Cyber insurance for accountants in the UK: what accountancy firms need to know in 2026

Reviewed by Matthew Bartlett, Director (SMF3, SMF16, SMF17). Last reviewed 10 July 2026.

Accountancy practices in the UK are now running two insurance policies where they used to run one. Professional indemnity cover remains the anchor, but the exposures that arrive through email, cloud accounting platforms, and HMRC agent portals no longer sit comfortably inside a PI wording alone. Client money moves at bank-transfer pace, filing runs in near real time under Making Tax Digital, and criminal targeting of accountancy firms has moved from a background risk to a live one. This entry sets out why accountancy firms are cyber targets, what the professional bodies expect, what standalone cyber cover does, where the cyber-PI boundary sits, and what to look for at renewal.

Why accountancy firms are cyber targets

Criminals target accountants for the same reason clients trust them: they sit close to money and data. A general practice handles client bank details for payroll and payment services, holds credentials for corporate accounts and HMRC portals, files returns through agent authorisation, drafts tax planning advice by email, and holds sensitive personal financial information for individuals and business owners. Each touchpoint is a potential attack surface.

Three patterns dominate. Business-email compromise, where an attacker gains access to an inbox and impersonates the firm or a client to divert a payment. Credential theft aimed at HMRC agent services, cloud accounting platforms, and banking apps. And ransomware, which arrives through phishing or a compromised remote-access tool, encrypts records, and demands payment for a decryption key or a promise not to leak exfiltrated data.

The exposure is not confined to larger firms. Sole practitioners and small partnerships are attractive precisely because their controls tend to be lighter and their reliance on email for client instructions tends to be higher. The size of the firm affects the shape of the incident, not whether it happens.

Common cyber incident scenarios for accountancy firms

Authorised push payment fraud and vendor impersonation. A client receives an email that appears to come from the firm, or the firm receives an email that appears to come from a client, asking for payment details to be changed. The wire goes to the fraudulent account. In accountancy contexts this is common in payroll processing, purchase-ledger administration, and tax refund handling.

HMRC portal compromise. An attacker gains access to the firm's agent services account and submits false returns, redirects refunds, or extracts client data. Loss of agent authorisation and the reputational damage with clients can outweigh the direct financial loss.

Ransomware during a peak filing window. The worst-timed attacks arrive close to a statutory deadline, when the firm is least able to absorb downtime. Self-assessment season, quarterly VAT windows, and year-end for corporate clients are all sensitive.

Data breach involving client tax records. Personal tax data, corporate accounts, and payroll records are regulated personal data under UK GDPR. A breach triggers notification obligations, potential ICO engagement, and client civil claims.

Payroll fraud. An attacker changes employee bank details in a payroll file so wages are diverted at the next run. The firm processes the payroll on behalf of the client and is often the first party to detect the issue after the payment has cleared.

Compromised advice thread. A criminal inserts themselves into an ongoing advice email chain with a client and issues instructions that appear to come from the firm. The client acts on those instructions and suffers loss.

What ICAEW, ACCA and CIOT expect on cyber security

None of the accountancy professional bodies has issued binding cyber rules in the way the FCA has for regulated financial firms. What they have issued is guidance, thematic review, and practice-assurance material that shapes supervisory expectations. The ICAEW publishes cyber and information security guidance and refers members to the National Cyber Security Centre's small-organisation material. The ACCA maintains a cyber security guide for members. The CIOT's Practice Assurance Standards treat IT security and client data protection as part of a member firm's control environment, reflected in the questions asked at practice review. None is statutory, but all of it shapes the questions a supervisor, an insurer or a client will ask.

Client due diligence has moved in parallel. Larger commercial clients now ask about multi-factor authentication, backup practice, incident response, and supplier security as part of vendor onboarding. Firms without a clear answer risk losing tender opportunities before price is discussed.

What accountants' PI cover does on cyber-arising loss

Professional indemnity cover for an accountancy firm is a civil-liability wording. Where a cyber event has caused loss to a client, and the client can advance a civil claim in negligence or breach of duty against the firm, the PI wording is designed to respond. In practice that means the PI cover will typically engage on the client civil claim itself, on defence costs of that claim, on defence costs of a regulatory investigation linked to the alleged failure, and on third-party liability arising from the breach where the firm is legally liable to a third party.

PI insurers do not generally carve out cyber-caused liability from an accountants' policy. If the ingredient of the claim is professional negligence, breach of contract, or breach of duty in the ordinary sense, the wording engages regardless of whether the underlying failure was a mis-drafted return or a compromised inbox. Aggregation of related client claims is handled by the wording's aggregation clause, which for accountants is typically negotiated rather than prescribed — see the related entry on aggregation clauses by regulator.

What accountants' PI cover does not typically do

The PI wording is not a cyber policy. First-party incident response — the forensic investigation, breach counsel, digital evidence preservation, and public relations costs of managing the event — is not answered by PI. Nor is a ransomware payment, whether direct or via a specialist negotiator. Business interruption arising from a cyber outage — loss of fees, loss of margin, and the increased cost of working during downtime — is not a PI head. Data restoration and system rebuild are outside the wording. Client notification and credit-monitoring costs are outside. ICO administrative fines imposed on the firm itself sit in contested legal territory and are routinely excluded.

Those categories are not marginal. In a mid-scale ransomware event affecting a firm of twenty fee-earners, the first-party costs alone can run to six figures before any client claim has been quantified. That is the practical case for standalone cyber cover.

What standalone cyber policies cover for accountants

A modern standalone cyber policy is designed to sit alongside the PI cover and pick up the operational and first-party costs the PI cannot reach. A typical wording will include first-party incident response, covering forensic investigation, breach counsel, notification specialists, and public-relations support. It will include ransomware and extortion cover, subject to sanctions screening, insurer approval of any payment, and any policy sub-limit. It will include business interruption arising from a cyber outage, usually with a waiting period. It will include data restoration and system rebuild. It will include client notification and credit monitoring. It will include regulatory investigation defence, typically reaching ICO and HMRC engagement. And it will include third-party liability for privacy breaches on a network security and privacy liability limb.

Standalone wordings vary widely between markets. Two policies described as "cyber" can look very different in the definitions of "cyber event", "extortion demand", "business interruption loss", or "social engineering". The wording matters more than the label.

The APP fraud boundary — which insurer pays

Authorised push payment fraud is the scenario where the boundary between cyber and PI is most often contested. The pattern is familiar: an attacker compromises the firm's email, poses as the firm or as a client, and instructs a transfer to an account under criminal control. The client suffers the loss. The firm faces a civil claim and, in some cases, a regulatory follow-up.

The PI insurer typically argues the firm was negligent and the PI wording responds. The cyber insurer typically argues the systems breach was the operative cause and the cyber wording responds. Both may be correct on their own reading. Both insurers may need to be notified, and the broker manages the boundary discussion so the client is not left without cover while the two insurers debate. The firm's social-engineering sub-limit inside the cyber policy is often where this lands.

Making Tax Digital and the cyber attack surface

Making Tax Digital has changed the shape of an accountant's data flow. Where returns were once filed in batches at fixed points in the year, MTD requires digital record-keeping and API-based filing at higher frequency. The attack surface has grown in step. Client bookkeeping data now flows continuously through cloud accounting platforms — Xero, Sage, QuickBooks, FreeAgent and their peers — with API integrations to HMRC and to third-party apps. Each platform is a target and each integration is a control point that has to be maintained.

The practical effect for an insurance programme is threefold. First, third-party software breaches are now a foreseeable exposure and the cyber wording needs to answer for supplier or vendor failures. Second, client data is often shared across cloud platforms the firm does not control end to end, which sharpens the notification and supply-chain questions at renewal. Third, MTD's filing frequency means a cyber outage during a peak window causes wider disruption than the same outage during a quiet period. The business-interruption sub-limit and the waiting period both matter more than they did five years ago.

Cyber cover essentials for an accountancy practice

A cyber policy that is fit for an accountancy firm typically needs a first-party sub-limit for social engineering and APP fraud that is proportionate to the firm's client-money throughput. It needs cover for HMRC portal and agent-authorisation compromise, articulated in the wording rather than assumed. It needs a business-interruption limb that recognises the peak filing periods the firm depends on. It needs vendor and supply-chain cover for the cloud accounting platforms the firm relies on. It needs client notification cover that meets UK GDPR expectations, and regulatory-investigation defence cover that reaches HMRC as well as the ICO. And it needs to sit sensibly alongside the PI wording so the boundary discussion, when it arrives, is manageable.

How Apex Insurance Brokers helps

Apex Insurance Brokers Limited is an FCA-authorised broker (firm reference number 724952) with a professions focus. The firm is director-led. Matt Bartlett holds SMF3, SMF16 and SMF17 approvals and is accountable for how business is placed. Apex arranges professional indemnity cover for accountancy firms across the ICAEW, ACCA, CIOT and unregulated segments, and places standalone cyber cover alongside it for firms with material client money throughput, HMRC agent portal exposure, or tax advisory work by email. Where the PI and cyber wordings need to be coordinated at renewal, or where a live incident straddles the two, Apex acts as the firm's broker on both sides of the boundary.

FAQs

Do accountants need cyber insurance separately from PI? Professional indemnity and cyber cover answer different questions. PI answers for client civil claims and the associated defence and regulatory costs. Cyber answers for first-party incident response, ransomware, business interruption, data restoration, notification and regulatory-investigation defence. Firms that hold only PI are typically exposed on the operational side of an incident.

Does ICAEW require cyber insurance? ICAEW does not mandate a standalone cyber policy as a condition of practice. Its guidance and thematic material treat cyber security as part of a firm's control environment and its practice-assurance work asks about IT security. For firms handling client money or filing at scale, cyber cover is increasingly part of a defensible practice.

How much cyber cover does an accountancy firm need? The answer depends on the firm's fee income, client-money throughput, size of the client base, and reliance on cloud platforms. For small practices, limits in the low hundreds of thousands are common. For mid-sized firms with material payroll or advisory work, limits at one to five million are more typical. The right answer is a function of exposure rather than a rule of thumb.

Does a cyber policy cover ransomware payments? Most standalone cyber wordings include an extortion limb that can respond to a ransomware demand, subject to sanctions screening, insurer approval of any payment, and any policy sub-limit. The answer varies by wording and by the specific circumstances of the incident. The insurer's incident-response panel is usually engaged first.

What happens when a client is defrauded via my firm's compromised email? Both the PI insurer and the cyber insurer may need to be notified. The PI wording answers for the client civil claim; the cyber wording answers for the first-party costs of investigating the breach and, where the wording engages, for social-engineering loss up to the relevant sub-limit. The broker's role is to manage the notifications and the boundary discussion — see the entry on the first 30 days of a PI notification.

Do MTD requirements increase cyber exposure? Yes. Cloud accounting platforms, API integrations to HMRC, and continuous data flow between client and firm all sit inside the exposure a cyber policy has to answer for. Firms that adopted MTD without revisiting their cyber cover are often under-protected on business interruption and vendor risk.

Further reading

For the sector context see the ultimate UK accountants' PI guide. For the ICAEW capital-and-cover framework see ICAEW Bye-law 61 explained. For the difference between consumer and commercial cover see consumer vs commercial PI. For the practical steps in the first month after an incident see the first 30 days of a PI notification. And for the parallel cyber-PI boundary discussion in the solicitor market see cyber and PI overlap under the SRA MTC.

Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority. Firm reference number 724952.