Cyber incidents have continued their upward trajectory in 2023, with geopolitical events, a significant increase in hardware and software vulnerabilities, and a rise in ransomware attacks contributing to an already heightened threat level. In this environment, CPA firms are particularly vulnerable to an attack.

A cybercriminal’s motivation and rationale can vary, from securing ransom payments to selling confidential data on the dark web. This fluid environment requires firms to sharpen their focus on not just creating, but also continually enhancing, their security strategy—and considering securing cyber coverage.

Cyber insurance will continue to play an important role in managing cyber risk. CPA firms should conduct proactive risk assessments so they can engage constructively with insurers.

Targeting CPAs

In recent years, hackers have been shifting their focus—moving beyond just the big name, headline-making targets that were synonymous with breaches in the past—to smaller, “under the radar” victims. For example, based on emerging patterns, some cyber criminals may be avoiding larger organizations for ransomware attacks to avoid provoking national political or law enforcement response. According to Sherry Bambrick, senior underwriter for the AICPA Member Insurance Programs, this evolving strategy has serious implications for CPAs.

“Hackers have always found CPA firms particularly attractive because they are, in essence, aggregators of data—both financial and PII or personal identifiable information,” Bambrick said. “This trending focus on smaller organizations, coupled with the level of PII a firm potentially holds, quite simply increases the risk they face.”

Beyond the data, hackers also tend to target CPA firms because they frequently have access to client funds. Cyber criminals may also assume that mid-size and smaller firms do not have strong information security preparedness strategies in place because their leaders believe they are too small to be targeted.

Complying with Insurers’ Expectations

Many insurers are demanding more from CPA firms in terms of cyber resilience, so firms should expect rigorous questioning about their cybersecurity protocols when they seek coverage.

Today, it’s not unusual for an insurer to review a firm’s cybersecurity efforts, generally checking whether the firm is following best practices in a few key areas.


  • Installing patches within 30 days of release
  • Tagging external emails to alert employees that the message originated from outside the organization
  • Implementing software to help protect against phishing messages
  • Utilizing web filtering to block access to known malicious websites

Classifying Data

  • Segmenting its network based on the classification level of information stored on its systems


  • Confirming it does not utilize any end-of-life operating systems or platforms (those being phased out by the manufacturer and no longer receiving security patches); this includes systems using an extended service contract from the manufacturer
  • Utilizing an advanced endpoint detection and response (EDR) tool on all endpoints and servers; EDR tools proactively address threats after they have penetrated an organization’s endpoints, but before they cause damage
  • Having a process to decommission unused systems

Training and Testing

  • Conducting regular security awareness training and penetration testing
  • Ensuring access to information and resources is only provided to employees who need it for a legitimate purpose
  • Requiring multi-factor authentication for:
    • Remote access to the network, including web-based email
    • Protecting privileged user accounts
    • All cloud resources like Office365
    • All remote desktop protocol (RDP)
    • All virtual desktop instances (VDI) accessible from the Internet


Backups and Security Planning

  • Performing full and incremental backups of business data regularly
  • Testing backups for restorability
  • Ensuring backups are stored physically offsite
  • Ensuring backups are stored offline to safeguard from infection
  • Putting in place an annually tested incident response plan that includes the ability to quickly contain an incident
  • Having formal, annually tested disaster recovery and business continuity plans
  • Implementing a formal vendor management program that inventories and classifies the type of data and level of access each vendor uses

Reviewing these areas before any discussions with an insurer can help facilitate the process of securing cyber coverage.

Stan Sterna, JD, is a vice president and Nicole L. Graham, JD, is a risk consultant, both with Aon Insurance Services, delivering risk management consulting services to regional accounting firms to assist them with mitigating professional liability risks.