Industry Insight
Invoice fraud via email compromise costs NZ financial firms millions annually.
Why Accounting Businesses Need Cyber Insurance
Financial data is among the most valuable information for cybercriminals. Accounting firms face unique exposure from tax portal access, client banking details and investment records. A breach can trigger Privacy Act obligations, FMCA regulatory consequences, and significant client liability.
Top Cyber Risks for Accounting Businesses
- !Client financial data theft
- !Tax portal credential compromise
- !Invoice fraud and BEC
- !Regulatory breaches (FMA/FMCA)
- !Ransomware on practice management systems
Recommended Coverage for Accounting Businesses
Typical Premium Range
Premiums vary based on revenue, data held, security controls in place, and coverage limits selected. Our brokers will find the best rate for your specific profile from multiple insurers.
Cyber Risk in the Accounting and Finance Sector
Accounting firms and financial advisors sit at the intersection of two highly attractive targets for cybercriminals: valuable financial data and access to client banking systems. The combination of client tax returns, investment portfolios, banking credentials and sensitive business financial information makes accounting practices particularly valuable targets โ both for data theft and for payment diversion fraud.
In 2025, IRD reported a significant increase in tax portal credential theft attacks targeting both accountants and their clients. Compromised accounting firm credentials can be used to access client myIR accounts, redirect tax refunds, and obtain detailed financial information that enables further fraud.
Tax Portal and Practice Management System Risks
Accounting practice management systems โ including MYOB, Xero Practice Manager, CCH and similar platforms โ contain years of client financial records, tax returns, workpapers and correspondence. These systems are accessible remotely, making them particularly vulnerable to credential theft attacks. Criminals who gain access to practice management systems can steal client data, manipulate records, and intercept banking information.
IRD's tax portal is a specific attack vector: phishing emails impersonating IRD are among the most common cyberattack types reported to CERT NZ, and compromised accountant credentials give attackers access to all clients linked to that practice.
Invoice Fraud and BEC in Financial Services
Accounting firms regularly handle large client payments โ tax obligations, investment contributions, loan settlements and advisory fees. Business email compromise attacks targeting these payment flows are increasingly sophisticated. Criminals monitor email correspondence over extended periods, learning payment patterns and counterparty relationships before striking at a moment when a large, time-sensitive payment is due.
FMCA and FMA Regulatory Exposure
Financial advisors operating under the Financial Markets Conduct Act face specific regulatory obligations around client data protection. A cyber breach that exposes client investment records could trigger FMA scrutiny, licence conditions reviews, and potentially enforcement action. Cyber insurance that includes regulatory investigation defence is essential for all FMCA-licensed entities.
What Accounting Firm Cyber Cover Includes
A comprehensive policy for NZ accounting and financial advisory firms includes: client data breach response, Privacy Act notification costs, social engineering fraud cover (BEC and invoice fraud), practice management system ransomware response, FMA/FMCA regulatory investigation defence, business interruption during system outages, and third-party liability for client claims arising from a breach.
Written by the CyberCover Advisory Team
Licensed NZ insurance advisors specialising in cyber risk for New Zealand businesses. All content reviewed for accuracy and NZ regulatory compliance.
Last updated: May 2026 ยท Get personalised advice โ
Frequently Asked Questions
Does cyber insurance cover tax portal credential theft?
Yes. If a criminal uses stolen credentials to access your practice management system or IRD portal and causes financial loss to you or your clients, cyber insurance responds โ covering investigation costs, client notification, and in some cases the financial losses directly through cyber crime cover.
Are financial advisors required to hold cyber insurance under FMCA?
Cyber insurance is not currently mandated under FMCA, but the FMA expects all licensed entities to have appropriate risk management frameworks in place. Cyber insurance is widely regarded as an essential component of those frameworks.
What cyber risks are specific to Xero and MYOB users?
Cloud accounting platforms are frequently targeted via credential phishing. Attackers impersonate the platform provider to steal login details, then access client financial data, manipulate payment details and extract banking credentials. Multi-factor authentication is the single most effective prevention measure.
How does a breach affect my accounting practice licence?
A significant breach affecting client data could attract scrutiny from professional bodies including Chartered Accountants Australia and New Zealand (CA ANZ) and the FMA. Cyber insurance covers the cost of regulatory investigation defence, helping you respond professionally and promptly.