Cyber Essentials for Accountants: Protecting Client Financial Data in 2026
Accountancy practices sit on a goldmine of data that cyber criminals want. Tax returns, payroll records, bank details, company accounts, personal financial statements - the breadth of sensitive information flowing through even a small practice is significant.
The regulatory bodies have taken notice. ICAEW publishes dedicated cyber security guidance for its members. ACCA includes information security in its compliance framework. And under UK GDPR, every accountancy firm is a data controller with a legal obligation to implement appropriate technical and organisational measures to protect the personal data it processes.
Cyber Essentials certification provides a structured, verifiable way to demonstrate that those measures are in place.
The Regulatory Landscape
Accountancy firms in the UK operate under several overlapping regulatory obligations:
UK GDPR and the Data Protection Act 2018 - as data controllers, accountancy firms must implement appropriate technical and organisational measures to protect personal data. The ICO expects evidence of specific controls including encryption, access controls, multi-factor authentication, and documented breach notification procedures. A data breach involving client financial records can result in ICO enforcement action, fines, and reputational damage that is difficult to recover from.
ICAEW guidance - the Institute of Chartered Accountants in England and Wales publishes cyber security resources and actively recommends that member firms adopt recognised certification standards. While ICAEW does not currently mandate Cyber Essentials, its guidance on "appropriate systems and controls" aligns closely with the five Cyber Essentials control themes.
ACCA requirements - the Association of Chartered Certified Accountants includes information security within its compliance and governance framework. Firms seeking to demonstrate best practice are expected to hold relevant certifications.
Professional indemnity insurance - PI insurers for accountancy practices increasingly ask about cyber security controls during the renewal process. Holding Cyber Essentials provides a clear, third-party-verified answer.
Client expectations - enterprise clients and public sector organisations increasingly require their professional advisers to hold Cyber Essentials. If your practice advises government departments, NHS trusts, or large corporates, expect to be asked for your certificate.
Why Accountancy Firms Are Targeted
Accounting practices are targeted because of what they hold and how they operate:
Volume of sensitive data. A mid-sized practice might hold tax records, bank details, and payroll data for hundreds of clients. That data has direct financial value to criminals. Stolen tax records can be used to file fraudulent returns. Payroll data enables identity theft. Bank details enable direct financial fraud.
Seasonal pressure. Tax deadlines create periods of intense pressure where staff are working long hours and processing large volumes of data. These are exactly the conditions where phishing emails succeed - a well-crafted message impersonating HMRC or a client is more likely to be clicked when staff are under time pressure.
Client trust. The relationship between an accountant and their client is built on trust. Clients share their most sensitive financial information without hesitation. That trust is destroyed in the event of a breach, and for a profession built on relationships, the commercial damage extends far beyond the immediate incident.
Small firm vulnerability. Many accountancy practices are small businesses themselves, with limited IT budgets and no dedicated IT staff. The assumption that "we are too small to be targeted" is demonstrably false - NCSC data consistently shows that small businesses are targeted at a rate disproportionate to their size.
What Cyber Essentials Covers
The five controls address the most common attack vectors that accountancy firms face:
Firewalls - protecting the boundary between your practice network and the internet. For cloud-first practices, this includes the configuration of your cloud services and the host firewall settings on your staff devices.
Secure configuration - removing default passwords, disabling unnecessary services, and hardening your systems. This applies to your accounting software (Xero, Sage, QuickBooks), your document management system, and your email platform.
Access control - ensuring each staff member has their own account with appropriate access levels. Partners should not be using shared admin accounts. Trainees should not have access to the full client database. From v3.3, multi-factor authentication is mandatory for all cloud services and admin accounts.
Malware protection - anti-malware software on all devices that access client data. This includes any personal devices used for remote working.
Patch management - keeping software up to date. Critical and high-severity patches must be applied within 14 days. This includes your operating system, browsers, and accounting software.
Making Tax Digital and Cloud Accounting
The shift to Making Tax Digital and cloud-based accounting platforms (Xero, QuickBooks Online, FreeAgent) has changed the security landscape for practices. Data that was once stored on local servers is now in the cloud, accessible from anywhere.
This makes access control and MFA more important than ever. If your team can access client records from any device with an internet connection, the security of those access credentials is the primary barrier between a threat actor and your client data.
Cyber Essentials v3.3 addresses this directly by mandating MFA for all cloud services. If your practice uses cloud accounting software, cloud document storage, or cloud email, MFA must be enforced on every one of those services.
The Certification Process
For accountancy practices, getting certified is straightforward:
1. Check your readiness - Use Fig's free readiness tool to assess your current position
2. Address common gaps - For accountancy firms, the most frequent issues are: MFA not enforced on cloud accounting platforms, shared user accounts between staff, and overdue Windows or macOS updates
3. Complete the assessment - The self-assessment questionnaire covers your actual technical configuration across the five control themes
4. Certify same-day - Purchase through Fig before 12:00 midday and receive your Cyber Essentials certificate the same working day
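The three gaps listed in step 2 (MFA not enforced on cloud platforms, shared user accounts, and updates older than the 14-day patch window from the patch management control) can all be checked from an inventory before the questionnaire is started. The script below is an added example written for this page, not Fig's readiness tool or any Cyber Essentials assessment tooling; it runs over constructed inventory records whose field names (service, username, mfa_enforced, shared, pending_patches) are hypothetical, and reports each failing item so the practice knows what to fix before certifying.

```python
"""Pre-assessment readiness check for the common Cyber Essentials gaps.

Added example (not Fig's tool). Runs over constructed, hypothetical
inventory records and flags three kinds of finding:
  1. a cloud service account without MFA enforced
  2. a login shared between staff
  3. a pending critical/high patch older than the 14-day window
"""
from dataclasses import dataclass
from datetime import date, timedelta

PATCH_WINDOW_DAYS = 14              # Cyber Essentials patching deadline
TODAY = date(2026, 3, 1)            # fixed "today" so the sample is repeatable


@dataclass
class CloudAccount:
    service: str        # hypothetical label for a cloud platform
    username: str
    mfa_enforced: bool  # MFA required at sign-in, not just available
    shared: bool        # more than one person knows this login


@dataclass
class Device:
    hostname: str
    os_name: str
    pending_patches: list  # (severity, release_date) tuples not yet installed


def overdue_patches(device, today):
    """Return pending critical/high patches released more than 14 days ago."""
    cutoff = today - timedelta(days=PATCH_WINDOW_DAYS)
    return [(sev, released) for sev, released in device.pending_patches
            if sev in ("critical", "high") and released < cutoff]


def assess(accounts, devices, today):
    """Collect (finding_type, detail) pairs; an empty list means no gaps found."""
    findings = []
    for acct in accounts:
        ident = f"{acct.service}:{acct.username}"
        if acct.shared:
            findings.append(("shared_account", ident))
        if not acct.mfa_enforced:
            findings.append(("mfa_not_enforced", ident))
    for dev in devices:
        for sev, released in overdue_patches(dev, today):
            findings.append(("overdue_patch",
                             f"{dev.hostname} {sev} released {released.isoformat()}"))
    return findings


# Constructed sample inventory: a small practice with one shared payroll
# login, one trainee mailbox without MFA, and one PC with a stale patch.
SAMPLE_ACCOUNTS = [
    CloudAccount("cloud-accounting", "partner@example-practice.test", True, False),
    CloudAccount("cloud-accounting", "payroll-team", True, True),
    CloudAccount("cloud-email", "trainee@example-practice.test", False, False),
]
SAMPLE_DEVICES = [
    Device("PRACTICE-PC01", "Windows 11",
           [("critical", date(2026, 2, 1)), ("low", date(2026, 1, 10))]),
    Device("PRACTICE-MAC02", "macOS",
           [("high", date(2026, 2, 25))]),   # inside the 14-day window
]


def sample_findings():
    """Run the check over the constructed sample as of TODAY."""
    return assess(SAMPLE_ACCOUNTS, SAMPLE_DEVICES, TODAY)


if __name__ == "__main__":
    for kind, detail in sample_findings():
        print(f"{kind:18} {detail}")
```

On the sample data the script reports the shared payroll login, the trainee mailbox without MFA, and the critical patch on PRACTICE-PC01 that was released 28 days before the check; the macOS high-severity patch is still inside its 14-day window and is not flagged. Low-severity patches are ignored because the control only sets a deadline for critical and high-severity updates.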
For practices that want external verification (particularly useful when demonstrating compliance to enterprise clients), Cyber Essentials Plus adds an independent technical audit. Allow 1-3 working days for this.
Timing It Right
If your practice handles government contracts, public sector advisory work, or enterprise clients, you may already need Cyber Essentials. Check your existing contracts and terms of engagement for cyber security requirements.
For all other practices, the direction of travel is clear. Certification is moving from "nice to have" to "expected standard." Getting certified now - before it becomes a contractual requirement from a key client - puts you in a stronger position than scrambling to comply under deadline pressure.
Certificates are valid for 12 months. Many practices align their renewal with their professional indemnity insurance renewal or their annual compliance review, keeping all their governance documentation on the same cycle.