
The Policy You Paid for but Cannot Use: Cyber Insurance, Compliance Gaps, and the Documentation Trap

Tags: Breach Disclosure, Cybersecurity, Data Privacy, Insurance, Law Firm Security, Legal Ethics, Ransomware

THE TECHNOLOGY BLIND SPOT

Hamilton, Ontario did everything right after the ransomware hit. The city refused to pay the $18.5 million ransom. It contained the attack within 48 hours. It hired forensic specialists, engaged law enforcement, and rebuilt its systems from backups. By every measure of incident response execution, Hamilton performed well under pressure.

Then the insurance company denied the entire claim.

In July 2025, Hamilton disclosed that its cyber insurer had denied the city’s claim. The city’s costing reports put total recovery costs at roughly $18.3 million; the CBC report on the denial, cited below, put the rejected claims at about $5 million. The insurer did not question the city’s response. It pointed to a single compliance gap: multi-factor authentication had not been fully deployed at the time of the breach. The policy excluded coverage for losses where the absence of MFA contributed to the compromise. Hamilton had known since late 2022 that its insurer required full MFA deployment. City staff acknowledged in 2023 that they had not achieved compliance. The ransomware hit in February 2024. The policy did exactly what it said it would do. It did not pay.

Hamilton is not a law firm. But the gap between buying a policy and collecting on it mirrors a gap that exists in most law practices today. The ABA’s 2023 Legal Technology Survey found that only 40% of law firms carry cyber insurance. Of those that do, the number that can demonstrate ongoing compliance with every condition in their policy is almost certainly far smaller. And the consequences of that gap, as Hamilton’s taxpayers learned, are not theoretical.

The Direct Answer

Your cyber insurance policy is a contract, not a guarantee. The conditions that determine whether a claim gets paid are contractual obligations requiring ongoing compliance, contemporaneous documentation, and verifiable evidence that the security controls you attested to on your application are actually in place.

Fitch Ratings data indicates that nearly one in four cyber insurance claims filed in 2024 failed to meet coverage requirements. Industry analyses tracking all denial categories place the figure higher, with multiple sources reporting denial rates exceeding 40%. The most common reasons: misrepresented security controls, missing documentation, and failure to meet policy conditions that the insured agreed to when the carrier issued the policy. For law firms, the ethical overlay compounds the problem. ABA Formal Opinion 483 and Model Rule 1.1 require competence in technology risk management. A firm that cannot produce documentation of its security posture faces both an insurance problem and an ethics problem.

If this sounds familiar, it should. This series has documented how cybersecurity failures create compounding legal exposure: from free email providers scanning privileged communications to the encryption gap between secure firms and insecure clients to password failures that open the front door to attackers. Cyber insurance is the final layer of protection, the safety net for when every other control fails. If the safety net has holes, the entire risk architecture collapses.

This article examines how cyber insurance policies actually work, where law firms most commonly fail to meet their obligations, and what documentation practices separate firms that collect on claims from those that discover their policy is worthless after the breach has already occurred.

How Cyber Insurance Policies Actually Work

Cyber insurance applications are not intake forms. They are underwriting instruments that create binding representations about your firm’s security posture. When you sign the application, you attest, under penalty of policy rescission, that the information you provided is accurate.

The Travelers v. International Control Services case in 2022 illustrates this principle with painful clarity. ICS, an electronics manufacturer, represented on its application that it used multi-factor authentication across its systems. After a ransomware attack, Travelers found that ICS had deployed MFA only on its firewall, not on its servers or other systems, and sued to rescind the policy. The case ended with a stipulated rescission: ICS agreed that the policy was void from inception, and the court dismissed the suit with prejudice. Not a reduced payout. Not a coverage dispute fought to judgment. The policy ceased to exist, retroactively, as if Travelers had never issued it.

The implications for law firms are direct. Your application likely asked whether you use MFA for remote access, email, and administrative accounts. Whether you maintain encrypted backups. Whether you have an incident response plan. Whether you conduct employee security awareness training. Whether you perform vulnerability assessments. Every affirmative answer is a representation that your insurer will verify at claim time. And if the answer reflected aspiration rather than fact, the insurer’s response will mirror Travelers’: rescission. As this series explored in Your Password Is the Weakest Link in Your Security Chain, 95% of data breaches involve human error, and passwords remain the primary point of failure. The MFA question on your insurance application is not hypothetical. It connects directly to the credential vulnerabilities that this blog has documented across multiple posts.

Cyber insurance policies typically contain several categories of conditions that law firms need to understand before a breach forces the education.

Prerequisite controls. These are security measures the insurer requires as a condition of coverage. MFA is the most common, but policies increasingly mandate endpoint detection and response software, regular patching schedules, and offline or immutable backups. If these controls are not in place when the breach occurs, the insurer denies the claim regardless of how the breach happened.

Notification timelines. Many policies require notification to the insurer within 48 to 72 hours of discovering an incident, or “as soon as practicable.” Waiting to “assess the situation” before calling your carrier can jeopardize coverage before the investigation begins. The insurer needs to approve forensic vendors, legal counsel, and remediation steps. Engaging your own team first without carrier approval often results in costs the insurer refuses to reimburse.

Cooperation clauses. Policies require the insured to cooperate fully with the insurer’s investigation, preserve evidence, and follow the insurer’s approved remediation process. Firms that wipe systems, restore from backups without forensic imaging, or attempt to handle the breach internally before involving the carrier risk losing coverage for the entire event.

Exclusions. Common exclusions include losses resulting from unpatched known vulnerabilities, insider threats, acts of war (an exclusion whose scope remains contested even after Merck’s litigation), prior known incidents not disclosed on the application, and social engineering attacks unless the firm purchased a specific endorsement. The exclusion list in a typical cyber policy runs several pages. Most policyholders have not read it.

The Documentation Trap

The pattern that emerges from denied claims is consistent: organizations believed they had security controls in place but could not prove it when the insurer asked for evidence.

This is the documentation trap. Implementing MFA is not enough. You need a record showing when you deployed MFA, which systems it covers, and when you last verified it. Conducting security awareness training is not enough. You need attendance logs, training content records, and evidence of phishing simulation results. Running vulnerability scans is not enough. You need dated reports showing findings and, critically, evidence of remediation actions taken in response.

The insurer’s claim investigation will request documentation across several categories. What you cannot produce, you effectively did not do.

Security governance documentation. Written security policies, acceptable use policies, data classification standards, and the dates they last received review and approval. An undated Word document on a shared drive does not constitute a governance framework.

Control implementation evidence. Configuration screenshots, system logs, or vendor reports confirming that required controls (MFA, EDR, encryption, patching) remained active at the time of the breach. If your MFA provider’s admin console shows that three partners carried exemptions, that is a compliance gap the insurer will find.

Risk assessment records. Dated vulnerability assessments, penetration test reports, and documented remediation timelines. A risk assessment that identified critical vulnerabilities six months before the breach, with no evidence of remediation, is evidence against your claim, not for it.

Incident response plan and testing records. A written plan is the minimum. Insurers increasingly expect evidence of tabletop exercises or simulated incident drills. The ABA’s 2023 survey found that only 34% of firms have an incident response plan. The percentage that have tested that plan is almost certainly lower.

Training records. Employee security awareness training completion records, phishing simulation results, and evidence that training occurred within the policy period. Annual training completed 14 months before the breach may not satisfy a policy condition requiring training “within the preceding 12 months.”

Vendor management documentation. Third-party risk assessments, vendor security questionnaires, and evidence of due diligence on cloud providers, IT managed service providers, and any vendor with access to client data. The New York City Bar Association’s Formal Opinion 2024-3 specifically addressed the obligation to conduct due diligence on third-party vendors who store or transmit client data.

The Numbers That Should Concern You

Industry data from 2024 and 2025 quantifies the gap between coverage and collection.

The Fitch Ratings figure cited above, nearly one in four 2024 claims failing to meet coverage requirements, is the narrow measure. Industry analyses tracking broader denial categories, including misrepresentation, delayed notification, and documentation gaps, place overall denial rates above 40%. The most frequently cited denial grounds: misrepresentation on applications, failure to maintain required security controls, delayed notification to the carrier, and the inability to prove compliance at the time of the breach.

IBM’s 2024 Cost of a Data Breach Report found the average breach cost reached $4.88 million globally. For law firms specifically, the financial exposure extends beyond remediation costs to include malpractice liability, regulatory penalties, client notification expenses, and the business interruption losses that accumulate while systems sit offline and attorneys cannot bill. As this series documented in Why Hackers Target Law Firms, law firms concentrate the most sensitive information from multiple clients in one place, making them high-value targets. That concentration of sensitive data is precisely what drives insurers to classify the legal services sector among the highest-premium industries for cyber coverage.

The ABA’s 2023 Legal Technology Survey provides the law-firm-specific data points that insurers are also reading. Only 40% of firms carry cyber insurance. Only 34% have an incident response plan. Only 54% use MFA. Only 29% have had a full third-party security assessment. These numbers represent the baseline against which insurers calibrate their underwriting requirements. A firm that falls below these benchmarks is not just underinsured. It is underwriting its own claim denial.

The Ethics Overlay You Cannot Separate

Cyber insurance compliance and ethical compliance are not separate obligations. They converge on the same set of practices, and failure in one domain creates exposure in the other.

Model Rule 1.1 requires competent representation, which Comment 8 extends to understanding “the benefits and risks associated with relevant technology.” A firm that signs a cyber insurance application attesting to security controls it does not actually maintain has both a contract problem and a competence problem. The attestation reveals that the firm knows what controls the industry expects. The absence of those controls reveals that the firm has not implemented what it knows is required. This is the same competence gap this series has examined across email security, phone call encryption, and password management: attorneys who understand the risk in the abstract but fail to act on it in practice.

ABA Formal Opinion 483 requires reasonable efforts to monitor for breaches, stop intrusions, investigate scope, and notify affected clients. These are the same obligations that cyber insurance policies condition coverage on. An insurer that denies a claim because the firm lacked monitoring tools identifies the same gap that a bar disciplinary panel would identify under Rule 1.6(c).

Model Rule 5.1 extends supervisory responsibility to ensuring that lawyers within the firm conform to the Rules of Professional Conduct. Model Rule 5.3 extends similar obligations to nonlawyer assistants. When an insurer denies a claim because a staff member’s credentials were compromised in the absence of MFA, the firm faces a parallel question under Rules 5.1 and 5.3: who was responsible for ensuring that basic security measures covered everyone with access to client data?

The convergence creates a compounding problem. A firm that suffers a breach and cannot collect on its insurance policy faces the full financial exposure of remediation, notification, and potential litigation. That same firm then faces bar complaints questioning whether it maintained the security practices it was ethically obligated to maintain. The insurance claim denial becomes evidence in the ethics proceeding. The documentation gap that voided the policy is the same documentation gap that suggests a failure of competence.

What the Application Is Really Asking

Cyber insurance applications have grown substantially more detailed in recent years. Insurers no longer ask whether you “have” security measures. They ask for specifics that create verifiable, ongoing obligations.

A typical 2025 cyber insurance application asks questions across several domains. Each affirmative answer creates a representation that the insurer will test if you file a claim.

Identity and access management. Do you require MFA for all remote access, email access, and privileged/administrative accounts? Do you restrict and monitor service accounts? Do you enforce password policies with minimum complexity requirements? The answer must hold true across every system, not just the ones your IT staff remembers.

Endpoint protection. Do you deploy endpoint detection and response software on all endpoints, including servers? Does a security operations center or managed detection and response provider monitor endpoint agents? Do you patch operating systems and applications within a defined timeline (typically 30 days for critical patches)?

Backup and recovery. Do you maintain backups that you test regularly? Do you store backups offline, air-gapped, or in immutable storage that ransomware cannot encrypt? Can you restore critical systems within a defined recovery time objective?

Security awareness. Do you conduct security awareness training for all employees at least annually? Do you perform phishing simulations? Do you document completion rates and remediate for employees who fail?

Governance and planning. Do you have a written information security policy? Do you have an incident response plan? Have you conducted a risk assessment within the past 12 months? Have you designated an individual responsible for information security?

Each of these questions creates a thread the insurer can pull during claims investigation. If you answered yes to MFA but three partners carry exemptions, the thread unravels. If you answered yes to annual training but the last session occurred 18 months ago, the thread unravels. If you answered yes to an incident response plan but the plan has never survived a test or an update since someone first drafted it, the thread unravels.

The Continuous Compliance Problem

The most dangerous assumption law firms make about cyber insurance is that compliance is a point-in-time event. You fill out the application, check the boxes, and the policy takes effect. This misunderstands how insurers evaluate claims.

Insurers increasingly expect continuous compliance. The controls you attested to at application time must remain in place at the time of the breach. A firm that deployed MFA in January to satisfy the application but allowed exceptions to accumulate by March has a coverage gap, not a coverage period. Policies now include language requiring that security controls be “maintained throughout the policy period,” converting what once functioned as an application-time snapshot into an ongoing obligation.

Cyber insurers have also begun deploying real-time monitoring tools as part of their underwriting process. Carriers now offer premium discounts for firms that install monitoring agents reporting security posture data directly to the insurer. This eliminates the application’s reliance on self-reported questionnaires and creates a continuous data feed the insurer can reference at claim time. For firms that maintain strong controls, this works to their advantage. For firms whose security posture has degraded since the application, it functions as an automated evidence-gathering mechanism that builds the insurer’s case for denial.

The shift toward continuous monitoring also intersects with renewal cycles. Renewal applications now match initial applications in detail, with carriers requiring updated attestations and, in some cases, evidence of remediation for deficiencies identified during the prior policy period. A firm that ignores recommendations from its insurer’s risk assessment at renewal faces the same outcome Hamilton experienced: a claim denial rooted in a known, documented compliance gap.

The Counterargument: Are Insurers Just Looking for Exits?

A legitimate critique of the cyber insurance industry’s claim practices exists. Cybersecurity researcher Daniel Woods of the University of Edinburgh has argued that the narrative of routine denials for security hygiene failures overstates the problem. Woods has documented that the majority of reported coverage disputes involve policyholders claiming under general liability or property policies rather than dedicated cyber coverage, and that denials specifically tied to security control deficiencies occur less frequently in specialist cyber policies than the industry narrative suggests.

The critique carries weight. Insurers have financial incentives to deny claims, and ambiguous policy language sometimes creates legitimate disputes about whether a particular control deficiency actually caused the loss. The Merck case, in which insurers initially denied a $1.4 billion claim under a “war exclusion” before courts ruled in Merck’s favor, demonstrates that carriers will test aggressive denial theories.

But the counterargument has limits for law firms specifically. The trend line is clear: cyber insurance applications are becoming more specific, policy conditions are becoming more detailed, and insurers are investing in monitoring tools that eliminate the ambiguity on which policyholders might otherwise rely. Even if routine denials for security hygiene are less common than the industry suggests, the cases that do produce denials (Travelers v. ICS, Hamilton) involve circumstances common in law firms: partial MFA deployment, undocumented controls, and gaps between what the application says and what the firm actually does.

The practical answer is that debating whether insurers deny claims often enough to worry about is the wrong question. The right question is whether your firm can produce the documentation that makes a denial indefensible. If you can, the debate is academic. If you cannot, the debate is irrelevant.

Practice-Specific Implications

Solo and small firms. The documentation burden falls hardest on practices without dedicated IT staff. A solo practitioner who attests to annual security training, regular backups, and an incident response plan must prove all three. Consider engaging a managed service provider who can generate the compliance reports your insurer will request. The cost of outsourced documentation is a fraction of a denied claim.

Firms handling regulated data. Practices that touch healthcare data (HIPAA), financial records, or data subject to state privacy laws face overlapping compliance requirements that can satisfy insurance conditions if properly documented. A HIPAA risk assessment, for example, can serve dual duty as evidence of both regulatory compliance and insurance policy compliance, but only if it carries a date, a signature, and accompanying evidence of remediation. As the Email Privacy Illusion posts in this series examined, healthcare figured out secure communication years ago through patient portals. The same documentation discipline that HIPAA demands is what cyber insurers now expect.

Firms with remote or hybrid workforces. Remote access is a common attack vector and a common application question. If your policy requires MFA for all remote access and your firm permits attorneys to access systems from personal devices without MFA, you have both a security gap and a coverage gap. The shift to hybrid work expanded the attack surface. Make sure your insurance representations reflect how your firm actually operates, not how it operated before 2020.

What to Do Before Your Next Renewal

First, read your policy. Not the summary. Not the broker’s overview. The actual policy document, including every exclusion, every condition, and every definition. Pay particular attention to the definitions of “computer system,” “security event,” and “wrongful act.” These definitions determine the scope of coverage and can exclude entire categories of incidents that most attorneys would assume fall within coverage.

Second, audit your application answers. Pull the application you submitted and compare every answer to your firm’s current state. If you attested to MFA across all systems, verify that MFA remains active on every system with no exceptions. If you attested to regular backups, confirm that someone is testing backups. If any answer no longer reflects reality, disclose the change to your broker and carrier before a breach forces the discovery.

Third, build a compliance evidence repository. Create a centralized location (secured and backed up) where your firm maintains dated evidence of every security control your policy requires. MFA configuration exports. Patch management reports. Training completion records. Vulnerability scan results with remediation notes. Incident response plan versions with review dates. This repository is the document your firm will hand to the claims adjuster. If it does not exist, your claim has a problem before the adjuster opens the file.

Fourth, implement a documentation cadence. Quarterly, at minimum, document the state of every control your policy conditions. Monthly is better. The cadence should produce dated records that create a timeline of compliance. When the insurer asks whether MFA covered all systems on the date of the breach, you should be able to produce a report generated within 30 days of that date showing exactly which systems had MFA active, which accounts were enrolled, and which accounts carried exceptions.

Fifth, test your incident response plan. Conduct a tabletop exercise at least annually. Document the exercise, the participants, the scenario, and the findings. Update the plan based on the exercise results and document the updates. An untested plan is a hypothesis. A tested plan, documented with dated records, is evidence of reasonable preparation.

Sixth, align your engagement letters with your insurance requirements. If your policy requires notification to the carrier within 72 hours, your internal processes must support that timeline. Your engagement letters should address how the firm will handle breach notification to clients and clarify data retention policies that affect the scope of exposure if archived files suffer compromise.

Seventh, designate a responsible individual. Someone in the firm must own the relationship between your security posture and your insurance requirements. In larger firms, this may be a chief information security officer or a dedicated compliance role. In smaller firms, a managing partner or designated attorney must accept this responsibility. Model Rule 5.1 requires supervisory accountability. Your insurer requires a point of contact. These obligations converge on the same person.
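The third and fourth steps above (the evidence repository and the documentation cadence) come down to one recurring task: turn an identity-provider export into a dated, tamper-evident record that answers the adjuster’s question about MFA coverage. The script below is an added example, not code from the original post or from LexAxiom. The export field names, the policy wording, the sample accounts and the 30-day currency window are constructed assumptions for the example; map your own provider’s user export onto the fields shown.

```python
"""Dated, self-verifying MFA-coverage snapshot for a compliance evidence repository.

Added example, not from the original post. The record layout below is an
assumption, not any identity provider's schema; flatten your IdP's export
into one dict per account with these fields before calling the functions.
"""
import hashlib
import json

# Wording of the policy condition being evidenced (assumed for the example).
POLICY_CONDITION = "MFA required for all remote access, email and privileged accounts"

# Constructed sample export: five accounts, two of which are in scope but not enrolled.
SAMPLE_EXPORT = [
    {"user": "jsmith", "role": "partner", "privileged": False, "remote_access": True,
     "email": True, "mfa_enrolled": True, "exception": None},
    {"user": "alee", "role": "partner", "privileged": True, "remote_access": True,
     "email": True, "mfa_enrolled": False, "exception": "partner opt-out, 2024-11"},
    {"user": "mchen", "role": "paralegal", "privileged": False, "remote_access": True,
     "email": True, "mfa_enrolled": True, "exception": None},
    {"user": "it-admin", "role": "admin", "privileged": True, "remote_access": False,
     "email": False, "mfa_enrolled": False, "exception": None},
    {"user": "svc-scanner", "role": "service", "privileged": False, "remote_access": False,
     "email": False, "mfa_enrolled": False, "exception": None},
]


def mfa_required(account: dict) -> bool:
    """An account is in scope if it has remote, email or privileged access."""
    return bool(account["remote_access"] or account["email"] or account["privileged"])


def assess_mfa_coverage(accounts: list) -> dict:
    """Count in-scope accounts and list every gap, so 'MFA everywhere' is a checked fact."""
    in_scope = [a for a in accounts if mfa_required(a)]
    gaps = [
        {"user": a["user"], "role": a["role"], "privileged": a["privileged"],
         "exception": a["exception"]}
        for a in in_scope
        if not a["mfa_enrolled"]
    ]
    return {
        "in_scope": len(in_scope),
        "covered": len(in_scope) - len(gaps),
        "gaps": gaps,
        "fully_compliant": not gaps,
    }


def _digest(payload: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible later.
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_evidence_record(accounts: list, generated_at: str, source: str) -> dict:
    """Wrap an assessment in a dated record whose hash detects later edits.

    generated_at is an ISO-8601 date or timestamp string, e.g. "2025-02-01T09:00:00+00:00".
    """
    body = {
        "condition": POLICY_CONDITION,
        "source": source,
        "generated_at": generated_at,
        "assessment": assess_mfa_coverage(accounts),
    }
    return {"body": body, "sha256": _digest(body)}


def verify_evidence_record(record: dict) -> bool:
    """Recompute the hash; False means the stored body no longer matches what was signed off."""
    return _digest(record["body"]) == record["sha256"]


def snapshot_is_current(record: dict, incident_date: str, max_age_days: int = 30) -> bool:
    """True if the record predates the incident by at most max_age_days (the cadence the text recommends)."""
    from datetime import date
    generated = date.fromisoformat(record["body"]["generated_at"][:10])
    age = (date.fromisoformat(incident_date) - generated).days
    return 0 <= age <= max_age_days


if __name__ == "__main__":
    rec = build_evidence_record(SAMPLE_EXPORT, "2025-02-01T09:00:00+00:00",
                                "constructed sample export")
    print(json.dumps(rec, indent=2))
```

Run it on a real export and file the JSON (with its hash) in the repository each cycle; the `gaps` list is the same list the adjuster will reconstruct from your admin console, so it is better that you see the two unenrolled privileged accounts first.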

The Cost of Getting This Wrong

Hamilton’s $18.3 million recovery bill is instructive, but the cost structure for law firms differs in ways that amplify the damage.

A law firm that suffers a breach and cannot collect on its insurance faces direct costs (forensic investigation, system restoration, notification, credit monitoring) that can reach seven figures for even a midsize practice. But the indirect costs are where the exposure compounds. Malpractice claims from clients whose data the breach exposed. Bar complaints questioning the firm’s technology competence. Loss of clients who conclude the firm cannot protect sensitive information. Increased insurance premiums at renewal, assuming the firm can obtain coverage at all after a claim denial. Potential regulatory exposure under state notification statutes if the breach affected clients in jurisdictions with mandatory timelines.

The Travelers v. ICS outcome illustrates the worst case. The claim was not merely denied. The policy was rescinded from inception, by stipulation, as if Travelers had never issued it. ICS faced no coverage, no recourse, and a ransomware attack to remediate out of pocket. For a law firm, add the reputational damage of a breach becoming public knowledge combined with the disclosure that the insurer rescinded the firm’s policy because of misrepresentations about its own security practices. That combination is existential for a small or midsize practice.

The Contract You Already Signed

Cyber insurance is not a passive risk transfer. It is an active contractual relationship that imposes ongoing obligations, requires continuous compliance, and demands documentation that most law firms are not producing.

The firms that will collect on their policies after a breach are the firms that treated the insurance application as a compliance roadmap, built evidence repositories to support their attestations, and maintained documentation cadences that create an auditable trail of reasonable security practices. The firms that will not collect are the firms that treated the application as a formality, attested to controls they had partially implemented, and assumed the policy would pay because the premium cleared.

Hamilton paid its premiums. So did ICS. Neither collected when it mattered. The difference between a policy that pays and a policy that does not is not the premium. It is the evidence.

Your insurer is not your adversary. But your insurer is your counterparty. The policy document defines the relationship. If you have not read it, you do not know what you agreed to. If you cannot prove compliance, you agreed to nothing that will protect you.

The next breach is not a question of if. Neither is the next claim investigation. The only question is whether your documentation will survive it.

This blog provides general information for educational purposes only and does not constitute legal advice. Consult qualified counsel for advice on specific situations.

About the Author

JD Morris is Co-Founder and COO of LexAxiom. With over 20 years of enterprise technology experience and credentials including an MLS from Texas A&M, MEng from George Washington University, and dual MBAs from Columbia Business School and Berkeley Haas, JD focuses on the intersection of legal technology, cybersecurity, and professional responsibility.


References

ABA Model Rules of Professional Conduct, Rules 1.1 (Comment 8), 1.4, 1.6(c) (Comment 18), 5.1, 5.3

ABA Standing Committee on Ethics and Professional Responsibility, Formal Opinion 483 (October 17, 2018): Lawyers’ Obligations After an Electronic Data Breach or Cyberattack

ABA Standing Committee on Ethics and Professional Responsibility, Formal Opinion 477R (May 22, 2017)

New York City Bar Association, Formal Opinion 2024-3: Ethical Obligations Relating to a Cybersecurity Incident (August 2024)

American Bar Association, 2023 Legal Technology Survey Report, Technology Basics & Security Volume

American Bar Association, 2024 Legal Technology Survey Report

Travelers Property Casualty Company of America v. International Control Services, Inc., No. 22-cv-2145 (C.D. Ill. 2022), Stipulation and Order of Dismissal with Prejudice (August 26, 2022)

City of Hamilton, Ontario, Cybersecurity Incident Costing Update, Reports CM24005(b), CM25007, CM25008 (July 30, 2025)

CBC News, “Lack of 2-step log-in system a ‘root cause’ of Hamilton cyberattack, says report as $5M in claims denied” (July 31, 2025)

Merck & Co., Inc. v. Ace American Insurance Co., No. UNN-L-2682-18 (N.J. Super. Ct. 2024), settlement resolving $1.4 billion coverage dispute

IBM Security & Ponemon Institute, “Cost of a Data Breach Report 2024,” IBM (July 2024)

Fitch Ratings, Cyber Insurance Claims Data, 2024 (as cited in industry reporting)

Daniel Woods, “Where Are the Insurance Disputes over Cyber Hygiene?” University of Edinburgh (2024)

Howden Group, “Cyber Insurance: The Market in 2024” (2024)

Lockton Companies, “Travelers v. ICS Underscores Need to Respond Carefully to Cyber Insurance Application Questions” (2022)

Heritage Company Ransomware Incident (2019), coverage dispute with Corvus Insurance

Woodruff Sawyer, 2024 Annual Cyber Insurance Carrier Poll

NIST Cybersecurity Framework 2.0, NIST CSWP 29 (February 2024)

Perkins Coie LLP, “2025 Breach Notification Law Update” (October 2025)
