Law Firm Risk, Explained
Your Malpractice Policy Was Never Built for a Breach
Legal professional liability protects your clients from your mistakes. It does not protect your firm from an attack. This page maps where the malpractice contract stops, what a breach actually costs, and how the standalone cyber policy carries the difference.
Independent Texas brokerage serving Houston, Spring, The Woodlands, and the greater Houston metro. Local broker. National infrastructure.
The Assumption That Costs Firms
Two Contracts, One Seam, and a Quiet Assumption
Most firm owners carry strong malpractice coverage and assume it reaches further than it does. The assumption is understandable. Both policies live in the same drawer, both came from the same renewal season, and nobody ever walked the boundary between them.
The boundary is simple once someone draws it. Legal professional liability responds to claims that your legal work harmed a client. A cyber policy responds when your systems, your data, or your money come under attack. A breach is not a malpractice claim, so the costs it creates (the forensic team, the breach counsel, the client notifications, the downtime) land outside the malpractice contract unless a cyber policy is standing there to catch them.
For a firm that holds client files, moves settlement funds, and answers to bar ethics duties, the seam between these two contracts is the single most consequential page of the program. That is the page we read first.
The Pattern, Step by Step
How the Headcount Gap Forms
No one decides to be underinsured. The gap assembles itself over a few good years. Here is the sequence we see on review after review.
- The policy is born at a snapshot. Limits and pricing are set around the headcount, structure, and payroll the firm had on the day the application was signed. That snapshot is accurate for exactly one season of the firm's life.
- The firm outgrows the snapshot. Attorneys are added. Staff and paralegals follow. Every new name raises the count of potential claimants and the size of a potential dispute, while the limit stands still.
- Transitions raise the stakes. Partnership changes, lateral departures, and compensation restructures are the seasons when employment claims actually surface. They are also the moments nobody thinks to call about insurance.
- Renewal renews the number. The invoice arrives, the premium looks reasonable, and the policy renews. Pricing gets reviewed every year. The limit question, whether the number still fits the firm, often goes unasked for a decade.
- The claim is priced at today's firm. When a claim arrives, it reflects the firm you are now: today's headcount, today's payroll, today's partnership. The mismatch between that claim and the old limit is the gap, and it only ever shows itself at the worst time.
The fix costs a meeting, not a crisis. An annual limit review tied to headcount and structure is the whole discipline, and it is the broker's job to bring it up before a claim does. The five growth signals that trigger it are walked through in "Five Signs Your Law Firm Has Outgrown Its Insurance."
Law Firm Cyber, The McDade Way
Direct Answers for Firm Owners
Does professional liability cover cyber attacks?
Generally no. Legal professional liability responds to claims that your legal work harmed a client. The forensic investigation, breach notification, ransomware response, and lost billable time after an attack typically fall outside it. A standalone cyber policy is built to carry those costs.
What should a law firm cyber policy include?
Breach response and forensics, breach counsel and client notification, privacy and regulatory defense, ransomware and cyber extortion coverage, business interruption for lost billable capacity, and a social engineering fraud endorsement sized to the wires the firm sends. Each part carries its own limit or sublimit, and the numbers matter more than the label.
Why do law firms need cyber insurance?
Law firms concentrate exactly what attackers want: client records, deal information, litigation files, and settlement funds, often behind smaller security budgets than the corporations they represent. Bar ethics duties then require a real response when something goes wrong. The policy is what funds meeting those duties without draining the firm.
The Duties That Do Not Wait
The Bar Has Already Told You What a Breach Requires
A law firm breach is not just an IT event. It is an ethics event, and the profession has written the expectations down.
- Confidentiality is the standing duty. ABA Model Rule 1.6 requires reasonable efforts to prevent unauthorized access to client information, and Texas lawyers carry parallel confidentiality duties under the state disciplinary rules. Safeguarding data is treated as part of practicing law, not an optional upgrade.
- Opinion 483 governs the aftermath. ABA Formal Opinion 483 addresses a lawyer's obligations after an electronic data breach, including reasonable steps to respond and a duty to notify current clients when material client information is compromised. The notification work it describes (breach counsel, letters, and communication) is precisely what a cyber policy funds.
- Clients are asking before regulators do. Corporate clients increasingly require security questionnaires, third-party assessments, and proof of cyber coverage before sending work. For a growing firm, coverage has quietly become a business development document as much as a protection.
- The duties exist either way. Nothing above depends on whether you bought a policy. The duties arrive with the breach. Insurance decides whether meeting them is funded by a carrier's response team or by the firm's own reserves and weekends.
McDade is an insurance brokerage, not a law firm, and nothing here is legal advice on your professional responsibilities. We fund the response. Your ethics counsel guides it.
Inside the Contract
What a Law Firm Cyber Policy Actually Carries
Six coverage parts do the real work. Each one carries its own limit or sublimit, which is why two policies with the same headline number can behave completely differently at claim time.
Breach Response and Forensics
The investigation that determines what happened, what was taken, and whether it is over. Usually the first dollars spent and the foundation every other duty stands on.
Breach Counsel and Notification
Specialized counsel, client notification, and credit monitoring. This is the part that funds the Opinion 483 work when client information is compromised.
Ransomware and Cyber Extortion
Response teams, negotiation support, and coverage for extortion demands when case files and systems are locked. Paired with backups, it is the difference between an incident and a shutdown.
Business Interruption
Replaces income lost while systems are down. For a firm, that means the billable hours that never happen while email, files, and billing are being rebuilt.
Privacy and Regulatory Defense
Defends claims from affected individuals and responds to regulatory inquiries into how data was handled, including defense costs and covered penalties where insurable.
Social Engineering Fraud
The endorsement for deceived wire transfers, with its own sublimit and verification conditions. Sized wrong, it is the most expensive small number on the policy.
The Evidence
The Numbers Behind the Boundary
Share of law firms reporting a security breach at some point in the American Bar Association's technology survey, with about 19 percent more unsure whether one had ever occurred.
Source: ABA 2023 Legal Technology Survey Report

Global average cost of a data breach, with professional services firms averaging above the all-industry figure.
Source: IBM Cost of a Data Breach Report, cited by the State Bar of Texas

Losses reported to the FBI Internet Crime Complaint Center in 2024, a record year, up 33 percent from the year before.
Source: FBI IC3 2024 Internet Crime Report

Scale those numbers to your firm. The honest measure is not a headline average. It is your records, your trust account activity, and the billable weeks a rebuild would consume, held against the limits and sublimits actually printed in your policy.
Sizing the Policy
Right Sized to the Firm You Run Today
Cyber limits are not a guess and not a default. Five inputs drive the number, and every one of them changes as the firm grows.
What Sets the Limit
The volume and sensitivity of the records you hold, the funds moving through your accounts, the practice areas you serve, the security requirements in your client engagement agreements, and your firm's realistic downtime cost per week. We work through each one in the review and match the limits to the answers.
What Moves the Quote
Multifactor authentication, tested backups, a written wire verification procedure, and security training move pricing more than any other inputs. Commercial reviews at McDade route to Dallas Downey, CLCS, who quotes across our carrier bench and shows you how each control changes the number before you commit to anything.
Cyber is one seat at a larger table. The full coordinated program lives at our Houston law firm insurance hub, alongside law firm EPLI.
Questions Firm Owners Ask
Law Firm Cyber Questions, Answered Plainly
What is the difference between legal professional liability and cyber insurance?
Legal professional liability responds when your legal work is alleged to have harmed a client. Cyber insurance responds when your systems, your data, or your funds are attacked. A breach is not a malpractice claim, so the forensic investigation, client notification, and recovery costs it creates typically fall outside the malpractice policy. The two contracts are designed to meet at a boundary, and that boundary needs to be read, not assumed.
What does cyber insurance cover for a law firm?
A well structured law firm cyber policy funds the forensic investigation, breach counsel, client notification, and credit monitoring after an incident, defends privacy and regulatory claims, responds to ransomware and cyber extortion, and replaces income lost while systems are down. A social engineering fraud endorsement can be added for deceived wire transfers. Each part carries its own limit or sublimit, which is why the policy has to be read as a set of numbers, not a label.
Is cyber insurance required for law firms in Texas?
No Texas law requires it for most firms, but the pressure comes from three directions. Ethics guidance treats reasonable data safeguards as part of a lawyer's duties, corporate clients increasingly require proof of cyber coverage in engagement agreements, and lenders and vendors ask for it in contracts. For a growing firm, the practical answer is that the market requires it before the law does.
Is the cyber endorsement on our malpractice policy enough?
Sometimes, but read the numbers before relying on it. Endorsements attached to a professional liability policy often carry low sublimits, narrower definitions, and fewer response services than a standalone cyber policy. For a firm that holds client data and moves settlement funds, the endorsement is frequently a fraction of the real exposure. The comparison is a document review we do side by side.
What happens if ransomware locks our case files before a deadline?
A standalone cyber policy typically brings a response team, negotiators, forensic support, and coverage for the extortion demand and the income lost while systems are down. What no policy can do is move a filing deadline, which is why carriers and bar associations both push firms toward tested backups and an incident response plan. Coverage funds the recovery. Preparation protects the practice.
What do ABA rules require after a law firm data breach?
ABA Formal Opinion 483 addresses a lawyer's obligations after an electronic data breach, including reasonable efforts to respond and a duty to notify current clients when material client information is compromised. Texas lawyers also carry confidentiality duties under the disciplinary rules. Those duties exist whether or not you carry insurance. The policy is what pays for meeting them.
How much does cyber insurance cost for a Houston law firm?
Pricing depends on revenue, the volume and sensitivity of the records you hold, the funds that move through your accounts, your claims history, and your controls. Multifactor authentication, tested backups, and a written verification procedure are the levers that move quotes the most. We quote across our carrier bench and show you how each control changes the number.
Can McDade review the cyber coverage we already have?
Yes, and that is where we usually start. We read the policy you carry today, map where it stops against your malpractice coverage, check the sublimits against your real exposure, and tell you plainly if it holds up. About 40 percent of the time we tell clients to stay with their current carrier because that is the right answer.
Proof From the People We Serve
What Houston Clients Say
The Next Step
Read the Boundary Before a Breach Does
Send us the malpractice and cyber policies you carry today. We will draw the line between them, check every sublimit against the firm you actually run, and walk you through the seams in plain English. If the program holds up, you will hear exactly that.
Commercial reviews route to our commercial desk and follow your calendar, not ours.