Unfortunately, cyber-attacks against accounting firms are not unusual. Because firms store large amounts of clients’ personal and financial data, they are at a heightened risk for cyber-attacks. Malware, ransomware, phishing and other breaches are becoming commonplace.

Despite all the information accounting firms are responsible for, they typically have few layers of cyber protection to guard against theft. Take action to protect your firm.

Enforce a password policy

Password policies are an extremely easy way to protect sensitive data. All employee passwords should meet a few simple requirements, including:

  • A combination of letters, numbers and symbols
  • A minimum of 12 characters
  • Upper- and lower-case letters and numbers

Passwords should also be changed regularly and not be repeated.
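One way to turn the policy above into an automated check at password-change time. This is an added illustration, not code from Lockton or from the original post; the history depth of five, the PBKDF2 parameters and the use of salted hashes for the reuse check are assumptions, chosen so that old passwords are never stored in clear text.

```python
import hashlib
import hmac
import os
import string

# Rules stated in the policy: 12+ characters, letters, numbers, symbols, mixed case, no reuse.
MIN_LENGTH = 12
HISTORY_DEPTH = 5  # assumption: how many previous password hashes are remembered

def check_complexity(password):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    return problems

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Only the digest is kept, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest

def was_used_before(password, history):
    """history is a list of (salt, digest) tuples for the user's previous passwords."""
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in history)

def change_password(new_password, history):
    """Validate against the policy and the history.

    Returns (updated_history, []) on success or (None, problems) on failure.
    """
    problems = check_complexity(new_password)
    if was_used_before(new_password, history):
        problems.append("password was used before")
    if problems:
        return None, problems
    updated = history + [hash_password(new_password)]
    return updated[-HISTORY_DEPTH:], []
```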

Educate staff

Most people know to avoid a suspicious email, but formal cybersecurity training for staff is still worthwhile. Provide an extensive list of “do’s and don’ts”, including internet usage and social media policies. With regular employee training, a large number of potential data breaches can be avoided.

Specify a BYOD policy

Bring Your Own Device (BYOD) policies can be risky if appropriate security measures are not taken. If personal devices are allowed at your firm, be sure to:

  • Encrypt and password protect company data
  • Install mobile device management software that can remotely wipe the employee’s device (for example, if the employee leaves the firm)
  • Limit unsecured Wi-Fi practices

Lost or stolen laptops/devices are a leading cause of CPA firm data breaches. With simple file, email and full-disk encryption on employee devices, information can be protected even if the laptop/device is lost or stolen.

Be Careful with Cloud Services

When firm and client information is stored in the cloud, it is technically stored off site. The information can even be stored in another country, where it may be subject to international search and seizure laws. When storing firm and client information in the cloud, ask your provider the following questions:

  • Will the information in the cloud be encrypted?
  • Have the clients provided their written consent to place information in the cloud?
  • Does the cloud provider employ adequate security to protect the data?
  • Will the data be stored internationally? If so, will it be subject to search and seizure?

Only use a cloud provider that can provide reasonable assurance that your data will be protected.

Dealing with an Attack

Even firms with the best security protection are at risk of a data breach or another cyber disaster. Cover your firm beyond preventative measures with a cybersecurity insurance policy. Cyber liability insurance coverage often makes the difference between surviving a data breach and not surviving it. Cyber liability coverage can help a firm cover the costs related to a data breach, including:

  • Privacy breach notification expenses
  • Litigation
  • Loss of income
  • Regulatory fines and penalties
  • Other expenses

In addition to coverage, an insurance company can help you identify cybersecurity shortcomings of your firm and help head off future claims. Explore other ways Lockton Professional can help protect your firm.