
The law firm cyber claim that isn't ransomware: client matter data exfiltration

Law firms over-index on ransomware in their cyber planning. The faster-growing claim is silent exfiltration of client matter data — and the policy response is different.

Julius Roderer, Co-Founder & CEO. May 20, 2026

When law-firm leadership talks about cyber risk, the conversation reliably turns to ransomware: encrypted document management systems, locked-out timekeeping, the headline-grade incident. That’s a real exposure, and cyber forms generally respond well to it.

The more common 2026 claim — and the one most firms’ insurance posture is least ready for — is the silent exfiltration of client matter data. No ransom note. No system outage. Just a quiet copy of years of privileged communications, M&A diligence, litigation strategy, and unfiled patent disclosures sitting on a threat actor’s server, waiting to be monetised.

Why exfiltration is now the dominant law-firm claim

Three trends converged through 2024 and 2025:

  1. Attacker monetisation shifted. Ransomware payments became harder to collect (insurance pushback, OFAC sanctions, victim refusals). Data theft monetises differently — sold, leaked publicly to pressure unrelated suits, used for insider-trading exploitation of unannounced M&A.
  2. Law firms became higher-value targets. A firm with a single M&A practice holds 20–50 sets of confidential merger data; one with a patent practice holds disclosure data that competing firms or short-sellers will pay for; a firm with high-profile litigation holds strategy data that opposing parties value.
  3. Detection lag is structural. Exfiltration leaves no operational footprint. Where ransomware tells you instantly, exfiltration is typically discovered weeks or months later — sometimes via an external tip (the data shows up on a dump site, in a regulator’s inbox, or in opposing counsel’s hands).

Where the insurance form has to respond

A standard cyber policy responds to most of this, but with conditions that catch firms off guard:

Notification cost

When matter data is exfiltrated, the firm’s obligation to notify affected clients is governed by privilege duties, state bar rules, and the contractual obligations in client engagement letters. Cyber forms cover notification costs, but the legal cost of determining who must be notified is where the bill mounts — and not every form treats that as covered “breach response.”

Third-party liability for client losses

If a client suffers loss because their privileged data was exposed — a botched M&A negotiation, a litigation strategy revealed to opposing counsel, an inventor’s unfiled patent appearing publicly — the client will sue the firm. This is privacy liability and potentially professional liability (failure to maintain confidentiality is a malpractice question, not just a cyber question).

A clean form responds across both. A poorly-structured one creates a gap between cyber (covering the breach) and PL (covering the malpractice), with neither carrier wanting to lead.

Regulatory defence

State bars are increasingly opening investigations after publicly-disclosed law-firm data incidents. Form language on “regulatory defence” varies — some forms cover state bar proceedings explicitly, some don’t.

What law firms should be checking

Three questions for the next renewal:

  1. What’s the form’s definition of “data breach”? Some forms still require unauthorised access to trigger breach response — meaning that exfiltration carried out through a legitimate session (for example, with compromised employee credentials) might not trigger cover. The better forms include any unauthorised acquisition or use of data, regardless of access path.
  2. Do cyber and professional liability overlap correctly? Specifically: does the cyber form cover claims by clients alleging a confidentiality failure, or does that get punted to PL with its own retention and limit?
  3. Is regulatory defence broad enough to cover state bar? If not, that’s a meaningful gap for a regulated profession.

The control side, briefly

The cyber insurance market in 2026 will increasingly underwrite law-firm exfiltration risk based on controls: data loss prevention (DLP) tooling on email and document systems, anomaly detection on document-management access, MFA on all remote access. Firms that can show these in place see better pricing. Firms that can’t are seeing capacity tighten.
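The point of the access-anomaly control above is that a compromised employee credential produces a perfectly "authorised" session, so detection has to key on behaviour rather than on failed logins. The following is an added illustration, not code from the original post or from any product: a sliding-window check over constructed document-management-system (DMS) access log lines, flagging a user who touches an unusual number of distinct matters or downloads an unusual volume within an hour. The log format, field names and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample DMS access log: timestamp, user, matter_id, action, bytes.
# bjones's late-night burst across six matters is the pattern we want to flag.
SAMPLE_LOG = """\
2026-05-18T09:02:11Z,asmith,M-2024-0117,open,48210
2026-05-18T09:15:40Z,asmith,M-2024-0117,download,951000
2026-05-18T09:40:02Z,asmith,M-2025-0033,open,20100
2026-05-18T22:01:05Z,bjones,M-2023-0410,download,3100000
2026-05-18T22:02:19Z,bjones,M-2024-0088,download,4200000
2026-05-18T22:03:44Z,bjones,M-2024-0117,download,2800000
2026-05-18T22:05:10Z,bjones,M-2025-0033,download,5100000
2026-05-18T22:06:33Z,bjones,M-2025-0061,download,3900000
2026-05-18T22:08:01Z,bjones,M-2025-0079,download,4700000
"""

# Assumed thresholds; a real deployment would derive these per user or practice group.
WINDOW = timedelta(hours=1)
MAX_MATTERS_PER_WINDOW = 4                  # distinct matters per hour
MAX_DOWNLOAD_BYTES_PER_WINDOW = 10_000_000  # roughly 10 MB per hour

def parse_log(text):
    """Parse the CSV-style lines into (time, user, matter, action, bytes) tuples, time-ordered."""
    events = []
    for line in text.strip().splitlines():
        ts, user, matter, action, size = line.split(",")
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, user, matter, action, int(size)))
    return sorted(events)

def find_anomalies(events):
    """Return {user: reason} for each user whose activity inside any rolling
    WINDOW exceeds a threshold. Authentication succeeded for all of these
    events; only the access pattern distinguishes the suspicious session."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    flagged = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > WINDOW:   # slide window forward
                start += 1
            window = evs[start:end + 1]
            matters = {e[2] for e in window}
            dl_bytes = sum(e[4] for e in window if e[3] == "download")
            if len(matters) > MAX_MATTERS_PER_WINDOW:
                flagged[user] = f"{len(matters)} distinct matters within {WINDOW}"
                break
            if dl_bytes > MAX_DOWNLOAD_BYTES_PER_WINDOW:
                flagged[user] = f"{dl_bytes} bytes downloaded within {WINDOW}"
                break
    return flagged
```

Running `find_anomalies(parse_log(SAMPLE_LOG))` flags only `bjones`; the daytime user working two matters stays under both thresholds.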

The exfiltration claim is unglamorous. It doesn’t generate headlines the way a Big Law ransomware incident does. But it’s the one that’s actually arriving — and the one your form needs to be sized for.


About the author

Julius Roderer

Co-Founder & CEO

Julius's career spans from insurance to frontier computational neuroscience research. He was an investment banking associate at UBS covering insurance, and an AI researcher at Imperial College London. He holds an MSc in Artificial Intelligence from Imperial (with Distinction) and a BSc in Economics from the London School of Economics (First Class Honours).
