With the 1st October Professional Indemnity (PI) renewals now behind us, now is an ideal opportunity to evaluate and transfer your cyber risk effectively.

Authors: James Wall, Charrlotte Corfield

A continuation of soft market conditions persists, driven by new entrants into the market, resulting in increased competition and excess underwriting capacity. This, in turn, can attract favourable terms, broader access, and competitive pricing for clients.

However, despite this optimism, the rapid adoption of technology and increasingly sophisticated cyber threats, now amplified by artificial intelligence (AI), signal the potential for market hardening as early as 2026. Cyber insurance, being an industry-agnostic product that spans most sectors, must be viewed holistically. Hacking groups will adopt similar methods to gain unauthorised access across all industry sectors, making it essential to consider the broader market trends.

Recent high-profile cyberattacks on the retail and manufacturing sectors have highlighted the severe and unforgiving nature of these incidents. Business leaders and key stakeholders need to ensure a comprehensive cyber risk transfer solution is in place. A key element of this approach is a cyber insurance solution with adequate limits and coverage. The implications for businesses that do not correctly quantify their risk will be massive, as these losses will unfortunately be incurred, in part or in full, by the victims. This emphasises the importance of deploying adequate limits and gaining a better understanding of their own cyber risk quantification.

While the legal sector has so far escaped any high-profile instances, attacks on other industries have been particularly severe, with multiple businesses targeted within a short timeframe. Hackers have adopted a more targeted approach, focusing on specific companies within an industry. Preparing and acting ahead of time to mitigate risks before hackers deploy these tactics is key for law firms. Coveware's recent report [1] indicates that in Q1 2025, professional services (including the legal sector) accounted for 14.4% of all ransomware incidents, ranking among the highest sector-specific figures. The situation worsened in Q2 2025, when professional services firms became the most heavily impacted sector, accounting for 19.7% of the attacks [1].

Law firms are particularly attractive targets due to the legally privileged, highly sensitive, and confidential personal information they hold. An alarming shift is that data theft is surpassing encryption as the prevailing method of extortion. According to Coveware, in 74% of all Q2 2025 incidents [1], data exfiltration played a role. Threat actors now focus on harvesting sensitive client records and then threatening to release them, a tactic known as double extortion, with ransom demands reflecting this heightened leverage. For example, hackers recently stole data [2] from the Kido nursery chain, illustrating the focus on sensitive data. Hackers don't discriminate. If you have a vulnerability, you are a target.

The 2022 attack on DPP Law Solicitors LLP [3] is a good example of the vulnerability within law firms and the bounty a threat actor is after. Hackers gained access to DPP's clients' personal data via an IT administrator account that lacked multi-factor authentication (MFA), and the data was subsequently published on the dark web. This resulted in a fine of £60,000 from the ICO in 2025 and reputational damage to the firm.

The primary vectors for hackers to gain entry are remote access compromise, phishing and social engineering. The use of AI-generated deepfakes is on the rise. In 2025, the number of deepfake videos shared online is expected to reach 8 million, a massive increase from 500,000 in 2023 [4]. All three of these vectors are enhanced by the use of AI deepfakes. Mitgo's piece [5] highlights the risk these pose to law firms. Our clients must be aware of the dangers these pose and take steps to prevent becoming victims of these tactics.

Another area of concern is the lack of cyber coverage in the SME space [6], as SMEs account for 99% of all UK businesses [7]. Notably, 43% of surveyed [8] UK businesses reported suffering some form of cyberattack in 2024. With the majority of the 9,000 English and Welsh law firms being considered SMEs, the prevalence of under-insurance or no insurance (7 out of 10 [9] law firms not purchasing cyber insurance as of 2023), and increasing cyberattacks and targeting of personal data, there is a real need to address prevention and risk transfer to protect the legal industry in England and Wales.

In summary, recent high-profile UK cyber events are unlikely to disrupt the current competitive rates and policy coverages in the insurance market. What is apparent are the weaknesses in cyber defences and the devastating impact of cyberattacks. As attempted attacks show no signs of letting up, expectations are that insurance market losses will come soon, resulting in a hardening of the market.

Hackers are increasingly targeting data-rich organisations, and the rise in data theft and extortion underscores the urgency for law firms to act. Firms must review their cybersecurity measures, quantify their cyber risks and transfer appropriate risk to the insurance market. The advice for those not currently leveraging cyber insurance is to act now.

Disclaimer

The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Arthur J. Gallagher (UK) Limited accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.