Cyber Cover for Accountants

Your PI policy will not pay the ransom. It will not pay the regulator. It may not pay the forensics bill either.

The standard professional indemnity policy held by an ICAEW or ACCA-regulated firm is designed to respond to a third-party civil-liability claim arising from a negligent professional act. It is not designed to respond to a ransomware attack, a fraudulent payment instruction, a data breach notification under UK GDPR, or the first-party cost of forensic investigation. For accountants — who sit on client money, run payroll bureaux, hold HMRC online filing credentials, and process supplier payments at scale — the gap between what the PI policy covers and what a real cyber incident costs is now the single most underbought exposure in the practice. This guide sets out why cyber sits alongside PI, not within it.

What this means in practice

Accountancy firms are an unusually attractive target for cyber criminals for four specific reasons. First, the firm holds the financial credentials of a large number of clients — HMRC Government Gateway logins, Companies House filing credentials, online banking access for client money accounts, payroll bureau access tokens. Compromising the firm gives access to dozens or hundreds of downstream targets. Second, the firm processes high-value payments under time pressure — supplier runs, payroll, VAT remittances, dividend payments. Push payment fraud and CEO-impersonation fraud against accountancy firms are routine events, not rarities. Third, the firm holds sensitive personal data on every individual on every client payroll — names, addresses, national insurance numbers, bank details — engaging the firm’s obligations under UK GDPR and the Data Protection Act 2018. Fourth, the firm typically uses cloud-hosted practice management, tax compliance and bookkeeping software, each of which is an attack surface.

The PI policy, mechanically, is built around the wrong trigger for any of this. PI responds to a third-party claim alleging negligent professional service. A ransomware attack that encrypts the firm’s systems is not a claim against the firm — it is a first-party loss to the firm. The cost of bringing systems back online, paying or refusing the ransom, retaining a digital forensics team, notifying the ICO, notifying affected data subjects, defending a regulatory investigation under UK GDPR, and managing reputational fallout are not within the PI insuring clause. Where PI policies have added a “cyber” extension in response to broker pressure, the limits are typically capped at £25,000 to £100,000 — useful as a sub-cover, nowhere near sufficient for a real incident.

Insurers have responded to this gap by writing standalone cyber policies. A cyber policy gives the firm a first-party response — incident response, breach counsel, forensics, ransomware extortion negotiation, business interruption — and a third-party response covering claims by clients and regulators arising from the breach. The two policies should be bought as a programme, not as alternatives.

How the cover usually responds

A standalone cyber policy for an accountancy firm will typically respond on three layers.

First-party loss. Cover for the firm’s own costs: forensic investigation, system restoration, data recovery, business interruption, cyber-extortion (including ransomware where it is lawful to pay), and crisis management. Most policies include a 24-hour breach response hotline staffed by an external incident response panel; for many incidents the speed of that first call matters more than the policy limit.

Third-party liability. Cover for claims brought by clients, employees and third parties arising from the firm’s failure to keep data secure. This includes liability for downstream losses caused by the firm’s breach — for example, where a client was defrauded because credentials held by the firm were stolen and used to authorise fraudulent payments.

Regulatory. Cover for the cost of responding to an investigation by the Information Commissioner’s Office under UK GDPR and the Data Protection Act 2018, including defence costs and, where insurable, regulatory fines. The insurability of GDPR fines remains a developing point; most policies cover defence costs and the costs of notification but treat the fine itself as a question of public policy.

The PI policy, sitting alongside, continues to respond to its own trigger: a claim by a client alleging negligent professional service. Where a cyber incident gives rise to both a regulatory notification (cyber policy) and a client claim alleging the firm was negligent in its data handling (PI policy), the two policies should respond to their respective heads of loss without conflict. The Third Parties (Rights against Insurers) Act 2010 ensures that where the insured firm becomes insolvent during a claim, the third-party claimant has direct rights against the insurer.

A practical wrinkle worth flagging: many PI policies contain a “cyber act” or “cyber event” exclusion that bites where the cause of the loss is a cyber incident even if the resulting claim looks like a professional negligence claim. The exclusion language varies. Reading both policy wordings together at inception is essential.

Worked example

A 15-person accountancy practice running a payroll bureau for around 80 corporate clients suffers a credential compromise on its practice management platform. The attacker, having access for three weeks before detection, redirects two client payroll runs (around £180,000 in total) to mule accounts and exfiltrates personal data on around 4,200 employees across the client book.

The firm’s costs include: forensics and incident response (£72,000), breach counsel and notification (£28,000), client notification and regulatory response under UK GDPR (£35,000), system rebuild and credential rotation (£40,000), business interruption during the three weeks of disrupted service (£55,000), and reimbursement of the redirected payroll to the affected clients (£180,000). Total first-party and reimbursement cost: around £410,000.

A separate cohort of clients then brings claims against the firm alleging negligent failure to secure their data. The firm’s PI policy responds to the third-party negligence claims, subject to its terms and any cyber-act exclusion. The cyber policy responds to the first-party costs, the regulatory response and the social engineering element of the redirected payroll. Without the cyber policy, the £410,000 would have landed on the firm’s balance sheet.

What to do at renewal

  1. Map the firm’s data and credential holdings against the cyber policy proposal form. Be specific about HMRC online filing access, client money handling and payroll bureau scale.
  2. Read the cyber exclusion in the PI policy. Where the wording is broad, push the PI insurer to narrow it or accept that the cyber policy is the only response for cyber-cause losses.
  3. Test the cyber limit against a realistic incident cost, not a regulatory minimum. £1 million is a starting point for a mid-sized practice; £2 million to £5 million is common where the payroll bureau or client money exposure is significant.
  4. Confirm the incident response panel and the 24-hour hotline. The first 12 hours of a cyber incident shape the entire claim trajectory.
  5. Check the social engineering sub-limit. Push payment fraud against accountancy firms is now routine; the sub-limit should reflect the realistic single-event exposure.
  6. Confirm GDPR fines insurability and the defence cost position. The defence cost element is the predictable cost; the fine itself is the regulatory wildcard.

Apex’s view

Accountants are now one of the highest-exposure professional categories for cyber loss and one of the lowest-take-up categories for standalone cyber cover. The cyber extension built into the PI policy was a compromise written when the market did not understand the exposure; it is no longer fit for purpose for any firm that touches client money, runs a payroll bureau or holds HMRC credentials at scale. We treat cyber and PI as a single programme purchase and we will not let an accountancy client renew the PI policy without confirming the cyber position alongside. The cost of getting this wrong is the firm’s largest uninsured exposure that we routinely see.

Sources

  1. Data Protection Act 2018
  2. UK General Data Protection Regulation (UK GDPR)
  3. Insurance Act 2015, sections 3, 8 and 11
  4. Third Parties (Rights against Insurers) Act 2010
  5. ICAEW Professional Indemnity Insurance Regulations (current edition)

Talk to a specialist broker

Apex Insurance Brokers serves UK professional services firms and commercial businesses. Call 0117 325 0027, email hello@apexinsurancebrokers.co.uk, or request a quotation.

Our service promise. We acknowledge every quote request the same working day. For straightforward risks, indicative terms typically follow within five working days. Complex risks — higher-risk buildings, cladding, mid-term proposals requiring fresh underwriting — may take longer; we’ll send you a progress note by the end of the fifth working day in those cases.
★ 4.0 on Trustpilot (verified) | Listed on the ARB PI broker list | FCA FRN 724952