The Cost of a Cyberattack on Your Firm: Threats, Safeguards, and Response

65% of financial service businesses were attacked by ransomware in 2024. The cost of a cyberattack on your firm is not just financial. It impacts your credibility as a trusted professional and your reputation as a business. Not only is a cyber breach devastating to you, your business, and your clients, it is legally your responsibility as a trusted tax or accounting professional to protect sensitive data. Outlined below are some measures you can take to prevent financial devastation for your firm as well as reduce the losses if a breach does occur despite being cautious.

Why are Tax and Account Firms High-Value Targets?

The 2025 Verizon Data Breach Investigations Report found that small businesses are four times more likely than large organizations to be targeted for a cyberattack. Cybercriminals know that small businesses may have more lenient security measures in place and therefore are more attractive when it comes to planning a cyberattack.

Tax and accounting firms are prime targets for cybercriminals seeking sensitive information for their own financial gain because of the large amount of personal and transactional information that is stored in their systems. Personally Identifiable Information (PII), such as Social Security numbers, bank account information, and tax filings, can be used to open credit cards, take out loans, and submit faulty tax returns to collect refunds in another person’s name. PII is highly valuable in the digital underground economy and can be misused for a range of financial crimes, including identity theft and fraudulent loan applications.

Cybercriminals know that small businesses tend to have less robust security measures in place and therefore are more likely to target them. Attackers often employ ransomware, phishing schemes, malware, or social engineering tactics to gain unauthorized access to sensitive data.

The best way to avoid disaster is to stay informed, identify potential vulnerabilities within your systems, and invest in resources that will protect your firm.

What Could a Cyber Breach Cost You?

A cyberattack can inflict severe financial losses on your tax firm, leading to lost clients, reputational harm, or even permanent closure for your business. According to IBM’s 2024 Cost of a Data Breach report, the global average cost of a breach reached $4.88 million, with financial organizations in the United States averaging $6.08 million per incident. This figure includes the ransom, lost business, legal penalties, and post-breach response costs.

After a data breach, the upfront costs are large and expensive. The average cost per record that contains sensitive data is $181. This includes all relevant costs, such as investigation costs, legal fees, and incident response expenses. The higher the number of records a tax or accounting firm keeps, the higher the financial impact. If a ransomware attack occurs, the price of ransom can vary widely.

Your business may also face severe legal penalties and fines from governmental agencies. The Federal Trade Commission (FTC), for instance, can issue civil fines of up to $100,000 per violation for privacy breaches, and in some more severe cases, may escalate to criminal charges.

The financial consequences of a cyberattack go far beyond legal penalties and recovery expenses. The aftermath of a data breach can negatively affect a firm for several years after the attack. The financial impact of lost time and lost clients is less obvious and harder to quantify, but it will nonetheless have a major impact on your business and the revenue you may struggle to bring in following an incident.

While staying informed and aware of cyberthreats may help to identify and prevent some attacks, it is important to have response measures in place to protect your client data.

How Can You Stay Compliant?

The Financial Services Modernization Act of 1999, or the Gramm-Leach-Billey Act, requires certain financial entities, including tax professionals, to have a security plan in place to protect their client data. The Federal Trade Commission’s Safeguards Rule requires financial institutions to keep taxpayers’ data safe and secure.

You can reference these resources to help you create a security plan for your firm:

• IRS Publication 4557: Provides guidance on safeguarding taxpayer data.
• NIST’s Small Business Information Security Famework: Provides small businesses with steps to secure client data.

This is a basic first step to remain compliant with government regulations and to have a plan in place. While having this security plan is important, there are actionable steps your firm should take to stay ahead of cyberthreats.

What Steps Can You Take Now?

Beyond compliance, strong cybersecurity requires day-to-day safeguards that reduce your exposure. Some practical measures you can implement are: 

• Multi-Factor Authentication (MFA): Require multi-factor authentication for all digital platforms, email, and tax preparation software.
• Data Encryption: Encrypt client records both during transit and while kept in storage.
• Employee Training: Conduct quarterly training and simulated phishing tests to keep your staff aware of common phishing scams.
• Access Controls: Prevent internal compromise by enforcing measures to ensure that your staff only sees the data they need.
• Regular Patching and Updates: Keep operating systems, tax software, and plug-ins up-to-date to eliminate exploitable gaps.

Proactive and ongoing defenses are essential to safeguarding your firm in an ever-changing landscape of cyberthreats. While these measures do not eliminate risk entirely, they can significantly reduce the probability of a successful cyberattack and demonstrate due diligence to regulators and clients.

How Can You Protect Your Firm’s Future?

Even the most vigilant businesses can be infiltrated by cybercriminals. It is critical to have a response plan in place when a cybercriminal sneaks past defenses and initiates a cyber breach.

Protection Plus is dedicated to helping your business succeed. We offer access to comprehensive solutions designed specifically for tax and accounting professionals to help navigate the cyber landscape and mitigate damage from a cyberattack. Cyber insurance can help offset the financial impact of a cyber breach and ensures access to rapid response resources.

ERO Cyber Program – our trusted cybersecurity solution built specifically for tax professionals. ERO Cyber Security is a complete package designed to assist firms that process less than 500 returns.

Through our ERO Cyber Program, for only $395 a year, you’ll get access to:

• Cyber Liability Insurance (Coverage up to $200,000 in the aggregate)
• Written Information Security Plan (WISP) tools
• Breach response assistance
• Compliance resources to meet IRS & state requirements
• Training materials and regular security updates

Up to $1,000,000 in additional Cyber Liability coverage is available via a separate policy, subject to underwriting, and includes access to expanded services. This coverage is designed to supplement your ERO Cyber Coverage.

Coalition Cyber Insurance — an active, comprehensive cyber liability solution designed to protect businesses like yours against evolving digital threats. Coalition Cyber Insurance is a comprehensive solution designed for businesses that process 500 or more returns in a single tax season.

Coalition offers:

• Up to $1 million in cyber liability coverage
• Breach response and forensic services
• Ransomware protection and recovery
• Business interruption loss coverage
• Continuous risk monitoring and security alerts
• Access to cybersecurity experts 24/7
• Simple and convenient online quoting tool
• Easily manage and bind your policy online

In today’s world, cyber protection isn’t optional — it’s essential. These solutions are built to make it easy and affordable to stay ahead of cyber risk.

Want to speak to a Protection Plus representative about these cyber options?

Schedule a call here.

Katie Lasko

Tax Protection Plus

October 2025

References

1. Sophos News. 2024. The State of Ransomware in Financial Services 2024. https://news.sophos.com/en-us/2024/06/24/the-state-of-ransomware-in-financial-services-2024/
2. Verizon Business. 2025. 2025 Data Breach Investigations Report.  https://www.verizon.com/business/resources/reports/dbir/
3. IBM. 2024. Cost of a data breach 2024: Financial industry. https://www.ibm.com/think/insights/cost-of-a-data-breach-2024-financial-industry
4. PKWARE. 2025. The True Cost of a Data Breach in Banking and Financial Services. https://www.pkware.com/blog/the-true-cost-of-a-data-breach-in-banking-and-financial-services
5. Transcend. 2025. GLBA Compliance: Essential Steps for Financial Institutions. https://transcend.io/blog/gramm-leach-bliley-act
6. Gray, Gray, & Gray, LLP. 2024. The Hidden Costs of a Data Breach for Small- and Medium-Size Businesses. https://www.gggllp.com/the-hidden-costs-of-a-data-breach-for-small-and-medium-size-businesses/
7. BitLyft Cybersecurity. 2025. The True Cost of a Security Breach. https://www.bitlyft.com/resources/the-true-cost-of-a-security-breach
8. Federal Trade Commission. 2024. FTC Safeguards Rule: You’re your Business Needs to Know. https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know
9. Internal Revenue Service. 2024. Safeguarding Taxpayer Data. https://www.irs.gov/pub/irs-pdf/p4557.pdf
10. National Institute of Standards and Technology. 2016. Small Business Information Security: The Fundamentals. https://doi.org/10.6028/NIST.IR.7621r1