Cyber insurance provides financial protection when a cyber incident — a data breach, ransomware attack, system compromise, or accidental data loss — affects your accounting practice. For UK accountants holding client financial data, the question is not whether to have cyber insurance but whether your current coverage is adequate.

This guide explains what cyber insurance for accounting practices covers, how to assess the right level of cover, and what insurers look for when underwriting the risk.

Why accounting practices need cyber insurance

Accounting practices hold some of the most sensitive personal and commercial data that exists: client tax records, payroll information, bank account details, personal identifiers, business financial information, and HMRC correspondence. A breach of this data creates multiple exposures simultaneously:

Regulatory: under UK GDPR, if a data breach is likely to result in a risk to the rights and freedoms of individuals, you must notify the ICO within 72 hours. Significant breaches can result in ICO fines of up to £17.5 million or 4% of global annual turnover (whichever is higher). ICO enforcement action against professional services firms has increased.

Professional indemnity: if a data breach results in client loss — because confidential business information was exposed to competitors, or because HMRC correspondence was intercepted and used fraudulently — you face a professional negligence claim.

Business interruption: ransomware attacks or system compromises can make client data and accounting software inaccessible for days or weeks. The loss of fee income during this period can be severe.

Reputational: a publicised data breach can cause significant client attrition and damage to the firm's reputation, with long-term revenue consequences.

Standard professional indemnity insurance does not cover all of these exposures. PII covers professional negligence claims arising from errors in your professional work but typically excludes cyber-specific losses such as ransomware costs, notification expenses, regulatory fines, and cyber-specific business interruption.

What cyber insurance covers

A comprehensive cyber insurance policy for an accounting practice should cover:

First-party costs (losses to your own business):

  • Forensic investigation costs (identifying how the breach occurred and its scope).
  • Notification costs (informing affected clients and the ICO).
  • Crisis communication and PR costs.
  • Ransomware response and recovery costs.
  • Data restoration costs.
  • Business interruption losses during system downtime.
  • Credit monitoring for affected individuals.

Third-party liability (claims made against you by others):

  • Legal costs and damages arising from client claims related to the breach.
  • Regulatory defence costs (responding to ICO investigation).
  • Regulatory fines and penalties (subject to policy terms — some policies exclude fines, others provide defence costs but not the fines themselves).
  • Media liability (where the breach leads to reputational harm claims).

Cyber crime coverage (increasingly common as a policy extension):

  • Social engineering fraud (where staff are deceived into transferring funds).
  • Invoice modification fraud (where a fraudulently altered invoice diverts a client payment to a fraudster's account).
  • Telephone fraud.

The specific coverage varies significantly between insurers and policies. Read the policy wording carefully, particularly the exclusions.

How much cover do you need?

The right level of cover depends on four factors: the volume and sensitivity of client data you hold, your annual fee income (as a proxy for business interruption exposure), your potential regulatory fine exposure, and the cost of a realistic data breach scenario for your practice size.

For a small accounting practice with fewer than twenty clients and straightforward data: a policy limit of £100,000 to £250,000 may be sufficient for notification costs, forensic investigation, and basic business interruption. Professional indemnity insurance may cover client claims arising from a breach.

For a mid-size practice with 100 to 500 SME and individual clients, including payroll processing: a policy limit of £250,000 to £1,000,000 is more appropriate given the volume of data and the business interruption exposure. Ensure the policy explicitly covers GDPR notification costs and regulatory defence costs.

For larger practices or those handling particularly sensitive data (high-net-worth clients, complex corporate clients, payroll for large employers): higher limits and bespoke coverage terms may be required. Consult a specialist cyber insurance broker.


The Cyber Essentials free insurance: UK organisations with fewer than 50 employees and annual turnover under £2 million that hold Cyber Essentials certification receive a free £25,000 cyber liability insurance policy. This provides useful baseline cover but is unlikely to be sufficient as the primary cyber insurance for a practice with significant client data holdings. Use it as a supplement, not a replacement.

What insurers assess when underwriting

Cyber insurance underwriters assess your security posture as part of the underwriting process. The questions on a cyber insurance proposal form typically cover:

  • Multi-factor authentication (is it enabled on email, cloud software, and remote access?).
  • Password policies (minimum length, regular changes, no default passwords).
  • Patch management (are operating systems and software kept up to date?).
  • Backup frequency and off-site storage.
  • Staff security awareness training.
  • Incident response procedures.
  • Previous cyber incidents (any ransomware, data breaches, or cyber crime in the past three to five years).
  • Cyber Essentials certification status.

Practices with strong security controls — particularly MFA and regular patching — typically receive better premiums and more favourable terms. Practices with poor controls or a prior incident history may face higher premiums, sub-limits, or exclusions.

Avoiding common coverage gaps

Social engineering exclusions: some policies exclude losses arising from social engineering fraud (where staff are deceived into transferring money or data). This is a significant exposure for accounting practices, where staff may be targeted with fake invoice or payment diversion requests. Ensure your policy explicitly covers social engineering fraud or arrange a separate crime insurance policy.

Sub-limits on regulatory fines: many policies provide legal defence costs for ICO investigations but cap the fines coverage at a much lower amount than the policy limit, or exclude fines entirely. Understand the regulatory coverage in your policy before relying on it.

Excess levels: a high excess (the amount you pay before insurance responds) can make a policy effectively useless for smaller incidents. For an accounting practice, an excess over £5,000 to £10,000 may leave many realistic breach scenarios uninsured.

System failure vs cyber attack: some policies cover cyber attacks but not accidental system failures or data loss. Accounting practices face both risks; ensure your policy covers both.

Key takeaways

  • Standard professional indemnity insurance does not cover the full range of cyber exposures — notification costs, ransomware recovery, regulatory fines, and cyber-specific business interruption typically require a dedicated cyber policy.
  • A comprehensive cyber policy covers both first-party costs (your own losses) and third-party liability (client claims and regulatory costs).
  • Cyber Essentials certification provides a free £25,000 policy — useful as a baseline but unlikely to be sufficient as the sole cyber insurance for a practice with significant client data holdings.
  • Underwriters assess your security controls; MFA and patch management have the most direct impact on premiums and coverage terms.
  • Review social engineering coverage, regulatory fine sub-limits, and excess levels carefully — these are the most common sources of coverage gaps in cyber policies.

Frequently asked questions

Does my professional indemnity insurance cover cyber breaches?

Standard PII covers professional negligence claims arising from errors or omissions in your professional work. Some cyber-related client losses — for example, incorrect advice that leads to a client's tax data being incorrectly filed — may be covered under PII. However, PII typically excludes: the cost of notifying the ICO and clients of a breach, ransomware recovery costs, forensic investigation costs, and cyber-specific business interruption. A standalone cyber policy is needed to cover these exposures.

How much does cyber insurance cost for an accounting practice?

Premiums vary significantly by practice size, data volume, and security posture. A small practice with good security controls (MFA enabled, Cyber Essentials certification) might pay £500 to £1,500 per year for a policy with £250,000 in coverage. A larger practice with higher data volumes or prior incidents might pay £3,000 to £10,000 or more. Obtain quotes from at least two to three specialist insurers or brokers to compare terms.

What should I do immediately if I discover a cyber breach?

Contain the breach (disconnect affected systems from the network if a live attack is in progress), preserve evidence, contact your cyber insurance provider's incident response helpline (most policies include 24/7 access), and begin your internal incident response procedure. Do not pay ransomware demands without consulting your insurer and a specialist ransomware response team — payment may void your coverage or escalate the situation.

Do I need to notify the ICO if client accounting data is breached?

Under UK GDPR, you must notify the ICO within 72 hours if a personal data breach is likely to result in a risk to the rights and freedoms of individuals. Financial data, tax records, and payroll information are sensitive personal data — a breach affecting these is very likely to meet the notification threshold. You must also notify affected individuals directly if the risk of harm is high. Failure to notify when required can itself result in regulatory action.

Is cyber insurance required for Cyber Essentials certification?

No. Cyber Essentials certification does not require you to hold cyber insurance — the insurance is a benefit that comes with certification for qualifying organisations, not a prerequisite. Cyber insurance and Cyber Essentials are complementary: the certification helps prevent incidents, the insurance provides financial protection when incidents occur despite your controls.