MFA: Why Cyber Insurers and Bar Associations Now Expect It
Multi-factor authentication is no longer a nice-to-have. Cyber insurance carriers and bar associations are tightening requirements every year. What MFA actually looks like in a 10-person law firm or CPA practice, and why the managing partner's account matters most.
What MFA actually does
Multi-factor authentication adds a second proof of identity on top of a password. Instead of just "something you know" (the password), the login requires "something you have" (a phone, a token) or "something you are" (a fingerprint). Even if an attacker gets the password — through phishing, a data breach, a credential reused from another site — they can't log in without the second factor.
For an attacker, MFA changes the economics. Stealing passwords is cheap and automated; bypassing MFA at scale is expensive and manual. Most attacks against small professional services firms are opportunistic, not targeted — and opportunistic attackers move on when MFA is in their way.
Why insurance carriers care
Cyber insurance carriers have been paying out heavily on Business Email Compromise (BEC) claims since 2020. Their post-claim forensics consistently show one thing: the breached account was the one without MFA, usually because someone — often an executive — disabled it because it was inconvenient. Carriers learned. Today, every major cyber insurance application asks: do you require MFA on all accounts, including privileged and executive accounts?
The catch: if your firm answers "yes" on the application and a post-claim audit shows MFA wasn't actually enforced on the managing partner's account, the claim can be denied for misrepresentation. The cost of a misaligned answer can be hundreds of thousands in unreimbursed breach response.
Why bar associations and state regulators care
The American Bar Association's Model Rule 1.6 (confidentiality of client information) has been interpreted by state bars to require "reasonable" security measures. The California State Bar, in formal opinions and enforcement guidance, has increasingly cited MFA as part of the reasonableness baseline for cloud-stored client data. Other states are following.
What "all accounts" means in practice
The application question is "MFA on all accounts." In practice, that means:
- Microsoft 365 / Google Workspace — email, calendar, files
- Case management system (Clio, MyCase, Practice Panther, etc. for law firms) or accounting platform (QuickBooks, Xero, etc. for CPAs)
- Tax preparation software (Lacerte, ProSeries, Drake, etc.)
- Document management (NetDocuments, iManage, SharePoint, Dropbox Business)
- Billing and accounting (Bill4Time, TimeSolv, QuickBooks, etc.)
- Banking, payroll, e-filing portals
- The firm's password manager itself
If MFA is on email but not on the case management system, an attacker who phishes a paralegal can still get into client records. The chain is only as strong as the weakest link.
Why the managing partner's account matters most
BEC attacks consistently target the managing partner, CFO, or senior partner first. The attacker doesn't want a paralegal's account — they want the account that can authorize a wire transfer, send a "please forward client tax returns" email that the staff will trust, or reset other users' passwords.
Yet the managing partner's account is also the most likely to have MFA disabled. The reason is mundane: senior people log in from multiple devices, travel, hand the phone to assistants, and find MFA annoying. They either ask IT to turn it off or use weak fallback methods (SMS instead of an authenticator app).
The fix isn't to skip MFA for the partner. It's to roll out MFA the right way: authenticator app on the partner's phone (Microsoft Authenticator, Authy, or similar), backup codes printed and stored, a designated trusted device for travel, and a clear escalation path when MFA fails. Done well, MFA is invisible after the first week.
How to roll out MFA without revolt
Three pieces matter:
- Pilot first. Start with the security-conscious staff (IT lead, security officer, firm administrator). Iron out the kinks. Then expand.
- Authenticator apps, not SMS. SMS-based MFA is now considered weak — it's vulnerable to SIM-swap attacks. Use a proper authenticator app (Microsoft Authenticator, Google Authenticator, Authy) or hardware tokens for the most sensitive accounts.
- Provide the device path. If the partner doesn't want the firm's MFA app on their personal phone, give them a small dedicated device (or a hardware token like a YubiKey). Don't let "I don't want it on my phone" become the reason MFA gets skipped.
A managed IT partner can typically have MFA enforced firm-wide within 2-4 weeks, including the holdouts. The work is mostly change management, not technical.
Where Verta IT comes in
If your firm doesn't have MFA enforced on every account — including the partner's — that's the highest-impact change you can make in the next 30 days. Verta IT rolls out MFA as part of every Essential, Professional, and Premium engagement, and we can do it as a one-off project for firms that aren't ready for a full managed-IT relationship yet.
This article is informational and does not constitute legal, insurance, or compliance advice. For your firm's specific bar or regulatory obligations, consult qualified counsel.