What Happens to Chicago Law Firms When They Get Hit with Ransomware? And Does Cyber Insurance Automatically Cover It?
A Chicago-area law firm gets hit with ransomware. Attorneys are locked out of iManage. Court filings due in 48 hours can’t be accessed. The managing partner calls the insurance carrier, relieved the firm has a cyber liability policy. Then comes the investigation. The insurer’s forensic team reviews the environment and asks a straightforward question: is MFA enabled on all remote access systems?
It isn’t. It was enabled for Microsoft 365, but not for the VPN. The application said it was. The claim is denied.
This scenario is not a cautionary edge case. Across 2024 and 2025, industry sources, including Fitch Ratings, found that between 25% and more than 40% of cyber insurance claims were rejected outright, with missing or undocumented security controls listed as the leading cause. For Chicago law firms, where an incident can trigger ABA ethics obligations, client lawsuits, and regulatory scrutiny simultaneously, a denied claim is not just a financial setback. It can be an existential one.
What most law firms don’t realize until it’s too late: cyber insurance has stopped being a financial backstop and started being a technical audit.
The Questionnaire Is a Warranty, Not a Survey
When your firm fills out a cyber insurance application, every “yes” you check is a legal attestation. You are not estimating your security posture. You are warranting it. The policy is issued based on those representations, and if the post-breach investigation reveals that any of them were inaccurate, the insurer has grounds to rescind the policy or deny the claim entirely.
In the 2024 case of Travelers v. International Control Services, the insurer sought to rescind a cyber policy after discovering that the insured had stated on its application that MFA was deployed across all systems. It was not fully implemented. The court sided with the insurer. The ransomware claim was denied not because MFA caused the breach, but because the attestation did not match the reality.
This ruling is now the template carriers use. The application is treated as a continuing warranty, meaning what you represented at signing must remain true throughout the policy period. If your IT environment drifts, if MFA gets disabled on one system, if a new server is added without endpoint protection, the original warranty can be invalidated.
For Chicago law firms, this is particularly dangerous because the questionnaires have grown substantially more detailed. Carriers, including Coalition, Chubb, and AXA XL, now ask not just whether MFA is in place, but whether it covers all remote access pathways, all administrative accounts, and all privileged systems. “We have MFA” is no longer a sufficient answer. The question is where, on what, and how it’s enforced.
What Chicago Cyber Insurance Underwriters Are Actually Checking Right Now
The controls underwriters evaluate have become highly specific. For law firms renewing or applying for coverage in 2025 and 2026, these are the areas receiving the most scrutiny:
Multi-Factor Authentication (MFA)
MFA is no longer a differentiator. It is a baseline requirement. Carriers expect it enforced universally across email, remote access, administrative accounts, cloud services, and legacy systems. Partial deployment, including having it on Microsoft 365 but not on a VPN or a legacy practice management tool, is treated as non-compliance. One unprotected login path is enough to deny a claim. Our Microsoft 365 security services for Chicago firms are built around exactly this kind of comprehensive enforcement.
Endpoint Detection and Response (EDR)
Traditional antivirus software is explicitly insufficient. Insurers now require EDR tools that monitor devices in real time and detect behavioral anomalies, not just known malware signatures. According to Prelude Security’s analysis, approximately 90% of ransomware attacks originate from unmanaged or unprotected endpoints, which is precisely why carriers treat EDR as non-negotiable.
Verified, Tested Backups
Insurers don’t just want to know that backups exist. They want evidence that backups are isolated from the primary environment, tested regularly, and capable of restoring critical data within a defined recovery window. A backup process that has never been validated against a real restore scenario gives carriers grounds to argue the firm cannot recover without paying ransom, which changes the risk profile of the policy significantly.
Documented Incident Response Plan
An incident response plan that exists as a PDF in a shared drive is not an incident response plan. Carriers want documentation that has been reviewed, tested, and updated. IBM’s 2025 Cost of a Data Breach Report found that firms with documented and tested incident response plans reduced breach costs by an average of $1.49 million compared to those without one.
Patch Management and 24/7 Monitoring
Coalition’s 2025 Cyber Threat Index reported that most ransomware claims in 2024 began with compromised perimeter security appliances such as VPNs or firewalls. Carriers also expect continuous monitoring, not just business-hours coverage. Attacks don’t follow a 9-to-5 schedule, and insurers are increasingly unwilling to treat daytime-only IT support as adequate risk mitigation.
The Cybersecurity Gap Between What Chicago Law Firms Think They Have and What They Actually Have
CTI Technology’s onboarding assessments of new law firm IT clients in Chicago reveal a consistent pattern. Most firms believe their IT environment is adequately secured. They have IT support. They have antivirus. They pay for Microsoft 365. They assume the protections that matter are in place.
What our kick-off assessments typically uncover:
- Excessive administrative permissions granted to non-technical staff, often set up during initial system configuration and never reviewed
- Unmanaged end-user accounts for attorneys or staff who have left the firm, representing open credential exposure
- No documented backup validation procedures, meaning the firm believes it has recovery capability that has never been tested
- MFA enabled on some systems but not others, often with exceptions carved out for senior partners as a convenience measure
- Software beyond end-of-life, including operating systems or practice management tools that no longer receive security patches
Each of these gaps is individually significant. Combined, they represent exactly the environment a cyber insurance underwriter flags as high-risk, and an insurer’s forensic team uses to deny a post-breach claim. We covered the broader pattern of how these vulnerabilities accumulate in our post on why law firm IT fails and what Chicago firms can do about it.
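An added example (not CTI Technology's or any carrier's tooling) that checks a firm's inventory for the gaps listed above and reports which "yes" answers on the application they contradict. The inventory, field names, and questionnaire keys are constructed for illustration.

```python
from datetime import date

# Constructed sample inventory; every name and value is illustrative.
PATHWAYS = [
    {"name": "Microsoft 365", "remote": True, "mfa": True, "exempt": ["partner1"]},
    {"name": "VPN", "remote": True, "mfa": False, "exempt": []},
    {"name": "File server console", "remote": False, "mfa": False, "exempt": []},
]
ACCOUNTS = [
    {"user": "partner1", "employed": True, "enabled": True, "admin": False, "it_staff": False},
    {"user": "paralegal2", "employed": True, "enabled": True, "admin": True, "it_staff": False},
    {"user": "former3", "employed": False, "enabled": True, "admin": False, "it_staff": False},
    {"user": "itadmin4", "employed": True, "enabled": True, "admin": True, "it_staff": True},
]
SOFTWARE = [
    {"name": "legacy practice tool", "end_of_support": date(2023, 1, 10)},
    {"name": "endpoint OS", "end_of_support": date(2030, 1, 1)},
]
# Hypothetical mapping: questionnaire answer -> gap kinds that make it untrue.
CONTRADICTS = {
    "mfa_all_remote_access": {"mfa_missing", "mfa_exception"},
    "departed_accounts_disabled": {"stale_account"},
    "admin_rights_restricted": {"excess_admin"},
    "no_unsupported_software": {"end_of_life"},
}

def find_gaps(pathways, accounts, software, today):
    """Return (kind, subject) pairs for each gap found in the inventory."""
    gaps = []
    for p in pathways:
        if not p["remote"]:
            continue  # the attestation modelled here covers remote access only
        if not p["mfa"]:
            gaps.append(("mfa_missing", p["name"]))
        gaps += [("mfa_exception", f'{p["name"]}:{u}') for u in p["exempt"]]
    for a in accounts:
        if a["enabled"] and not a["employed"]:
            gaps.append(("stale_account", a["user"]))
        if a["enabled"] and a["admin"] and not a["it_staff"]:
            gaps.append(("excess_admin", a["user"]))
    gaps += [("end_of_life", s["name"]) for s in software if s["end_of_support"] < today]
    return gaps

def contradicted_answers(attested, gaps):
    """Names of 'yes' answers that at least one gap makes untrue, sorted."""
    kinds = {kind for kind, _ in gaps}
    return sorted(q for q, yes in attested.items() if yes and CONTRADICTS[q] & kinds)
if __name__ == "__main__":
    print(contradicted_answers({q: True for q in CONTRADICTS}, find_gaps(PATHWAYS, ACCOUNTS, SOFTWARE, date.today())))
```

Run on a schedule against a real export, a non-empty result means the environment has drifted from what was warranted at signing.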
The ABA’s 2023 Legal Technology Survey Report found that nearly 30% of law firms reported experiencing a security breach. What that figure doesn’t capture is how many of those firms filed an insurance claim and received nothing in return.
Three Reasons Claims Get Denied That Have Nothing to Do With Security Controls
Even firms with relatively strong security postures get caught by policy mechanics they never read carefully enough.
- Late notification: Most cyber policies require the insurer to be notified within 48 to 72 hours of discovery, not 48 hours after the firm has figured out what happened. The instinct to investigate internally before calling the carrier is understandable and almost always the wrong move. Industry data attributes approximately 17% of all claim denials to late notification alone.
- Nation-state attribution exclusions: Many policies include exclusions for hostile or warlike actions by nation-state actors. Because cybersecurity attribution is rarely definitive, the label “Russian-linked” or “state-sponsored” has been invoked by carriers to deny claims where attribution was contested. Several major 2025 ransomware claims were denied on this basis.
- Social engineering gaps: Business email compromise, wire fraud, and invoice scams are now among the most common sources of financial loss for law firms, and they are frequently excluded from standard cyber policies unless the firm has specifically purchased a social engineering or funds transfer fraud endorsement. Many Chicago firms carry policies that provide no coverage for the attack type most likely to hit them.
What “Cyber Insurance Ready” Actually Looks Like as a Chicago Managed IT Client
The firms that qualify for coverage, secure favorable premiums, and get claims paid when they need to share a common characteristic: their IT environment is continuously documented, monitored, and aligned with what their policy actually requires.
At CTI Technology, our managed IT services for law firms are structured around exactly this. The controls underwriters require, MFA enforced universally, EDR on every device, isolated and tested backups, 24/7 monitoring, and documented incident response procedures, are baseline components of our service, not optional add-ons. When a CTI client renews their cyber policy, they’re not hoping their IT environment meets the standard. They can demonstrate it does.
Our cybersecurity services are not layered on top of a managed IT engagement as an upsell. They are embedded at every level, from identity and access management to endpoint protection to email security configuration. This matters because insurers are increasingly moving from “do you have security?” to “prove it, continuously.”
Our quarterly Technology Business Reviews cover cybersecurity posture explicitly, including a review of current controls relative to your coverage requirements. Our IT strategy and consulting work ensures that when insurers change underwriting standards, that context reaches our clients before renewal, not after a denied claim. For more on how we approach document management security, our guide to Clio vs. NetDocuments vs. iManage for Chicago law firms covers the security and implementation tradeoffs in detail.
As an Illinois State Bar Association Listed IT Provider headquartered in Elgin and serving law firms throughout Chicago and the surrounding metro area, we understand the specific environment your firm operates in, including the compliance obligations under ABA Rule 1.6 that make client data protection not just an IT consideration but an ethical one.
Before Your Next Renewal, Know Where You Stand
The right time to evaluate your cyber insurance readiness is not during a breach response. It is not the week before renewal when the underwriting questionnaire arrives. It is now, while there is time to close the gaps that would otherwise cost your firm its coverage.
CTI Technology offers law firm IT assessments that evaluate your environment against current insurer requirements. Contact us to learn more.