Cyber Insurance Requirements for Tax Firms in 2026

What underwriters actually ask for at renewal, the controls that move premiums down, and the documents to have ready before the application.

May 5, 2026

Cyber insurance for tax firms changed significantly in 2024 and 2025. Premiums climbed, applications got longer, and underwriters started denying coverage outright when basic controls were missing. By 2026, the standard application has 70 to 100 questions, and most carriers will not quote a firm that cannot answer them in writing.

This post walks through what underwriters actually ask for, the 7 controls that move premiums down, and the documents you need on file before you start the application. If you renew without these, expect either a 40 to 60 percent premium hike or a non-renewal letter.

What changed and why

The cyber insurance market hardened after a wave of ransomware claims in 2021 and 2022. Carriers paid out more than they collected for two consecutive years, then tightened underwriting. The result: tax firms are now in a similar bucket to financial advisors and small banks for risk classification.

Underwriters now require attestations and proof. An "attestation" is your signed statement that a control is in place. "Proof" is the artifact that backs it up. If you sign the attestation and the artifact is missing, the carrier denies the claim, and you have committed insurance fraud at the same time.

The 7 controls that lower premium

Every major carrier weights these the same way. Have all 7, get a competitive quote. Miss two or three, expect a higher premium or a denial.

  1. Multi-factor authentication on every email account, every system that handles client data, and every privileged account.
  2. Endpoint detection and response (EDR) on every device. Antivirus alone is no longer sufficient for any carrier.
  3. Backups that are tested, immutable, and stored offline or in a separate cloud account.
  4. Email security with phishing protection above the default Microsoft or Google filters.
  5. Documented employee security awareness training, with phishing simulation results, completed within the last 12 months.
  6. A Written Information Security Plan (WISP) and an incident response plan, both dated within the last 12 months.
  7. Vendor risk management documentation showing you have signed data processing agreements with every vendor that touches client data.

Documents to have ready before applying

The application asks for them. The renewal asks for them. Keep them in a single drive folder.

  • Current WISP, dated within the last 12 months
  • Risk assessment document
  • Incident response plan with named contacts
  • Employee training records and phishing simulation results
  • EDR vendor and configuration summary
  • Backup vendor, schedule, and most recent successful restore test date
  • Vendor list with signed data processing agreements
  • Network diagram showing where client data lives
  • A list of every system that holds customer information

Coverage levels that actually matter

A tax firm with 200 to 800 clients should carry at least $1 million in cyber liability with sublimits of at least $250,000 for forensic and notification costs. Below those numbers, a real incident bankrupts the policy in the first 48 hours.

Confirm the policy specifically covers regulatory penalties (FTC, state AG, IRS Section 7216) and not just notification costs. Some cheaper policies exclude regulatory exposure entirely. That is the exposure most likely to put you out of business.

What to do this quarter

Pull your current cyber policy. Find the renewal date. Work backwards 90 days. That is your start date for the renewal prep.

Use the 7-control checklist above. Mark each one green, yellow, or red. Yellow and red items get fixed before the application goes in. The cost of fixing them is almost always less than the premium increase from a missing attestation, and it is dramatically less than the cost of a denied claim.

If you do not currently carry cyber insurance, start with a managed security provider that delivers the 7 controls as a package, and use the renewal application as your readiness checklist.
