We're now into the third consecutive year where cyber insurance renewals for law firms have gotten meaningfully harder. The 2026 renewal cycle is bringing new control questions, more scrutiny of attestations, and tighter underwriting. Firms that came through 2025 cleanly are seeing the bar move again.
What changed in the 2026 questionnaires
Questionnaires now consistently probe areas that were optional or absent two years ago: privileged access management with session recording, attack-surface management evidence, third-party risk monitoring evidence, and AI governance. The questions are also longer — there are more places where a 'yes' is expected to be supported by evidence.
What carriers are doing with the answers
Several major carriers are now spot-checking attestations during underwriting. A 'yes' that turns out to be aspirational rather than operational results in coverage limits, exclusions, or non-renewal. Firms that have over-stated their posture in past renewals are now getting closer scrutiny than firms that were honestly imperfect.
What firms can do now
Three things, all of which take time. First: complete an honest gap assessment now, not in the month before renewal. Second: build the evidence trail for each control — what's the policy, where's the implementation, who reviews compliance, when was the last test. Third: align with your broker on which carriers your posture actually fits, and don't waste energy submitting to carriers that won't write you cleanly.
The firms doing this well are the ones treating cyber insurance as an operational risk function, not a procurement event. Those that wait until 60 days before renewal are going to keep getting surprised.