Cyber insurance for tax and accounting firms has hardened significantly. Five years ago an application was a checkbox and a signature; today it's a 40-question deep dive into how you authenticate, monitor, back up, train, and respond. Carriers know what your firm holds — SSNs, bank details, and full financial profiles for every client — and they price the policy on whether you can credibly show you're protecting it.
The good news: the questions are predictable. Below is the control map underwriters actually use, with the right answers and the red flags that move premium or get coverage denied outright.
What the Questionnaire Actually Asks
Multi-factor authentication
  What they ask: MFA on email, the tax software, e-Services, the bank, all admin accounts, and any remote access.
  The right answer: Yes — enforced across every account, with a documented exception process for the rare break-glass cases.
  Red flag: MFA only on the bank, only on the tax software, or only on 'most' accounts. Carriers treat partial as none.

Endpoint protection
  What they ask: Modern EDR (not just antivirus) on every workstation, server, and remote device, with 24/7 monitoring.
  The right answer: Yes — managed EDR with a SOC, deployed on every endpoint, with central reporting we can show.
  Red flag: Free Microsoft Defender with no monitoring, expired Symantec / McAfee, or 'most' devices covered.

Backups
  What they ask: Offsite, immutable, regularly tested backups of email, tax-software databases, and client files.
  The right answer: Yes — third-party backup of M365 / Workspace and tax-software data, with documented test restores at least annually.
  Red flag: Native M365 retention only, on-site-only backups, or 'we have backups but haven't tested them.'

Phishing training
  What they ask: Ongoing security awareness training with phishing simulations and per-employee metrics.
  The right answer: Yes — quarterly training plus monthly phishing simulations, with click-rate trending we can show.
  Red flag: One-time training years ago, or no formal program.

Written WISP / IRS Pub 4557
  What they ask: A written information security plan aligned to the FTC Safeguards Rule and IRS Pub 4557 Security Six.
  The right answer: Yes — current, signed, reviewed annually, with the PTIN-renewal attestation language ready.
  Red flag: No WISP, a template downloaded once and never opened, or one that doesn't match what you actually do.

Incident response
  What they ask: Written IR plan with named responders, an IR retainer, and a documented IRS Stakeholder Liaison contact.
  The right answer: Yes — a one-page plan with names and phone numbers, an IR retainer in place, and the IRS contact path documented.
  Red flag: 'We'll figure it out if it happens' — or a plan that exists but nobody on staff can find.

Vendor due diligence
  What they ask: Inventory of vendors with access to client data, with security review and a contract clause covering breach reporting.
  The right answer: Yes — a current vendor inventory and a documented review process for high-risk vendors.
  Red flag: No vendor list, or one that hasn't been updated since the firm onboarded its tax software.
Why Misrepresenting on the Application Is Worse Than Failing
The temptation when faced with a tough question is to round up — to tick “yes” on MFA when coverage is partial, or “yes” on a WISP that's really a template you downloaded once. Don't. Modern cyber policies include warranties and conditions tied to the answers you give; if a breach happens and the carrier discovers the actual state didn't match the application, they can rescind the policy or deny the claim — exactly when you need it most. The general mechanics are the same as for insurance agencies in E&O insurance and your WISP.
What Actually Lowers Premium
Three things move the needle most. Universal MFA, particularly on email and e-Services, is the single highest-impact yes. Managed EDR with 24/7 monitoring is a step change above “we have antivirus.” And a tested backup with documented restore evidence reassures underwriters that you can recover without paying a ransom. The general mechanics of why these three matter most are in our MFA guide, EDR vs antivirus, and the 3-2-1 backup rule.
The WISP and PTIN Floor
On top of the operational controls, carriers expect the profession-specific paperwork: a written information security plan aligned to the IRS Publication 4557 Security Six and the FTC Safeguards Rule, signed and reviewed annually, with the PTIN-renewal attestation. We cover exactly what the WISP must contain in IRS Publication 4557 & the WISP every tax preparer needs. It's the floor — and increasingly, carriers won't even quote without it.
The Cost Trade
Putting these controls in place isn't free, but the trade works. A managed plan that satisfies a renewal questionnaire runs somewhere in the range covered in how much cybersecurity costs for an accounting firm — and the resulting premium reduction plus avoided coverage denials typically more than offsets it for any firm whose entire value depends on client trust and data.
The Bottom Line
Cyber-insurance renewal is now a security audit dressed up as a questionnaire. Walk into it with universal MFA, managed EDR, tested backups, a real WISP, ongoing training, an IR plan, and a vendor inventory — and you'll renew at a fair premium with no warranty traps. Walk in without them and you'll either pay more, narrow coverage, or get declined.
For how that operates as a managed service, see the cybersecurity for accounting & tax firms page.
This article is general information, not legal, insurance, or compliance advice. Policy terms vary by carrier and engagement; consult your broker and qualified counsel for your firm's situation.