifically a managed or monitored EDR product rather than standard antivirus — appears on most current applications as either a condition or a significant premium factor.
The distinction underwriters make:
- Standard antivirus: Signature-based, detects known threats, low management overhead — this no longer satisfies the endpoint security question on most applications
- EDR: Behaviour-based detection, managed with monitoring and response capability — this satisfies the endpoint security requirement
Law firms still running Symantec, McAfee, or unmanaged Windows Defender may find their endpoint security question triggers further underwriter scrutiny or supplementary questions about breach history and patching practices.
Email Authentication — DMARC Policy Level
This is the question that reveals whether an underwriter has looked at BEC patterns in Australian law firm claims. It’s no longer enough to have DMARC configured — underwriters are asking what policy level you’re running.
The specific questions:
- Do you have DMARC configured for all company email domains?
- Is DMARC set to p=reject (reject policy), or to p=quarantine or p=none?
A DMARC configuration at p=none (monitoring mode) provides no protection against domain spoofing. Insurers writing BEC coverage for law firms know this. Law firms with DMARC at p=none will increasingly find BEC coverage excluded or sublimited — the insurer cannot price BEC risk on a firm whose domain can be freely spoofed.
Backup Separated from Production Network
Backup requirements have become substantially more specific as insurers have seen ransomware attacks encrypt or destroy backup copies when they’re accessible from the same network as production data.
What underwriters are now asking:
- Are backups stored on separate infrastructure from production systems?
- Are backups immutable (cannot be modified or deleted by ransomware that gains production access)?
- Are backups tested for restoration, and how often?
- Are backups encrypted?
Law firms with backups on a NAS connected to the production network — accessible from any workstation that’s compromised — will increasingly be required to demonstrate a secondary offsite or cloud backup with immutability controls.
Documented Incident Response Procedure
An incident response plan is not the same as knowing that you’d call your IT provider if something went wrong. Insurers are asking for documented procedures because documented procedures indicate that the firm has thought through the scenario — and more importantly, that they will know what to do in the first critical hours after an incident when evidence preservation matters.
What satisfies this question:
- A written procedure covering incident identification, notification (to the insurer, to the OAIC if NDB-notifiable, to affected clients), containment steps, and recovery
- Evidence that the procedure has been reviewed in the last 12 months
- Named contact for IT incident response (internal or external)
Phishing Simulation Training
Staff security awareness training appears on most applications, but underwriters are increasingly distinguishing between a one-time training module and ongoing simulated phishing programs.
The distinction:
- One-time or annual training: passes the question but doesn’t demonstrate ongoing vigilance
- Quarterly or more frequent simulated phishing campaigns with measured click rates and targeted follow-up training: demonstrates active security culture and provides data that underwriters view positively
For law firms, phishing simulation specifically targeting conveyancing and finance staff — the primary BEC targets — is the most relevant form.
What Happens When You Can’t Demonstrate Controls
At initial application: Applications that cannot demonstrate MFA and EDR will either be declined or offered coverage with significant restrictions. Premiums for firms without these controls are materially higher — often 2–3x — compared to equivalent firms that have them.
At renewal: If controls were claimed at the previous renewal and cannot now be evidenced, the renewal may be declined, limited, or restructured with new conditions. Insurers who can demonstrate the control was not in place when a claim occurred may deny the claim on misrepresentation grounds.
After a claim: Post-claim underwriting investigation is thorough. If a firm claims for a BEC incident and the investigation reveals DMARC was at p=none and MFA was not enforced, the insurer has grounds to question whether the application accurately represented the firm’s security posture.
Documentation: The Gap Most Melbourne Law Firms Have
Having the controls in place is necessary but not sufficient. Demonstrating the controls to an underwriter requires evidence.
What underwriters want to see:
- MFA: Entra ID Conditional Access policy screenshot showing MFA enforcement scope and any exceptions
- EDR: Deployment report or management console screenshot showing coverage across endpoints
- DMARC: DMARC record query result showing current policy and SPF/DKIM configuration
- Backup: Backup job logs and a documented restore test with date and result
- Incident response: The document itself, with a review date
Most Melbourne law firms that have the controls in place cannot easily produce this evidence on demand at renewal time. They have to reconstruct it from their IT provider, which takes time, creates uncertainty, and sometimes reveals that a control is less comprehensive than assumed.
A managed IT provider should be able to produce a security evidence pack as a standard deliverable — this is something we provide as a component of our law firm managed IT service, updated quarterly.
Getting Ready for Your Next Renewal
For Melbourne law firms approaching cyber insurance renewal in 2025–26, a structured readiness process:
- Run a DMARC check on your domain — dmarcian.com will show you your current policy level instantly
- Audit MFA coverage in your Microsoft 365 admin portal — look at Active Users and filter by MFA status
- Confirm your backup architecture — ask your IT provider whether any backup copy is separated from your production network and immutable
- Locate your incident response procedure — if you can’t find it, it doesn’t exist in a form that satisfies the question
- Confirm your EDR product — standard Windows Defender without Microsoft Defender for Endpoint management does not satisfy most EDR questions
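The DMARC policy-level question above, and the “run a DMARC check on your domain” step in this checklist, come down to reading the TXT record at _dmarc.<domain> and judging whether it actually enforces anything. The following Python script is an added example (not code from the original article or from CX IT Services) that classifies a record the way the underwriter’s question frames it: p=reject is enforcing, p=quarantine is partial, p=none is monitoring only, and it also flags the gaps a quick look often misses (no record, duplicate records, pct below 100, sp=none on subdomains, no rua= reporting address). All domain names and records are constructed samples so it runs offline.

```python
# Constructed sample records (not real domains) so the check runs offline.
SAMPLE_RECORDS = {
    "firm-reject.test":     ["v=DMARC1; p=reject; rua=mailto:dmarc@firm-reject.test"],
    "firm-quarantine.test": ["v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@firm-quarantine.test"],
    "firm-monitor.test":    ["v=DMARC1; p=none; rua=mailto:dmarc@firm-monitor.test"],
    "firm-subdomain.test":  ["v=DMARC1; p=reject; sp=none"],
    "firm-none.test":       [],
    "firm-duplicate.test":  ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(records):
    """Classify the TXT record(s) published at _dmarc.<domain>.
    Returns (status, notes): status is 'enforcing', 'partial', 'monitor-only',
    'missing' or 'invalid'; notes explain what weakens the policy."""
    if not records:
        return "missing", ["no DMARC record: the domain can be spoofed freely"]
    if len(records) > 1:
        return "invalid", ["multiple DMARC records: receivers ignore DMARC entirely"]
    tags = parse_dmarc(records[0])
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid", ["malformed record: v=DMARC1 and p= are mandatory"]
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor-only", ["p=none gives no protection against domain spoofing"]
    notes = []
    pct = int(tags.get("pct", "100"))              # share of failing mail the policy applies to
    if pct < 100:
        notes.append(f"pct={pct}: only {pct}% of failing mail is acted on")
    if tags.get("sp", policy).lower() == "none":   # subdomain policy defaults to p
        notes.append("sp=none: subdomains remain spoofable")
    if policy == "quarantine":
        notes.append("p=quarantine: spoofed mail is junked rather than rejected")
    status = "enforcing" if not notes else "partial"
    if "rua" not in tags:                          # informational: does not change status
        notes.append("no rua= address: no aggregate reports to evidence the policy")
    return status, notes

def assess_all(samples):
    """Map each domain to its status, e.g. for a renewal evidence pack."""
    return {domain: assess_dmarc(recs)[0] for domain, recs in samples.items()}
```

To check a real domain, pass the TXT strings returned for _dmarc.yourdomain (for example from `dig _dmarc.yourdomain TXT`) to assess_dmarc instead of the constructed samples.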
CX IT Services provides cyber insurance readiness assessments for Melbourne law firms — a structured review of your IT controls against current insurer requirements, with a documented evidence pack suitable for the renewal application. See our cybersecurity for law firms service for the controls we implement, or visit our IT support for law firms hub for how security fits into our full managed IT offering. Book a Right Fit Call to discuss your next renewal timeline and what needs to be in place.