Law Firm Risk, Explained

Your Malpractice Policy Was Never Built for a Breach

Legal professional liability protects your clients from your mistakes. It does not protect your firm from an attack. This page maps where the malpractice contract stops, what a breach actually costs, and how the standalone cyber policy carries the difference.

Independent Texas brokerage serving Houston, Spring, The Woodlands, and the greater Houston metro. Local broker. National infrastructure.

The Assumption That Costs Firms

Two Contracts, One Seam, and a Quiet Assumption

Most firm owners carry strong malpractice coverage and assume it reaches further than it does. The assumption is understandable. Both policies live in the same drawer, both came from the same renewal season, and nobody ever walked the boundary between them.

The boundary is simple once someone draws it. Legal professional liability responds to claims that your legal work harmed a client. A cyber policy responds when your systems, your data, or your money come under attack. A breach is not a malpractice claim, so the costs it creates, the forensic team, the breach counsel, the client notifications, the downtime, land outside the malpractice contract unless a cyber policy is standing there to catch them.

A breach does not accuse you of bad lawyering. It just takes everything your good lawyering built.

For a firm that holds client files, moves settlement funds, and answers to bar ethics duties, the seam between these two contracts is the single most consequential page of the program. That is the page we read first.

The Pattern, Step by Step

How the Headcount Gap Forms

No one decides to be underinsured. The gap assembles itself over a few good years. Here is the sequence we see on review after review.

  1. The policy is born at a snapshot

    Limits and pricing are set around the headcount, structure, and payroll the firm had on the day the application was signed. That snapshot is accurate for exactly one season of the firm's life.

  2. The firm outgrows the snapshot

    Attorneys are added. Staff and paralegals follow. Every new name raises the count of potential claimants and the size of a potential dispute, while the limit stands still.

  3. Transitions raise the stakes

    Partnership changes, lateral departures, and compensation restructures are the seasons when employment claims actually surface. They are also the moments nobody thinks to call about insurance.

  4. Renewal renews the number

    The invoice arrives, the premium looks reasonable, and the policy renews. Pricing gets reviewed every year. The limit question, whether the number still fits the firm, often goes unasked for a decade.

  5. The claim is priced at today's firm

    When a claim arrives, it reflects the firm you are now. Today's headcount, today's payroll, today's partnership. The mismatch between that claim and the old limit is the gap, and it only ever shows itself at the worst time.

The fix costs a meeting, not a crisis. An annual limit review tied to headcount and structure is the whole discipline, and it is the broker’s job to bring it up before a claim does. The five growth signals that trigger it are walked through at five signs your law firm has outgrown its insurance.

Law Firm Cyber, The McDade Way

Direct Answers for Firm Owners

Does professional liability cover cyber attacks?

Generally no. Legal professional liability responds to claims that your legal work harmed a client. The forensic investigation, breach notification, ransomware response, and lost billable time after an attack typically fall outside it. A standalone cyber policy is built to carry those costs.

What should a law firm cyber policy include?

Breach response and forensics, breach counsel and client notification, privacy and regulatory defense, ransomware and cyber extortion coverage, business interruption for lost billable capacity, and a social engineering fraud endorsement sized to the wires the firm sends. Each part carries its own limit or sublimit, and the numbers matter more than the label.

Why do law firms need cyber insurance?

Law firms concentrate exactly what attackers want. Client records, deal information, litigation files, and settlement funds, often behind smaller security budgets than the corporations they represent. Bar ethics duties then require a real response when something goes wrong. The policy is what funds meeting those duties without draining the firm.

The Duties That Do Not Wait

The Bar Has Already Told You What a Breach Requires

A law firm breach is not just an IT event. It is an ethics event, and the profession has written the expectations down.

  1. Confidentiality is the standing duty

    ABA Model Rule 1.6 requires reasonable efforts to prevent unauthorized access to client information, and Texas lawyers carry parallel confidentiality duties under the state disciplinary rules. Safeguarding data is treated as part of practicing law, not an optional upgrade.

  2. Opinion 483 governs the aftermath

    ABA Formal Opinion 483 addresses a lawyer's obligations after an electronic data breach, including reasonable steps to respond and a duty to notify current clients when material client information is compromised. The notification work it describes, breach counsel, letters, and communication, is precisely what a cyber policy funds.

  3. Clients are asking before regulators do

    Corporate clients increasingly require security questionnaires, third party assessments, and proof of cyber coverage before sending work. For a growing firm, coverage has quietly become a business development document as much as a protection.

  4. The duties exist either way

    Nothing above depends on whether you bought a policy. The duties arrive with the breach. Insurance decides whether meeting them is funded by a carrier's response team or by the firm's own reserves and weekends.

McDade is an insurance brokerage, not a law firm, and nothing here is legal advice on your professional responsibilities. We fund the response. Your ethics counsel guides it.

Inside the Contract

What a Law Firm Cyber Policy Actually Carries

Six coverage parts do the real work. Each one carries its own limit or sublimit, which is why two policies with the same headline number can behave completely differently at claim time.

Breach Response and Forensics

The investigation that determines what happened, what was taken, and whether it is over. Usually the first dollars spent and the foundation every other duty stands on.

Breach Counsel and Notification

Specialized counsel, client notification, and credit monitoring. This is the part that funds the Opinion 483 work when client information is compromised.

Ransomware and Cyber Extortion

Response teams, negotiation support, and coverage for extortion demands when case files and systems are locked. Paired with backups, it is the difference between an incident and a shutdown.

Business Interruption

Replaces income lost while systems are down. For a firm, that means the billable hours that never happen while email, files, and billing are being rebuilt.

Privacy and Regulatory Defense

Defends claims from affected individuals and responds to regulatory inquiries into how data was handled, including defense costs and covered penalties where insurable.

Social Engineering Fraud

The endorsement for deceived wire transfers, with its own sublimit and verification conditions. Sized wrong, it is the most expensive small number on the policy.

The Evidence

The Numbers Behind the Boundary

1 in 3

Share of law firms reporting a security breach at some point in the American Bar Association's technology survey, with about 19 percent more unsure whether one had ever occurred.

Source: ABA 2023 Legal Technology Survey Report

$4.45 Million

Global average cost of a data breach, with professional services firms averaging above the all-industry figure.

Source: IBM Cost of a Data Breach Report, cited by the State Bar of Texas

$16.6 Billion

Losses reported to the FBI Internet Crime Complaint Center in 2024, a record year, up 33 percent from the year before.

Source: FBI IC3 2024 Internet Crime Report

Scale those numbers to your firm. The honest measure is not a headline average. It is your records, your trust account activity, and the billable weeks a rebuild would consume, held against the limits and sublimits actually printed in your policy.

Sizing the Policy

Right Sized to the Firm You Run Today

Cyber limits are not a guess and not a default. Five inputs drive the number, and every one of them changes as the firm grows.

The exposure inputs

What Sets the Limit

The volume and sensitivity of the records you hold, the funds moving through your accounts, the practice areas you serve, the security requirements in your client engagement agreements, and your firm's realistic downtime cost per week. We work through each one in the review and match the limits to the answers.

The pricing levers

What Moves the Quote

Multifactor authentication, tested backups, a written wire verification procedure, and security training move pricing more than any other inputs. Commercial reviews at McDade route to Dallas Downey, CLCS, who quotes across our carrier bench and shows you how each control changes the number before you commit to anything.

Cyber is one seat at a larger table. The full coordinated program lives at our Houston law firm insurance hub, alongside law firm EPLI.

Questions Firm Owners Ask

Law Firm Cyber Questions, Answered Plainly

What is the difference between legal professional liability and cyber insurance?

Legal professional liability responds when your legal work is alleged to have harmed a client. Cyber insurance responds when your systems, your data, or your funds are attacked. A breach is not a malpractice claim, so the forensic investigation, client notification, and recovery costs it creates typically fall outside the malpractice policy. The two contracts are designed to meet at a boundary, and that boundary needs to be read, not assumed.

What does cyber insurance cover for a law firm?

A well structured law firm cyber policy funds the forensic investigation, breach counsel, client notification, and credit monitoring after an incident, defends privacy and regulatory claims, responds to ransomware and cyber extortion, and replaces income lost while systems are down. A social engineering fraud endorsement can be added for deceived wire transfers. Each part carries its own limit or sublimit, which is why the policy has to be read as a set of numbers, not a label.

Is cyber insurance required for law firms in Texas?

No Texas law requires it for most firms, but the pressure comes from three directions. Ethics guidance treats reasonable data safeguards as part of a lawyer's duties, corporate clients increasingly require proof of cyber coverage in engagement agreements, and lenders and vendors ask for it in contracts. For a growing firm, the practical answer is that the market requires it before the law does.

Is the cyber endorsement on our malpractice policy enough?

Sometimes, but read the numbers before relying on it. Endorsements attached to a professional liability policy often carry low sublimits, narrower definitions, and fewer response services than a standalone cyber policy. For a firm that holds client data and moves settlement funds, the endorsement is frequently a fraction of the real exposure. The comparison is a document review we do side by side.

What happens if ransomware locks our case files before a deadline?

A standalone cyber policy typically brings a response team, negotiators, forensic support, and coverage for the extortion demand and the income lost while systems are down. What no policy can do is move a filing deadline, which is why carriers and bar associations both push firms toward tested backups and an incident response plan. Coverage funds the recovery. Preparation protects the practice.

What do ABA rules require after a law firm data breach?

ABA Formal Opinion 483 addresses a lawyer's obligations after an electronic data breach, including reasonable efforts to respond and a duty to notify current clients when material client information is compromised. Texas lawyers also carry confidentiality duties under the disciplinary rules. Those duties exist whether or not you carry insurance. The policy is what pays for meeting them.

How much does cyber insurance cost for a Houston law firm?

Pricing depends on revenue, the volume and sensitivity of the records you hold, the funds that move through your accounts, your claims history, and your controls. Multifactor authentication, tested backups, and a written verification procedure are the levers that move quotes the most. We quote across our carrier bench and show you how each control changes the number.

Can McDade review the cyber coverage we already have?

Yes, and that is where we usually start. We read the policy you carry today, map where it stops against your malpractice coverage, check the sublimits against your real exposure, and tell you plainly if it holds up. About 40 percent of the time we tell clients to stay with their current carrier because that is the right answer.

Proof From the People We Serve

What Houston Clients Say

The Next Step

Read the Boundary Before a Breach Does

Send us the malpractice and cyber policies you carry today. We will draw the line between them, check every sublimit against the firm you actually run, and walk you through the seams in plain English. If the program holds up, you will hear exactly that.

Commercial reviews route to our commercial desk and follow your calendar, not ours.