
Cyber Insurance and Cyber Risk for Accountants Using MTD Systems

This guide explains cyber insurance and practical risk management for accountants and MTD users ahead of the 2026–28 MTD ITSA rollout. Learn what to secure, what insurance covers, and a clear checklist to prepare your practice and clients.

April 2, 2026 admin

Why cyber risk matters now for MTD ITSA

The 2026 rollout of Making Tax Digital for Income Tax (MTD ITSA) changes how accountants and their clients exchange tax information. From April 2026 onwards businesses and individuals above specified income thresholds must keep digital records and submit quarterly updates using compatible software. That digital link creates new convenience but also new exposures. Cyber risk management and appropriate cyber insurance are therefore essential parts of a modern accountant’s toolkit.

MTD ITSA rollout and who is affected

The staged timetable for MTD ITSA is:

  • April 2026: taxpayers with income above £50,000
  • April 2027: taxpayers with income above £30,000
  • April 2028: taxpayers with income above £20,000

As an accountant, self-employed person or landlord preparing for MTD, you will be handling more live financial data, maintaining digital records, and connecting to HMRC and third-party accounting software via APIs. That elevates the importance of preventing, detecting and responding to cyber incidents.


How MTD changes the cyber risk picture

  • More data in motion — routine bank feeds, automated VAT and income declarations, and quarterly updates increase the volume of sensitive information being transmitted.
  • More third parties — cloud accounting platforms, payroll services and outsourced IT support create supply chain risk.
  • API connections — persistent connectors to HMRC and banks mean stolen credentials can give attackers live access.
  • Higher trust value — client financial records are attractive to fraudsters and extortionists.

Common threats that target accountants and MTD systems

Understanding likely threats helps you prioritise defences. The most common include:

  • Phishing and credential theft — attackers trick staff or clients into revealing login details for accounting portals.
  • Ransomware — malware that encrypts or blocks access to records, often followed by data theft and extortion.
  • Business email compromise and social engineering — attempts to redirect payments or to authorise fraudulent filings.
  • Supply chain compromise — breaches at software providers or hosting partners that expose client data.
  • Insider risk — accidental or malicious actions by staff or contractors.

Practical cyber risk controls for accountants

You do not need to be a security expert to put good controls in place. Start with the fundamental measures below and build from there.

  • Access control and multi-factor authentication (MFA) — enforce MFA for all accounts that access accounting software, HMRC services and email. Use role-based access so staff only see what they need.
  • Strong password management — use a central, business-grade password manager and enforce unique passwords for each service.
  • Secure endpoints — keep operating systems and software patched, use reputable antivirus/EDR, and secure laptops and mobile devices with full-disk encryption.
  • Network security — use a business-grade firewall, segment networks where possible, and separate guest WiFi from internal systems.
  • Backups and disaster recovery — maintain regular, immutable backups stored off-site or in a separate cloud tenancy. Test restores periodically.
  • Logging and monitoring — enable audit logs in accounting software and review for unusual access or bulk data exports.
  • Staff training — run targeted security awareness training on phishing, social engineering, and safe handling of client data.
  • Supplier due diligence — review security practices of your cloud accounting vendor, payroll provider and IT support partner; ensure they use encryption and have incident response plans.
  • Least privilege and secure development — for practices offering software development or custom integrations, ensure code is reviewed and tested.

What cyber insurance covers — and what it usually does not

Cyber insurance can be a valuable backstop, but policies vary. Typical cover areas are:

  • Incident response and forensic costs — paying for specialists to investigate and contain a breach.
  • Notification and credit monitoring — costs of informing affected individuals and offering identity protection services.
  • Business interruption — loss of revenue due to systems being unavailable, often linked to the time taken to restore services.
  • Cyber extortion/ransom — handling of ransom demands and related negotiation costs (policies differ on whether ransom payments are covered).
  • Liability to third parties — costs and damages if a client suffers loss due to your breach, including legal defence costs.
  • Social engineering and funds transfer fraud — optional extensions that cover lost funds when fraudsters trick staff into redirecting payments.

Common exclusions or limitations include deliberate criminal acts by the insured, unpatched known vulnerabilities, losses from prior incidents not disclosed at policy inception, and certain regulatory fines or penalties depending on local law and the insurer’s position. Some policies also limit cover for failure to keep up with agreed security controls, so read the conditions carefully.

Key policy features to check when buying cyber insurance

  • Clear wording on social engineering and fraud — many losses in accountancy come from manipulated payment instructions.
  • Retroactive date and prior acts — ensure the policy covers incidents that began before cover started, if relevant.
  • Limits and sub-limits — check the overall limit and sub-limits for forensics, notification and extortion, which can restrict available funds.
  • Excess and indemnity period — understand how much you must pay before cover and how long business interruption cover runs.
  • Breach response services — look for policies that supply dedicated breach coaches, PR and forensics teams who understand professional services firms.
  • Regulatory defence and fines — some policies cover defence costs for regulatory action and certain fines where permitted by law; confirm the status for ICO investigations.
  • Third party provider failure — cover that responds when a cloud supplier is breached can be crucial for MTD-connected practices.

How insurance and controls work together

Insurers increasingly expect firms to maintain basic cyber controls. Good security can reduce premiums and speed claims. Typical underwriting questions include whether you use MFA, managed backups, patch management and staff training. Insurance is not a substitute for controls; it is part of a resilience strategy together with prevention, detection and response.

Practical checklist for accountants and MTD users

Below is a concise action list to help you prepare practically for MTD while managing cyber risk.

  • Confirm which clients fall into the MTD thresholds for 2026–28 and discuss digital record-keeping responsibilities.
  • Ensure all staff and clients use MFA on HMRC accounts, accounting software and email accounts associated with financial workflows.
  • Adopt a reputable cloud accounting platform that is MTD-compatible and can provide encryption, audit logs and secure APIs.
  • Implement and test backups that are isolated from live systems and immutable where possible.
  • Obtain cyber insurance with cover for incident response, business interruption and social engineering relevant to accounting practices.
  • Keep an up-to-date incident response plan that includes insurer contact details and a communications template for clients and the ICO.
  • Periodically test staff awareness with phishing simulations and tabletop incident response exercises.

Costs and premiums — what drives price for small firms and self-employed people

Premiums depend on a number of factors:

  • Revenue and payroll — larger revenues and more staff generally increase premiums.
  • Data held — the volume and sensitivity of client financial records and bank details affect risk.
  • Controls in place — MFA, backups and patching reduce perceived risk and can lower premiums.
  • Claims history — prior incidents or past claims raise premiums or attract exclusions.
  • Industry and client base — firms handling high-value transactions or working with landlords who handle tenant payments may face higher risk profiles.

For self-employed accountants and landlords, premiums can be affordable when sensible controls are in place. Insurance underwriters often offer tailored products for smaller practices and owner-operators that balance cost and cover.

How cyber insurance affects client relationships under MTD

Having cyber insurance and documented controls reassures clients. It demonstrates you take their data protection seriously and are prepared to respond if something goes wrong. Use your engagement letter to set out the steps you take to protect data and the mutual responsibilities of client and firm, for example keeping client portals secure and promptly reporting suspicious activity.

After a breach — a short step-by-step guide

  • Isolate — disconnect affected systems to limit spread where possible without destroying evidence.
  • Notify — call your insurer or broker immediately; most policies require prompt notice.
  • Preserve evidence — avoid altering logs or deleting files until forensic specialists assess them.
  • Inform stakeholders — prepare client notifications and, if personal data is at risk, contact the ICO within 72 hours where required.
  • Restore — work with your IT provider and insurer-appointed forensics to restore services from clean backups.
  • Review — after containment, carry out a post-incident review and update controls and policies to prevent recurrence.

Accounting software and supplier questions to ask

When selecting MTD-compatible accounting software, ask suppliers for:

  • Security certifications and evidence of encryption in transit and at rest.
  • Details of data residency and backups.
  • Audit log and user management facilities.
  • API security and rate limits, and how they detect abnormal API activity.
  • Their incident response plan, notification times for customers, and insurance they hold for service failure.
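The "logging and monitoring" control above and the supplier question about detecting abnormal API activity both come down to the same routine: read the audit log your accounting platform produces and flag logins or exports that do not fit normal practice activity. The script below is an added illustration, not code from Tax Digital or from any accounting product. The log line format, the user names, the thresholds (500 records per export, three exports within ten minutes, 07:00 to 20:00 business hours, GB as the expected country) and the sample lines are all constructed for the example; a real review would read the vendor's own export format and use thresholds agreed with the practice.

```python
"""Flag unusual access and bulk exports in a constructed accounting audit log."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample audit log (not from any real product). Each line is:
# <UTC timestamp> <user> <event> key=value ...
SAMPLE_LOG = """\
2026-04-07T08:55:12Z alice login ip=203.0.113.10 country=GB
2026-04-07T09:02:44Z alice view_client client_id=1001
2026-04-07T09:05:01Z alice export_records count=25 client_id=1001
2026-04-07T12:30:19Z bob login ip=203.0.113.22 country=GB
2026-04-07T12:31:05Z bob export_records count=40 client_id=1007
2026-04-07T23:14:09Z bob login ip=198.51.100.77 country=US
2026-04-07T23:15:30Z bob export_records count=900 client_id=1007
2026-04-07T23:16:02Z bob export_records count=850 client_id=1008
2026-04-07T23:17:45Z bob export_records count=700 client_id=1009
"""

# Assumed review thresholds; tune these to the practice's normal working pattern.
BULK_EXPORT_RECORDS = 500                 # one export this large is worth a look
EXPORT_BURST_COUNT = 3                    # this many exports ...
EXPORT_BURST_WINDOW = timedelta(minutes=10)  # ... inside this window
BUSINESS_HOURS = (7, 20)                  # logins outside 07:00-20:00 UTC are flagged
HOME_COUNTRY = "GB"                       # logins from elsewhere are flagged


def parse_line(line: str) -> dict:
    """Parse one audit line into a dict with ts, user, event and any key=value fields."""
    ts, user, event, *fields = line.split()
    record = {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "user": user,
        "event": event,
    }
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def review(log_text: str) -> list:
    """Return a list of findings, each a dict with user, ts, rule and detail."""
    findings = []
    recent_exports = defaultdict(deque)  # user -> timestamps of exports in the window

    def flag(rec, rule, detail):
        findings.append({"user": rec["user"], "ts": rec["ts"], "rule": rule, "detail": detail})

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        ts, event = rec["ts"], rec["event"]

        if event == "login":
            if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
                flag(rec, "off_hours_login", ts.strftime("%H:%M UTC"))
            if rec.get("country") != HOME_COUNTRY:
                flag(rec, "unexpected_country_login", rec.get("country", "unknown"))

        elif event == "export_records":
            count = int(rec.get("count", "0"))
            if count >= BULK_EXPORT_RECORDS:
                flag(rec, "bulk_export", f"{count} records")
            # Sliding window: drop exports older than the burst window, then test the size.
            window = recent_exports[rec["user"]]
            window.append(ts)
            while window and ts - window[0] > EXPORT_BURST_WINDOW:
                window.popleft()
            if len(window) == EXPORT_BURST_COUNT:
                flag(rec, "export_burst",
                     f"{EXPORT_BURST_COUNT} exports within {EXPORT_BURST_WINDOW}")

    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f['ts'].isoformat()} {f['user']:<6} {f['rule']:<25} {f['detail']}")
```

Run against the constructed log, alice's daytime work produces nothing, while bob's late-night login from an unexpected country followed by three large exports in a few minutes produces six findings: one each for the off-hours and unexpected-country login, one per bulk export, and one for the burst. That pattern (new location, then rapid bulk export) is exactly what the "stolen credentials give live access" point earlier in the page describes, and it is the kind of signal to ask a software supplier whether their own monitoring would raise.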

Final thoughts and next steps

MTD ITSA will make accounting workflows more digital and interconnected. That is beneficial for efficiency, but it increases cyber exposure. A practical mix of good security controls, staff awareness, reliable backups and appropriate cyber insurance will put you in a strong position to protect clients and your practice.

Start with a simple plan: confirm your MTD obligations under the April 2026–28 timeline, implement MFA and secure backups, review supplier security, and obtain cyber insurance with suitable incident response cover. If you would like help assessing your current controls or selecting a tailored policy, Tax Digital can guide you through a pragmatic, compliant and affordable approach that keeps your practice and clients secure.

About admin

Senior Tax Consultant at TaxDigital. Specializing in VAT compliance and digital transformation for small businesses.
