Insura
Social Engineering & Wire Fraud: Cyber Insurance Coverage for Law Firms (2026)

Social Engineering & Wire Fraud: Cyber Insurance Coverage for Law Firms (2026)

John Abbott
4/19/2026

Quick Answer

Does cyber insurance cover social engineering and wire fraud for law firms?

Cyber insurance covers social engineering and wire fraud for law firms only if the policy includes a social engineering or funds transfer fraud endorsement — standard policies often sublimit this at $100K–$250K or exclude it entirely. Law firms should verify sublimits match their typical wire transfer size. Bundle with E&O: when a BEC loss also exposes client data, ABA Rule 1.6(c) creates a disciplinary risk that only the bundle closes. Chubb and Coalition offer the strongest combined coverage.

Why Law Firms Are Prime Targets for Social Engineering Attacks

Law firms handle wire transfers, trust account disbursements, and sensitive client data daily — making them high-value targets for business email compromise (BEC) and social engineering schemes. The FBI's IC3 reported that BEC losses exceeded $2.9 billion in 2024, with professional services firms disproportionately affected.

Common attack patterns targeting law firms include fraudulent wire transfer instructions impersonating clients or opposing counsel, compromised email accounts redirecting settlement funds, fake invoice schemes targeting accounts payable, and vendor impersonation targeting trust account managers.

What Cyber Insurance Covers for Social Engineering

Not all cyber policies treat social engineering equally. Coverage varies significantly by carrier and policy form.

Typically Covered

Coverage Area What It Pays For
Social engineering fraud Losses from fraudulently induced wire transfers
Business email compromise Investigation, forensics, and direct financial loss
Funds transfer fraud Unauthorized electronic fund transfers
Incident response costs Forensic investigation, legal counsel, notifications
Regulatory defense State bar ethics complaints arising from compromised client data

Common Exclusions and Sublimits

Most carriers impose sublimits on social engineering coverage — typically $100,000 to $500,000 even on policies with $1M+ aggregate limits. Key exclusions to watch for:

  • Voluntary parting: Some policies exclude losses where an employee voluntarily initiated the transfer (even if deceived)
  • Verification failure: Claims may be denied if the firm lacked dual-authorization procedures
  • Retroactive dates: Pre-existing compromises discovered after policy inception may not be covered
  • Cryptocurrency: Most policies exclude losses involving crypto transfers

Real Claims: Social Engineering at Law Firms — What Actually Happened

Understanding how BEC claims play out helps law firms select coverage with the right sublimits and controls.

Case 1 — Real Estate Closing Diversion ($287,000 lost): An attacker monitored a firm's email server for six weeks, learning the cadence of a commercial real estate closing. Days before closing, they sent wire instructions "from the title company" with a substituted account number. The associate executed the transfer without a callback verification. The firm's cyber policy covered $250,000 under the social engineering sublimit; the remaining $37,000 was unrecovered. Lesson: sublimits often fall short of a single deal's wire amount.

Case 2 — Trust Account Takeover ($410,000): Hackers compromised the managing partner's email using credentials stolen in a phishing campaign. Over 18 days, they authorized three transfers from the firm's IOLTA trust account. The cyber carrier paid the full $410,000 because the policy included a $500,000 funds transfer fraud sublimit and the firm had MFA enabled on all accounts. Lesson: MFA is not just a premium discount lever — it's a coverage eligibility condition at many carriers.

Case 3 — Settlement Misdirection ($1.1M): A mid-size litigation firm received "updated wiring instructions" via email allegedly from opposing counsel three days before a $1.1M settlement disbursement. The firm called the phone number in the email (which the attacker controlled) to confirm — a failed verification procedure. The cyber carrier denied the claim citing the "verbal verification failure" exclusion. Lesson: callback verification must use an independently sourced phone number, not one provided in the suspect communication.

ABA Rule 1.6(c): Your Confidentiality Duty and Cyber Insurance

ABA Model Rule 1.6(c) requires lawyers to "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." ABA Formal Opinion 477R (2017) extended this obligation explicitly to cybersecurity.

What this means for cyber coverage:

When a BEC attack compromises client data — even indirectly — the firm faces potential bar discipline in addition to financial loss. A standalone cyber policy covers the financial loss but does not defend state bar disciplinary proceedings. The Cyber + E&O bundle fills this gap:

  • Cyber policy: covers forensic investigation, breach notification, wire fraud recovery, and third-party liability
  • E&O / legal malpractice policy: covers client claims arising from the breach (failure to safeguard trust funds, negligent handling of sensitive files) and typically includes regulatory defense coverage for bar complaints

Most state bars have adopted some form of Rule 1.6(c), and several have issued specific guidance on cybersecurity controls. The bar's enforcement pattern: a breach alone rarely triggers discipline; failing to have reasonable safeguards (MFA, encryption, written security policy) is what draws scrutiny.

State Bar Requirements: Key Jurisdictions

Several high-volume legal markets have issued specific cybersecurity guidance:

Jurisdiction Key Requirement Source
New York Lawyers must "stay current" with cybersecurity developments; encryption required for client data in transit NYSBA Ethics Opinion 1019
California Competence includes understanding cybersecurity measures; written security policy expected State Bar Formal Opinion 2010-179
Florida Must have "reasonable" data security; MFA strongly implied Florida Bar Handbook Ch. 4
Texas Lawyers must take "reasonable precautions" to prevent unauthorized access Texas Ethics Opinion 648
New Jersey Encryption required for client data transmitted over public networks Advisory Committee Op. 701

Cyber insurance carriers in California and New York increasingly require proof of state bar compliance (written security policy, MFA deployment, staff training) as an underwriting condition for law firm applicants.

Carrier Comparison: Social Engineering Coverage for Law Firms

Carrier SE Sublimit (Typical) Verification Required? Bundle with E&O? Starting Premium
Chubb $250K–$500K Yes — callback verification Yes (Chubb LawPro) $3,500–$8,000/yr
Hartford $100K–$250K Recommended, not required Yes (via CyberChoice) $2,200–$5,500/yr
Coalition $250K (standard) Requires MFA + verification Cyber-first, E&O separate $1,800–$4,500/yr
Cowbell $100K–$250K AI-monitored controls Cyber only $1,500–$3,500/yr
Hiscox $100K Basic controls required Yes (Hiscox Pro) $1,200–$3,000/yr

Recommendation: For firms handling regular wire transfers above $50K, prioritize Chubb or Coalition for their higher social engineering sublimits. Coalition's active monitoring platform can flag suspicious email patterns before a transfer occurs.

The Cyber + E&O Bundle: Essential for Law Firms

Social engineering attacks often trigger both cyber and professional liability exposures simultaneously. When a compromised email leads to misdirected client funds, the firm faces:

  1. Cyber claim: The breach itself, forensic investigation, and direct financial loss
  2. E&O / malpractice claim: The client's claim that the firm failed to safeguard their funds
  3. Regulatory exposure: State bar ethics complaints under ABA Rule 1.6(c) for failing to make reasonable efforts to prevent unauthorized access

A standalone cyber policy leaves the malpractice and regulatory gaps uncovered. Bundling cyber + E&O (legal malpractice) typically saves 15–25% versus purchasing separately, and eliminates coverage gaps between the two policies.

Bundle Pricing by Firm Size

Firm Size Cyber + E&O Bundle (Annual) Standalone Cyber + Standalone E&O
Solo / 2–5 attorneys $2,800–$5,500 $3,500–$7,000
6–20 attorneys $5,500–$12,000 $7,000–$16,000
21–50 attorneys $12,000–$25,000 $15,000–$32,000

Reducing Your Social Engineering Risk (and Premiums)

Carriers offer premium credits of 5–15% for firms that implement these controls:

  • Dual-authorization for wire transfers above a threshold (e.g., $10K) — this is the single most impactful control
  • Callback verification using a known phone number (not the one in the email) before executing any transfer instruction change
  • Multi-factor authentication (MFA) on all email accounts — required by most carriers for coverage eligibility
  • Security awareness training focused on BEC scenarios — at least quarterly
  • Email filtering with DMARC, SPF, and DKIM properly configured

Incident Response: Your First 24 Hours After a Wire Fraud

Time is critical in wire fraud recovery. Follow this sequence immediately:

  1. 0–2 hours: Call your bank's wire recall hotline (most banks have a 24/7 fraud line). Request an immediate recall or freeze on the destination account. Recovery rates fall sharply after 24 hours.
  2. 2–4 hours: Notify your cyber insurance carrier. Most policies require notice "as soon as practicable" — do not delay for internal investigation. The carrier's incident response team will guide next steps.
  3. 4–8 hours: Preserve all evidence — email headers, wire confirmation, transfer records, phone logs. Do not alter or delete anything.
  4. 8–24 hours: File an IC3 complaint at ic3.gov. The FBI's Internet Crime Complaint Center coordinates with financial intelligence units and law enforcement globally; early filing dramatically improves recovery odds.
  5. Day 1–3: Engage breach counsel (covered under your cyber policy) to assess bar notification obligations and manage client communications. Attorneys have reporting duties in most jurisdictions when client funds are affected.

How to File a Social Engineering Claim

If your firm suspects a BEC or wire fraud incident:

  1. Contact your bank immediately — request a wire recall (success rate drops sharply after 24 hours)
  2. Notify your cyber carrier within 24 hours — most policies have strict reporting windows
  3. Preserve all evidence — emails, headers, transfer confirmations, phone records
  4. File an IC3 complaint at ic3.gov — this supports both law enforcement and your claim
  5. Engage breach counsel — your cyber policy typically covers this cost

Frequently Asked Questions

Does my law firm's standard cyber policy cover social engineering losses?
Not automatically. Most base cyber policies exclude or heavily sublimit social engineering — the standard policy is built for breach response (forensics, notification, ransomware). To cover wire fraud and BEC losses, you need a specific social engineering or funds transfer fraud endorsement. Review your declarations page for "social engineering," "funds transfer fraud," and "voluntary parting" language before assuming you're covered.

What happens if my employee authorized the transfer — is the claim denied?
It depends on the policy language. Policies with a "voluntary parting" exclusion can deny claims where an employee intentionally (even if deceptively induced) initiated a transfer. Better-worded policies cover "fraudulently induced" transfers regardless of employee intent. Always ask your broker to confirm that the policy explicitly covers employee-initiated transfers resulting from phishing or social engineering before binding.

How much social engineering coverage does a law firm actually need?
A good rule of thumb: your social engineering sublimit should be at least equal to your largest single wire transfer in the past 12 months. For firms handling real estate closings or large settlements, that often means $500K or more — a limit that eliminates most standard-market carriers (who cap at $100K–$250K) and points toward Chubb's or Coalition's higher-limit programs.

Does my E&O (legal malpractice) policy cover a BEC loss?
Generally no. Legal malpractice policies are designed for professional errors and omissions — giving bad advice, missing a deadline, failing to file properly. They do not cover first-party financial losses from a wire fraud. However, if a client sues the firm for failing to safeguard trust funds (a negligence theory), the E&O policy may cover the defense and damages. This is precisely why the Cyber + E&O bundle matters: it closes both the direct loss and the client-facing liability gap.

Can I add social engineering coverage mid-policy?
Yes, in most cases. You can endorse your existing cyber policy to add or increase the social engineering sublimit at renewal or mid-term. Mid-term endorsements are subject to underwriter approval and may require updated controls documentation. If you've had a recent BEC incident, carriers may decline to add the endorsement or impose a waiting period.

How do I verify that a wire transfer request is legitimate?
The gold standard: call the requester using a phone number from your existing records — never the number in the email or document that arrived with the request. Attackers routinely embed substitute phone numbers. For any transfer above your dual-authorization threshold, require two separate employees to independently verify the request before execution. Document the verification in writing.

Related Coverage Guides

Get Protected: Compare Cyber + E&O Quotes

Social engineering coverage gaps are among the most common reasons law firms discover their cyber policy is inadequate — usually after an incident. Don't wait for a wire fraud loss to audit your coverage.

Compare cyber + E&O bundle quotes from Chubb, Hartford, Coalition, and more →

Get quotes in under 10 minutes. No obligation. Coverage can bind same-day.

Compare cyber insurance quotes from top-rated carriers — in minutes, not days.

Recommended Articles

What would cyber coverage cost your business? Answer 3 questions for personalized quotes. Get Cyber Quotes →