Law firms are high-value targets for cyberattacks. Client trust accounts, M&A data, litigation strategy -- the data firms hold is worth more than most firms realize. Adding AI to the mix changes your cyber risk profile in ways most insurance policies weren't written to address.
Cyber insurance underwriters are paying attention. Some are asking about AI use on applications. Others are excluding AI-related incidents from coverage entirely. If your firm uses AI and hasn't reviewed your cyber insurance policy in the last 12 months, you have a gap you don't know about.
How AI Changes Your Firm's Cyber Risk Profile
AI introduces three new risk vectors that traditional cyber policies may not cover. First, data exfiltration through AI tools. When an attorney inputs client data into an AI tool, that data travels to the AI provider's servers. If the provider is breached, your client data is exposed through a third party you chose to use. Second, AI-generated errors in legal work product. If a hallucinated citation or incorrect legal analysis causes client harm, is that a cyber incident or a malpractice claim? The answer matters because different policies cover each. Third, adversarial AI attacks. Prompt injection, model manipulation, and AI-powered phishing are emerging threats that most cyber policies don't specifically address. The risk isn't theoretical -- it's here.
What Your Cyber Policy Probably Covers (and Doesn't)
Most cyber insurance policies cover data breaches, ransomware, business interruption from cyber events, and regulatory fines. They typically cover third-party liability if client data is exposed. But here's where AI creates gaps: AI vendor breaches may fall under third-party risk exclusions unless your policy specifically covers cloud service provider incidents. AI-generated work product errors are typically excluded from cyber policies and may also fall outside your malpractice policy if the carrier argues the error was caused by technology, not professional judgment. The most dangerous gap: many policies have a 'known vulnerability' exclusion. If you're using free-tier AI tools that you know don't protect data, and a breach occurs, your carrier might argue you knowingly accepted the risk.
Questions to Ask Your Insurance Broker Today
1. Does our cyber policy cover data breaches at third-party AI providers we use for legal work?
2. Are AI-related errors in work product covered under our professional liability/malpractice policy, our cyber policy, or neither?
3. Does our policy have exclusions for 'emerging technology' or 'artificial intelligence' that could void coverage?
4. Are we required to disclose AI tool usage on our next renewal application?
5. Does our policy cover regulatory fines related to AI ethics violations (like sanctions for AI-generated filings)?
If your broker can't answer these questions clearly, you need a broker who specializes in law firm insurance. The cyber insurance market for law firms is specialized enough that generalist brokers miss critical coverage gaps.
Building an AI-Aware Insurance Strategy
Step 1: Inventory your AI tools. List every AI tool used at the firm, whether it's firm-sanctioned or not. Include the data tier (free vs. enterprise), data handling practices, and which attorneys use it. This inventory is what your insurer will want to see.
Step 2: Align your AI policy with your insurance requirements. If your cyber policy excludes free-tier AI tools, your firm policy should prohibit them. If your malpractice carrier requires AI disclosure in filings, your firm should mandate it.
Step 3: Request AI-specific endorsements. Some carriers now offer AI endorsements that explicitly cover AI-related incidents. They cost 5-15% more on premium but close the coverage gaps.
Step 4: Document everything. Keep records of your AI policy, training sessions, tool approvals, and incident responses. Insurers reward firms that demonstrate proactive risk management with better terms.
The Market in 2026: Where Cyber Insurance Is Heading
Carriers are tightening. After paying massive ransomware claims from 2020-2024, the cyber insurance market hardened. AI is the next frontier of underwriting scrutiny. Expect AI-specific questions on renewal applications by late 2026 if they're not there already. Expect premium increases for firms without AI governance policies. And expect some carriers to offer premium discounts for firms that demonstrate responsible AI use -- enterprise tools, written policies, mandatory training, and verified citation workflows. The firms that get ahead of this curve will pay less for better coverage. The firms that ignore it will discover their gaps when they file a claim.
The Bottom Line
AI changes your cyber risk profile in ways your current insurance probably doesn't cover. Review your cyber and malpractice policies for AI-related gaps now -- before you need to file a claim. The conversation with your broker takes 30 minutes. The consequences of an uninsured AI incident last years.
AI-Assisted Research. This piece was researched and written with AI assistance, reviewed and edited by Manu Ayala.
