Accounting and bookkeeping firms hold some of the most sensitive financial data in existence — Social Security numbers, bank account details, tax returns, payroll records. A single breach can expose hundreds of clients and trigger multi-state notification obligations. Cyber liability insurance pays for breach response, legal defense, regulatory fines, and client notification costs so the firm survives an incident that would otherwise be catastrophic.
Who this is for: CPAs, enrolled agents, bookkeepers, payroll processors, and tax preparers — sole practitioners through mid-size firms — who handle client financial records in any digital format.
TL;DR — Key Takeaways
- Accounting firms are high-value ransomware targets because they aggregate tax, payroll, and banking data for dozens or hundreds of clients simultaneously.
- A typical standalone cyber policy for an accounting firm costs $1,200–$4,500 per year depending on revenue, client count, and security controls.
- Claims-made is the standard trigger form for cyber policies; prior acts coverage and an extended reporting period (ERP) matter when switching carriers.
- State data breach notification laws apply to CPA firms; most states require notification without unreasonable delay (with statutory deadlines commonly ranging from 30 to 90 days where specified) — costs the insurer covers.
- Professional liability (E&O) does not cover breach response costs; a standalone or endorsement cyber policy is required.
Why Accountants Face Elevated Cyber Exposure
Accounting and bookkeeping firms are disproportionately targeted for several reasons:
- Data density: A 10-person CPA firm may hold tax returns, W-2s, and bank account numbers for 500+ clients — a single breach yields identity theft material in bulk.
- Third-party access: Tax software portals (Drake, Lacerte, UltraTax), cloud bookkeeping platforms (QuickBooks Online, Xero), and payroll processors create multiple entry points.
- Business email compromise (BEC): Fraudsters impersonate partners to redirect client ACH payments or wire transfers — BEC losses are a common cyber claim for bookkeepers.
- IRS identity theft: Stolen Preparer Tax Identification Numbers (PTINs) and e-file credentials can be used to file fraudulent returns in clients' names — the firm faces regulatory scrutiny even if it was the victim.
- Small-firm security gaps: Solo practitioners and small firms rarely have dedicated IT, making them softer targets than large enterprises.
What Accountants & Bookkeepers Cyber Liability Insurance Covers
| Coverage Component | What It Pays |
|---|---|
| Breach Response / Incident Response | Forensic IT investigation to identify the breach scope |
| Notification Costs | Mailing, call center, and credit monitoring for affected clients |
| Regulatory Defense & Fines | Defense costs and civil fines under state breach notification laws and FTC Safeguards Rule |
| Ransomware / Extortion | Ransom payments (where legal) and negotiation services |
| Business Interruption (Cyber BI) | Lost income while systems are down; covers firm downtime after a ransomware attack |
| Data Recovery | IT costs to restore corrupted or encrypted files |
| Social Engineering / BEC | Funds transferred under fraudulent wire instructions (sublimit varies by carrier) |
| Media Liability | Claims arising from the firm's website content |
| Crisis Communications | PR firm fees to manage client and public communications |
| Cyber Crime / Theft | Funds stolen directly from firm accounts via unauthorized access |
Key exclusions to watch for: Acts of war/nation-state attribution (some carriers now add war exclusions), prior known incidents not disclosed at application, intentional acts by employees (may fall under a crime policy instead), and infrastructure outages caused by third-party cloud vendors (contingent BI sublimits apply).
How Much Cyber Liability Costs for an Accounting Firm
Premiums depend on annual revenue, number of clients, cloud vs. on-premise systems, and security controls in place (MFA, endpoint detection, backup protocols).
| Firm Profile | Annual Revenue | Typical Annual Premium |
|---|---|---|
| Sole practitioner / bookkeeper | Under $250K | $900–$1,800 |
| Small CPA firm (2–5 professionals) | $250K–$750K | $1,500–$3,000 |
| Mid-size firm (6–20 professionals) | $750K–$3M | $2,800–$6,500 |
| Regional firm (20+ professionals) | $3M+ | $6,000–$20,000+ |
Factors that reduce your premium:
- Multi-factor authentication (MFA) on all remote access and email
- Endpoint detection and response (EDR) software
- Offsite/immutable data backups tested regularly
- Cyber security awareness training documented annually
- Encryption of client files at rest and in transit
Factors that increase your premium:
- Storing unencrypted SSNs or tax returns on local hard drives
- No formal incident response plan
- Prior breach or ransomware event in the last three years
- Revenue growth outpacing security investment
Ranges are illustrative estimates based on admitted and E&S market submissions as of mid-2026. Actual premiums vary by carrier and application.
Common Policy Structures: Standalone vs. Endorsement
Most independent agents recommend a standalone cyber policy over a professional liability endorsement for accounting firms above solo-practitioner scale.
| Feature | Standalone Cyber Policy | E&O/PL Cyber Endorsement |
|---|---|---|
| Sublimits | Full policy limits for each coverage | Usually sublimited ($100K–$250K) |
| BEC / Social Engineering | Available (sublimit negotiable) | Rarely included |
| Ransomware negotiation services | Included with most carriers | Usually excluded |
| Business interruption | Available; waiting period 6–12 hrs | Typically absent |
| Regulatory defense | Full limits | Sublimited |
| Best for | Firms with $250K+ revenue | Solo bookkeepers, tight budget |
FTC Safeguards Rule: What Accounting Firms Must Know
The FTC's revised Safeguards Rule (effective June 2023 for most covered firms) applies to tax preparers and financial data custodians that qualify as "financial institutions" under the Gramm-Leach-Bliley Act — which includes many CPA and bookkeeping practices that prepare tax returns or handle financial records.
Required elements include: a written information security program (WISP), designated security coordinator, risk assessment, access controls, encryption, and incident response plan. Violations can result in civil penalties and FTC enforcement action. A cyber policy's regulatory defense and fines coverage responds to these proceedings. [Verify applicability with your compliance counsel; thresholds and exemptions apply.]
How to Buy Cyber Liability Coverage in 5 Steps
- Inventory your data: List every type of client data you hold (SSNs, bank accounts, payroll, tax returns) and where it lives (cloud, local servers, laptops, email).
- Document your controls: Compile evidence of MFA, backup frequency, encryption, and training — carriers ask for this on the application, and stronger documented controls translate into a lower premium.
- Choose a limit: For most firms, $1M per occurrence / $1M aggregate is a starting point; firms with high-net-worth clients or 200+ client files should consider $2M–$5M.
- Compare carriers and forms: Not all cyber policies cover BEC or regulatory fines equally. Review the insuring agreements, not just the limits page.
- Bind and calendar your renewal: Cyber is claims-made; set a reminder 90 days before expiration to avoid gaps and review any retroactive date changes.
Real-World Scenario: Ransomware at a Mid-Size Bookkeeping Firm
Illustrative example — not a guarantee of coverage or outcome.
A seven-person bookkeeping firm in Atlanta, Georgia, serving 340 small-business clients had its server encrypted by ransomware delivered via a phishing email. The attackers demanded $85,000 in cryptocurrency. The firm's systems were offline for nine days.
Out-of-pocket exposure without cyber insurance:
- Forensic IT investigation: ~$28,000
- Ransom payment (if paid): $85,000
- Data recovery and system rebuild: ~$40,000
- Notification letters + credit monitoring for 340 clients: ~$22,000
- Lost revenue during nine-day outage: ~$35,000
- Attorney fees for regulatory response (Georgia breach law): ~$15,000
- Total exposure: ~$225,000
With a $1M standalone cyber policy (illustrative):
- Insurer engaged forensic and breach coach vendor within 4 hours of notice
- Ransom negotiated down to $42,000; insurer paid
- Notification campaign managed by insurer-panel vendor
- Business interruption covered after 12-hour waiting period
- Firm's out-of-pocket: $10,000 deductible
- Total insurer outlay: ~$175,000 (within limits)
Georgia requires breach notification to affected residents in the most expedient time possible and without unreasonable delay; if more than 10,000 residents are affected, nationwide consumer reporting agencies must also be notified (O.C.G.A. § 10-1-912). [Verify current thresholds with Georgia AG / counsel.]
FAQ — Accountants & Bookkeepers Cyber Liability
Does my professional liability (E&O) policy cover a data breach? Generally, no. Professional liability covers claims that your professional services caused a client financial harm. A data breach triggers breach response costs, notification expenses, and regulatory proceedings — none of which are "damages" under a standard E&O insuring agreement. You need a separate cyber policy or a cyber endorsement to your E&O.
What limit should a solo tax preparer carry? A $500,000–$1M per occurrence limit is a reasonable floor for a sole practitioner with under 200 clients. If you prepare returns for high-net-worth individuals or business clients with complex financials, start at $1M. Costs at this level are typically $900–$1,600/year.
I use QuickBooks Online and store everything in the cloud. Am I still at risk? Yes. Cloud storage shifts some infrastructure risk to the vendor, but your login credentials, client portal access, and email remain attack vectors. Business email compromise — where an attacker impersonates you to redirect a wire payment — is one of the most common bookkeeper claims and has nothing to do with where files are stored.
What is an extended reporting period (ERP) and do I need one? Cyber is claims-made: the policy in force when a claim is reported (not when the incident occurred) responds. If you cancel or switch carriers, an ERP — sometimes called a "tail" — extends the reporting window for incidents that happened during the policy period. Ask for at least a 12-month ERP option when comparing quotes.
Are ransomware payments covered? Most standalone cyber policies include a cyber extortion insuring agreement that covers ransom payments, subject to legal compliance (OFAC sanctions screening is required). Sublimits and panel vendor requirements vary; confirm with your carrier before a loss occurs.
Does cyber insurance cover wire transfer fraud where a client is tricked into sending money? This depends on the policy form. Social engineering / BEC coverage responds when the firm itself is tricked into transferring money. If a client is tricked into wiring money to a fraudster impersonating the firm, that may fall under the firm's E&O or the client's own crime policy — not your cyber policy. Review carefully.
Is cyber coverage required by any professional licensing body for CPAs? Currently, no state CPA licensing board mandates cyber insurance as a condition of licensure. However, some commercial landlords and larger client contracts (especially bank clients or government clients) require it by contract. [Verify current requirements in your state.]
How does the FTC Safeguards Rule affect my coverage needs? The FTC Safeguards Rule requires covered financial institutions — which can include tax preparers — to maintain a written information security program and report certain incidents to the FTC within 30 days. Non-compliance can result in civil penalties. Cyber policies with regulatory defense and fines coverage respond to these proceedings and associated legal costs.
Why Morrow for Accountants & Bookkeepers Cyber Liability
- Independent agency, multiple carriers: Morrow accesses admitted and surplus lines cyber markets — not a single insurer's captive product. We shop your risk to find the form that best covers BEC, regulatory fines, and ransomware for accounting-specific exposures.
- Industry-specific placement: We understand the FTC Safeguards Rule, IRS data security requirements for tax preparers, and the data density that makes accounting firms high-value targets. We ask the right application questions so you don't under-insure or over-pay.
- Fast COI turnaround: When a client contract or office lease requires proof of cyber coverage, we issue certificates of insurance same day in most cases.
- Claims advocacy: If you experience a ransomware event or breach, Morrow acts as your advocate with the carrier — helping you engage panel vendors quickly and ensuring coverage isn't improperly denied.
- Bundled review: We review your full insurance program (E&O, cyber, crime, BOP) so there are no gaps or double-payments between your professional liability and cyber coverages.
Get a Quote
Ready to protect your firm and your clients? Request a cyber liability quote from Morrow in minutes — we'll compare options across multiple carriers and have a proposal to you within one business day.
Morrow (Afthonea Inc, DBA Morrow) | Licensed commercial P&C insurance agency [Morrow to confirm: licensed states and NPN] | Rated [Morrow to confirm] on Google | Placing coverage with admitted and E&S carriers
Related Pages
- Accountants & Bookkeepers Insurance — Overview
- Professional Liability (E&O) for Accountants & Bookkeepers
- Business Owner's Policy for Accounting Firms
- Cyber Liability Insurance — Coverage Guide
- Cyber Liability Cost Guide
- Cyber Liability vs. Technology E&O — What's the Difference?
Author: Morrow Editorial Team, reviewed by a licensed P&C insurance professional with experience in technology and professional liability lines.
Published: June 2026
Last updated: June 2026
Sources:
- Federal Trade Commission (FTC) — Safeguards Rule (16 CFR Part 314)
- IRS Publication 4557, Safeguarding Taxpayer Data: A Guide for Your Business
- National Association of Insurance Commissioners (NAIC) — Cybersecurity Model Law (Model #668)
- Insurance Information Institute (III) — Cyber Insurance Facts & Statistics
- Georgia Code Annotated § 10-1-912 (Personal Identity Protection Act)
- U.S. Department of the Treasury / OFAC — Guidance on Ransomware Payments (2021)
- Ponemon Institute / IBM — Cost of a Data Breach Report (2025 edition)
