Cyber Risk in Legal Firms: Talking Points for Brokers and Businesses | News | Brit

Article in a snapshot:

  • Cyber claims from legal firms are becoming a more important issue for insurers
  • What makes legal firms so exposed?
  • How do threat actors approach attacks on legal firms?
  • Conversations with clients should be candid, not alarmist
  • The most important conversation to have

Cyber claims from legal firms are becoming a more important issue for insurers, and that is shaping how the market looks at these risks. For brokers, the message to clients is straightforward: legal practices remain highly attractive targets, the attack methods are evolving, and firms that cannot show strong controls are likely to face greater scrutiny when they seek cover.

What makes legal firms so exposed is not just their size. It is the nature of the data they hold. Law firms manage sensitive client information, privileged communications, litigation strategy, transaction documents, financial details and, in many cases, regulated personal data. That combination gives threat actors something valuable to steal and something they can use to pressure victims if the data is exposed.

A trend we are seeing is extortion-led attacks that do not rely on encrypting systems in the traditional ransomware model. Instead, attackers focus on gaining access, identifying high-value information quickly, extracting it, and then threatening disclosure. For legal firms, that creates a particularly difficult scenario: the damage may include client loss, reputational harm, regulatory exposure, and acute pressure around confidentiality.

One of the threat patterns highlighted in our analysis is associated with Luna Moth, also known as Silent Ransom Group. The group is financially motivated and uses a relatively simple but effective path: social engineering, remote access, data exfiltration, and extortion. Rather than depending on advanced software exploitation, the approach often targets people and process weaknesses. That matters because many firms still think cyber risk is mainly about malware, when in reality it is often about manipulation.

The attack methods are worth spelling out to clients. These actors use phishing and vishing, often posing as internal IT support or a trusted service desk. A user may be encouraged to call a number in an email, install a legitimate remote access tool, or follow instructions from someone sounding credible and urgent. In some cases, there may even be an in-person element designed to appear helpful or routine. Once access is established, tools such as WinSCP or Rclone can be used to move data out quickly over encrypted channels, making activity harder to distinguish from normal business traffic.

For brokers, the practical conversation with clients should not be alarmist, but it should be candid. Insurers are paying close attention to whether legal firms can demonstrate that their controls match the sensitivity of the risk. Firms do not need perfection, but they do need evidence of discipline.

The most important talking points are these:

  • Train staff for modern social engineering, not just email phishing. Employees should understand that fake IT support calls, urgent verification requests and requests to install software are common attack routes.
  • Tighten identity and access controls. Local administrator rights should be restricted, and software installation should not be left to end users by default.
  • Control remote access tools. Firms should allow only approved tools and block or closely monitor everything else.
  • Strengthen data loss prevention and monitoring. High-value data should be classified, monitored and protected against unauthorised export.
  • Reduce easy bulk extraction. Sensitive repositories and databases should not be simple to export at speed without review or control.
  • Validate physical access and removable media use. People entering offices or asking users to connect devices should be verified, not assumed legitimate.
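The "control remote access tools" and "monitoring" points above can be made concrete in endpoint telemetry. The following is an added illustration, not code from the article or from Brit: it checks process-start events against an approved remote-access tool list and flags the transfer utilities named above, escalating when a transfer tool is launched under a remote-support session. The event format, the approved tool name and the sample events are assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str    # executable name, lower-case
    parent: str   # parent process executable, lower-case


# Assumption: the firm has sanctioned exactly one remote-support product.
APPROVED_REMOTE_ACCESS = {"approved-support.exe"}
# Legitimate remote-access tools that help-desk impersonators ask users to install.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe"} | APPROVED_REMOTE_ACCESS
# Transfer utilities the article names as used for moving data out.
TRANSFER_TOOLS = {"rclone.exe", "winscp.exe"}


def classify(event: ProcessEvent) -> list[str]:
    """Return finding labels for one process-start event (empty list = nothing to flag)."""
    findings: list[str] = []
    if event.image in REMOTE_ACCESS_TOOLS and event.image not in APPROVED_REMOTE_ACCESS:
        findings.append("unapproved-remote-access-tool")
    if event.image in TRANSFER_TOOLS:
        findings.append("bulk-transfer-tool")
        # A transfer utility spawned from a remote-support session matches the
        # access-then-exfiltrate sequence described above, so escalate it.
        if event.parent in REMOTE_ACCESS_TOOLS:
            findings.append("transfer-under-remote-session")
    return findings


def triage(events: list[ProcessEvent]) -> list[tuple[str, str, str, list[str]]]:
    """Return (host, user, image, findings) for every event with at least one finding."""
    return [(e.host, e.user, e.image, f) for e in events if (f := classify(e))]


# Constructed sample telemetry, not real data.
SAMPLE_EVENTS = [
    ProcessEvent("ws-101", "jsmith", "outlook.exe", "explorer.exe"),
    ProcessEvent("ws-101", "jsmith", "anydesk.exe", "explorer.exe"),
    ProcessEvent("ws-101", "jsmith", "rclone.exe", "anydesk.exe"),
    ProcessEvent("ws-204", "itadmin", "approved-support.exe", "explorer.exe"),
    ProcessEvent("ws-204", "itadmin", "winscp.exe", "explorer.exe"),
]

if __name__ == "__main__":
    for host, user, image, findings in triage(SAMPLE_EVENTS):
        print(f"{host} {user} {image}: {', '.join(findings)}")
```

In practice the approved list and the escalation rule would sit in the firm's EDR or SIEM; the point is that the sanctioned tool generates no alert while an unapproved tool, or a transfer tool under a remote session, does.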

The key point for clients is that this is not just an IT problem. It is a business resilience, professional duty and client trust issue. Legal firms are being targeted because attackers believe the data they hold is both valuable and sensitive enough to drive payment pressure.

Summary

Cyber risk in legal firms is a live and growing concern. Attackers are using persuasive, low-friction methods to gain access, steal data and extort victims. That is one reason insurers are becoming more careful in their approach to writing legal firms. Brokers can add real value by helping clients understand the trend, explain their controls clearly, and address weaknesses before they become a claim.

If you would like to discuss cyber risks affecting legal industry clients, we can help talk through the threat landscape, the controls insurers are looking for, and practical steps to strengthen risk mitigation before renewal or placement.