Skip to main content

How Small Law Firms Are Answering Insurer Security Questionnaires in 2026

9 min read

The renewal questionnaire arrives. It's longer than last year. Some questions you can answer easily: yes, you have antivirus. Yes, you have a firewall.

But then it asks for MFA enforcement logs. It asks whether your backups are immutable and when you last tested a restore. It asks for an incident response plan and evidence that it was tested in the last twelve months.

You have most of these controls. You just can't prove it. And in 2026, “we have it” isn't the answer carriers want.


What Changed in Cyber Underwriting

A few years ago, cyber insurance questionnaires were largely checkbox exercises. Do you have antivirus? Check. Do you have a firewall? Check. Premium calculated, policy issued.

That's mostly over.

Carriers lost money. Ransomware claims, business email compromise payouts, and breach response costs pushed underwriters to look harder at what they were actually insuring. Munich Re projected the global cyber insurance market at $16.3 billion in 2025, and markets that large attract actuaries who do the math carefully. The result is technical underwriting: carriers now want to see that controls were deployed, used consistently, and tested — not just that someone said yes on a form.

For small law firms, this shift has practical consequences. Law firms handle privileged client data, financial records, and sensitive matters that make them attractive breach targets. They're also often under-resourced on IT. That combination makes insurers cautious, and caution now shows up as documentation requirements.

The Gap Between Controls and Evidence

Most small law firms have more security controls than they think. The problem is that controls and evidence aren't the same thing.

You might enforce MFA on Office 365. But can you produce a screenshot of the Conditional Access policy, plus a log showing it applied to all users? Your IT vendor might have deployed EDR on every endpoint. But do you have a report showing all devices covered, last active date, and alerting enabled?

This is the actual gap: informal practices that work fine operationally but produce nothing an underwriter can review. The firms that handle renewal smoothly aren't necessarily more secure than the ones that struggle. They're better at assembling evidence.

What Insurers Actually Ask For

The questionnaire categories have stabilized enough that firms can prepare for them. Here is what comes up consistently:

Identity and Access

MFA is table stakes. Carriers want it enforced on email (not just offered as optional), remote access including VPN and RDP, and privileged accounts. "We have MFA available" doesn't satisfy the question. The question is whether a user can bypass it — and if they can, the answer is no.

Evidence that works

A Conditional Access policy screenshot showing MFA required for all users, an admin portal export showing MFA enrollment status, or a configuration report from your identity provider.

Endpoints

Antivirus doesn't satisfy this anymore. Carriers want EDR or MDR — something with behavioral detection, active response capability, and alerting. The distinction matters because traditional antivirus is signature-based and mostly reactive. EDR tools monitor process behavior and can isolate an endpoint during an active incident.

Evidence that works

A deployment report from your EDR platform showing device coverage and last-seen dates, plus documentation of alerting configuration and who receives alerts.

Backups

The 72% of ransomware incidents that target backups aren't an accident. Attackers know that if they encrypt your backups along with your production data, recovery becomes nearly impossible. Carriers know this too. Immutable backups and restore testing are now standard questions.

Evidence that works

Backup configuration screenshots showing retention and immutability settings, plus a restore test log with date, what was restored, and whether it completed successfully.

Incident Response

A documented incident response plan is expected. An untested one is viewed skeptically. A tabletop exercise — even a two-hour internal session where you work through a ransomware scenario — produces documentation that satisfies this requirement and is genuinely useful for the firm.

Evidence that works

A written IR plan with roles, escalation contacts, and step-by-step procedures, plus tabletop exercise notes showing date, attendees, and any action items identified.

Patching

Regular patching with documented cadence. The question isn't whether you patch — it's whether you have a process and can show it ran.

Evidence that works

A patch management report from your RMM or endpoint tool showing last patch date per device, plus a written policy stating patch frequency and who's responsible.

Vendor Risk and Training

These two often get less attention but show up on almost every questionnaire. Vendor risk means having some record of security review for critical vendors. Training means documented security awareness sessions, not just an email reminder someone sent. Human error is involved in roughly 95% of cyber incidents — that statistic drives why training and phishing simulations now appear in underwriting questions.

Evidence that works

A vendor list with what data each vendor accesses and any contractual security clauses, plus training attendance records and phishing simulation results.

Compliance Readiness

We assemble the evidence packages that answer these questions — organized before renewal arrives.

See the service

Why Law Firms Have More at Stake Than Other Small Businesses

A data breach costs a small law firm an average of $36,000 — and that's before accounting for regulatory exposure, bar association notification requirements, and client relationship damage.

Bar rules in most jurisdictions now explicitly require lawyers to take reasonable steps to protect client information. “Reasonable steps” is increasingly being defined by reference to what security frameworks and insurers consider standard. A firm that can't satisfy a cyber insurance questionnaire is arguably having trouble satisfying its professional obligations.

This is not an IT issue dressed up in compliance language. It's a practice management issue.

What Misrepresentation Costs

If a firm answers “yes” to MFA enforcement and then has a breach where the attacker used credentials without MFA, the carrier has grounds to dispute the claim. This happens. Coverage denials after incidents frequently come back to questionnaire answers that didn't match actual practice.

“Getting coverage is the easy part. Getting the claim paid is what matters. The gap between ‘we said we had it’ and ‘we can prove we had it’ is where claims die.”

The Evidence Folder: What to Build Before Renewal

This is not a long-term project. A firm that spends one afternoon gathering documentation can produce most of what a renewal questionnaire requires:

  • MFA enforcement proofScreenshots or export showing MFA required for email, remote access, and admin accounts, with no bypass exceptions for regular users
  • EDR deployment reportDevice list, coverage percentage, last-seen date, alerting configuration
  • Backup configurationRetention settings, immutability configuration, storage location, who is responsible
  • Restore test logDate of last test, what was restored, result, any failures or gaps identified
  • Incident response planWritten document with roles, escalation contacts, decision criteria, and steps for the most likely scenarios
  • Tabletop exercise notesDate, attendees, scenario tested, gaps identified, action items
  • Patch management reportLast patch run per device, operating system versions, update policy
  • Vendor listCritical vendors, what data they access, any security documentation or contractual security clauses on file
  • Training recordsDates of security awareness sessions, who attended, any phishing simulation results

Keep this folder updated. When renewal comes, you're not assembling documentation under a deadline — you're reviewing something that already exists.

Our full Cyber Insurance Questionnaire Guide walks through each category in detail — what carriers ask, what evidence works, and how to organize it before renewal.

Read the Cyber Insurance Guide

Need help building this?

Managed Security (Tier 3) covers ongoing compliance documentation support — including incident response plan maintenance, annual review evidence, and cyber insurance questionnaire preparation.

See Managed Security

The Practical Test

If your insurer called tomorrow and asked for proof of MFA enforcement, EDR coverage, and your last backup restore test, could you produce all three in under five minutes?

If yes, you're in reasonable shape.

If you'd need to contact your IT vendor, dig through email threads, or explain that the policy exists but isn't written down anywhere — that's the gap. Not because the controls aren't there, but because the evidence isn't organized. Cyber insurance in 2026 is as much a documentation discipline as a security one.


What Battice includes for law firms

  • Baseline Security ($600/mo) — MFA audit and enforcement documentation, monthly phishing simulations with click/report tracking, and evidence reports formatted for insurer review
  • Active Monitoring ($1,200/mo) — EDR deployment with Wazuh agent coverage report and 24-hour alert triage, plus a monthly threat report you can hand directly to your carrier
  • Compliance Readiness — a structured engagement that builds your evidence folder: MFA documentation, backup configuration, restore test log, incident response plan, and tabletop exercise notes
See how Battice supports legal practices

Get started

Compliance Readiness for Law Firms

Battice Systems helps small law firms build and organize the evidence documentation that cyber insurance carriers require — before the deadline.