As cyberattacks grow, cyber insurance is increasingly becoming a cost of doing business at law firms. But securing that cyber insurance is also becoming more difficult. Small law firms are facing insurance carriers that are placing a heavier emphasis on proactive cybersecurity measures, dropping clients, and even exiting the cyber insurance space when the risk outweighs the premium.

In the last eight months, insurance carriers have increasingly dropped policyholders that don’t have multifactor authentication in place, which typically includes small law firm clients, noted Amy Landefeld, cyber product lead and digital underwriting manager at insurance provider Beazley.

“Without multifactor authentication in place, it’s an open door for threat actors to come in,” Landefeld said. “I can assume other carriers are seeing a large rise in claims for those insureds and they are getting rid of the risk.”

What’s more, the past approximately two years of increased ransomware attacks has taught insurance carriers an expensive lesson regarding cyber insurance, noted Kevin Novak, managing director of cyber risk management services at information governance and data risk management provider Breakwater Solutions.

“It’s a result, not necessarily because of [small law firms], but the insurance firms are beginning to readjust [and] better understand what the market is relative to cyber breaches,” Novak said. “They’re starting to recognize they can’t carry the same policies for everyone. It’s becoming a big problem in the market,” he added.

But to spur greater cybersecurity adoption among small firms, insurers aren’t only threatening policy cancellations, sources noted.

For example, Davison, Eastman, Muñoz, Paone partner and tech chair Matt Blaine noted if firms don’t have multifactor authentication or other cybersecurity measures in place, “I think insurance companies are paying a little more attention to that by incentivizing to [put those systems in place in exchange for a] lower premium or potentially being dropped from the coverage.”

But as insurance companies place a greater emphasis on adopting more cybersecurity controls, the pool of cyber insurance providers is thinning.

“It’s becoming more common to hear a different carrier isn’t renewing an entire class or doesn’t have capacity to offer cyber insurance,” noted Landefeld.

A shrinking array of cyber insurance providers could increase premiums and potentially price out small law firms. “It’s become impossible to be profitable, it’s moving in that direction,” Novak said.

However, Landefeld countered that cyber insurance options would still be available to small law firms. Still, she noted firms will need to adapt as requirements intensify.

“It comes down to the IT infrastructure. They need to control risks [and] have the controls in place, that’s something that’s coming up in the future across the board. People will have to improve their IT infrastructure,” she said.