Compliance
How Small Law Firms Are Answering Insurer Security Questionnaires in 2026
The renewal questionnaire arrives. It's longer than last year. Some questions you can answer easily: yes, you have antivirus. Yes, you have a firewall.
But then it asks for MFA enforcement logs. It asks whether your backups are immutable and when you last tested a restore. It asks for an incident response plan and evidence that it was tested in the last twelve months.
You have most of these controls. You just can't prove it. And in 2026, “we have it” isn't the answer carriers want.
What Changed in Cyber Underwriting
A few years ago, cyber insurance questionnaires were largely checkbox exercises. Do you have antivirus? Check. Do you have a firewall? Check. Premium calculated, policy issued.
That's mostly over.
Carriers lost money. Ransomware claims, business email compromise payouts, and breach response costs pushed underwriters to look harder at what they were actually insuring. Munich Re projected the global cyber insurance market at $16.3 billion in 2025, and markets that large attract actuaries who do the math carefully. The result is technical underwriting: carriers now want to see that controls were deployed, used consistently, and tested — not just that someone said yes on a form.
For small law firms, this shift has practical consequences. Law firms handle privileged client data, financial records, and sensitive matters that make them attractive breach targets. They're also often under-resourced on IT. That combination makes insurers cautious, and caution now shows up as documentation requirements.
The Gap Between Controls and Evidence
Most small law firms have more security controls than they think. The problem is that controls and evidence aren't the same thing.
You might enforce MFA on Office 365. But can you produce a screenshot of the Conditional Access policy, plus a log showing it applied to all users? Your IT vendor might have deployed EDR on every endpoint. But do you have a report showing all devices covered, last active date, and alerting enabled?
This is the actual gap: informal practices that work fine operationally but produce nothing an underwriter can review. The firms that handle renewal smoothly aren't necessarily more secure than the ones that struggle. They're better at assembling evidence.
What Insurers Actually Ask For
The questionnaire categories have stabilized enough that firms can prepare for them. Here is what comes up consistently:
Identity and Access
MFA is table stakes. Carriers want it enforced on email (not just offered as optional), remote access including VPN and RDP, and privileged accounts. "We have MFA available" doesn't satisfy the question. The question is whether a user can bypass it — and if they can, the answer is no.
Evidence that works
A Conditional Access policy screenshot showing MFA required for all users, an admin portal export showing MFA enrollment status, or a configuration report from your identity provider.
Endpoints
Antivirus doesn't satisfy this anymore. Carriers want EDR or MDR — something with behavioral detection, active response capability, and alerting. The distinction matters because traditional antivirus is signature-based and mostly reactive. EDR tools monitor process behavior and can isolate an endpoint during an active incident.
Evidence that works
A deployment report from your EDR platform showing device coverage and last-seen dates, plus documentation of alerting configuration and who receives alerts.
Backups
The 72% of ransomware incidents that target backups aren't an accident. Attackers know that if they encrypt your backups along with your production data, recovery becomes nearly impossible. Carriers know this too. Immutable backups and restore testing are now standard questions.
Evidence that works
Backup configuration screenshots showing retention and immutability settings, plus a restore test log with date, what was restored, and whether it completed successfully.
Incident Response
A documented incident response plan is expected. An untested one is viewed skeptically. A tabletop exercise — even a two-hour internal session where you work through a ransomware scenario — produces documentation that satisfies this requirement and is genuinely useful for the firm.
Evidence that works
A written IR plan with roles, escalation contacts, and step-by-step procedures, plus tabletop exercise notes showing date, attendees, and any action items identified.
Patching
Regular patching with documented cadence. The question isn't whether you patch — it's whether you have a process and can show it ran.
Evidence that works
A patch management report from your RMM or endpoint tool showing last patch date per device, plus a written policy stating patch frequency and who's responsible.
Vendor Risk and Training
These two often get less attention but show up on almost every questionnaire. Vendor risk means having some record of security review for critical vendors. Training means documented security awareness sessions, not just an email reminder someone sent. Human error is involved in roughly 95% of cyber incidents — that statistic drives why training and phishing simulations now appear in underwriting questions.
Evidence that works
A vendor list with what data each vendor accesses and any contractual security clauses, plus training attendance records and phishing simulation results.
Compliance Readiness
We assemble the evidence packages that answer these questions — organized before renewal arrives.
Why Law Firms Have More at Stake Than Other Small Businesses
A data breach costs a small law firm an average of $36,000 — and that's before accounting for regulatory exposure, bar association notification requirements, and client relationship damage.
Bar rules in most jurisdictions now explicitly require lawyers to take reasonable steps to protect client information. “Reasonable steps” is increasingly being defined by reference to what security frameworks and insurers consider standard. A firm that can't satisfy a cyber insurance questionnaire is arguably having trouble satisfying its professional obligations.
This is not an IT issue dressed up in compliance language. It's a practice management issue.
What Misrepresentation Costs
If a firm answers “yes” to MFA enforcement and then has a breach where the attacker used credentials without MFA, the carrier has grounds to dispute the claim. This happens. Coverage denials after incidents frequently come back to questionnaire answers that didn't match actual practice.
“Getting coverage is the easy part. Getting the claim paid is what matters. The gap between ‘we said we had it’ and ‘we can prove we had it’ is where claims die.”
The Evidence Folder: What to Build Before Renewal
This is not a long-term project. A firm that spends one afternoon gathering documentation can produce most of what a renewal questionnaire requires:
- MFA enforcement proof — Screenshots or export showing MFA required for email, remote access, and admin accounts, with no bypass exceptions for regular users
- EDR deployment report — Device list, coverage percentage, last-seen date, alerting configuration
- Backup configuration — Retention settings, immutability configuration, storage location, who is responsible
- Restore test log — Date of last test, what was restored, result, any failures or gaps identified
- Incident response plan — Written document with roles, escalation contacts, decision criteria, and steps for the most likely scenarios
- Tabletop exercise notes — Date, attendees, scenario tested, gaps identified, action items
- Patch management report — Last patch run per device, operating system versions, update policy
- Vendor list — Critical vendors, what data they access, any security documentation or contractual security clauses on file
- Training records — Dates of security awareness sessions, who attended, any phishing simulation results
Keep this folder updated. When renewal comes, you're not assembling documentation under a deadline — you're reviewing something that already exists.
Our full Cyber Insurance Questionnaire Guide walks through each category in detail — what carriers ask, what evidence works, and how to organize it before renewal.
Read the Cyber Insurance GuideNeed help building this?
Managed Security (Tier 3) covers ongoing compliance documentation support — including incident response plan maintenance, annual review evidence, and cyber insurance questionnaire preparation.
See Managed SecurityThe Practical Test
If your insurer called tomorrow and asked for proof of MFA enforcement, EDR coverage, and your last backup restore test, could you produce all three in under five minutes?
If yes, you're in reasonable shape.
If you'd need to contact your IT vendor, dig through email threads, or explain that the policy exists but isn't written down anywhere — that's the gap. Not because the controls aren't there, but because the evidence isn't organized. Cyber insurance in 2026 is as much a documentation discipline as a security one.
What Battice includes for law firms
- Baseline Security ($600/mo) — MFA audit and enforcement documentation, monthly phishing simulations with click/report tracking, and evidence reports formatted for insurer review
- Active Monitoring ($1,200/mo) — EDR deployment with Wazuh agent coverage report and 24-hour alert triage, plus a monthly threat report you can hand directly to your carrier
- Compliance Readiness — a structured engagement that builds your evidence folder: MFA documentation, backup configuration, restore test log, incident response plan, and tabletop exercise notes
Get started
Compliance Readiness for Law Firms
Battice Systems helps small law firms build and organize the evidence documentation that cyber insurance carriers require — before the deadline.