Your Professional Indemnity insurer wants proof, not promises. At 2026 renewal they expect documented evidence of MFA on every account, EDR on every endpoint, immutable backups, a tested incident response plan, vendor risk records, and current security awareness training logs. If you can’t produce these on demand, expect higher premiums, tighter sub-limits, or a declinature.
That’s the short answer. The longer answer is that conversations about law firm cybersecurity in Australia have changed shape since 2023. PI underwriters in the Australian legal market — Lawcover, LMI, Marsh-placed syndicates, and the London market behind most boutique brokers — used to ask a single tick-box question about “having antivirus”. Renewal questionnaires in 2025 and 2026 run twenty to forty technical questions deep, and a “yes” with no evidence is functionally a “no” at claim time.
This post is the practical brief for partners, principals, and practice managers at Melbourne firms with five to a hundred staff. It’s written from the engineering side: what underwriters now demand, what that actually looks like in a working firm, where Melbourne practices keep getting caught, and what to have ready before your broker rings.
Why PI underwriting changed
The Optus breach in September 2022 and Medibank a month later reframed cyber risk in the Australian insurance market. Reinsurers based in London and Munich repriced Australian cyber and PI cover almost immediately. By the 2024 renewal cycle, every Australian PI insurer touching the legal sector had rebuilt their underwriting questionnaires around the same control set — the one the Australian Cyber Security Centre had been publishing as the Essential Eight since 2017.
Three things shifted at once. First, the Notifiable Data Breaches scheme — administered by the OAIC under the Privacy Act 1988 — generated enough public data that underwriters could finally model breach frequency by sector. Legal services consistently sit in the top five by notifications per thousand businesses. Second, the Legal Profession Uniform Law’s professional conduct rules around client confidentiality were tested in several disciplinary matters where the underlying cause was a cyber incident, not deliberate disclosure. The VLSB+C (Victorian Legal Services Board and Commissioner) takes a dim view of practitioners who lose privileged material through preventable controls failures. Third, business email compromise losses on conveyancing and family law settlements stopped being rare. They became the most common notification type from the legal sector.
The combined effect: insurers stopped treating cyber as an adjacent line and started treating it as a core PI risk. A breach that exposes client trust account details, leaks privileged advice, or redirects settlement funds is now a PI loss, not just a cyber loss. That’s why the questionnaires got longer.
The controls underwriters now require evidence of
Below is the control set we see consistently across renewal questionnaires for Melbourne legal practices in 2025 and 2026. The exact wording varies between insurers in the Australian legal market, but the substance is consistent. “Evidence” in the right column means what we hand to the broker — not a verbal assurance.
| Control | What underwriters expect | Evidence we provide |
|---|---|---|
| Multi-factor authentication | MFA on every account that can access email, practice management, document management, trust accounting, and remote access. No exceptions for partners or senior staff. | Conditional access policy export from Entra ID showing 100% coverage; sign-in logs demonstrating MFA enforcement. |
| Endpoint Detection and Response | EDR on every endpoint and server — not signature-based antivirus. Behavioural detection, 24/7 monitoring, automated isolation. | Vendor licence count matching device count; SOC console screenshots; recent detection and response examples. |
| Immutable backups | Backups that ransomware operators cannot delete or encrypt, even with administrative credentials. Offline or object-locked copies. | Backup architecture diagram; restore test results from the last six months; 3-2-1-1-0 verification (three copies, two media types, one off-site, one offline or immutable, zero errors on restore test). |
| Email security and BEC controls | Advanced anti-phishing, DMARC at p=reject, internal phishing simulation, and process controls for changing bank details on settlements. | DMARC report; phishing simulation results; documented dual-approval process for payment changes. |
| Patching | Operating systems and applications patched within fourteen days of vendor release; critical patches within forty-eight hours. | Patch compliance reports by device class; exception register for unpatchable systems. |
| Privileged access management | Separate admin accounts, just-in-time elevation where practicable, no shared credentials, no domain admin used for daily work. | Admin account inventory; PAM tool reports; evidence that partners do not have local admin on their daily-driver laptop. |
| Incident response plan | A written, tested IR plan with named roles, escalation paths, breach notification flowchart, and an external IR retainer. | The plan itself; tabletop exercise minutes; signed IR retainer with a DFIR firm. |
| Vendor risk management | A register of every third party touching firm data — counsel chambers, e-discovery providers, court filing platforms, accounting software — with security posture assessed. | Vendor register; SOC 2 or ISO 27001 certificates collected from key vendors; data flow map. |
| Security awareness training | Annual mandatory training, with quarterly phishing simulation and remedial training for staff who click. Records kept for every employee including partners. | LMS completion reports; phishing simulation click-rate trend; remedial training records. |
| Logging and monitoring | Centralised logs from identity, endpoint, email, and firewall, retained for at least twelve months, reviewed by a SOC. | SIEM or XDR coverage matrix; retention configuration; SOC engagement summary. |
This is the spine of the Essential Eight in legal-firm clothing. If you’ve already mapped your controls to the ACSC framework, you’ve done most of the work — see our Essential 8 compliance guide for how the maturity levels translate into renewal evidence. The broader operational picture for Melbourne firms is covered in our piece on managed IT for Melbourne law firms, which goes deeper on day-to-day workflows. This post stays focused on what the underwriter wants to see.
How Melbourne law firms actually get caught
The questionnaire controls aren’t theoretical. Each one exists because insurers paid claims on a specific failure mode. Three patterns dominate the legal-sector losses we see across Melbourne.
BEC during property settlement
A boutique conveyancing practice in Hawthorn, eight staff, ran a standard residential settlement through PEXA. Two weeks before settlement, the conveyancer’s email account was compromised through a credential-stuffing attack — the practitioner reused a password that had appeared in a 2021 breach dump. The attacker sat in the mailbox for nine days, set up an Outlook rule to auto-forward and delete anything containing the matter reference, and at the right moment sent the purchaser’s solicitor a “corrected” trust account BSB and account number from a lookalike domain registered three weeks earlier.
The purchaser’s funds — $847,000 — landed in a mule account in Sydney and were withdrawn within ninety minutes. The PI claim covered the loss but the renewal premium tripled, the firm was placed on a remediation programme by the insurer, and the principal had a conversation with the VLSB+C that no principal wants to have.
What would have stopped it: MFA on the email account (would have blocked the credential stuffing); DMARC at p=reject on the firm’s domain (would have made the lookalike-domain trick harder); a dual-approval process for any change to settlement bank details that requires verbal confirmation on a known phone number; an inbox rule audit running weekly. Every one of those is now a tick-box on the renewal questionnaire.
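The weekly inbox-rule audit mentioned above, written out as an added example (this is not code from the original post or from TechAssist). It takes rule exports in the shape Exchange Online's Get-InboxRule returns; the mailbox, domain and rules are constructed for the example, and the firm's own mail domains are assumed to be listed in INTERNAL_DOMAINS.

```python
"""Weekly inbox-rule audit for the BEC pattern above: a rule that forwards or
redirects mail outside the firm, deletes or hides messages matching a matter
reference, or both. Input mimics the fields Exchange Online's Get-InboxRule
returns (Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo,
DeleteMessage, MoveToFolder, SubjectOrBodyContainsWords); the rules below are
constructed for this example, not taken from any real mailbox."""
import re

INTERNAL_DOMAINS = {"firm.example"}          # assumed: the firm's own mail domains
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "deleted items", "junk email", "archive"}

# Constructed sample: one legitimate filing rule, one attacker persistence rule.
RULES = [
    {"Mailbox": "conveyancer@firm.example", "Name": "Newsletters", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": [],
     "DeleteMessage": False, "MoveToFolder": "Reading",
     "SubjectOrBodyContainsWords": ["newsletter"]},
    {"Mailbox": "conveyancer@firm.example", "Name": ".", "Enabled": True,
     "ForwardTo": ["Settlements [SMTP:settle.notify@mail-relay.example]"],
     "RedirectTo": [], "ForwardAsAttachmentTo": [],
     "DeleteMessage": True, "MoveToFolder": None,
     "SubjectOrBodyContainsWords": ["MAT-20451", "settlement"]},
]

ADDR_RE = re.compile(r"SMTP:([^\]\s]+)", re.IGNORECASE)

def recipient_address(entry):
    """Exchange renders recipients as 'Display Name [SMTP:user@domain]'; fall back
    to the raw string when it is already a bare address."""
    m = ADDR_RE.search(entry)
    return (m.group(1) if m else entry).strip().lower()

def external_recipients(rule, internal_domains):
    """Every forward/redirect target whose domain is not one of the firm's."""
    addrs = [recipient_address(e)
             for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
             for e in rule.get(key) or []]
    return [a for a in addrs if a.rsplit("@", 1)[-1] not in internal_domains]

def audit_rule(rule, internal_domains=INTERNAL_DOMAINS):
    """Return the list of reasons a rule warrants review (empty if it looks benign)."""
    reasons = []
    if not rule.get("Enabled", True):
        return reasons
    ext = external_recipients(rule, internal_domains)
    if ext:
        reasons.append("forwards or redirects outside the firm: " + ", ".join(ext))
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching messages")
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves matches to a rarely read folder ({rule['MoveToFolder']})")
    if len(rule.get("Name", "").strip(" .")) == 0:
        reasons.append("rule name is blank or punctuation only")
    # Keyword filters on their own are normal; they matter combined with the above.
    if reasons and rule.get("SubjectOrBodyContainsWords"):
        reasons.append("scoped to keywords: " + ", ".join(rule["SubjectOrBodyContainsWords"]))
    return reasons

def audit_mailboxes(rules, internal_domains=INTERNAL_DOMAINS):
    """Findings across all mailboxes, the rules with the most red flags first."""
    findings = []
    for rule in rules:
        reasons = audit_rule(rule, internal_domains)
        if reasons:
            findings.append({"mailbox": rule["Mailbox"], "rule": rule["Name"],
                             "reasons": reasons})
    return sorted(findings, key=lambda f: -len(f["reasons"]))

if __name__ == "__main__":
    for f in audit_mailboxes(RULES):
        print(f"{f['mailbox']}  rule {f['rule']!r}: " + "; ".join(f["reasons"]))
```

Feed it the output of Get-InboxRule for every mailbox on a schedule and keep each week's findings list with the evidence pack; an empty list is itself evidence.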
Ransomware on the practice management system
A 22-lawyer commercial firm in William Street ran LEAP on an on-premises Windows server. The server was patched, the firm had antivirus, and they had backups on a Synology NAS that was reachable from the domain. On a Tuesday afternoon a paralegal opened an invoice attachment that wasn’t an invoice. By Wednesday morning the LEAP database was encrypted, the file shares were encrypted, the Synology backups had been encrypted because the backup service account had write access to the NAS, and the only clean restore point was a three-month-old archive on a USB drive in the office manager’s desk drawer.
The firm was offline for nine business days. Court deadlines were missed. The reconstruction of work-in-progress cost more than the ransom demand. PI cover responded but the insurer required, as a condition of renewal, EDR with managed response, immutable backups with offline copies, and segregation of the backup environment from the production domain. They also required documented evidence that the firm had moved off the legacy AV product within sixty days.
What would have stopped it: EDR with behavioural detection (would have killed the ransomware process before encryption started); immutable backups (the Synology was the single point of failure); least-privilege on the backup service account (it had no business being able to write to anything except the backup repository); a tested restore process.
Departing-staff conflict-of-interest exfiltration
A family law boutique in Camberwell, six lawyers, had an associate resign and move to a competing practice down the road. In her last fortnight she synced her firm OneDrive to a personal Dropbox, emailed forty-seven matter files to a Gmail address, and copied the client list to a USB stick. The firm only found out when a former client rang asking why the new practice already knew about her matter.
This isn’t a hacker story. It’s a controls story. The OneDrive sync to personal storage was permitted because nobody had configured a conditional access policy blocking personal Microsoft accounts on managed devices. The email exfiltration ran unnoticed because the firm had no DLP rules on outbound attachments. The USB copy worked because removable storage wasn’t blocked. The PI insurer paid the resulting client claims but the firm now has formal data loss prevention controls in place — because the renewal questionnaire asked, and a “no” wasn’t an option.
Where the LIV, VLSB+C, and Uniform Law sit in this
The Law Institute of Victoria publishes practice guidance on technology use and increasingly references the Essential Eight directly. The VLSB+C, as the regulator, doesn’t run a separate cyber compliance regime — but the Legal Profession Uniform Law’s professional conduct rules around client confidentiality apply to electronic records the same way they apply to paper. If privileged material walks out the door because controls were absent, that’s potentially a conduct matter, not just a cyber incident.
The OAIC sits across this as the regulator for the Notifiable Data Breaches scheme. Any breach involving personal information that’s likely to result in serious harm must be notified within thirty days. For a law firm, almost any breach meets that threshold because the data is, by definition, sensitive. The OAIC’s reasonable steps test under APP 11 looks remarkably similar to the Essential Eight in practice.
None of these bodies mandate a specific technical control set. Together they make absence of one indefensible. PI underwriters know this, which is why their questionnaires read like an APP 11 audit with a managed-services flavour. Our guide to IT compliance for legal practices goes deeper on the regulatory side; this post is focused on the insurance side because that’s the meeting that’s coming up next.
The PI questionnaire decoded
If you’ve been handed a 2026 renewal questionnaire, the questions tend to cluster into seven domains. Here’s how to read them.
| Questionnaire domain | What they’re really asking | Where firms trip up |
|---|---|---|
| Identity and access | Do you have MFA on every account, or just on email for some staff? | Partners and IT admins exempted from MFA “for convenience”. This is now a hard fail. |
| Endpoint security | Is your endpoint product EDR or AV? Who responds when it triggers at 2am? | Naming a legacy AV product. Buying EDR but not having anyone watching the console. |
| Backups | Can a ransomware operator with domain admin credentials destroy your backups? | NAS backups on the same domain. Cloud backups in the same tenant as production with no immutability lock. |
| Email and BEC | What stops a fraudulent settlement-redirection email from reaching your inbox, and what stops your staff actioning it? | No DMARC. No dual-approval process for changes to client banking details. |
| Incident response | If you discover a breach at 4pm Friday, who do you call? | No retainer in place. Plan exists but has never been tested. |
| Vendor management | Who touches your data outside the firm, and how do you know they’re secure? | No register. Counsel chambers and e-discovery vendors never assessed. |
| People | Do staff know what a phishing email looks like, and is there a record proving you trained them? | Ad-hoc training with no records. Partners exempt themselves and then click the worst links. |
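The “No DMARC” trip-up in the Email and BEC row above, turned into a check as an added example (not code from the original post or from TechAssist). The record strings are constructed; in practice the input is the TXT record at _dmarc.<domain> pulled from DNS, and the “bar” encoded here (p=reject, pct=100, subdomains no weaker, aggregate reporting on) is this example's reading of what the table asks for.

```python
"""Evaluate a published DMARC record against the p=reject bar underwriters ask
about, and explain any shortfall. Note the scope: a DMARC record on the firm's
own domain only governs mail claiming to be that exact domain; a lookalike
domain registered by someone else is outside its reach and needs other controls.
The sample records below are constructed for this example."""

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

# Constructed samples: one that meets the bar, one partially enforced, one monitoring only.
GOOD_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@firm.example; adkim=s; aspf=s"
WEAK_RECORD = "v=DMARC1; p=quarantine; pct=50; sp=none; rua=mailto:dmarc@firm.example"
MONITOR_ONLY = "v=DMARC1; p=none"

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a dict keyed by lowercase tag.
    Tag names are case-insensitive; values keep their case for mailto: URIs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def evaluate_dmarc(txt):
    """Return (meets_bar, findings). Findings are empty only when p=reject applies
    to 100% of failing mail, subdomains are no weaker than the organisational
    policy, and an rua= address exists so the 'DMARC report' evidence is produced."""
    tags = parse_dmarc(txt)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        return False, ["not a DMARC record (missing v=DMARC1)"]
    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        return False, ["missing or invalid p= tag"]
    if policy != "reject":
        findings.append(f"policy is p={policy}; underwriters expect p=reject")
    try:
        pct = int(tags.get("pct", "100"))   # pct defaults to 100 when absent
    except ValueError:
        pct = 0                              # treat an unparseable pct as unenforced
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    sub = tags.get("sp", policy).lower()     # sp defaults to p when absent
    if POLICY_RANK.get(sub, -1) < POLICY_RANK[policy]:
        findings.append(f"subdomain policy sp={sub} is weaker than p={policy}")
    if not tags.get("rua"):
        findings.append("no rua= address: aggregate reports are not being collected")
    return not findings, findings

if __name__ == "__main__":
    for label, rec in (("good", GOOD_RECORD), ("weak", WEAK_RECORD), ("monitor", MONITOR_ONLY)):
        ok, why = evaluate_dmarc(rec)
        print(f"{label}: {'meets bar' if ok else 'falls short'} {why}")
```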
What “evidence-ready” actually looks like
The phrase brokers use is “evidence-ready”. Insurers want a folder — usually shared via a secure portal — containing the documents that back each questionnaire answer. For a 30-person Melbourne firm, that folder typically holds:
- An information security policy, signed by the managing partner, dated within the last twelve months.
- The incident response plan, with a tabletop exercise record from the last six months.
- A network diagram showing the firm’s environment, including cloud tenancy boundaries.
- A data flow map showing where client data lives — practice management, document management, email, archives.
- Backup architecture and the most recent restore test report.
- MFA coverage report exported from Entra ID or the equivalent identity platform.
- EDR licence and coverage report.
- Patch compliance report by device.
- Phishing simulation results for the last twelve months.
- Security awareness training completion records for every employee.
- Vendor risk register with current SOC 2 or ISO 27001 reports for material vendors.
- Penetration test report or vulnerability assessment dated within the last twelve months.
- Cyber insurance certificate if held separately from PI.
- IR retainer agreement with a DFIR firm.
This is roughly what we maintain for our legal-sector clients on a rolling basis. The first time a firm builds this folder it takes about six weeks. After that it’s a quarterly review.
The trust account angle
Trust accounts deserve their own paragraph because they’re where the PI conversation gets sharpest. The VLSB+C’s trust account inspection regime focuses on financial controls, not cyber controls — but a compromised email account that authorises a trust withdrawal is a trust account failure with a cyber root cause. The principles are similar to what we’ve written about for the accounting sector in our accounting firm data security and trust account protection piece, but legal practices have additional confidentiality obligations on top.
For firms that handle trust accounts, the additional controls underwriters look for are:
- Segregation of duties so no single person can authorise a trust payment and change a bank detail.
- Out-of-band verification — a phone call to a known number, not the number in the email — for any change to settlement banking details.
- Logging of every change to bank account details in the practice management system.
- Restrictions on remote access to the trust accounting module.
The IR retainer question
This one trips firms up consistently. A growing number of PI questionnaires ask whether the firm has a “pre-engagement with an incident response provider”. A yes-or-no answer with no documentation isn’t enough; underwriters want to see the agreement, the SLA on response time, and the name of the DFIR firm.
The reason is practical. A breach at 4pm on a Friday in a firm without a retainer means the principal spends Friday night ringing law firms (ironic) for referrals, then ringing IR firms who all quote a five-figure engagement fee before they’ll start work, then waiting until Monday morning for forensics to begin. By then the attacker has been in the environment for sixty-plus additional hours. With a retainer, the call goes to a 24/7 hotline, the engagement is pre-papered, and the analyst is in your environment within an hour.
TechAssist’s NOC at Tecoma runs 24/7 with sub-fifteen-minute P1 response, and we maintain DFIR relationships for clients who need separate forensics capability. The retainer doesn’t replace your MSP’s incident response — it’s the specialist forensics and legal-privilege layer that sits above it.
Cost framing
The question every managing partner asks is what this costs. Rough order of magnitude for a Melbourne firm of 25 staff, looking at what insurers now expect as table stakes:
| Control area | Indicative annual cost (25-staff firm) | Notes |
|---|---|---|
| MFA and conditional access (Entra ID P1/P2) | Already covered in most Microsoft 365 Business Premium licences | Configuration effort, not licence cost, is the spend. |
| EDR with managed response | $60-120 per endpoint per year | Includes 24/7 SOC monitoring; AV-only is no longer accepted. |
| Immutable backup with offline copy | $8,000-15,000 per year depending on data volume | Usually replaces an existing backup product, not additive. |
| Security awareness training and phishing simulation | $30-50 per user per year | Records retention is part of the value. |
| Penetration test (external + light internal) | $8,000-15,000 every twelve to eighteen months | Required by some questionnaires; recommended by all. |
| IR retainer | $3,000-8,000 per year | Plus hourly rates if invoked. Retainer keeps the meter off. |
| Vendor risk management programme | Included in managed service for our legal clients | Standalone tools exist but add complexity for small firms. |
The savings sit on the other side of the ledger — in PI premium itself, in the avoided cost of a single BEC loss, and in the avoided cost of unwinding a ransomware event. A 25-staff firm seeing premium reductions of 10-20% on a $40,000-$80,000 PI line is paying for most of the control uplift through the insurance line alone.
How TechAssist works with law firms on this
We’ve been running managed IT for Melbourne legal practices since 2014. The team is thirteen Australian engineers, all local, with the 24/7 NOC at Tecoma in Melbourne’s east. Our controls are Essential Eight aligned and our delivery is ISO 27001 capable, which matters because the same questionnaire that asks about your controls also asks about your MSP’s controls — and your MSP either passes that sub-questionnaire or becomes the weak link in your renewal.
For PI-renewal-ready engagements we work to a four-stage pattern: gap assessment against the questionnaire your broker uses; remediation plan with priority order driven by the questions most likely to determine pricing; implementation with evidence captured from day one; and a documentation pack handed to your broker. The full picture of how we handle ongoing operations for legal sector clients is in our broader piece on IT support for Australian law firms, which covers the day-to-day. The cybersecurity layer is detailed at cybersecurity services Melbourne.
P1 response sits under fifteen minutes by SLA. We’ve had to use that response time on legal-sector incidents, including BEC attempts caught mid-attack and one ransomware event isolated before encryption spread off the patient-zero machine. The pre-existing IR retainer made the difference in both cases.
If your renewal is coming up
Pull the questionnaire from your broker now, not when the renewal date arrives. Read it cold and mark each question green, amber, or red. Green is “yes, with evidence in the folder”. Amber is “yes, but the evidence is thin”. Red is “no, or I don’t know”.
Take the reds first. The high-leverage ones are usually MFA-everywhere, EDR with managed response, immutable backups, an IR retainer, and a dual-approval process on settlement banking details. Those five, properly implemented and documented, move the needle on premium more than any other combination.
If the questionnaire mentions specific frameworks — Essential Eight, ISO 27001, NIST CSF — ask the broker which one the underwriter weights most heavily. For the Australian legal market it’s almost always Essential Eight, and the maturity level expected is typically Maturity Level 2 (ML2) for firms over twenty staff.
If you’d like a hand with any of this — the gap assessment, the remediation, the evidence pack — get in touch via our contact page or call 1300 028 324. Mention you’re working on a PI renewal and we’ll structure the conversation around the questionnaire rather than running through a generic discovery.
Frequently asked questions
What does Lawcover require for cyber controls at renewal?
We don’t speak for any specific insurer’s underwriting position and you should confirm directly with your broker. What we observe across questionnaires from insurers active in the Australian legal market — including Lawcover-placed risks, LMI, and London-market boutique syndicates — is convergence on the Essential Eight control set, EDR rather than signature AV, immutable backups, documented IR plans, and security awareness training records. Specific wording and thresholds vary; the underlying expectations don’t.
Our PI insurer wants “evidence of MFA”. What does that mean in practice?
They want a report, not a statement. For Microsoft 365 environments that’s typically the Authentication Methods Activity report or a conditional access policy export from Entra ID showing the policy, its assignment to all users, and sign-in logs proving MFA fires on every sign-in. For other identity platforms the equivalent applies. A screenshot of the MFA setup page isn’t evidence; a sign-in log is.
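One way to turn a sign-in log export into the MFA evidence this answer and the MFA row of the controls table describe, as an added example (not code from the original post or from TechAssist). Field names follow the Microsoft Graph signIn resource (userPrincipalName, isInteractive, authenticationRequirement, conditionalAccessStatus, status.errorCode); the records, accounts and domain are constructed for the example.

```python
"""Summarise an Entra ID sign-in log export into what an underwriter can read:
which accounts always satisfied MFA, which did not, and which completed sign-ins
that no Conditional Access policy evaluated at all. The records below are
constructed sample data shaped like the Graph signIn resource, not real logs."""
from collections import defaultdict

# Constructed sample: one partner fully covered, one partner with a "convenience"
# exemption, an admin account no policy applies to, and a paralegal whose only
# single-factor entries are a failed sign-in and a non-interactive token refresh.
SIGN_INS = [
    {"userPrincipalName": "partner.a@firm.example", "isInteractive": True,
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"userPrincipalName": "partner.b@firm.example", "isInteractive": True,
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"userPrincipalName": "Partner.B@firm.example", "isInteractive": True,
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"userPrincipalName": "admin.svc@firm.example", "isInteractive": True,
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    {"userPrincipalName": "paralegal.c@firm.example", "isInteractive": True,
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"userPrincipalName": "paralegal.c@firm.example", "isInteractive": True,
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "success", "status": {"errorCode": 50126}},
    {"userPrincipalName": "paralegal.c@firm.example", "isInteractive": False,
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
]

def successful_interactive(records):
    """Only completed interactive sign-ins show what policy enforced; failed
    attempts and silent token refreshes are excluded from the evidence."""
    return [r for r in records
            if r.get("isInteractive") and r.get("status", {}).get("errorCode") == 0]

def mfa_coverage(records):
    """Per-account counts over successful interactive sign-ins."""
    per_user = defaultdict(lambda: {"mfa": 0, "single_factor": 0, "no_policy": 0})
    for r in successful_interactive(records):
        row = per_user[r["userPrincipalName"].lower()]   # UPNs are case-insensitive
        if r.get("authenticationRequirement") == "multiFactorAuthentication":
            row["mfa"] += 1
        else:
            row["single_factor"] += 1
        if r.get("conditionalAccessStatus") == "notApplied":
            row["no_policy"] += 1
    return dict(per_user)

def mfa_exceptions(records):
    """Accounts that completed an interactive sign-in without MFA: the 'partners
    exempted for convenience' finding the questionnaire treats as a hard fail."""
    return sorted(u for u, row in mfa_coverage(records).items() if row["single_factor"])

def unpoliced_accounts(records):
    """Accounts with successful sign-ins that no Conditional Access policy evaluated,
    which usually points at an exclusion group or an overlooked account type."""
    return sorted(u for u, row in mfa_coverage(records).items() if row["no_policy"])

def coverage_percent(records):
    """Share of active accounts whose every interactive sign-in satisfied MFA."""
    cov = mfa_coverage(records)
    if not cov:
        return 0.0
    clean = sum(1 for row in cov.values() if row["single_factor"] == 0)
    return round(100.0 * clean / len(cov), 1)

if __name__ == "__main__":
    print(f"MFA coverage: {coverage_percent(SIGN_INS)}%")
    print("Accounts with single-factor sign-ins:", mfa_exceptions(SIGN_INS))
    print("Accounts outside any policy:", unpoliced_accounts(SIGN_INS))
```

Run it over a full retention window rather than a week; an account that only ever signs in non-interactively will not appear at all, which is itself worth a line in the exception register.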
Do we need a separate incident response retainer if we already have a managed service provider?
Most renewal questionnaires ask the question in a way that expects yes. The MSP handles operational response — isolating endpoints, restoring from backup, locking down accounts. A DFIR retainer adds forensics under legal privilege, breach notification advice, and the chain-of-custody work that holds up in a regulator investigation or insurance claim dispute. The two are complementary. For smaller firms we sometimes structure this through the MSP’s partnerships rather than a direct DFIR retainer, which is generally acceptable to underwriters if the arrangement is documented.
How long does it take to get evidence-ready for a renewal?
For a firm starting from “we have antivirus and basic backups”, expect six to twelve weeks to reach evidence-ready, depending on the existing environment. The technical implementations can happen quickly — MFA rollout in two weeks, EDR deployment in a week, backup re-architecture in three to four weeks. The documentation and policy work is what extends the timeline. Most firms underestimate the policy side and overestimate the technical side.
If we fail the questionnaire, will we lose cover?
Outright declinature is rare; what happens more often is higher premium, lower limits, ransomware sub-limits, or specific exclusions written into the policy. Some insurers in the Australian legal market will offer cover conditionally — with a remediation deadline and a follow-up assessment in six months. The worst outcome we see isn’t refusal; it’s a policy that pays out at claim time only to the extent the firm can prove it met the controls it said it had at renewal. Failure-to-disclose claims are a recurring source of disputes.
We’re a five-partner firm with one practice manager and no IT staff. Is this all proportionate?
The control set scales down well. MFA is free with your Microsoft licensing. EDR for ten endpoints is around $600-1200 a year. Immutable backup for a small firm is a few thousand. The documentation is shorter because the environment is simpler. The premium savings are proportional too — small firms see absolute premium reductions that more than cover the spend. The trap small firms fall into is assuming size buys them out of the questionnaire. It doesn’t.
