{"id":142764,"date":"2026-01-27T17:00:31","date_gmt":"2026-01-28T01:00:31","guid":{"rendered":"https:\/\/xira.com\/p\/2026\/01\/27\/think-you-are-covered-better-read-your-cybersecurity-policy-carefully\/"},"modified":"2026-01-27T17:00:31","modified_gmt":"2026-01-28T01:00:31","slug":"think-you-are-covered-better-read-your-cybersecurity-policy-carefully","status":"publish","type":"post","link":"https:\/\/xira.com\/p\/2026\/01\/27\/think-you-are-covered-better-read-your-cybersecurity-policy-carefully\/","title":{"rendered":"Think You Are Covered? Better Read Your Cybersecurity Policy \u2014 Carefully"},"content":{"rendered":"<p><strong>\u201c<\/strong>Never assume your organization is fully covered. Cyber insurance policy language is fraught with exclusions, limitations of coverage, and conditions that will void a policy.\u201d \u2013 <a href=\"https:\/\/www.google.com\/url?sa=t&amp;source=web&amp;rct=j&amp;opi=89978449&amp;url=https:\/\/delinea.com\/resources\/cyber-insurance-report-2025&amp;ved=2ahUKEwic9YK85KuSAxU848kDHfPZNdgQFnoECAsQAQ&amp;usg=AOvVaw2eHn0qxt1MGW846VKgd4gS\" rel=\"nofollow noopener\" target=\"_blank\">Delinea 2025 Cyber Insurance Research Report<\/a><strong><\/strong><\/p>\n<p>As I have <a href=\"https:\/\/abovethelaw.com\/2025\/10\/cyber-slider-we-got-insurance-right\/\" rel=\"nofollow noopener\" target=\"_blank\">written before<\/a>, law<strong> <\/strong>firms and cybersecurity: it\u2019s a subject that often makes managing partners\u2019 eyes glaze over. They don\u2019t understand it, it\u2019s expensive, and frankly, it\u2019s boring. 
They assume cybersecurity events won\u2019t happen to their firm and when they do, the only question they ask is \u201cdo we have insurance?\u201d Increasingly, the answer is: yes, maybe, and sort of.<\/p>\n<p>That\u2019s why a recent survey by the cybersecurity company <a href=\"https:\/\/delinea.com\/resources\/cyber-insurance-survey-report-results?utm_source=chatgpt.com\" rel=\"nofollow noopener\" target=\"_blank\">Delinea<\/a> is significant and lends credence to my concerns. At the very least, it should serve as a wake-up call for firm leadership. Delinea\u00a0is a cybersecurity consulting company that focuses on securing privileged access and identity security for organizations.\u00a0Delinea partnered with <a href=\"https:\/\/www.google.com\/url?sa=t&amp;source=web&amp;rct=j&amp;opi=89978449&amp;url=https:\/\/censuswide.com\/&amp;ved=2ahUKEwj5udvU5KuSAxWm48kDHYETIXkQFnoECB0QAQ&amp;usg=AOvVaw2VeHe9eapO03ccgVVbwj_b\" rel=\"nofollow noopener\" target=\"_blank\">Censuswide<\/a> and surveyed more than 750 security leaders about cyber insurance and claims practices.<\/p>\n<p>While you often have to take with a grain of salt what consultants find in their surveys since they often strengthen their case for being hired, the Delinea survey reveals some potentially troubling gaps between what insureds think they have and what their policies actually cover. Those gaps apply just as well to law firms.<\/p>\n<p><strong>It\u2019s a Question of When, Not If<\/strong><\/p>\n<p>First things first, if a law firm doesn\u2019t think a cybersecurity event is going to happen, think again. Seventy-seven percent of those surveyed by Delinea revealed they suffered a cybersecurity incident in the last year.<\/p>\n<p>While the survey didn\u2019t focus on law firms, there\u2019s little reason to think firms are any different. In fact, law firms may be more at risk since they hold highly confidential client material that, frankly, is valuable to the bad guys. 
But all too often firms think a cybersecurity event isn\u2019t going to happen to them. It\u2019s sort of the security through obscurity notion about which I have <a href=\"https:\/\/abovethelaw.com\/2025\/10\/cyber-slider-we-got-insurance-right\/\" rel=\"nofollow noopener\" target=\"_blank\">written before<\/a>.<\/p>\n<p><strong>Cyber Insurance: It May Not Be What You Think<\/strong><\/p>\n<p>According to the Delinea report, often cyber insurance policies don\u2019t cover what you expect. Only 33% of policies of those responding covered a critical loss component: lost revenue. Only 45% of the policies covered ransomware (where a bad guy demands the payment of ransom to return stolen data) despite the fact that 1 in 5 surveyed reported a ransomware incident.<\/p>\n<p>That\u2019s an important limitation since often management concludes the payment of the ransom offers the quickest return of needed data and the return to business operations, which may or may not be true. Forty percent of the policies don\u2019t cover costs to recover data.\u00a0 Less than half covered incident response services or additional remedial security controls.<\/p>\n<p>What all this means is that a firm may end up not being covered for a significant loss. I <a href=\"https:\/\/abovethelaw.com\/2025\/10\/cyber-slider-we-got-insurance-right\/\" rel=\"nofollow noopener\" target=\"_blank\">recently wrote<\/a> about a company that sadly had to go out of business because it did not have sufficient coverage for a ransomware claim.<\/p>\n<p>Years ago, I attended a cybersecurity conference. I had lunch with a bunch of insurance marketing guys licking their chops over the huge market for cyber insurance. I asked what would happen when the claims pour in as they most certainly would. I was met with stone silence. 
We now know what will happen: as the report puts it, \u201cInsurance adjusters are on the lookout for a range of controls lapses that could get their companies off the hook for paying a claim.\u201d<\/p>\n<p>And it\u2019s not just coverage issues that can trip up a claim. The lack of security controls can do the same thing.<\/p>\n<p><strong>Security Controls<\/strong><\/p>\n<p>Failing to take cybersecurity seriously and to have robust protections in place not only means an increased threat of an incident; it also could mean that appropriate coverage can\u2019t be obtained or, if it is, that it will be voided once there is a claim.<\/p>\n<p>Indeed, almost everyone surveyed by Delinea said that their organization had to have some level of security controls in place to get coverage. Some 97% of those surveyed indicated that their carriers were demanding things like identity security controls, authorization controls, and better password management, and that carriers were increasingly scrutinizing their insureds\u2019 security controls.<\/p>\n<p>Moreover, increasingly, the policies that are in place may be voided if sufficient security controls aren\u2019t in place, a failure that often is not discovered until a claim is filed. According to the Delinea report, 45% of those surveyed said their policies could be voided due to lack of security controls. Other reasons for voiding coverage include human error, misconfiguration, internal bad actors, not following compliance procedures, failure to timely report, and acts of terrorism and war.<\/p>\n<p>It\u2019s a hot mess: firm management doesn\u2019t take cybersecurity seriously, doesn\u2019t spend the money for adequate controls, and then relies on insurance once a claim happens, only to discover that they aren\u2019t covered.<\/p>\n<p><strong>Artificial Intelligence<\/strong><\/p>\n<p>In addition, the advent of the GenAI world has some insurance implications as well. 
Here\u2019s a noteworthy finding: 42% of those surveyed said their policies excluded AI misuse and liability from coverage. That\u2019s important because firms have to assume that their lawyers and legal professionals, like just about everyone else, are using GenAI in their personal and often in their work lives. But if they don\u2019t use AI tools properly, the misuse could result in liability that won\u2019t be covered. All the more reason to undertake robust AI training and create appropriate use guidelines.<\/p>\n<p><strong>So, What To Do?<\/strong><\/p>\n<p>So, what can law firm management do? First, it may be stating the obvious, but management needs to read their cyber insurance policies carefully. They need to identify the exclusions and coverage gaps. They need to do research into how the policies and the mandated controls are being interpreted.<\/p>\n<p>They can\u2019t assume coverage based on marketing material, or what the carrier has offered in the past or to others. Management also needs to carefully review the security controls that the carrier has demanded and be sure they are met. Management should conduct an annual policy audit with the IT director and insurance broker present.<\/p>\n<p>They should treat that review and everything else with the same level of scrutiny they would apply if a client asked them to review the client\u2019s own policies.<\/p>\n<p>The report makes an excellent point in this regard:<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Because the cyber insurance market is still maturing, policy language and coverage options can vary widely from insurer to insurer \u2014 and even policy to policy. One of the challenges that organizations face is in the interpretation of policy requirements. 
While policy exclusions tend to be fairly clear-cut (i.e., exclusions around acts of war or nation-state activity), the language around controls requirements can sometimes remain vague.<\/p>\n<p>Never assume your organization is fully covered Cyber insurance policy language is fraught with exclusions, limitations of coverage, and conditions that will void a policy. It is incumbent upon risk leaders to collaborate with executive management and the board to identify how existing controls weaknesses could jeopardize their insurability and to utilize gap analysis for prioritizing investments.<\/p>\n<\/blockquote>\n<p>Couldn\u2019t have said it any better.<\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n<p><em><strong>Stephen Embry is a lawyer, speaker, blogger, and writer. He publishes\u00a0<a href=\"https:\/\/www.techlawcrossroads.com\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">TechLaw Crossroads<\/a>, a blog devoted to the examination of the tension between technology, the law, and the practice of law<\/strong><\/em>.<\/p>\n<p>The post <a href=\"https:\/\/abovethelaw.com\/2026\/01\/think-you-are-covered-better-read-your-cybersecurity-policy-carefully\/\" rel=\"nofollow noopener\" target=\"_blank\">Think You Are Covered? Better Read Your Cybersecurity Policy \u2014 Carefully<\/a> appeared first on <a href=\"https:\/\/abovethelaw.com\/\" rel=\"nofollow noopener\" target=\"_blank\">Above the Law<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u201cNever assume your organization is fully covered. Cyber insurance policy language is fraught with exclusions, limitations of coverage, and conditions that will void a policy.\u201d \u2013 Delinea 2025 Cyber Insurance Research Report As I have written before, law firms and cybersecurity: it\u2019s a subject that often makes managing partners\u2019 eyes glaze over. 
They don\u2019t understand [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[16],"tags":[],"class_list":["post-142764","post","type-post","status-publish","format-standard","hentry","category-above_the_law"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/posts\/142764","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/comments?post=142764"}],"version-history":[{"count":0,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/posts\/142764\/revisions"}],"wp:attachment":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/media?parent=142764"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/categories?post=142764"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/tags?post=142764"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}