
Cyber liability underwriting requirements for small CPA and tax practices

A practical brief for brokers and the 5–50 employee Certified Public Accountant (CPA), tax-preparation, bookkeeping, and tax-adjacent advisory practices they advise.

Foreword

Three pressures are converging on small accounting and tax practices in 2026. Cyber underwriters have turned the application from an attestation checkbox into a documentary-proof exercise, and the landmark rescission case is now seven years old and cited by name in carrier declination letters. The IRS moved the Written Information Security Plan (WISP) from recommended to federally mandated through the Preparer Tax Identification Number (PTIN) renewal attestation, which every paid preparer files before the next season. AI-era attackers now operate at a speed and scale a three-person back office cannot outrun, and they know the tax calendar better than the firm does.

This brief lays out the eight specific technical controls underwriters are asking about in 2026, what “implemented” actually looks like inside a firm of this scale, why the threat landscape has raised the bar since the last renewal cycle, and why claims still get denied even after coverage is bound. Brokers and firm partners alike should finish it able to name which controls their client (or their own practice) can truthfully attest to today, and which controls require 60 to 90 days of work before the next application or the next PTIN renewal, whichever comes first.

In one page

  • Coverage now turns on eight verifiable technical controls, not a broad attestation. A mismatch between what a firm attests to on the cyber application and what the claims adjuster verifies post-loss is the single most common reason coverage is voided, and Travelers v. ICS is the precedent carriers cite by name when they rescind.
  • AI has compressed attack timelines to minutes and commoditized phishing, voice-cloning, and deepfakes. Average eCrime breakout time is now 29 minutes, the fastest observed 27 seconds, and 82% of 2025 intrusions were malware-free: attackers authenticating with valid credentials rather than dropping files. The controls on underwriter applications have become the last line of defense.
  • The single largest loss pattern in this class is business email compromise (BEC) leading to funds-transfer fraud (FTF), which together drove 58% of all cyber insurance claims in 2025. Half of all FTF events begin with a BEC.
  • The Written Information Security Plan (WISP) is now both a federal compliance obligation and a carrier-intake gate. A WISP is attested on each PTIN renewal, required by the Federal Trade Commission (FTC) Safeguards Rule at 16 CFR § 314.3, and codified by the Internal Revenue Service (IRS) in Publications 5708 and 5709.
  • Texas’s 30-day Attorney-General clock (SB 768, 2023) for breaches affecting 250+ Texans runs parallel to the FTC Safeguards Rule’s 30-day federal clock at the 500-consumer threshold. Senate Bill 1188 does not apply to tax or accounting practices; it is a healthcare-only statute that brokers routinely conflate with the general notification law.
  • Claims most often fail for reasons the firm could have controlled. Misattestation at application, missed 72-hour notification windows, and wire transfers released before callback verification account for most of the denied claims we see.
  • Closing the gap is a four-to-six-week engagement for a 10–20 person firm. Implementation runs $12,000–$30,000 against a 2025 professional-services incident-cost average of $307,000.

The 2026 environment

A few data points frame the conversation.

  • The IRS logged nearly 300 data breaches at tax practices in the first half of 2025 alone, exposing data on as many as 250,000 clients. The targeting is industrial, not opportunistic: phishing aimed at Electronic Filing Identification Numbers (EFIN), PTINs, and Centralized Authorization File (CAF) numbers runs on the tax calendar, and the same “new client” booby-trapped-attachment campaign returns every filing season.
  • Coalition’s 2026 Cyber Claims Report puts BEC and FTF at 58% of all cyber claims in 2025, with FTF alone at 27% and ransomware at 21%. Among all FTF events, 52% originated from a prior BEC. Coalition recovered $21.8 million in stolen funds for policyholders in 2025 at an average of $202,000 per recovery, but only when the insured reported the fraudulent transfer within 72 hours.
  • NetDiligence’s 14th Annual Cyber Claims Study showed professional-services small and medium enterprise (SME) incident costs jumping from $199,000 in 2022 to $307,000 in 2023, a 54% spike in a single year, while healthcare SME costs fell. Professional services, including CPA practices, is now a rising-cost class while other regulated sectors moderate.
  • Travelers v. ICS remains the landmark rescission. Travelers voided a $1 million cyber policy after discovering the insured had attested to enterprise-wide MFA but in fact used MFA only on its firewall. When ransomware struck weeks after binding, the court declared the policy void from inception, and the insured absorbed every dollar of loss. Forrester has since reported that roughly 40% of cyber claims now face denial or partial denial, most commonly for control-attestation gaps.

The controls a firm attests to on the application are the controls the claims adjuster will verify if a loss occurs. If the attestation does not match reality, the claim is denied after the premium has been paid and the breach absorbed.

The eight controls underwriters are asking about

The list is drawn from current applications by Beazley, Coalition, Chubb, Travelers, CNA, and Hartford, and from the public advisory guidance of Aon, Marsh McLennan, the IRS Security Summit, and the FTC Safeguards Rule. The wording varies by carrier; the questions are consistent. The full brief documents each control with the specific question underwriters ask, why it matters, what “implemented” looks like inside a firm of this scale, and where firms of this size most commonly fall short.

  1. Multi-Factor Authentication (identity & access)
  2. Endpoint Detection and Response (endpoint security)
  3. Immutable and Tested Backups (resilience)
  4. Written and Tested Incident Response Plan (preparedness)
  5. Email Security and Awareness Training (human layer)
  6. Timely Patch Management (vulnerability management)
  7. Written Information Security Plan (WISP) (governance & compliance)
  8. Wire Verification and Vendor Risk Management (funds-transfer integrity)

The full brief (20 pages, April 2026) covers each control with the question underwriters ask, why it matters, what implementation looks like inside a small firm, and where firms of this size commonly fall short. It also walks through what is happening in Texas right now (Salling Madeley, Sheheen Hancock & Godwin, SB 768, why SB 1188 does not apply to CPA practices, CBIZ), the FTC Safeguards Rule and how each control maps to a specific subsection of 16 CFR § 314.4, why claims still get denied after coverage binds, when to refer a client to DIAM, and the practical sequence a firm should follow before its next cyber application or PTIN renewal. Request a copy to keep reading.