Cyberattacks are becoming more sophisticated, and cyber insurers are adjusting their expectations in response. In the past, having a cyber insurance policy provided enough reassurance.
That is no longer the case. Today, accounting firms must demonstrate that their IT systems are secure, that they offer employee training, and that their incident response plans are ready.
This article builds on topics covered in Cetrom’s previous articles, including What CPA Firms Need to Know About Cybersecurity Insurance and How to Save Money on Cyber Insurance by Outsourcing IT, expanding the conversation with updated trends, tools, and insurer requirements.
Handling a large volume of client data has become standard for most accounting firms. This can include taxpayer identification numbers, banking credentials, payroll details, and financial records. The sensitivity of this financial data makes firms attractive targets for cybercriminals, who increasingly use tactics such as phishing, malware, and ransomware.
When a data breach occurs, firms can face regulatory fines, legal claims, or even contract losses. The financial exposure can be severe, which is why many firms rely on cyber insurance to limit the fallout.
A strong cyber insurance policy can help cover costs for restoring systems, notifying clients, managing legal risks, and responding to government inquiries. Insurers now require evidence that a firm has implemented data protection in advance.
Application forms now require documentation that demonstrates how a firm enforces access controls, manages system updates, trains employees, and responds to threats.
An application typically requires you to submit a copy of the firm’s incident response plan, a recent screenshot of multi-factor authentication settings, examples of simulated phishing tests, and documentation that software patches are applied on time.
One of the most consistent requests involves access controls. Firms must demonstrate that administrative accounts are protected by multiple forms of authentication and that regular accounts are also protected by MFA. If your firm has not yet rolled this out across all systems, insurers may flag it as a vulnerability.
Antivirus software alone is no longer sufficient. Insurers want to see real-time threat detection tools in place — ones that monitor system behavior and respond automatically when something appears unusual. These tools should also be able to send alerts and generate logs for later review.
How you manage patches to your systems is a growing area of concern. Insurance carriers want to know how quickly your team applies updates, whether third-party software is monitored, and how your IT provider tracks vulnerability notices. Any delay in patching can directly translate into higher risk ratings.
Firms also must show that their staff is receiving regular training on recognizing suspicious activity, creating secure passwords, and reporting issues promptly. Training should also include simulations, not just annual review sessions.
As cyber insurance becomes more selective, premiums are increasingly tied to the strength of your systems. Firms with well-documented controls may secure better coverage at a lower cost. Gaps in protection, or a lack of evidence of routine oversight, often result in higher costs or exclusion.
A common focus is the configuration of your backup systems. Backups should be encrypted, stored off-site, and tested frequently. Carriers want confirmation that a ransomware incident won't eliminate your ability to recover. If backups are stored on the same system as live data, or have not been tested recently, they may not pass review.
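The backup review described above comes down to three questions a carrier can ask for evidence on: are backups kept apart from live data, does a restore actually reproduce the original files, and when was that last proven? The script below is an added example, not Cetrom's tooling or anything from the original article. It builds a small constructed live/backup tree in a temporary directory, performs a restore, verifies each file against a SHA-256 manifest, and flags a restore test older than an assumed 30-day policy limit; encryption at rest is assumed to be handled by the backup tool itself and is not checked here. The names `run_restore_test`, `demo` and the 30-day threshold are all assumptions for this example.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

MAX_TEST_AGE_DAYS = 30  # assumed policy value: how stale a restore test may be


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup members do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def run_restore_test(live_root, backup_root, manifest_path, restore_root,
                     last_test_utc, now_utc=None):
    """Restore every manifest entry and report findings an underwriter would care about."""
    now = now_utc or datetime.now(timezone.utc)
    findings = []
    # 1. Backups must not live inside the production data tree.
    live, backup = live_root.resolve(), backup_root.resolve()
    if backup == live or live in backup.parents:
        findings.append("backup root is inside the live data tree")
    # 2. Restore each file and compare its hash with the manifest taken at backup time.
    manifest = json.loads(manifest_path.read_text())
    for rel, expected in manifest["files"].items():
        src, dst = backup_root / rel, restore_root / rel
        if not src.exists():
            findings.append(f"missing from backup: {rel}")
            continue
        dst.parent.mkdir(parents=True, exist_ok=True)
        dst.write_bytes(src.read_bytes())
        if sha256_file(dst) != expected:
            findings.append(f"hash mismatch after restore: {rel}")
    # 3. A restore test that is too old is no longer evidence.
    age = now - last_test_utc
    if age > timedelta(days=MAX_TEST_AGE_DAYS):
        findings.append(f"last restore test is {age.days} days old")
    return {"passed": not findings, "findings": findings, "tested_at": now.isoformat()}


def demo() -> dict:
    """Constructed scenario: a healthy run, then a run where the backup copy was tampered."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live, backup, restore = root / "live", root / "offsite_backup", root / "restore_test"
        for d in (live, backup, restore):
            d.mkdir()
        # Constructed sample data standing in for client files.
        (live / "clients.csv").write_text("id,name\n1,Example Client\n")
        (live / "payroll.csv").write_text("id,amount\n1,1000\n")
        manifest = {"files": {}}
        for p in live.iterdir():
            (backup / p.name).write_bytes(p.read_bytes())
            manifest["files"][p.name] = sha256_file(p)
        mpath = backup / "manifest.json"
        mpath.write_text(json.dumps(manifest))
        now = datetime(2025, 6, 1, tzinfo=timezone.utc)
        healthy = run_restore_test(live, backup, mpath, restore, now - timedelta(days=7), now)
        # Simulate a backup member overwritten by ransomware, plus a stale test record.
        (backup / "payroll.csv").write_bytes(b"ENCRYPTED-BY-ATTACKER")
        tampered = run_restore_test(live, backup, mpath, restore, now - timedelta(days=45), now)
        return {"healthy": healthy, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keeping the manifest next to the backup set means the restore test checks what was captured, not what production currently holds, which is the property a carrier is asking about. The findings list, with its timestamp, is the kind of artefact that can be attached to an application as evidence of routine testing.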
Another area insurers review is how your network handles containment. If an attacker gains access to one account, can they move freely across your systems? You will need to show that controls are in place that limit access by role, isolate traffic, and generate logs that can trace an event back to its source. Firms with strong internal segmentation and logging generally fare better during underwriting.
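Two of the controls named above, role-limited access and logs that trace an event to its source, can be demonstrated concretely. The script below is an added example and not part of the original article or Cetrom's platform. It parses a handful of constructed logon and file-access log lines, walks the logon chain backwards from a file read on a file server to the interactive session where the user first signed in, and separately flags reads of a share by accounts whose role is not permitted there. The log format, host and IP inventory, role table and function names are all assumptions made for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample log lines; the key=value format is an assumption of this example.
LOG_LINES = [
    "2025-05-01T08:00:00Z host=ws-01 event=logon user=jdoe src=10.0.1.15 type=interactive",
    "2025-05-01T08:05:00Z host=fs-01 event=logon user=jdoe src=10.0.1.20 type=network",
    "2025-05-01T08:06:00Z host=fs-01 event=logon user=pmartin src=10.0.1.21 type=network",
    "2025-05-01T08:07:00Z host=fs-01 event=file_read user=jdoe path=/shares/payroll/2024.xlsx",
    "2025-05-01T08:08:00Z host=fs-01 event=file_read user=pmartin path=/shares/payroll/2024.xlsx",
    "2025-05-01T08:10:00Z host=db-01 event=logon user=svc_backup src=10.0.1.30 type=network",
]

# Constructed inventory: which host owns which address, and who holds which role.
HOST_BY_IP = {"10.0.1.20": "ws-01", "10.0.1.21": "ws-02", "10.0.1.30": "fs-01"}
ROLE_OF = {"jdoe": "tax_prep", "pmartin": "payroll_admin"}
SHARE_ROLES = {"/shares/payroll/": {"payroll_admin"}}  # path prefix -> roles allowed to read

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str) -> dict:
    """Turn one log line into a dict with a timezone-aware timestamp."""
    m = LOG_RE.match(line.strip())
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def trace_origin(events: list, host: str, user: str, before: datetime) -> list:
    """Follow logons backwards from (host, user, time) until an interactive session or unknown source."""
    chain, cur_host, t, seen = [host], host, before, {host}
    while True:
        logons = [e for e in events if e["event"] == "logon" and e["host"] == cur_host
                  and e["user"] == user and e["ts"] <= t]
        if not logons:
            break
        last = max(logons, key=lambda e: e["ts"])  # the session that was active at time t
        src = last["src"]
        nxt = HOST_BY_IP.get(src)
        if last.get("type") == "interactive" or nxt is None or nxt in seen:
            chain.append(src)  # origin endpoint, or an address we cannot resolve further
            break
        seen.add(nxt)
        chain.append(nxt)
        cur_host, t = nxt, last["ts"]
    return chain


def unauthorized_reads(events: list) -> list:
    """Return file_read events where the account's role is not allowed on that share."""
    out = []
    for e in events:
        if e["event"] != "file_read":
            continue
        for prefix, roles in SHARE_ROLES.items():
            if e["path"].startswith(prefix) and ROLE_OF.get(e["user"]) not in roles:
                out.append(e)
    return out


def investigate() -> dict:
    """Run both checks over the constructed log and report the results."""
    events = [parse_line(l) for l in LOG_LINES]
    flagged = unauthorized_reads(events)
    chains = {f"{e['user']}@{e['host']}": trace_origin(events, e["host"], e["user"], e["ts"])
              for e in flagged}
    return {"flagged_reads": [e["path"] + " by " + e["user"] for e in flagged], "chains": chains}


if __name__ == "__main__":
    print(investigate())
```

The trace stops at the first interactive logon because that is the point where a person (or a stolen credential) entered the environment; everything after it is network hops. Without host-to-address inventory and logons recorded on every host, the chain breaks at the first hop, which is exactly the gap an underwriter is probing for when they ask whether an event can be traced to its source.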
Some firms are now learning that renewals are no longer guaranteed. If risks were flagged in a previous cycle and not addressed, coverage may be reduced or declined. Insurers expect to see progress between assessments, not just paperwork.
More accounting firms are adopting artificial intelligence to speed up tasks and improve consistency, including scanning tax forms, extracting key information, analyzing financial data, and assisting with advisory work. While these tools offer real efficiency gains, they also introduce new concerns for carriers — especially around how client data is secured, governed, and monitored.
These trends show that insurers increasingly evaluate risk based on controls, governance, and documentation, not just on the incident itself.
Carriers now expect firms to articulate how AI tools fit into their overall security posture. Specifically, they want answers to questions like:
AI, especially when it involves third-party platforms, is treated the same as any internal system. Firms that can’t clearly address these areas may be viewed as having unmanaged exposure.
Insurers are rejecting claims for reasons that directly relate to poor governance and missing controls, including:
These denial trends highlight a shift: having cyber liability insurance is no longer enough — firms must prove ongoing compliance and active risk management.
AI tools are powerful — but if they process or store client data without encryption, access controls, or audit trails, carriers may see them as weak links in your security ecosystem.
Firms that treat AI governance as part of their Information Security Plan — with clear policies, documentation, and monitoring — generally:
✔ Face fewer questions at underwriting
✔ Have stronger negotiating leverage for premiums
✔ Reduce the likelihood of claim denial
By demonstrating that AI fits into a well-managed security program, firms not only improve their risk profile but also align with what today’s insurers expect.
Most insurers now share a baseline set of requirements, even if the application forms vary. While the exact language changes, the core expectations remain consistent. Here are the key areas where carriers look for controls:
Providing clear, recent documentation for each of these areas is key. Firms that cannot do so may still be insurable, but they should expect stricter terms and higher premiums.
Many firms now rely on outside experts to help them meet insurance requirements. A managed security provider can oversee technical setup, maintain documentation, and provide reports that align with what underwriters are looking for.
These providers also support ongoing improvement. They help firms test their systems, train employees, and refine policies as insurer standards evolve. Having a partner in place not only simplifies the renewal process but also improves your resilience against real-world threats.
Cetrom delivers secure, cloud-based environments that are purpose-built for accounting firms. This includes a fully managed cybersecurity framework that meets and often exceeds what cyber insurers require.
Working with Cetrom gives firms access to:
By bringing together technical expertise and industry-specific knowledge, Cetrom enables firms to reduce risk, respond to underwriter questions, and stay ready for whatever comes next. That means fewer surprises at renewal and stronger protection every day in between.
You don’t need to prepare alone. Cetrom can help your firm understand where it stands, what insurers are asking for now, and how to build the systems and evidence needed to meet their expectations.