What Your Cyber Insurance Carrier Expects from Your IT (and What Happens If You Can't Prove It)

Cyber insurance applications for law firms now require proof of MFA, EDR, tested backups, and more. If you can't prove your controls are in place, your claim can be denied.

Your cyber liability policy comes up for renewal. You open the application and it’s twice as long as last year. There are questions about endpoint detection, backup isolation, privileged access management, and phishing simulation frequency. You’re not sure what half of these controls are, let alone whether your firm has them in place.

If this is your renewal experience, it’s not a coincidence. Over the past 18 months, cyber insurance underwriters have raised the bar for what they expect from policyholders. What used to be a simple, check-the-box application has turned into a detailed technical questionnaire. And the answers matter more than most firms realize.

This scrutiny isn’t coming from nowhere. In early April 2026, Jones Day disclosed that the Silent Ransom Group, a hacker collective the FBI says specifically targets law firms because of the sensitive nature of legal data, accessed client files through a phishing attack. Orrick Herrington and Wood Smith Henning & Berman were hit by the same group earlier this year. Baker Hostetler’s 2025 incident response report found that cyberattacks on law firms doubled year over year. Carriers are reading the same headlines.

What carriers are requiring now

The list of technical controls that underwriters expect to see has gotten long and specific. If you’re preparing for a renewal, these are the items your carrier is almost certainly going to ask about.

Multi-factor authentication (MFA) on all remote access, email, and administrative accounts. This is the single most common requirement, and the one most likely to get your application flagged if it’s missing. If your attorneys can log into email with just a password, that’s a problem. (For more on why credentials are the top attack vector, see our post on how most cyberattacks start with a login, not an exploit.)

Endpoint detection and response (EDR). Traditional antivirus isn’t enough anymore. Carriers want to see modern endpoint protection that can detect and respond to threats in real time, not just scan for known malware signatures.

Verified, tested backups isolated from the production network. Carriers don’t just want to know that backups exist. They want to know the backups are stored separately from your main systems (so ransomware can’t encrypt them too) and that you’ve actually tested a full restore. When was the last time your firm did that? If you don’t know, that’s an answer worth finding before your renewal.

Security awareness training with phishing simulations. Your staff needs regular training on how to spot phishing emails, and your firm needs to run simulated phishing campaigns to measure how people respond. Underwriters want to see participation records and results.

A documented incident response plan. Not “we’ll figure it out when something happens.” A written plan that identifies who does what, who to call, how to contain an incident, and how to communicate with clients. Carriers want to see the document.

Regular, documented patch management. Operating systems, applications, and firmware all need to be patched on a consistent schedule. Underwriters want evidence of a patching cadence, not just a promise that updates happen “when we get to them.”

Email security and anti-phishing tools. Advanced email filtering that goes beyond basic spam blocking. Carriers want to see protection against business email compromise, spoofing, and credential harvesting attacks. Newer attack methods like device code phishing can bypass traditional email filters entirely, which is part of why underwriters keep expanding these requirements.

Privileged access management. Administrative accounts should be limited to the people who actually need them, and those accounts should be monitored. If every user at your firm has local admin rights on their workstation, that’s going to raise questions.

The attestation trap

This is where it gets expensive. The application asks whether you have each of these controls in place. You check “yes” because you think you do, or because your IT person said you’re covered. The policy gets issued.

Then an incident happens. A ransomware attack. A business email compromise that redirects a wire transfer. A data breach that exposes client records. You file a claim.

Now the carrier investigates. They bring in forensic analysts who examine your systems and compare what they find against what you attested to on the application. If you checked “yes” for MFA but your admin accounts didn’t have it enabled, that’s an attestation gap. If you said you had isolated backups but they were on the same network segment that got encrypted, that’s a gap too.

Carriers can deny claims based on material misrepresentation in the application. It doesn’t matter whether the misrepresentation was intentional. If the controls weren’t operational at the time of the incident, the claim is at risk.

What a denied claim actually costs

When a cyber insurance claim gets denied, your firm absorbs the full cost of the incident. That means paying out of pocket for forensic investigation (easily $50,000 or more), breach notification to affected clients, credit monitoring services, legal defense, regulatory fines, and potential malpractice claims.

This hits close to home for Iowa law firms. Iowa’s data breach notification law requires firms to notify affected individuals and the Iowa Attorney General when personal information is compromised. Insurance typically covers those costs. Without coverage, they land on your firm’s balance sheet. (We covered the broader threat landscape for Iowa firms in our cybersecurity overview.)

How premiums are calculated

Your premium isn’t just based on your firm’s size or your industry. Underwriters are pricing policies based on your actual security controls. Firms with strong posture, documented controls, and evidence of ongoing monitoring get better rates. Firms with gaps can see premium increases of 30% or more at renewal, according to industry estimates from carriers like Coalition and Corvus. In some cases, the result is worse than a rate hike: coverage restrictions, exclusions for certain incident types, or higher deductibles that shift more risk back onto the firm.

Some firms don’t find out they’re missing something until the renewal comes through. The premium jumps, the terms change, and suddenly the firm is scrambling to implement controls that should have been in place months earlier. By then, you’ve already lost the leverage to negotiate better terms.

How to prepare for your next renewal

Start preparing well before the application lands on your desk. A few months of lead time gives you room to find gaps and close them.

Audit your current controls against the common requirements. Walk through the list above and honestly assess where your firm stands. Don’t assume everything is in place. Verify it.

Document everything. Carriers want evidence, not assurances. If you run phishing simulations, keep the reports. If you test your backups, log the results and the date. If you have an incident response plan, make sure it’s written down and accessible, not in someone’s head.

Review your attestations from last year, too. Pull up the application you submitted and check whether the answers are still accurate. If something has changed (a control lapsed, a tool was replaced, an employee with admin access left), update your records accordingly.

Work with your MSP to fill gaps before the application goes out. Your managed IT provider should be able to tell you exactly which controls are in place, which ones need work, and how long it will take to get compliant. If your MSP can’t answer those questions clearly, that’s a separate conversation worth having.

Get your documentation ready in advance. Compile evidence of your controls into a packet you can reference when filling out the application. This makes the process faster and ensures your attestations are backed by proof.

The bottom line

Cyber insurance has gone from a simple policy add-on to a real accountability mechanism for IT security. The carriers are paying attention. They’re asking detailed questions, verifying answers, and denying claims when controls don’t match attestations. For Iowa law firms handling sensitive client data, the stakes are too high to wing it.

Treat it as an ongoing discipline, not a scramble when the renewal shows up.
Not sure where your firm stands on cyber insurance requirements? Artech Solutions helps Iowa law firms audit their security controls and build the documentation carriers want to see. Let’s talk about your next renewal before the application arrives.