Cybersecurity Readiness Assessment for Law Firms

1
Q1. Identity & MFA* This field is required.💡 Multi-factor authentication (MFA) is now one of the most commonly required controls for cyber insurance approval.
No MFA and shared accounts
MFA only for a few users
MFA for most users
MFA for all users
Strong MFA with conditional access and phishing-resistant methods
2
Q2. Email Security* This field is required.💡 Email remains the #1 entry point for cyberattacks, with phishing being one of the most common ways hackers gain access to business systems.
No filtering or awareness controls
Basic spam filtering only
Spam and phishing filtering in place
Filtering plus user reporting and training
Advanced email security with DMARC/SPF/DKIM and ongoing monitoring
3
Q3. Endpoint Protection / EDR* This field is required.💡 Basic antivirus is often no longer enough. Many insurers look for actively managed monitoring tools.
No endpoint protection
Basic antivirus on some devices
Antivirus on all devices
Managed EDR on most devices
Managed EDR on all devices with active response and monitoring
4
Q4. Patching & Updates* This field is required.💡 Keeping systems updated is one of the simplest ways to reduce cyber risk and demonstrate basic security controls.
No regular patching process
Ad hoc patching when issues arise
Monthly patching for some systems
Regular patching with tracking and exceptions
Automated patch management with rapid critical updates
5
What Cyber Insurance Providers Typically Look For
While every provider is slightly different, most underwriting questionnaires focus on:

Access Security
(Do you use multi-factor authentication for email, remote access, and admin accounts?)

Endpoint Protection
(Are your computers actively monitored for threats and regularly patched?)

Data Backup & Recovery
(Can your firm recover quickly from ransomware or data loss?)

Email Security
(Is phishing protection in place for your staff?)

Policies & Training
(Do attorneys and staff receive basic cybersecurity awareness training?)

Incident Response Preparedness
(Do you have a plan if something goes wrong?)

💡 The goal isn’t perfection, it’s demonstrating reasonable safeguards and documented practices.
6
Q5. Encryption & Admin Rights* This field is required.💡 Encryption protects sensitive data by making it unreadable to anyone without proper access, even if it’s stolen.
0 - No encryption or admin controls
1 - Basic encryption only
2 - Encryption on some devices and limited admin rights
3 - Encryption on all devices and role-based admin rights
4 - Full encryption with least-privilege admin access
7
Q6. Microsoft 365 Security Hardening* This field is required.💡 Out‑of‑the‑box Microsoft 365 settings prioritize ease of use, not security, so additional controls are needed to reduce risk.
0 - No hardening in place
1 - Basic settings only
2 - MFA and basic policies enabled
3 - Conditional access and advanced policies enabled
4 - Fully hardened with continuous review
8
Q7. Backup & Disaster Recovery* This field is required.💡 Backups need to be both secure and recoverable—insurers often ask if they are tested regularly.
0 - No backups or recovery plan
1 - Irregular backups only
2 - Regular backups but untested recovery
3 - Tested backups with documented recovery plan
4 - Automated backups with tested disaster recovery
9
Q8. Data Loss Prevention & File Sharing* This field is required.💡 Data Loss Prevention (DLP) helps ensure sensitive information isn’t accidentally or improperly shared outside your firm. Very important for the safety of your clients personal information.
0 - No DLP or sharing controls
1 - Limited DLP awareness
2 - Basic DLP rules and restricted sharing
3 - DLP policies with approved sharing controls
4 - Comprehensive DLP with monitored secure sharing
10
Q9. Password Management & Vendor Access* This field is required.💡 Compromised passwords and unmanaged vendor access are two of the most common ways attackers gain entry into business systems.
0 - Not in place
1 - Initial
2 - Developing
3 - Managed
4 - Optimized
11
Q10. Security Awareness Training & Phish Drills* This field is required.💡 Most cybersecurity incidents involve human error, making employee awareness one of your strongest defenses.
0 - Not in place
1 - Initial
2 - Developing
3 - Managed
4 - Optimized
12
Q11. Logging & Incident Response* This field is required.💡 System logs provide a record of activity, helping detect suspicious behavior and investigate security incidents.
0 - Not in place
1 - Initial
2 - Developing
3 - Managed
4 - Optimized
13
Q12. Policies & Cyber Insurance Readiness* This field is required.💡 Even simple written policies can strengthen your firm’s risk profile during underwriting.
0 - Not in place
1 - Initial
2 - Developing
3 - Managed
4 - Optimized
14
Add Your DomainProviding your domain (e.g., yourlawfirm.com) allows us to include a high-level external security review as part of your assessment.
15
Email address* This field is required.Enter your email to receive your cybersecurity readiness report.
Enter your email to receive the PDF results
Should be Empty: