Cyber Insurance for Accounting / CPA: What You Need

CPA firms face 900+ cyberattacks during tax season. Learn what cyber insurance covers, costs ($58/month avg), and security requirements to protect your firm.

Published September 19, 2025

Key Takeaways

  • Accounting firms face over 300 cyberattacks per week, jumping to 900+ during tax season—a 300% increase since 2020.
  • Data breaches in the financial sector cost an average of $6.08 million, with penalties under the FTC Safeguards Rule reaching $50,120 per violation.
  • Cyber insurance covers breach response costs, ransomware expenses, client notification, legal fees, and business interruption losses.
  • Most insurers now require endpoint detection and response (EDR) tools and multi-factor authentication as prerequisites for coverage.
  • The average cost of cyber insurance for accounting firms is around $58 per month, though this varies based on your firm's size and security measures.
  • Both first-party coverage (protecting your firm) and third-party coverage (protecting against client lawsuits) are essential for comprehensive protection.


Here's something most CPAs don't realize until it's too late: you're sitting on a gold mine of data that cybercriminals are actively hunting. Tax returns, Social Security numbers, bank account details, investment portfolios—your firm handles exactly the kind of information that fetches top dollar on the dark web. And if you think your antivirus software and firewall are enough protection, you're in for an expensive surprise.

In 2024, the IRS received over 250 reports of data breach incidents from tax professionals, impacting more than 200,000 clients. Accounting firms now face an average of 300 cyberattacks per week—and that number spikes to over 900 during tax season. That's where cyber insurance comes in. It's not just about recovering your files after a ransomware attack. It's about surviving the aftermath: the client lawsuits, the regulatory fines, the notification costs, and the reputational damage that can sink a firm.

Why Accounting Firms Are Prime Targets

Think about what you have access to on any given day. Client bank accounts. Investment portfolios. Payroll information. Business financial statements. Tax returns going back years. Few industries handle the sheer volume of sensitive financial data that accounting firms do, and attackers know it.

Cybercriminals have gotten strategic. They often strike right before tax deadlines or during busy audit seasons when your firm is most vulnerable and most likely to pay a ransom just to get back to work. In 2024, 59% of organizations were hit by ransomware, and 63% of ransom demands exceeded $1 million. For accounting firms, the timing makes these attacks even more devastating—imagine losing access to your systems 48 hours before the April filing deadline.

And here's the part that keeps security experts up at night: 74% of breaches involve the human element. Phishing emails that look exactly like they came from a client. Stolen credentials from a weak password. An employee clicking on what looked like a legitimate tax form attachment. You can have the best firewall money can buy, but if someone on your team falls for a deepfake video call from a 'client' asking for sensitive information, you're compromised.

The Real Cost of a Data Breach

Let's talk numbers. The average data breach in the financial sector costs $6.08 million. But that's just the average—it can get much worse. You're looking at costs that hit from every direction: forensic investigations to figure out what happened, legal fees when clients sue, notification letters to every affected person at $260-280 per individual, credit monitoring services, regulatory fines, and the revenue you lose while your systems are down.

Then there are the regulatory penalties. The FTC Safeguards Rule, which applies to tax preparers and financial advisors, carries fines of up to $50,120 per violation as of January 2025. Multiply that by the number of clients affected, and you're looking at potentially firm-ending penalties.

But perhaps the most devastating cost is the one you can't put on a spreadsheet: reputation. In 2024, a mid-sized accounting firm in the Southeast suffered a ransomware attack just 48 hours before the April tax deadline. Within 12 months, they closed their doors. Clients lost trust and left. Referrals dried up. Once word gets out that your firm lost client data, rebuilding that trust can be nearly impossible.

What Cyber Insurance Actually Covers

Cyber insurance for accounting firms typically comes in two flavors: first-party coverage and third-party coverage. You need both.

First-party coverage protects your firm directly. This is the coverage that kicks in when you're the victim. It covers forensic investigations to figure out how the attack happened and what data was compromised. It pays for the mandatory notification letters you'll need to send to affected clients. It covers crisis communications and PR consultants who can help manage the reputational damage. If attackers encrypt your files and demand ransom, it covers the extortion expenses. And critically, it covers your lost income while your systems are down and you can't serve clients.

Third-party coverage protects you when someone else suffers because of a breach at your firm. If a client's personal information gets stolen from your servers and they sue you for negligence, this coverage handles your legal defense and any damages awarded. If you recommended tax software that turned out to be compromised and client data was exposed, you're covered. This is especially important because professional liability insurance—your E&O policy—typically doesn't cover cyber incidents.

Modern policies also typically include breach response services. When an attack happens, you'll get immediate access to a response team: forensic experts, legal counsel, notification services, and credit monitoring providers. This is huge because in the chaos of a breach, you won't have time to vet vendors and negotiate contracts. Your insurance carrier has pre-negotiated relationships and can mobilize help within hours.

What Insurers Require Before They'll Cover You

Here's where it gets real: insurance companies aren't just handing out cyber policies anymore. After getting hammered with claims, carriers have gotten picky. Nearly all of them now require endpoint detection and response (EDR) tools as a minimum. That's security software that goes beyond traditional antivirus to actively monitor and respond to threats on all your devices.

Multi-factor authentication (MFA) is another non-negotiable for most carriers. If someone steals your password, MFA is the second lock on the door that stops them from getting in. You'll also need regular data backups stored offline or in immutable cloud storage where ransomware can't reach them. And increasingly, carriers want to see employee security training—proof that your team can spot phishing emails and knows what to do when something seems off.

The application process itself is thorough. Expect detailed questions about your security practices, your revenue, the types of data you handle, your client count, and your claims history. Some carriers will even run external scans of your network to check for vulnerabilities before agreeing to cover you.

How Much Coverage Do You Actually Need?

The industry rule of thumb is $1 million of coverage per 100 professionals at your firm. But honestly, that's just a starting point. Given that average breach costs in the financial sector exceed $6 million, many firms are opting for higher limits—$2 million, $5 million, or more.

Think about your specific risk profile. How many client records do you maintain? What types of clients do you serve—are they high-net-worth individuals or businesses with valuable intellectual property? Do you store data in the cloud, on local servers, or both? The more data you have and the more sensitive it is, the higher your coverage should be.

Cost-wise, accounting firms typically pay around $58 per month for cyber liability insurance, though this varies widely. A solo practitioner with strong security measures might pay less, while a larger firm with more exposure and weaker controls could pay significantly more. Your premium will also increase if you've had prior claims or if your firm has known security gaps.

Getting Started: What to Do Now

If you don't have cyber insurance yet, don't wait until tax season when your risk spikes and carriers get more cautious. Start by assessing your current security posture. Do you have EDR in place? Is MFA enabled on all systems? Are your backups actually tested and recoverable? The stronger your security, the better your rates and coverage options.

Work with an insurance broker who specializes in professional services and understands the specific risks accounting firms face. They can help you navigate the application process, shop multiple carriers, and find coverage that actually matches your needs. The AICPA and state CPA societies also offer group cyber insurance programs specifically designed for accounting professionals.

Remember: cyber insurance isn't a replacement for good security—it's a backstop for when security fails. Think of it like your professional liability insurance. You carry E&O coverage not because you plan to make mistakes, but because you're realistic about the fact that mistakes can happen despite your best efforts. Cyber insurance works the same way. You'll invest in strong security, train your staff, and implement all the right controls—and then you'll get insurance to cover you for the breach that happens anyway.

The question isn't whether your accounting firm will be targeted by cybercriminals—it's when. With over 14,000 CPA firms already carrying cyber coverage, the profession is waking up to this reality. Don't wait for a breach to force your hand. Get coverage now, while you can still choose your carrier and negotiate your terms, not when you're scrambling in the aftermath of an attack.


Frequently Asked Questions

Does my professional liability insurance cover cyber incidents?


No, traditional E&O and professional liability policies typically exclude cyber incidents. You need a separate cyber liability policy to cover data breaches, ransomware attacks, and related claims. Even if your professional liability policy doesn't explicitly exclude cyber coverage, the scope is usually too limited to cover the full range of expenses from a breach, including forensic investigations, notification costs, and regulatory fines.

How much does cyber insurance cost for a small accounting firm?


Small accounting firms pay an average of $58 per month for cyber liability insurance, though costs vary based on your firm size, security measures, data volume, and claims history. Solo practitioners with strong security controls might pay less, while firms with larger client bases or weaker security could pay $100-200 per month or more. Implementing required security measures like EDR and MFA can help lower your premium.

Will cyber insurance pay the ransom if my firm gets hit with ransomware?


Most cyber insurance policies do cover ransom payments as part of cyber extortion coverage, but there are important caveats. The decision to pay is usually made jointly between you, the insurer, and their breach response team. Some policies have sub-limits for ransom payments, and coverage may not apply if you haven't maintained required security measures like offline backups. Also, paying ransoms doesn't guarantee you'll get your data back or prevent the attackers from releasing stolen information.

What security requirements do I need to meet to get cyber insurance?


Most cyber insurance carriers now require endpoint detection and response (EDR) software, multi-factor authentication (MFA) on all systems, regular offline backups, and employee security awareness training. Some insurers also require email filtering, patch management processes, and incident response plans. These requirements have gotten stricter as carriers look to reduce their risk, so you'll need to demonstrate strong security hygiene to qualify for coverage.

How much cyber insurance coverage should my CPA firm carry?


The general benchmark is $1 million per 100 professionals, but many firms are opting for higher limits given that average financial sector breaches cost over $6 million. Consider your specific risk factors: number of client records, types of data you handle, cloud vs. local storage, and client profiles. Larger firms or those serving high-net-worth clients and businesses may need $5 million or more in coverage.

What's the difference between first-party and third-party cyber coverage?


First-party coverage protects your firm when you're directly affected by a cyber incident, covering costs like forensic investigations, data recovery, ransomware payments, business interruption, and notification expenses. Third-party coverage protects you from lawsuits when clients or others are harmed by a breach at your firm, covering legal defense costs and damages. You need both types—first-party to recover from the attack itself, and third-party to defend against the inevitable lawsuits that follow.

We provide this content to help you make informed insurance decisions. Just keep in mind: this isn't insurance, financial, or legal advice. Insurance products and costs vary by state, carrier, and your individual circumstances, subject to availability.
