Reviewed by Matthew Bartlett, Director · Last reviewed 9 July 2026
Accountancy practices sit on client identity documents, National Insurance numbers, bank statements, VAT returns, payroll records and — increasingly — direct feeds into HMRC through Making Tax Digital. That combination makes the profession a durable target for both opportunistic ransomware and targeted business email compromise. This entry sets out how cyber cover works for an accountancy practice, how it fits with ICAEW and ACCA ethical standards on client confidentiality, and where the notification duties sit under UK GDPR and to the professional bodies.
ICAEW's Code of Ethics section 114 sets a fundamental principle of confidentiality: a professional accountant shall respect the confidentiality of information acquired as a result of professional and business relationships. ACCA's Code of Ethics and Conduct carries an equivalent principle. Neither disappears when the information is copied out of the firm's server by a threat actor.
Under UK GDPR every practice is a data controller for its client and employee personal data, and a data processor for the personal data of the client's own workers where it runs payroll. The MTD regime concentrates that data further — quarterly submissions, digital records and API-based interactions with HMRC increase both the value of the data at rest and the impact of an interruption. HMRC's own guidance treats agent credentials and agent services accounts as sensitive and expects reasonable steps to protect them.
Cyber policies for accountants are usually written on the same core structure as the wider market. First-party sections respond to breach response and incident management (specialist forensic, legal and PR support), cyber extortion and ransomware where lawful, business interruption while systems are down, data restoration, and cybercrime and funds transfer fraud. The cybercrime section matters particularly at year-end and during self-assessment season, when payment volumes to HMRC and refunds to clients concentrate.
Third-party sections respond to privacy and network security liability, regulatory investigation and defence (ICO and, where relevant, professional body investigations), regulatory fines where insurable at law, and media and content liability. Practices that hold client passwords for HMRC portals should check whether unauthorised transactions from client accounts fall within the wording or are treated as an excluded fidelity-style loss.
The usual carve-outs apply: state-sponsored acts, prior known circumstances, unpatched known vulnerabilities after a stated window, unencrypted portable media and war. Some wordings exclude losses where the firm has failed to enforce multi-factor authentication on remote access — a fair condition on paper, but one that can catch a practice that toggled MFA off for a specific client login and forgot to switch it back on. A specialist broker checks how the exclusion applies to individual account failures versus firmwide policy failures.
Article 33 of the UK GDPR requires notification to the ICO of a personal data breach within 72 hours where the breach risks the rights and freedoms of natural persons. Article 34 requires notification to affected data subjects where the risk is high. For an accountancy practice, the trigger is usually a mailbox compromise, a lost or stolen device with client records on it, or an exfiltration event confirmed by a ransomware group's leak site. The DPA 2018 applies where the data is special category. Practices should also treat professional-body reporting expectations as running in parallel — ICAEW and ACCA both expect prompt notification of matters likely to affect confidentiality of client information.
PI responds to civil claims arising from the practice — a client suing the firm because a breach caused them a financial loss (a fraudulent tax repayment redirected, say, or a client whose commercially sensitive numbers reached a competitor). Cyber responds to the response itself — forensics, ICO notification, ransomware negotiation, credit monitoring for affected clients. A specialist broker aligns the two wordings so the same event does not fall into a gap between covers, and so cyber-related PI exclusions (which some PI insurers have started to introduce) do not leave the firm short.
Cyber underwriters price on evidence of a small number of practical safeguards. For an accountancy practice expect to be asked about multi-factor authentication on remote access, on all cloud services and on the HMRC agent services account; endpoint detection and response on every machine rather than legacy antivirus; offline or immutable backups of the practice's ledger and payroll data tested at least annually; a documented patch cadence for accounting software and Windows workstations; staff phishing training with particular emphasis on the January self-assessment period; and a written incident response plan that names who calls whom in the first hour. A practice that answers no to these will find itself outside the mainstream market or with the cybercrime section stripped out — the section that most typically responds to the practice's biggest exposure.
Apex Insurance Brokers Limited places cyber cover for accountancy practices alongside PI. We work with Lloyd's syndicates and specialist company markets, review the cybercrime sub-limit against the practice's payment volume, and check the interaction with the PI wording line by line. Client retention runs at 95%. Commission is disclosed on request under ICOBS 4.4. Ape