Why Cyber Insurance Alone Won't Protect Your Accounting Firm

Ken Satkunam, CISM

March 19, 2026 · 9 min read

When a CPA firm or financial advisory practice suffers a data breach, there is a natural assumption that cyber insurance will cover the damage. That assumption is increasingly wrong — and discovering it at the moment of a breach is the worst possible time. Insurers have dramatically tightened their underwriting standards and coverage requirements since 2022, and claim denial rates are rising. For accounting firms subject to the FTC Safeguards Rule, GLBA, and IRS security requirements, the intersection of regulatory non-compliance and insurance coverage gaps creates a dangerous and costly exposure. Cyber insurance is a risk transfer tool, not a security program. Understanding the difference is essential for any firm partner or practice manager making decisions about how to protect client financial data.

How Often Are Cyber Insurance Claims Actually Denied?

The denial rate is higher than most small firm partners realize. According to analysis by ASi Networks citing Fitch Ratings data, nearly one in four cyber insurance claims filed in 2024 was rejected for failing to meet coverage requirements. The leading reasons for denial break down as follows:

  • Failure to maintain MFA (37% of denials): If your policy requires multi-factor authentication and an attacker compromised an account that didn't have it enabled, your claim can be denied outright — regardless of the severity of the breach.
  • Outdated systems (22%): Ransomware delivered via an unpatched legacy server is treated by insurers as a preventable loss. Running outdated operating systems or unsupported software is documented grounds for denial.
  • Late notification (17%): Most policies require you to report a breach to your insurer within 48–72 hours. Waiting to "assess the damage first" frequently invalidates your coverage before the claim process even begins.
  • Vendor breach not covered (14%): When your cloud accounting software, payroll provider, or document management platform is breached and your client data is exposed, many standard cyber policies do not cover the downstream losses without specific third-party coverage endorsements.
  • Policy exclusion mismatch (10%): Social engineering fraud, funds transfer fraud, and phishing-based losses are often not covered under standard cyber policies and require separate endorsements.

Beyond formal denials, Breach Craft's 2026 analysis notes that many organizations walk away without payment because the loss didn't exceed their deductible/retention, or because they withdrew a claim after resolving the issue internally — never realizing their actual exposure. The bottom line: for small accounting firms, a cyber incident of any significant size is likely to result in out-of-pocket costs even with coverage in place.

What Does FTC Safeguards Rule Compliance Have to Do with Your Insurance Coverage?

Almost everything. The FTC Safeguards Rule (16 CFR Part 314) requires accounting firms and tax preparers to maintain a written information security program (WISP) with specific technical controls. These controls — MFA, encryption, endpoint protection, patch management, annual penetration testing, and a written incident response plan — are nearly identical to the controls that cyber insurance carriers now require as conditions of coverage.

When you apply for or renew a cyber policy, you attest on the application that these controls are in place. If an incident occurs and the carrier's post-breach investigation reveals that your systems didn't have MFA enabled, hadn't been patched in six months, or lacked endpoint detection and response — controls you attested to having — the carrier can deny your claim on grounds of material misrepresentation. As Network IT Easy notes, AI-driven underwriting systems now scan your public-facing assets and compare what they see against what you claimed on your application. If you said "MFA everywhere" but an external service doesn't enforce it, that discrepancy is grounds for denial.

The FTC Safeguards Rule's nine required program elements under Section 314.4 create a clear benchmark: if your firm is out of compliance with Safeguards, you are almost certainly also out of compliance with your cyber insurance policy's security requirements. The two exposures compound each other.

What Are the IRS's Security Requirements for Tax Preparers — and How Do They Intersect with Coverage?

IRS Publication 4557 (Safeguarding Taxpayer Data) sets out the security measures the IRS requires of all tax return preparers, building on the FTC Safeguards Rule obligation that already applies to them. These requirements include:

  • Creating and maintaining a written data security plan
  • Using anti-virus software and firewalls on all systems used to prepare returns
  • Implementing two-factor authentication for tax software access
  • Using encrypted, password-protected portable storage devices
  • Backing up client data and storing it securely
  • Disposing of client data properly when no longer needed
  • Restricting physical and logical access to client data to those with a business need

The IRS also requires tax preparers to report data theft to their IRS Stakeholder Liaison immediately upon discovery, file a complaint with the FTC, and notify affected clients. These reporting obligations are in addition to the FTC Safeguards Rule's own notification requirement: the FTC must be notified as soon as possible, and no later than 30 days after discovery, of any breach involving the unencrypted information of at least 500 consumers (Section 314.4(j)).

Failing to meet IRS Publication 4557 requirements doesn't just create regulatory exposure — it creates facts that a cyber insurer can use to deny a claim. If your firm was breached through a system that lacked two-factor authentication for tax software access, and IRS Pub. 4557 requires that control, your insurer has a strong argument that the breach resulted from a failure to implement required safeguards — a standard exclusion in most cyber policies.

What Coverage Gaps Should Accounting Firms Be Most Concerned About?

Even fully compliant firms with proper technical controls can have significant coverage gaps if their policy was not structured with their specific risk profile in mind. The most common gaps affecting accounting firms and financial services practices include:

  • Funds transfer fraud exclusions: If a cybercriminal uses a phishing attack or BEC to trick your firm or a client into initiating a fraudulent wire transfer, a standard cyber policy may not cover the loss. This requires a separate social engineering or funds transfer fraud endorsement — and the FBI documented nearly $2.8 billion in BEC losses in 2024.
  • Third-party/vendor coverage: Your firm's GLBA obligations under Section 314.4(f) require you to contractually obligate service providers to maintain appropriate safeguards. But if a vendor breach exposes client data you handed them, standard first-party cyber coverage doesn't automatically pay for your notification costs, regulatory fines, or client lawsuits. Third-party liability coverage must be explicit.
  • Regulatory fine coverage: FTC civil penalties for Safeguards Rule violations are assessed per violation, per day, at a statutory maximum that the FTC adjusts for inflation annually and that has exceeded $40,000 since 2017. Many cyber policies exclude regulatory fines and penalties, or cover them only up to modest sublimits. Verify whether your policy covers FTC, SEC, or FINRA penalties specifically.
  • Retroactive date gaps: If your policy has a retroactive coverage date (the earliest date from which claims can originate), and an attacker had been inside your systems for months before discovery — a common pattern — the pre-retroactive-date portion of the breach may be excluded entirely.
  • Log retention requirements: Some carriers have denied claims because the firm's endpoint detection logs only covered 30 days rather than the 90-day minimum the insurer expected. Without logs, you cannot prove what happened, when it happened, or that your controls were functioning — all of which are required to process a claim.

What Controls Does Your Cyber Insurance Policy Actually Require in 2026?

The cyber insurance industry has moved from asking "Do you have security?" to demanding continuous, provable evidence. Current carrier requirements for 2026 include:

  • MFA and EDR: Quarterly evidence of deployment and activity, not just attestation at renewal.
  • Immutable or isolated backups: at least one backup copy that ransomware running with stolen administrator credentials cannot encrypt or delete, whether offline, on a separate network segment with its own credentials, or in storage with write-once/object-lock immutability. Cloud-synced backups that an infected workstation can reach with its normal credentials do not qualify.
  • Zero Trust access controls: Documented least-privilege policies and access reviews.
  • Annual vendor risk reviews: Formal assessment of critical third-party vendors' security posture — directly aligned with the GLBA Safeguards Rule's vendor oversight requirements.
  • Documented security awareness training: Proof that all staff received training, not just that training was made available.
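
The two attestations that come up most often in this article, "MFA everywhere" (the discrepancy an underwriter's scan catches) and "90 days of EDR logs" (the retention gap carriers have denied claims over), are both checkable from exports a firm already has. The script below is an added example written for this article, not code from NorthStar or from any carrier; the CSV column names, the log-source names and every account and date in it are constructed assumptions, and a real identity provider's MFA report will use its own column names. It reports enabled accounts that are not both enrolled in and enforced for MFA, and log sources whose oldest retained event is newer than the required window.

```python
"""Attestation-gap check: compare what a firm would attest on a cyber
insurance application ("MFA everywhere", "90 days of EDR logs") against
exported evidence. Added example for this article; the CSV format, column
names and log sources are assumptions, and all data below is constructed."""
import csv
import io
from datetime import date, timedelta

# Constructed account export (no real tenant). Column names are assumed;
# an identity provider's MFA report will use its own.
ACCOUNTS_CSV = """user,enabled,mfa_enrolled,mfa_enforced,last_sign_in
partner@example-cpa.test,true,true,true,2026-03-18
staff1@example-cpa.test,true,true,true,2026-03-17
svc-scanner@example-cpa.test,true,false,false,2026-03-18
oldintern@example-cpa.test,false,false,false,2025-09-30
admin-backup@example-cpa.test,true,true,false,2026-03-10
"""

# Constructed retention evidence: oldest and newest retained event date per
# log source, as one would read them from a SIEM or EDR console.
LOG_SOURCES = {
    "edr": (date(2026, 2, 17), date(2026, 3, 19)),
    "m365-audit": (date(2025, 12, 1), date(2026, 3, 19)),
    "firewall": (date(2026, 1, 1), date(2026, 3, 19)),
}

REQUIRED_LOG_DAYS = 90  # the minimum the article says carriers expect


def _truthy(value):
    return value.strip().lower() == "true"


def mfa_gaps(csv_text):
    """Enabled accounts that are not both enrolled in and enforced for MFA.

    Disabled accounts are skipped because they cannot sign in. "Enrolled but
    not enforced" is still a gap: the user registered a method, but no policy
    requires it, so a password alone still works on that account."""
    gaps = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not _truthy(row["enabled"]):
            continue
        enrolled = _truthy(row["mfa_enrolled"])
        enforced = _truthy(row["mfa_enforced"])
        if not (enrolled and enforced):
            reason = "not enrolled" if not enrolled else "enrolled but not enforced"
            gaps.append((row["user"], reason))
    return gaps


def retention_gaps(sources, required_days, today):
    """Log sources whose oldest retained event is newer than required_days ago.

    Returns {source: days_actually_covered} for each source that falls short."""
    cutoff = today - timedelta(days=required_days)
    short = {}
    for name, (oldest, _newest) in sources.items():
        if oldest > cutoff:
            short[name] = (today - oldest).days
    return short


def attestation_check(csv_text=ACCOUNTS_CSV, sources=LOG_SOURCES,
                      required_days=REQUIRED_LOG_DAYS, today=date(2026, 3, 19)):
    """Summarise whether the two application attestations actually hold."""
    mfa = mfa_gaps(csv_text)
    retention = retention_gaps(sources, required_days, today)
    return {
        "mfa_everywhere": not mfa,
        "mfa_gaps": mfa,
        "log_retention_ok": not retention,
        "log_retention_short": retention,
    }


if __name__ == "__main__":
    report = attestation_check()
    print("MFA everywhere:", report["mfa_everywhere"])
    for user, reason in report["mfa_gaps"]:
        print(f"  gap: {user} ({reason})")
    print(f"{REQUIRED_LOG_DAYS}-day log retention:", report["log_retention_ok"])
    for source, days in report["log_retention_short"].items():
        print(f"  short: {source} covers only {days} days")
```

On the constructed data the check fails both attestations: a service account with no MFA at all, an administrative account that enrolled a method but is not forced to use it, and an EDR source holding only 30 days of events. Those are exactly the findings a carrier's post-breach investigation would turn into a misrepresentation argument, which is why the same check is worth running on a schedule (quarterly, matching the evidence cadence above) and keeping the output with the WISP as dated evidence rather than attesting from memory at renewal.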

For accounting firms, these requirements are not new — they align closely with what the FTC Safeguards Rule and IRS Publication 4557 have required for years. Firms that have built genuine compliance programs are already meeting most insurer requirements. Firms that have a WISP document filed in a drawer but have not actually implemented its controls face both regulatory and insurance exposure.

What Does a Breach Actually Cost an Accounting Firm Without Adequate Protection?

U.S. data breaches reached a record high in 2025, with 3,322 reported incidents — a 4% increase over the previous year's record, according to the Identity Theft Resource Center via Barracuda Networks. For a small accounting firm, a breach involving client tax returns, Social Security numbers, and financial account data creates costs across multiple categories:

  • Forensic investigation: $15,000–$50,000 to identify the source and scope of the breach
  • Notification costs: Legal guidance, notification letters, and credit monitoring for affected clients can run $5–$10 per affected individual
  • Regulatory response: FTC Safeguards breach notification, IRS reporting, and potential state attorney general notification requirements
  • Client loss and reputational damage: Often the largest long-term cost, and completely uninsurable
  • Regulatory fines: FTC Safeguards penalties, assessed per violation, per day, at an inflation-adjusted maximum that has exceeded $40,000 since 2017, for failures that contributed to the breach
  • Litigation: Clients whose data was breached may pursue claims for damages

88% of individuals who received a data breach notice experienced at least one negative consequence, including increased targeted phishing attempts (54%) and attempted account takeovers (40%). When client financial data is exposed, the harm extends well beyond the initial incident — and so does your firm's liability.

What Should Your Accounting Firm Do to Make Cyber Insurance Work?

Cyber insurance should be the last line of defense — the financial backstop after your security program has done everything it can to prevent and contain incidents. Making insurance work means building the security foundation first: a properly implemented WISP, verified technical controls, annual penetration testing, staff training, and a written incident response plan that your team has actually rehearsed. Then your insurance coverage reflects your real security posture, claims are supportable with documentation, and the policy pays out when you actually need it.

At NorthStar Technology Group, we help accounting firms and financial services companies build the security programs that satisfy both their FTC Safeguards obligations and their cyber insurance requirements simultaneously. We provide the documentation, technical controls, and ongoing monitoring that carriers now require — so that if the worst happens, your policy pays. If you're not certain whether your current security controls align with your coverage terms, that uncertainty is worth resolving before a breach makes it urgent. Learn more about our financial services cybersecurity programs at northstartechnologygroup.com/services.

Tags: Compliance, Cyber Insurance, FTC Safeguards Rule, GLBA, IRS Security, Claim Denials, Accounting Firm Security, Risk Management
About the author

Ken Satkunam, CISM

President & Founder, NorthStar Technology Group

Ken has spent over 25 years in IT leadership, serving in roles from technical support to CIO for organizations as large as 23,000 employees. He founded NorthStar Technology Group in 2000 to help regulated organizations build secure, compliant, and operationally resilient technology environments. Ken holds the Certified Information Security Manager (CISM) credential from ISACA and is the co-author of the Amazon best-seller "Cyber Attack Prevention." He has been quoted in industry publications including eWeek and DM News, and NorthStar has been recognized on the Inc. 5000 list in both 2024 and 2025.

Credentials: CISM; Inc. 5000; MSP 500; published author; 25+ years
