Accounting firms have become a high-value target for ransomware operators, BEC crews, and tax-refund redirect scammers. CPA and tax firms hold concentrated client financial data — SSNs, bank routing details, prior-year returns, K-1s, active wire instructions — in environments small enough for defenses to be inconsistent. Downtime hurts because IRS deadlines do not move.
Cyber insurance sits next to accountants professional liability on the renewal checklist. What has changed in 2026 is not whether a firm needs it, but what carriers will underwrite, at what price, and which questionnaire answers quietly turn into coverage conditions on the day a claim is filed.
This article is for managing partners, firm administrators, and IT-responsible CPAs filling out a renewal application. Obsidian Ridge does not sell insurance. We help firms pass underwriting honestly and operate the controls behind the answers.
Why a standalone cyber policy is not optional
Many partners assume their existing policies cover cyber events. They do not. Accountants professional liability — E&O — responds to errors and omissions in accounting and tax: a missed Section 754 election, an incorrect depreciation schedule, alleged audit negligence. General liability covers slip-and-fall. Neither responds to forensics, ransomware, an FTC inquiry, or a wire redirected by a compromised vendor email.
A cyber liability policy is a separate contract. In 2026, coverage parts on a typical accounting policy include forensics and IR retainer, breach coach and legal counsel, breach notification with credit monitoring, regulatory defense (FTC Safeguards Rule, IRS tax preparer breach inquiries, state AG actions), business interruption, cyber extortion and ransom where legal under OFAC, data restoration, and a crime or social-engineering rider for wire fraud and BEC. Some carriers bundle. Some sell endorsements. Read the declarations and schedule of endorsements, not the brochure.
Coverage limits and sublimits for accounting SMBs
Do not size an accounting-firm cyber policy from a blog post — but walk into the broker conversation with the right anchors. Most small firms carry $1 million in aggregate cover; firms in the 50-to-250-employee range commonly carry $2 million to $5 million. A $1 million policy with documented controls typically prices around $1,000 to $3,000 per year. Use partner count, revenue, client-data volume, payroll or refund authority, contract requirements, and prior-incident history to refine it.
The aggregate is half the conversation. Sublimits decide what the firm actually collects: the ransomware sublimit may sit well below the aggregate, the regulatory defense sublimit may be lower than the headline, and the social-engineering and crime sublimit commonly lands at $50,000 to $100,000 on a $1 million policy — with standalone crime endorsements running $100,000 to $500,000 — while BI waiting periods can apply before recovery starts. For a firm that processes client refunds, manages payroll, or holds funds in trust, the crime sublimit may be the single most important number on the page.
The 2026 underwriting questionnaire
The controls below appear repeatedly across current accounting-firm and general SMB cyber applications. They are the controls most likely to affect eligibility, sublimits, exclusions, and price.
- MFA on email, tax software, remote access, and admin accounts. Carriers ask separately about MFA on Microsoft 365 or Google Workspace, on the tax platform (Lacerte, Drake, UltraTax, ProSeries, CCH Axcess), on RDP, VPN, RMM, and on every privileged admin account. Misrepresenting MFA is a top cause of denied claims.
- 24/7 EDR or MDR on every endpoint and server. A real 24/7 SOC watching the EDR, not "we will check the dashboard Monday."
- Identity threat detection on the M365 or Google Workspace tenant. Token theft, impossible travel, anomalous mailbox rules, OAuth consent abuse — where most BEC events begin.
- Immutable offsite backup with documented restore tests. Separated from production credentials, with a monthly or quarterly restore test that produces a log.
- Written information security program. A WISP meeting both IRS Publication 4557 and the FTC Safeguards Rule, named qualified individual, current within 12 months. We cover the build in IRS Publication 4557 and the FTC Safeguards Rule for CPA Firms in 2026.
- IR plan plus a tabletop in the last 12 months. Short, usable, with evidence the firm has run through it.
- Security awareness training with phishing simulations. Recurring cadence, not a once-a-year video. Tax-season simulations carry weight.
- DMARC at quarantine or reject. Plus link protection and attachment sandboxing.
- Vendor risk inventory with breach notification clauses. Tax software, e-signature, cloud storage, document portal, payroll service, bank file transfer.
- Encryption at rest and in transit. Workstations, backups, file shares, email, client portal.
- Documented adherence to AICPA SSTS Section 1.3. Newer questionnaires now include this — the SSTS addressing data privacy is a professional standard, and carriers ask whether the firm has written policies aligned with it.
This is the control stack current applications keep asking firms to prove, and it lines up closely with the IRS Security Six.
The crime and social-engineering rider — read it carefully
The most common cyber loss in accounting is not ransomware. It is wire fraud through BEC. An attacker compromises an email account — the firm's, a vendor's, or a client's — and inserts altered payment instructions into a routine transaction. FBI IC3 reporting continues to show BEC driving the largest dollar losses in cybercrime, and tax-season patterns intensify the exposure.
Exposures by service line:
- Tax-season refund redirects. A client emails what looks like updated banking for a refund. The firm files Form 8888 with the wrong account.
- Vendor payment-instruction changes. An AP team member receives a routine invoice from a known vendor with "updated banking details." The vendor's mailbox was compromised three weeks ago.
- Payroll platform compromise. Direct deposit redirection on a client payroll run. One compromised mailbox can redirect dozens of paychecks.
- Trust account and escrow exposure. Firms that hold client funds — bookkeeping retainers, estate administration, forensic engagements — carry the same trust-account exposure that hits law firms.
The base cyber policy generally does not cover the loss. The crime or social-engineering rider does. Two things to verify:
- whether the sublimit is large enough for the firm's actual wire-fraud exposure
- whether the rider covers social engineering fraud — where the firm or client was tricked into authorizing the transfer — and not only direct computer-funds-transfer fraud where the attacker moves money directly
A rider that covers only direct funds-transfer fraud is nearly useless for the accounting BEC pattern. Insist on social-engineering language.
The co-insurance trap on ransomware
Ransomware endorsements commonly carry coinsurance — typically a 10 to 25 percent insured share, though some policies use 50 percent — plus sublimits below the aggregate and controls-warranty language. A clause may condition or reduce coverage if the insured cannot demonstrate MFA, EDR or MDR, immutable backups, and a tested IR plan were operating at the time of loss.
The result is simple: the headline limit is not the whole payout story. If the policy includes a controls warranty, every answer on the application is a coverage condition.
War, systemic, and supply-chain exclusions
After the 2023 Lloyd's war exclusion guidance, most cyber policies exclude nation-state attacks. Wording varies.
For accounting firms, watch the supply-chain language. If a breach travels through the tax software vendor, document portal, e-signature platform, or RMM, some policies treat that as a systemic event and exclude it. Ask whether the policy responds if a tax software vendor breach affects this firm, and whether there is a separate sublimit for systemic events. Get it in writing.
Prior-acts matters too. If a tax-season incident happened in the prior policy period and was never disclosed at renewal, the carrier can deny on the next policy. Disclose known incidents.
The tax-season problem
Many carriers now ask whether the firm has cybersecurity gaps during tax season — specifically, whether seasonal contractors and per-diem preparers are brought into the same control set as full-time staff. The honest answer is often "no." A firm that runs tight MFA, MDR, and offboarding for full-time staff often loosens all three when it brings on seasonal preparers from January through April. Be ready to answer how seasonal staff are onboarded and offboarded, whether they use firm-managed or personal devices, whether MFA is enforced on day one, and whether MDR coverage extends to seasonal endpoints.
What does not change underwriting much
Things that look like security but do not change underwriting much in 2026: a fancier firewall by itself, stacking two or three antivirus products on the same machine, "we have a great IT guy" without 24/7 monitoring behind it, a WISP PDF from 2019 nobody has read, a one-time pentest with no controls behind it, a SOC 2 from a vendor that does not touch client data. Carriers score operating controls and evidence, not invoices.
The operational sequence that improves underwriting
The sequence that works in practical order:
Step 1 — MFA on email, tax software, and remote access
Enable MFA on Microsoft 365 or Google Workspace, on Lacerte, Drake, UltraTax, ProSeries, or CCH Axcess admin accounts, and on every RDP, VPN, and RMM path. This is usually one of the cheapest control moves and one of the most important underwriting answers.
Step 2 — MDR plus ITDR
A managed detection and response service with a real 24/7 SOC checks the EDR and 24/7 monitoring boxes at once. Identity threat detection on top covers the cloud productivity suite controls and MFA-bypass detection. Our Managed Detection and Response and Managed ITDR services are designed against this control set.
Step 3 — Immutable backup with a monthly restore test
Pick a product that supports immutability natively, include tax software databases and the document management system in the test scope, schedule a monthly restore, and keep the log.
Step 4 — WISP, IR plan, and a tabletop
A WISP satisfying IRS Publication 4557 and the FTC Safeguards Rule, paired with a one-page IR plan naming who calls the carrier hotline, who declares an incident, who notifies the IRS Stakeholder Liaison, and who handles client communication. A 60-minute tabletop with managing partner, administrator, and IT vendor satisfies the tabletop requirement.
Step 5 — Tax-season phishing simulations
Refund-redirect emails, vendor banking changes, IRS-impersonation lures, payroll change requests. Our Managed Security Awareness Training handles the cadence and tunes simulations to the tax calendar.
That covers the main underwriting control categories on a 2026 questionnaire.
Renewal reality in 2026
A firm with repeated claims or no demonstrable program improvement should expect a harder renewal conversation and may need to shop excess and surplus markets. The key is not a better narrative. It is evidence that the controls changed after the incident.
If a claim was paid in a prior period, expect the next application to ask what changed. "We are more careful now" does not pass. "We moved to a 24/7 MDR provider, added MFA on the tax software admin accounts, rewrote the WISP to meet the Safeguards Rule amendments, and ran a tabletop in March" does.
Misrepresentation is a coverage defense. If the questionnaire said MFA was enabled and forensics shows it was not, the carrier may rescind. Answer honestly. If a control is partial, say so.
The AICPA-ethics intersection
A partner cannot use cyber insurance to "transfer" the obligation to safeguard client data. AICPA SSTS Section 1.3 addresses use and protection of client information, and Code of Professional Conduct provisions on confidentiality and due care apply regardless of what the policy pays. Insurance covers financial consequences. It does not cover a state board finding that controls were unreasonable, an IRS EFIN suspension, or a Safeguards Rule enforcement action. The firm remains the data steward; the carrier is a backstop.
Where Obsidian Ridge fits
We are not an insurance broker. We do not sell policies and we do not collect commissions. We help firms operate the controls underwriters score and produce the evidence the application asks for.
The control set that appears most often on 2026 applications — 24/7 MDR, identity threat detection, MFA enforcement, and workforce training — lines up with our Foundation and Protected tiers. Foundation covers endpoint and MDR. Protected adds ITDR and SAT, addressing the core control categories on many questionnaires. The accounting industry page lays out the mapping.
For firms renewing in the next 90 days, the two-week Cyber Insurance Readiness sprint maps each questionnaire control to evidence the carrier will accept, identifies gaps most likely to block underwriting, and produces a clean evidence package. The Obsidian Ridge Briefing walks through how the program fits together.
Cyber insurance is not a substitute for controls. It is a backstop for residual risk. Firms that treat the policy as the plan tend to learn the expensive way that the controls warranty is doing more work than the declarations page.
If the questionnaire is making you nervous, that is the right instinct. The fix is operational. Start with MFA on email and tax software, a real 24/7 MDR layer, an immutable backup with a tested restore, and a WISP that meets both Publication 4557 and the Safeguards Rule.
Ready to map your firm's controls to the carrier questionnaire? Start the Cyber Insurance Readiness sprint.