Accounting and tax firms hold the exact data identity thieves want most: Social Security numbers, full financial statements, bank routing details, and prior-year returns — for hundreds or thousands of clients at once. That concentration, combined with a hard seasonal deadline that pressures staff into fast clicks, makes accounting firms one of the most-phished verticals each January through April.
47 controls mapped to what underwriters verify · one-time purchase · instant download
Why cyber insurance is different for accounting & CPA firms
Two federal requirements now shape every CPA-firm application. The IRS requires any firm that prepares returns to maintain a Written Information Security Plan (WISP) under the Gramm-Leach-Bliley Act, and the FTC Safeguards Rule (amended 2023) extends GLBA security obligations to tax preparers and accountants as "financial institutions" — including named mandates for MFA, encryption of customer information, and a qualified individual responsible for the program. Underwriters increasingly ask to see the WISP itself.
The seasonal threat pattern is specific. Attackers impersonate the IRS, e-filing vendors, or a partner asking for a client’s return, and they target the window when staff are processing hundreds of documents a day. Carriers respond by weighting email authentication, MFA, security-awareness training timed before tax season, and EDR that can catch a credential-stealer before it harvests an entire client book. A firm that can show those controls — plus a tested backup — prices materially better than one that cannot.
The regulatory and contractual pressures underwriters expect accounting & CPA firms to have already accounted for.
Priority controls
Drawn verbatim from the 47-control Cyber Insurance Prep Checklist — with why each one matters specifically for your vertical.
Require multi-factor authentication on every email account.
The FTC Safeguards Rule names MFA explicitly; a mailbox holding client SSNs and returns without it is a direct compliance and underwriting failure.
Encrypt sensitive customer data at rest (PII, PHI, payment card).
Encryption of customer financial information at rest is a named Safeguards Rule control and the first thing an examiner or underwriter looks for.
Conduct phishing simulation exercises at least annually.
Tax-season phishing is the dominant attack vector; carriers want simulations run, ideally before January, not generic once-a-year videos.
Deploy Endpoint Detection & Response (EDR) on all endpoints.
A credential-stealer dropped during return-prep season can exfiltrate an entire client book in hours — managed EDR is how firms price down social-engineering risk.
Keep at least one air-gapped or append-only backup.
Ransomware during filing season is catastrophic; an air-gapped backup lets a firm meet IRS deadlines instead of paying to recover client files.
Publish DMARC set to p=quarantine or p=reject.
Spoofed “IRS” and partner-impersonation emails drive fraud; DMARC enforcement protects the firm’s own domain from being weaponized against clients.
Maintain a written incident response plan.
A WISP must include an incident response component; the carrier’s IR-plan question and the IRS WISP requirement are answered by the same document.
These are 7 of the 47 controls. The full checklist covers all of them — required, premium-affecting, and disqualifying — with verification and remediation steps.
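The DMARC control above is the one item on this list a firm can verify itself in minutes: the published `_dmarc` TXT record either carries an enforcing policy or it does not. The checker below is an added example, not part of the checklist product or of any carrier's questionnaire. It parses a DMARC record into its tags and treats the control as met only when the record is valid DMARC, `p=` is `quarantine` or `reject`, and `pct` is absent or 100 (a `pct` below 100 applies the policy to only a fraction of failing mail, which this example counts as not yet enforcing; that threshold is the example's own assumption). All sample records are constructed values, not real DNS data.

```python
"""Check whether a DMARC TXT record meets a p=quarantine / p=reject enforcement bar.

Added example, not from the checklist product. The records below are
constructed sample values on an .invalid domain, not real DNS data.
"""
from typing import Dict, Tuple

ENFORCING_POLICIES = {"quarantine", "reject"}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record ('v=DMARC1; p=reject; rua=...') into tag/value pairs."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> Tuple[bool, str]:
    """Return (control_met, reason) for one DMARC record.

    The control is met only when the record is valid DMARC (v=DMARC1),
    the policy is quarantine or reject, and pct is absent or 100 so the
    policy applies to every message that fails alignment (pct < 100 is
    treated as not enforcing; that threshold is this example's assumption).
    """
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return False, str(exc)
    if tags.get("v", "").upper() != "DMARC1":
        return False, "missing or invalid v=DMARC1 tag (no DMARC record published)"
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING_POLICIES:
        return False, f"policy p={policy or 'missing'} is not enforcing (need quarantine or reject)"
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return False, f"pct={pct} applies the policy to only part of the mail stream"
    if "rua" not in tags:
        # Enforcing, but without aggregate reports the firm cannot see who is spoofing it.
        return True, f"p={policy} enforced, but no rua= aggregate reporting address"
    return True, f"p={policy} enforced with aggregate reporting"


# Constructed sample records (not real DNS data).
SAMPLE_RECORDS = {
    "none-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid",
    "partial": "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@example.invalid",
    "enforced": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.invalid",
    "no-record": "",
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        met, why = assess_dmarc(rec)
        print(f"{name:10} {'MET' if met else 'NOT MET'}  {why}")
```

To check a live domain instead of the constructed samples, pull the record with `dig +short TXT _dmarc.<firm-domain>` and pass the quoted string to `assess_dmarc`. A `p=none` result means the domain is monitored but not protected, which is the state most "IRS" and partner-impersonation spoofs rely on.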
By purchasing you agree to our Terms. Digital products are non-refundable once accessed. A checklist supports your application; it does not guarantee an underwriting decision.
A Written Information Security Plan is independently required by the IRS for paid preparers, and the FTC Safeguards Rule requires a documented information security program. Many carriers now ask to see it. The controls in this checklist — MFA, encryption, designated security responsibility, incident response — are the building blocks of both the WISP and a clean application.
The 2023 Safeguards Rule names multi-factor authentication, encryption of customer information at rest and in transit, a qualified individual overseeing the program, and periodic risk assessment. Underwriters treat these as baseline; firms missing MFA or encryption commonly see premium loads or coverage declines.
Phishing and impersonation attacks spike during filing season because staff are processing high volumes under deadline pressure. Carriers reward firms that run phishing simulations and awareness training ahead of January and that have EDR monitoring in place to catch credential theft before a full client book is exposed.