Critical questions that every law firm should ask before closing the deal
According to recent reports from legal.io and Reuters, law firm mergers increased 21% in 2025 with deal activity anticipated to continue through the end of 2026. Merger strategy is being driven by numerous factors, including a growing imperative to scale, attract top talent, and enhance profitability.
Law firms are already exposed to heightened threat of cyber-attacks due to the type and sheer volume of highly sensitive data they hold. In a recent survey of 500 U.S. law firms, 20% reported being targeted by cyberattacks in the past year, and 8% lost or exposed sensitive data.
A merger opens firms up to fraud and cyber threats due to:
- Insider threats: Mergers often fuel fears around job security and create distraction (risk of employees falling for social engineering attacks or stealing sensitive information).
- IT integration challenges: Combining different IT systems and platforms can create security gaps, involve incompatible technologies, expose legacy systems etc.
- Expanded attack environment: Mergers often involve the movement or sharing of large amounts of highly confidential and sensitive client & firm data across systems, greatly expanding the opportunities and landscape for cyber-attack.
- Overburdened IT teams: IT and security teams are tasked with and distracted by the focus on data movement and systems integration, reducing attention on proactive security monitoring.
Navigating cybersecurity and insurance challenges during M&A
For law firms, cyber insurance is especially important during a merger or acquisition because the transaction itself creates new vulnerabilities at the exact moment the organization is most distracted. A merger expands the attack surface, increases the possibility of data exposure and can introduce uncertainty of policy coverage.
It is critically important to understand how each party’s cyber policy will respond to the deal, to assess what exposures will exist post-completion, and to prepare accordingly because coverage can change when ownership changes. Open communication and preparation with your insurance broker and insurers will reduce the likelihood of unexpected coverage restrictions or denials.
Questions that will need to be answered and issues that should be addressed include:
- What is the structure of the deal and what entity (or entities) will exist post-completion?
- How does each party’s cyber policy address “change in control?”
- Is there automatic coverage for an acquisition and will the structure of the deal trigger this provision?
- What are the incident reporting requirements on each policy and what procedures are in place to ensure that these are satisfied prior to completion of the merger?
- What is the IT transition / integration plan? What will the IT structure look like post-closing?
- If there is a residual non-operating entity that will be “run-off,” does it have continuing coverage and how long will it continue to need coverage?
- Does the post-completion operating entity’s cyber policy have any restrictions relating to the transaction or the acquired entity that may impact coverage?
Cyber insurance at the core of your M&A transaction
Cyber insurance should be viewed as a core component of M&A due diligence and not just a post-closing administrative task. Cyber policies can be complex and are not homogeneous so, most important of all, the firm should ensure that it is working with an insurance broker early in the due diligence phase, that the broker understands the intricacies of the policy wording and above all, one that understands law firms and the nuances of law firm M&A deals.
The Howden difference
Our seasoned team of law firm professionals have on average over 30 years of experience as advisors in all aspects of risk management strategy, structure, and placement, enabling them to anticipate and address your pre- and-post-close M&A-related cyber security needs.