Your professional indemnity insurer used to ask about your practising certificates, your complaints history, and your trust account processes. Now they are asking about your IT.
Questions about multi-factor authentication, data backup procedures, access controls, and incident response plans are showing up on PI renewal questionnaires across Australia. Many law firms cannot answer them. Not because the firm is negligent, but because IT has been on the to-do list for years and no one has had the time or the guidance to sort it out.
The problem is real. If you cannot answer those questions convincingly, your insurer may increase your premium, impose conditions, or in some cases decline to cover cyber-related claims. Here is what they are asking, what good looks like, and how to get there.
The Questions Your Insurer Is Asking
PI insurers are not asking about IT for fun. The legal sector is a high-value target for cyber attacks because law firms hold sensitive client data, handle trust money, and often have weaker controls than their corporate clients.
The specific questions vary by insurer, but they tend to cover the same ground. Here are the most common areas and what your insurer wants to hear.
Multi-Factor Authentication
The question: Do all staff use multi-factor authentication to access firm systems, including email and remote access?
What your insurer wants to hear: Yes. Every user, every system, no exceptions.
What good looks like: MFA (a second verification step beyond your password, typically a code or push notification from a phone app) is turned on for all Microsoft 365 accounts, your practice management system, any remote access tools, and your document management system. No staff member can log in with just a password.
How to get there: This is a configuration change in Microsoft 365 and your other platforms. It can be rolled out in a week with proper planning. Your security stack should include MFA as a non-negotiable baseline.
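As an added example (not code from the article or the firm it describes), the following PowerShell pulls the Microsoft 365 registration report so you can show your insurer, and your IT provider, exactly which accounts have not yet registered MFA. It assumes the Microsoft.Graph PowerShell module is installed and the account running it can consent to the AuditLog.Read.All scope.

```powershell
# Added example (not from the original article): MFA coverage evidence for a
# Microsoft 365 tenant, built on the Microsoft Graph PowerShell SDK.
# Assumes: Microsoft.Graph module installed; the signed-in account can consent
# to AuditLog.Read.All (an admin role is normally required for this report).
Connect-MgGraph -Scopes "AuditLog.Read.All" -NoWelcome

# One row per user, with IsMfaRegistered / IsMfaCapable / IsAdmin flags
$report = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$notRegistered    = $report | Where-Object { -not $_.IsMfaRegistered }
$adminsWithoutMfa = $notRegistered | Where-Object { $_.IsAdmin }

$total   = $report.Count
$covered = $total - $notRegistered.Count
$pct     = if ($total -gt 0) { [math]::Round(100 * $covered / $total, 1) } else { 0 }

Write-Host ("MFA registered: {0} of {1} users ({2}%)" -f $covered, $total, $pct)
Write-Host ("Admin accounts without MFA: {0}" -f $adminsWithoutMfa.Count)

# Evidence file: attach to the renewal response and hand to IT as the fix list.
# Admin accounts sort to the top because they are the ones to close first.
$notRegistered |
    Select-Object UserPrincipalName, IsAdmin, IsMfaCapable,
                  @{ n = 'Methods'; e = { $_.MethodsRegistered -join ';' } } |
    Sort-Object IsAdmin -Descending |
    Export-Csv -Path ".\mfa-gaps-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Registration is not enforcement: a registered user can still sign in with a password alone unless security defaults or a Conditional Access policy require MFA, so pair this report with a check of those settings before telling your insurer "every user, every system".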
Data Backup and Recovery
The question: Are firm data and client files backed up regularly? Are backups tested? Are backups stored offsite?
What your insurer wants to hear: Daily backups, tested quarterly, with at least one copy stored offsite and protected from ransomware.
What good looks like: Your firm follows the 3-2-1 backup rule: three copies of your data, on two different types of storage, with one copy offsite. At least one backup is immutable (it cannot be deleted or encrypted, even by an attacker with full network access). Your IT provider has documented evidence of successful restore tests.
How to get there: Review your current backup setup with your IT provider. Ask when they last tested a restore. If the answer is vague, that is your starting point. Backup and disaster recovery should be reviewed and tested regularly, not set and forgotten.
Patching and Software Updates
The question: Are operating systems and applications kept up to date with security patches?
What your insurer wants to hear: Patches are applied within a defined timeframe. Critical patches are applied urgently. No unsupported software is in use.
What good looks like: Your devices run supported operating systems (not Windows 10 past its end-of-life date). Browsers, Office, PDF readers, and your practice management system are patched regularly. Your IT provider has a patching schedule and can demonstrate that patches are being applied, not just that auto-update is switched on.
How to get there: Your IT provider should be managing patching as part of their ongoing service. If they are not tracking patch status and reporting on it, you do not have visibility of a fundamental control.
Access Controls
The question: Is access to client data restricted to authorised staff? Are former staff removed promptly?
What your insurer wants to hear: Access is based on role. Only staff who need access to specific matters can see those files. Departing staff are removed on their last day.
What good looks like: Your file server or document management system uses permission-based access. Not everyone can see everything. When a staff member leaves, their accounts are disabled the same day. Admin accounts are limited to IT staff, not shared across the firm.
How to get there: This requires a review of your current folder structure and permissions. For most small firms, it is a one-off cleanup followed by a simple process for onboarding and offboarding staff.
Incident Response
The question: Does the firm have a documented incident response plan?
What your insurer wants to hear: Yes. The firm has a written plan that covers who to contact, how to contain an incident, and how to notify affected clients and regulators.
What good looks like: A practical, short document (not a 50-page policy manual) that covers: who is the first point of contact if something goes wrong, how to isolate affected systems, when to notify the Australian Information Commissioner, and how to communicate with clients. Your staff know the plan exists and know where to find it.
How to get there: Your IT provider should help you draft this. It does not need to be complex. It needs to be real, tested, and accessible. A plan that sits in a drawer unread is the same as no plan at all.
How This Maps to Essential Eight
Every question above maps directly to the Essential Eight, the eight security controls published by the Australian Cyber Security Centre. MFA, patching, backups, access controls. They are all in there.
Getting your firm aligned with Essential Eight Level 1 does not just answer your insurer’s questions. It reduces the actual risk to your practice, your clients, and the privilege that your clients trust you to protect.
What to Do Next
If your PI renewal is coming up and you are not confident in your answers, do not guess and do not bluff. Get a clear picture of where your firm stands right now.
An IT Audit gives you exactly that. We review your firm’s security controls, backup setup, access management, and email security over 90 days and give you a documented report with clear priorities. It is $990 with no ongoing commitment. You will know what to fix, in what order, and what to tell your insurer.
We are a Sydney-based team in Bella Vista. We work with law firms across Sydney and we understand the specific pressures your practice faces. No jargon, no upselling. Just a clear assessment and practical recommendations.