Accounting firms have become a high-value target for ransomware operators, BEC crews, and tax-refund redirect scammers. CPA and tax firms hold concentrated client financial data — SSNs, bank routing details, prior-year returns, K-1s, active wire instructions — in environments small enough for defenses to be inconsistent. Downtime hurts because IRS deadlines do not move.
Cyber insurance sits next to accountants professional liability on the renewal checklist. What has changed in 2026 is not whether a firm needs it, but what carriers will underwrite, at what price, and which questionnaire answers quietly turn into coverage conditions on the day a claim is filed.
This article is for managing partners, firm administrators, and IT-responsible CPAs filling out a renewal application. Obsidian Ridge does not sell insurance. We help firms pass underwriting honestly and operate the controls behind the answers.
Why a standalone cyber policy is not optional
Many partners assume their existing policies cover cyber events. They do not. Accountants professional liability — E&O — responds to errors and omissions in accounting and tax: a missed Section 754 election, an incorrect depreciation schedule, alleged audit negligence. General liability covers slip-and-fall. Neither responds to forensics, ransomware, an FTC inquiry, or a wire redirected by a compromised vendor email.
A cyber liability policy is a separate contract. In 2026, coverage parts on a typical accounting policy include forensics and IR retainer, breach coach and legal counsel, breach notification with credit monitoring, regulatory defense (FTC Safeguards Rule, IRS tax preparer breach inquiries, state AG actions), business interruption, cyber extortion and ransom where legal under OFAC, data restoration, and a crime or social-engineering rider for wire fraud and BEC. Some carriers bundle. Some sell endorsements. Read the declarations and schedule of endorsements, not the brochure.
Typical coverage limits for accounting SMBs in 2026
Limits in this segment have stabilized after the 2022-2023 hard market:
- solo to 1-to-3 partner firms: $250,000 to $1,000,000 aggregate
- 4-to-15 partner firms: $1,000,000 to $3,000,000 aggregate
- 15-plus partner firms: $3,000,000 to $10,000,000 aggregate, often with a separate excess tower
The aggregate is half the conversation. Sublimits decide what the firm actually collects: the ransomware sublimit is often 50 percent of the aggregate, the regulatory defense sublimit may be lower than the headline, the social-engineering and crime sublimit is frequently $25,000 to $250,000, and business interruption waiting periods are typically 8 to 12 hours. For a firm that processes client refunds, manages payroll, or holds funds in trust, the crime sublimit may be the single most important number on the page.
The 2026 underwriting questionnaire
The controls below appear on virtually every accounting firm carrier's 2026 application. They move premium roughly 20 to 40 percent and decide whether the carrier offers terms at all.
- MFA on email, tax software, remote access, and admin accounts. Carriers ask separately about MFA on Microsoft 365 or Google Workspace, on the tax platform (Lacerte, Drake, UltraTax, ProSeries, CCH Axcess), on RDP, VPN, RMM, and on every privileged admin account. Misrepresenting MFA is a top cause of denied claims.
- 24/7 EDR or MDR on every endpoint and server. A real 24/7 SOC watching the EDR, not "we will check the dashboard Monday."
- Identity threat detection on the M365 or Google Workspace tenant. Token theft, impossible travel, anomalous mailbox rules, OAuth consent abuse — where most BEC events begin.
- Immutable offsite backup with documented restore tests. Separated from production credentials, with a monthly or quarterly restore test that produces a log.
- Written information security program. A WISP meeting both IRS Publication 4557 and the FTC Safeguards Rule, with a named qualified individual, reviewed within the last 12 months. We cover building one in IRS Publication 4557 and the FTC Safeguards Rule for CPA Firms in 2026.
- IR plan plus a tabletop in the last 12 months. Short, usable, with evidence the firm has run through it.
- Security awareness training with phishing simulations. Recurring cadence, not a once-a-year video. Tax-season simulations carry weight.
- DMARC at quarantine or reject. Plus link protection and attachment sandboxing.
- Vendor risk inventory with breach notification clauses. Tax software, e-signature, cloud storage, document portal, payroll service, bank file transfer.
- Encryption at rest and in transit. Workstations, backups, file shares, email, client portal.
- Documented adherence to AICPA SSTS Section 1.3. Newer questionnaires now include this — the SSTS addressing data privacy is a professional standard, and carriers ask whether the firm has written policies aligned with it.
This is the actual scoring rubric most carriers apply, and it lines up closely with the IRS Security Six.
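The DMARC item above is the one control on the list a firm can verify in minutes, and the one most often answered "yes" when the record is actually still at p=none. The script below is an added example (not Obsidian Ridge tooling) that grades a DMARC TXT record the way a questionnaire reviewer would: is the policy enforcing, does it apply to all mail and subdomains, and is there a reporting address that produces evidence. The domain, the record values, and the `assess_dmarc` helper are constructed for illustration.

```python
"""Grade a DMARC record against the questionnaire control (policy at
quarantine or reject). Added example; not Obsidian Ridge tooling."""


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a tag dict.
    Returns {} when the TXT record is not a DMARC record at all."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def assess_dmarc(txt: str) -> dict:
    """Return {'verdict': 'pass'|'partial'|'fail', 'policy': ..., 'findings': [...]}.
    'pass' means the record meets the control with nothing left to fix;
    'partial' means enforcing but with a gap a reviewer would note."""
    tags = parse_dmarc(txt)
    if not tags:
        return {"verdict": "fail", "policy": None,
                "findings": ["no valid DMARC record (v=DMARC1 tag missing)"]}
    findings = []
    policy = tags.get("p", "").lower()
    enforcing = policy in ("quarantine", "reject")
    if not enforcing:
        findings.append(f"p={policy or 'missing'} is monitor-only; carriers expect quarantine or reject")
    pct = tags.get("pct", "100")  # DMARC default is 100
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none leaves subdomains unenforced")
    if "rua" not in tags:
        findings.append("no rua= aggregate report address, so no evidence trail for the application")
    if not findings:
        verdict = "pass"
    elif enforcing:
        verdict = "partial"
    else:
        verdict = "fail"
    return {"verdict": verdict, "policy": policy or None, "findings": findings}


# Constructed records: the weak setting many firms still have, and the corrected one.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example-cpa.com"
CORRECTED_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example-cpa.com"

if __name__ == "__main__":
    for label, record in (("weak", WEAK_RECORD), ("corrected", CORRECTED_RECORD)):
        result = assess_dmarc(record)
        print(f"{label}: {result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The live record is the TXT entry at `_dmarc.<your-domain>`; `dig TXT _dmarc.example-cpa.com +short` returns it, and the output is what to paste into `assess_dmarc`. Keep the dig output and the script verdict together in the evidence package, since the question the carrier is really asking is "enforcing on the date of the application," not "DMARC exists."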
The crime and social-engineering rider — read it carefully
The most common cyber loss in accounting is not ransomware. It is wire fraud through BEC. An attacker compromises an email account — the firm's, a vendor's, or a client's — and inserts altered payment instructions into a routine transaction. FBI IC3 reporting continues to show BEC driving the largest dollar losses in cybercrime, and tax-season patterns intensify the exposure.
Exposures by service line:
- Tax-season refund redirects. A client emails what looks like updated banking for a refund. The firm files Form 8888 with the wrong account.
- Vendor payment-instruction changes. An AP team member receives a routine invoice from a known vendor with "updated banking details." The vendor's mailbox was compromised three weeks ago.
- Payroll platform compromise. Direct deposit redirection on a client payroll run. One compromised mailbox can redirect dozens of paychecks.
- Trust account and escrow exposure. Firms that hold client funds — bookkeeping retainers, estate administration, forensic engagements — carry the same trust-account exposure that hits law firms.
The base cyber policy generally does not cover the loss. The crime or social-engineering rider does. Two things to verify:
- the sublimit, usually $25,000 to $250,000
- whether the rider covers social engineering fraud — where the firm or client was tricked into authorizing the transfer — and not only direct computer-funds-transfer fraud where the attacker moves money directly
A rider that covers only direct funds-transfer fraud is nearly useless for the accounting BEC pattern. Insist on social-engineering language.
The co-insurance trap on ransomware
Many 2026 policies apply co-insurance to ransomware claims if the named controls were not in place at the time of loss. A typical clause: if the insured cannot demonstrate MFA, EDR or MDR, immutable backups, and a tested IR plan were operating at the time of loss, the insured shall bear 50 percent of the loss — ransom, restoration, and business interruption.
A $1,000,000 ransom sublimit becomes $500,000, with the firm on the hook for the rest. Coveware's quarterly reporting consistently shows small professional services firms among the highest-frequency victims, and Sophos State of Ransomware data shows average recovery cost still exceeds the ransom itself. If the policy includes a controls warranty, every answer on the application is a coverage condition.
War, systemic, and supply-chain exclusions
After the 2023 Lloyd's war exclusion guidance, most cyber policies exclude nation-state attacks. Wording varies.
For accounting firms, watch the supply-chain language. If a breach travels through the tax software vendor, document portal, e-signature platform, or RMM, some policies treat that as a systemic event and exclude it. Ask whether the policy responds if a tax software vendor breach affects this firm, and whether there is a separate sublimit for systemic events. Get it in writing.
Prior-acts matters too. If a tax-season incident happened in the prior policy period and was never disclosed at renewal, the carrier can deny on the next policy. Disclose known incidents.
The tax-season problem
Many carriers now ask whether the firm has cybersecurity gaps during tax season — specifically, whether seasonal contractors and per-diem preparers are brought into the same control set as full-time staff. The honest answer is often "no." A firm that runs tight MFA, MDR, and offboarding for full-time staff often loosens all three when it brings on seasonal preparers from January through April. Be ready to answer how seasonal staff are onboarded and offboarded, whether they use firm-managed or personal devices, whether MFA is enforced on day one, and whether MDR coverage extends to seasonal endpoints.
What does not lower the premium
Things that look like security but do not move underwriting in 2026: a fancier next-generation firewall by itself, stacking two or three antivirus products on the same machine, "we have a great IT guy" without 24/7 monitoring behind it, a WISP PDF from 2019 nobody has read, a one-time pentest with no controls behind it, a SOC 2 from a vendor that does not touch client data. Carriers score operating controls and evidence, not invoices.
The operational sequence that moves premiums
The sequence that works, in order of premium impact and cost-effectiveness:
Step 1 — MFA on email, tax software, and remote access
Enable MFA on Microsoft 365 or Google Workspace, on Lacerte, Drake, UltraTax, ProSeries, or CCH Axcess admin accounts, and on every RDP, VPN, and RMM path. The cheapest move, and it materially lowers premium.
Step 2 — MDR plus ITDR
A managed detection and response service with a real 24/7 SOC checks the EDR and 24/7 monitoring boxes at once. Identity threat detection on top covers the cloud productivity suite controls and MFA-bypass detection. Our Managed Detection and Response and Managed ITDR services are designed against this control set.
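To make the identity-threat piece concrete, here is an added example (not Obsidian Ridge code and not the real Microsoft 365 or Google Workspace audit log format, whose schema is simplified here as an assumption) of two detections an ITDR layer runs: new inbox rules that auto-forward outside the firm or hide payment-related mail, and impossible travel between consecutive sign-ins. The users, domains, coordinates, and events are constructed.

```python
"""Two identity-threat detections over a constructed sign-in and
mailbox-audit feed. Added example; the event schema is an assumption and
is not the Microsoft 365 or Google Workspace audit log format."""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Subject terms the accounting BEC pattern tends to hide or divert, and the
# rule actions that keep those messages away from the mailbox owner.
PAYMENT_TERMS = ("invoice", "wire", "payment", "refund", "banking", "direct deposit")
HIDING_ACTIONS = ("delete", "move_to_rss", "move_to_archive", "mark_read")
MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner speed; anything faster is not travel


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def flag_inbox_rules(events):
    """Alert on new rules that forward outside the firm's domain or that
    hide payment-related mail (the 'silence the real thread' move in BEC)."""
    alerts = []
    for e in events:
        if e["type"] != "inbox_rule_created":
            continue
        rule = e["rule"]
        firm_domain = e["user"].split("@", 1)[1].lower()
        forward_to = rule.get("forward_to", "")
        if forward_to and forward_to.rsplit("@", 1)[-1].lower() != firm_domain:
            alerts.append((e["user"], "external auto-forward", forward_to))
        subject = rule.get("subject_contains", "").lower()
        if subject and any(t in subject for t in PAYMENT_TERMS) and rule.get("action") in HIDING_ACTIONS:
            alerts.append((e["user"], "hides payment mail", f"{rule['action']} when subject contains '{subject}'"))
    return alerts


def flag_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Pair consecutive successful sign-ins per user; alert when the implied
    speed between their geolocations exceeds max_kmh. Failed sign-ins are
    ignored here because they are a separate (brute-force) signal."""
    successes = [e for e in events if e["type"] == "signin" and e["result"] == "success"]
    by_user = {}
    for e in sorted(successes, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, logins in by_user.items():
        for a, b in zip(logins, logins[1:]):
            km = haversine_km(*a["geo"], *b["geo"])
            hours = (b["ts"] - a["ts"]).total_seconds() / 3600
            if hours > 0 and km / hours > max_kmh:
                alerts.append((user, round(km), round(hours, 2), round(km / hours)))
    return alerts


def ts(hour, minute=0):
    return datetime(2026, 3, 2, hour, minute, tzinfo=timezone.utc)


# Constructed feed for one tax-season morning. Coordinates are approximate
# city centres for Dallas, Lagos and Austin.
SAMPLE_EVENTS = [
    {"type": "signin", "user": "jane@example-cpa.com", "result": "success", "geo": (32.78, -96.80), "ts": ts(9)},
    {"type": "signin", "user": "bob@example-cpa.com", "result": "success", "geo": (32.78, -96.80), "ts": ts(9, 5)},
    {"type": "signin", "user": "bob@example-cpa.com", "result": "failure", "geo": (6.52, 3.38), "ts": ts(10)},
    {"type": "signin", "user": "jane@example-cpa.com", "result": "success", "geo": (6.52, 3.38), "ts": ts(11, 30)},
    {"type": "inbox_rule_created", "user": "jane@example-cpa.com",
     "rule": {"subject_contains": "wire", "action": "delete", "forward_to": ""}, "ts": ts(11, 32)},
    {"type": "signin", "user": "bob@example-cpa.com", "result": "success", "geo": (30.27, -97.74), "ts": ts(12)},
    {"type": "inbox_rule_created", "user": "bob@example-cpa.com",
     "rule": {"subject_contains": "", "action": "none", "forward_to": "bob.backup@example-webmail.net"}, "ts": ts(12, 10)},
]

if __name__ == "__main__":
    for alert in flag_inbox_rules(SAMPLE_EVENTS) + flag_impossible_travel(SAMPLE_EVENTS):
        print(alert)
```

On this feed, Jane's Dallas-to-Lagos pair inside two and a half hours trips the travel check and her "delete anything with 'wire' in the subject" rule trips the mailbox check; Bob's Dallas-to-Austin move is ordinary commuting, but his external auto-forward is flagged. A real ITDR service adds token-theft and OAuth-consent signals to these, and the point for the questionnaire is that someone is paged on the alert at 2 a.m. in March, not that the logic exists.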
Step 3 — Immutable backup with a monthly restore test
Pick a product that supports immutability natively, include tax software databases and the document management system in the test scope, schedule a monthly restore, and keep the log.
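The deliverable from Step 3 is the restore log, and carriers want a log that proves the restored data matched what was backed up, not a screenshot of a job marked "completed." The script below is an added example (not any backup product's tooling) of what that verification looks like: hash every file at backup time, restore the offsite copy into scratch space, compare, and append one JSON line per test. The file names, contents, and directory layout are constructed stand-ins for a tax database and document management folder.

```python
"""Restore-test evidence: restore a copy into scratch space, verify every
file against the backup-time SHA-256 manifest, append one JSON log line.
Added example; not a backup product's own tooling."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src: Path) -> dict:
    """Relative path -> SHA-256 for every file under src, taken at backup time.
    Store this manifest with the immutable copy, not on the production host."""
    return {str(p.relative_to(src)): sha256_file(p) for p in sorted(src.rglob("*")) if p.is_file()}


def run_restore_test(backup_copy: Path, manifest: dict, log_path: Path, scratch: Path) -> dict:
    """Restore backup_copy into scratch, verify against manifest, append a JSON line."""
    target = scratch / "restore"
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(backup_copy, target)  # stands in for the product's restore job
    missing, mismatched = [], []
    for rel, expected in manifest.items():
        restored = target / rel
        if not restored.is_file():
            missing.append(rel)
        elif sha256_file(restored) != expected:
            mismatched.append(rel)
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "files_expected": len(manifest),
        "missing": missing,
        "mismatched": mismatched,
        "result": "pass" if not missing and not mismatched else "fail",
    }
    with log_path.open("a") as f:
        f.write(json.dumps(record) + "\n")
    return record


def demo() -> tuple:
    """Constructed data: a tiny 'tax database' and DMS folder, one clean
    restore, then one where the offsite copy was silently altered."""
    root = Path(tempfile.mkdtemp(prefix="restore-test-"))
    prod = root / "prod"
    (prod / "taxdb").mkdir(parents=True)
    (prod / "dms").mkdir()
    (prod / "taxdb" / "returns.db").write_bytes(b"constructed tax database contents")
    (prod / "dms" / "client-k1.pdf").write_bytes(b"constructed K-1 pdf bytes")
    manifest = build_manifest(prod)
    offsite = root / "offsite"
    shutil.copytree(prod, offsite)
    log = root / "restore-tests.jsonl"
    clean = run_restore_test(offsite, manifest, log, root / "scratch1")
    (offsite / "taxdb" / "returns.db").write_bytes(b"tampered")  # simulate a damaged copy
    tampered = run_restore_test(offsite, manifest, log, root / "scratch2")
    return clean, tampered


if __name__ == "__main__":
    for record in demo():
        print(json.dumps(record))
```

The second run is the case the test exists for: the job "succeeds," but the restored database no longer matches, and the log says so. Schedule this monthly against the real offsite copy with the tax database and DMS in scope, and the JSONL file is the artifact to hand the carrier.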
Step 4 — WISP, IR plan, and a tabletop
A WISP satisfying IRS Publication 4557 and the FTC Safeguards Rule, paired with a one-page IR plan naming who calls the carrier hotline, who declares an incident, who notifies the IRS Stakeholder Liaison, and who handles client communication. A 60-minute tabletop with managing partner, administrator, and IT vendor satisfies the tabletop requirement.
Step 5 — Tax-season phishing simulations
Refund-redirect emails, vendor banking changes, IRS-impersonation lures, payroll change requests. Our Managed Security Awareness Training handles the cadence and tunes simulations to the tax calendar.
That covers roughly 80 percent of the premium-moving controls on a 2026 questionnaire.
Renewal reality in 2026
Underwriters now share loss intelligence on the accounting vertical. Two-strike firms — those with claims in consecutive renewal periods — frequently face non-renewal and have to shop E&S markets to find terms. Even top-100 firms with sophisticated programs face surcharges after an incident, regardless of how much the program improved post-event. The IBM Cost of a Data Breach 2024 report put average breach cost in financial services well into the seven figures, and carriers price toward that.
If a claim was paid in a prior period, expect the next application to ask what changed. "We are more careful now" does not pass. "We moved to a 24/7 MDR provider, added MFA on the tax software admin accounts, rewrote the WISP to meet the Safeguards Rule amendments, and ran a tabletop in March" does.
Misrepresentation is a coverage defense. If the questionnaire said MFA was enabled and forensics shows it was not, the carrier may rescind. Answer honestly. If a control is partial, say so.
The AICPA-ethics intersection
A partner cannot use cyber insurance to "transfer" the obligation to safeguard client data. AICPA SSTS Section 1.3 addresses use and protection of client information, and Code of Professional Conduct provisions on confidentiality and due care apply regardless of what the policy pays. Insurance covers financial consequences. It does not cover a state board finding that controls were unreasonable, an IRS EFIN suspension, or a Safeguards Rule enforcement action. The firm remains the data steward; the carrier is a backstop.
Where Obsidian Ridge fits
We are not an insurance broker. We do not sell policies and we do not collect commissions. We help firms operate the controls underwriters score and produce the evidence the application asks for.
The control set that moves the most premium in 2026 — 24/7 MDR, identity threat detection, MFA enforcement, and workforce training — lines up with our Foundation and Protected tiers. Foundation covers endpoint and MDR. Protected adds ITDR and security awareness training (SAT), addressing the four heaviest premium-moving controls on most questionnaires. The accounting industry page lays out the mapping.
For firms renewing in the next 90 days, the two-week Cyber Insurance Readiness sprint maps each questionnaire control to evidence the carrier will accept, identifies gaps most likely to block underwriting, and produces a clean evidence package. The Obsidian Ridge Briefing walks through how the program fits together.
Cyber insurance is not a substitute for controls. It is a backstop for residual risk. Firms that treat the policy as the plan tend to learn the expensive way that the controls warranty is doing more work than the declarations page.
If the questionnaire is making you nervous, that is the right instinct. The fix is operational. Start with MFA on email and tax software, a real 24/7 MDR layer, an immutable backup with a tested restore, and a WISP that meets both Publication 4557 and the Safeguards Rule.
Ready to map your firm's controls to the carrier questionnaire? Start the Cyber Insurance Readiness sprint.