Ask a law firm one question before you write the policy. Does it run a cybersecurity program, and what framework does it follow? That is the first thing Jason Griffin, VP of Cybersecurity Services at Integris, would want to know.
“Do you have a cybersecurity program, and what is it aligned to?” Griffin said. The answer reveals most of the risk story in a single reply.
Griffin says he sees underwriters moving the same way. Cyber liability insurers and third-party vendor assessments now focus on frameworks and programs, not checklists. A firm that names its standard tells you it has thought about defense. A firm that cannot is a different bet.
What the New Data Shows
Integris, a managed services firm, surveyed 416 law firm decision makers and 600 law firm clients in late 2025 and early 2026. The findings from decision makers are stark. Among surveyed firms, 63% reported a significant email-based breach in the past year. Another 57% reported a mobile-device breach.
Read those numbers with care. The firm sample covers firms that outsource IT to a managed provider. Griffin found the email number unsurprising. The mobile figure surprised him. Business email compromise remains the most common path he sees into a firm. “Artificial intelligence has given the cyber criminals the ability to query and inspect these mailboxes to find those high-confidence email threads,” said Griffin.
Those “high-confidence” threads matter because the recipient already trusts them. Users expect to see links in them, so a message slipped into one arrives with built-in “urgency” and a ready reason to act.
How the Breaches Actually Happen
The attack method matters for underwriting. Griffin describes a pattern that has sharpened recently.
Attackers compromise one trusted account and its “high-confidence email” threads. AI then helps them query the mailbox and find live threads with money or deadlines at stake, which are the threads where a phishing link is least likely to be questioned.
They insert a malicious SharePoint or OneDrive link into a thread the recipient already expects. The victim clicks because the action fits the conversation.
Griffin frames the root problem simply. “You can technically control a mailbox,” he said. “You cannot technically control the fingers on the keyboard or the mouse.” The tools harden, but people stay clickable.
This connects directly to the wire fraud and business email compromise exposure that already drives malpractice claims against firms. One known-good identity becomes the key to the next.
Griffin adds a warning that should change the underwriting language. He built a test rig that captures credentials and multi-factor authentication tokens. Attackers inject a stolen token into a browser and connect from an outside device. Basic MFA no longer closes the door. Underwriters should ask for phishing-resistant MFA, properly installed and used.
Why Detection Fails at Many Firms
Griffin draws a sharp line between firms that can see an attack and firms that cannot.
If a firm is not defensible, its first alert is not a security tool. As Griffin put it, the indicator of compromise becomes “one of your clients calling you to challenge an email that they’ve received.” By then, the attacker has already moved.
He aligns clients to the CIS Controls, currently version 8. The framework uses implementation groups that build maturity in stages. It rewards a solid foundation before advanced steps. This is the kind of tested program and incident-response readiness that lowers both losses and premiums.
The Ransom Math Underwriters Should Note
Griffin offered one detail that ties cybercrime directly to insurance limits. He has watched attackers scan a network “to find the underwritten insurance policy so that they know how much money they can extort,” he said. They want to know the coverage before they set a demand.
The policy limit can become the ransom ceiling. Professional services firms make better targets because the expected payout is higher than that of a small retailer. Law firms hold patents, contracts, and privileged files that carry real dollar value.
Griffin also wants readers to drop the basement-hacker image. These crews are organized in tiers, and the operators “punch a clock,” he said. Cybercrime now runs like a business, which is why it scales.
Professionalism comes with an upside, we suppose, even when dealing with criminals. Griffin said, in his experience, ransomware crews tend to deliver on their word and restore data after payment.
The Client Pressure Is Real
The client survey adds a business case that underwriters can use. Among clients, 83% said a firm’s technology sophistication affects their confidence. Another 35% have switched or considered switching due to technology or operational problems, not legal quality.
Griffin’s view fits the data. He argues firms should provide secure portals with encryption, identity controls, and multi-factor authentication. Clients cannot send secure email from a personal account. The duty sits with the firm.
For brokers, that client pressure is a selling point. Strong controls protect the client relationship as much as the balance sheet.
What This Means for the Market
The takeaway for carriers and brokers is direct. The breach rate is high, the attack method now defeats basic MFA, and AI has lowered the cost of a convincing lure.
Underwriters who ask about programs and frameworks will price risk better than those who count tools. Firms that can name their standard and show a tested response plan deserve better terms. The rest carry a quiet, growing exposure.
FAQ – Law Firm Cybersecurity
What should underwriters ask a law firm first?
Whether the firm runs a cybersecurity program and what framework it follows. Integris VP Jason Griffin says that one question reveals most of the risk story. A firm that names a standard has thought about defense.
How common are breaches at law firms?
In the Integris 2026 survey, 63% of responding firms reported a significant email-based breach in the past year, and 57% reported a mobile-device breach. The sample covered firms that outsource IT, so the figures signal high exposure rather than a market-wide rate.
Why is basic MFA no longer enough?
Attackers now capture multi-factor authentication tokens and inject them into a browser from an outside device. Griffin demonstrated this with a test rig. Underwriters should require phishing-resistant MFA that is installed and used correctly.
How does AI change business email compromise?
AI lets attackers scan a compromised mailbox, find live threads with money or deadlines at stake, and insert a malicious link into a conversation the victim already expects. The lure fits the thread, so it works.
Do ransom demands relate to cyber insurance limits?
Yes. Griffin says criminals scan a victim’s network to find the cyber policy before setting a demand. The coverage limit can shape the ransom, so firms should control who can see policy details.
What framework do firms use to mature their security?
Griffin aligns clients to the CIS Controls, version 8. It uses implementation groups that build maturity in stages and rewards a strong foundation before advanced steps.