Accounting and bookkeeping businesses face two dominant exposures: professional liability claims arising from errors in tax filings or financial statements, and cyber liability claims from data breaches involving client financial information. The first error can generate a claim that runs into the tens or hundreds of thousands of dollars. The second can expose sensitive financial data for hundreds or thousands of clients, triggering notification obligations, regulatory fines, and litigation.
Both exposures are insurable, but standard business insurance doesn't cover them. General liability policies exclude professional services claims. Property insurance doesn't cover data breach costs. You need errors and omissions insurance for the professional liability exposure and cyber insurance for the data breach exposure. If you operate without both, you're carrying uninsured risk that can end your business.
This guide covers the insurance stack accounting and bookkeeping firms need: what professional liability actually covers, why the claims-made structure matters, what cyber insurance does when client data is compromised, and how to manage risk through engagement letters and service agreements.
Errors and Omissions / Professional Liability
Errors and omissions insurance covers claims alleging that your professional services caused financial harm to a client. For accountants and bookkeepers, these claims typically arise from tax preparation errors, misstatements in financial reports, missed filing deadlines, or incorrect payroll calculations.
The tax error claim
The most common E&O claim accounting firms face is the tax error: you prepare a client's tax return, make an error that results in underpayment of tax, and the IRS or state tax authority assesses penalties, interest, and back taxes. The client demands you reimburse them for the amount they now owe. This is a professional liability claim, and it's covered under E&O.
Tax error claims can be large. A missed deduction or incorrect classification on a business tax return can generate tens of thousands of dollars in additional tax liability plus penalties and interest. If you prepare returns for high-net-worth individuals or businesses with complex structures, the exposure is higher. E&O covers your legal defense costs and any settlement or judgment, up to your policy limits.
What E&O covers for accountants and bookkeepers
- Tax preparation errors: Mathematical errors, missed deductions, incorrect filing status, or misclassification of income that results in underpayment of tax. The client is assessed penalties and interest by the IRS or state, and they file a claim against you for reimbursement.
- Missed filing deadlines: You fail to file a client's tax return by the statutory deadline, resulting in late-filing penalties and interest. The client sues for the amount of the penalties.
- Errors in financial statements: You prepare financial statements for a client that contain material errors. The client relies on those statements to secure financing, and the lender later discovers the errors and denies the loan. The client sues you for lost business opportunity.
- Payroll calculation errors: You manage payroll for a client and miscalculate withholding, overtime, or benefits, resulting in penalties from the Department of Labor or IRS. The client demands reimbursement.
- Failure to advise on tax planning opportunities: A client claims you failed to advise them of a tax-saving strategy they were eligible for, and they paid more tax than necessary. They sue for the difference.
- Breach of contract claims tied to professional negligence: A client alleges you failed to deliver the services specified in your engagement letter, and the failure constitutes professional negligence. E&O covers the defense and damages.
Claims-made structure and retroactive dates
E&O policies are written on a claims-made basis, meaning the policy only covers claims that are made — meaning filed or first reported to you — during the policy period. This creates a timing problem: if you prepared a tax return in 2023 while you had E&O coverage, but the client doesn't discover the error and file a claim until 2026 when you no longer have coverage, there's no coverage.
The retroactive date controls how far back in time your coverage extends. If your retroactive date is January 1, 2020, any claim arising from work performed before that date is not covered, even if the claim is filed during the current policy period. When you buy E&O for the first time, carriers may set the retroactive date equal to the policy inception date, meaning prior work is excluded. You can negotiate an earlier retroactive date to cover prior work, but it increases the premium.
Tail coverage when you cancel or retire
If you cancel your E&O policy — because you're retiring, closing your business, or switching carriers — claims filed after the cancellation date are not covered, even if they arise from work performed while the policy was active. To protect against this gap, you need tail coverage, also called an extended reporting period endorsement. Tail coverage is expensive: typically 150% to 300% of your final annual premium, paid as a one-time lump sum. Some carriers offer "free tail" endorsements if you retire or die; verify whether your policy includes this before binding.
Cyber Insurance for Client Financial Data
Accountants and bookkeepers handle some of the most sensitive data clients possess: Social Security numbers, tax identification numbers, bank account information, financial statements, payroll records, and credit card data. If that data is lost, stolen, or exposed in a breach, you face notification obligations under state breach notification laws, regulatory investigations, client lawsuits, and reputational damage. Cyber insurance covers these costs.
The real exposure: client financial data
The dominant cyber risk accounting firms face is unauthorized access to client financial data. This can happen through a ransomware attack that locks your systems and exfiltrates client data, an employee clicking a phishing email that compromises your network, a lost or stolen laptop with unencrypted client files, or a third-party vendor breach that exposes data you shared with them.
When client data is compromised, state breach notification laws require you to notify affected individuals, often within 30 to 60 days of discovering the breach. Notification costs include forensic investigation to determine what data was accessed, legal counsel to assess notification obligations, mailing notifications to affected individuals, setting up a call center to respond to inquiries, and providing credit monitoring services. For a breach affecting 500 clients, notification costs alone can run $50,000 to $150,000. Cyber insurance covers these costs.
What cyber insurance covers for accountants and bookkeepers
- Data breach response costs: Forensic investigation, legal counsel, notification expenses, call center services, and credit monitoring for affected individuals.
- Regulatory fines and penalties: If a state attorney general or regulatory agency investigates the breach and imposes fines for inadequate data security, cyber insurance covers the fines (where insurable by law).
- Cyber extortion and ransomware: Your systems are infected with ransomware and the attacker demands payment to restore access. Cyber insurance covers the ransom payment (if you choose to pay) and the cost of forensic investigation and system restoration.
- Business interruption: A cyberattack takes your systems offline and you lose revenue because you can't deliver services to clients. Cyber insurance covers lost income during the interruption period.
- Third-party liability: A client sues you because a breach of your systems exposed their data. Cyber insurance covers legal defense and damages.
- Funds transfer fraud: An attacker impersonates a client or vendor via email and tricks you into wiring funds to a fraudulent account. Some cyber policies include social engineering fraud coverage for this exposure. Verify whether your policy includes it.
Security controls carriers require
Cyber carriers assess your cybersecurity posture during underwriting and may decline coverage or impose warranties if your security controls are inadequate. Common requirements include multi-factor authentication for all user accounts, encryption for data at rest and in transit, regular software patching, endpoint detection and response software, and documented incident response plans. Before binding a cyber policy, confirm what security controls the carrier requires and implement them. If you suffer a breach and the carrier discovers you didn't maintain required controls, they can deny the claim.
General Liability
General liability covers third-party bodily injury and property damage claims that occur during the course of your business operations. For accounting firms, GL exposure is low — you're not operating heavy equipment or manufacturing products — but it's not zero, and many client contracts require it.
GL claim scenarios for accounting firms
- Client injured at your office: A client visits your office for a tax consultation, slips on a wet floor, and breaks their wrist. GL covers their medical costs and any resulting lawsuit.
- Property damage during client visit: You're meeting with a client at their business, spill coffee on their computer, and damage it. GL covers the property damage claim.
- Damage during off-site work: You're conducting an audit at a client's warehouse, trip over your laptop bag, and knock over a stack of inventory. GL covers the client's property damage claim.
Standard GL limits are $1 million per occurrence and $2 million general aggregate. For most accounting firms, these limits are adequate. Some enterprise clients or government contracts may require $2 million per occurrence, which means you'll need higher underlying limits or an umbrella policy.
Workers' Compensation
If you have employees, you need workers' compensation insurance. Accounting firms are low-hazard businesses — employees work at desks, not on construction sites — but workers' comp claims still occur: repetitive stress injuries from extended computer use, slip and fall incidents in the office, and vehicle accidents if employees drive to client sites.
Texas workers' comp: optional but contracts require it
Texas is the only state where workers' compensation is optional for most private employers. You can operate as a non-subscriber, meaning you don't carry workers' comp and injured employees sue you directly. For accounting firms, this is not realistic if you work with large clients or government agencies. Service contracts require workers' comp as a condition of the agreement. Without it, you're limited to solo practice.
Who Asks for Your Certificate of Insurance
Enterprise clients, government agencies, and prime contractors all require proof of insurance before they'll engage your services. The certificate of insurance is the document that proves you carry the required coverage types and limits.
Enterprise client COI requirements
When you contract with a large corporation or enterprise client, their procurement team will send you an insurance requirements schedule. It typically requires:
- Professional liability / E&O: $1M to $2M per claim
- Cyber liability: $1M to $5M per claim
- General liability: $1M per occurrence
- Workers' compensation: statutory limits (if you have employees)
- Additional insured status on GL
- Waiver of subrogation on all policies
- 30 days advance notice of cancellation
The contract often specifies that you must provide the certificate before work begins, and failure to maintain the required coverage is grounds for termination. We issue certificates of insurance on a published 15-minute SLA, around the clock. When a delayed certificate costs you the contract, speed matters.
Government contract COI requirements
If you provide accounting or bookkeeping services to government agencies — federal, state, or local — the contract will impose insurance requirements. These often include professional liability, cyber liability (especially if you handle taxpayer data), and workers' comp. Government contracts are explicit and non-negotiable: if you don't meet the insurance requirements, you cannot bid.
What Accountant and Bookkeeper Insurance Costs
Premiums depend on your annual revenue, the type of services you provide, number of employees, claims history, and whether you carry prior E&O coverage. Here are realistic ranges for an accounting or bookkeeping business with $250,000 to $2 million in annual revenue.
- Errors and Omissions ($1M limit): $1,500 - $6,000/year
- Errors and Omissions ($2M limit): $2,500 - $10,000/year
- Cyber Liability ($1M limit): $1,200 - $4,000/year
- General Liability ($1M/$2M): $600 - $1,800/year
- Workers' Compensation (if applicable): $1,000 - $3,000/year per employee
- Business Owner's Policy (combines GL + property): $1,000 - $2,500/year
Total annual cost for a small accounting or bookkeeping business: $4,000 - $15,000. Solo practitioners will be at the low end. Multi-employee firms with significant tax preparation revenue and audit services will be at the higher end. CPAs conducting audits and attestation services will pay more than bookkeepers providing payroll and basic accounting services.
What drives the cost
- Services provided: Tax preparation and audit services carry higher E&O risk than bookkeeping and payroll services. Carriers price based on the severity and frequency of claims in your service mix.
- Revenue and client size: Higher revenue and larger clients increase your E&O exposure and premium. A firm preparing tax returns for high-net-worth individuals or auditing publicly traded companies pays more than a firm serving small businesses.
- Prior E&O coverage and claims history: If you've had continuous E&O coverage with no claims, you'll pay less than someone buying E&O for the first time or someone with a claims history. Carriers reward continuity and clean loss records.
- Limits and deductibles: Higher limits cost more. Lower deductibles cost more. A $1M E&O policy with a $5,000 deductible costs less than a $2M policy with a $2,500 deductible.
- Security controls for cyber: Carriers assess your cybersecurity posture. If you have MFA, encryption, endpoint detection and response, and documented security policies, you'll pay less than a firm with weak security controls.
Engagement Letter Risk Management
The engagement letter is your primary risk management tool. It defines the scope of services, identifies what you will not do, sets deadlines and client responsibilities, and limits your liability. A well-drafted engagement letter can prevent claims from arising and can limit damages if a claim does occur.
What every engagement letter should include
- Scope of services: Define specifically what services you will provide and what you will not provide. If you're preparing tax returns but not providing tax planning advice, state that explicitly. Ambiguity creates claims.
- Client responsibilities: Specify what information and documentation the client must provide, and by what deadline. If the client fails to provide necessary information and you cannot complete the work on time, the engagement letter documents that the delay was the client's responsibility, not yours.
- Limitation of liability: Include a clause limiting your liability to a multiple of your fee (e.g., "Our liability is limited to three times the amount of fees paid for the engagement"). This won't eliminate claims, but it can reduce damages. Some states limit the enforceability of these clauses; verify what your state allows.
- Dispute resolution: Include a mandatory arbitration or mediation clause. This keeps disputes out of court, reduces legal costs, and speeds resolution.
- No third-party reliance: Include a clause stating that third parties may not rely on your work without your written consent. This limits third-party claims from investors, lenders, or buyers who see your work but are not your clients.
Have clients sign engagement letters before starting work
Do not begin work without a signed engagement letter. When a dispute arises and you don't have a signed engagement letter, you're defending a claim based on verbal agreements and email exchanges. The engagement letter is your evidence of what was agreed to. Without it, you're in a he-said-she-said dispute that's harder to defend and more expensive to resolve.
Common Mistakes
Operating without E&O because "I'm careful"
The most common and most expensive mistake accounting and bookkeeping businesses make is operating without E&O insurance. No matter how experienced you are, errors occur. Tax codes change, clients provide incomplete information, software glitches produce incorrect calculations, and deadlines are missed. When an error generates a claim, you need E&O to cover your legal defense. Without it, you're paying out of pocket, and legal defense costs alone can exceed $50,000.
Storing client data without encryption
If you store client financial data — tax returns, financial statements, bank account information — on unencrypted devices or cloud storage, and that data is lost or stolen, you face notification obligations and potential regulatory fines. Encrypt data at rest and in transit. Use encrypted cloud storage providers. Require employees to use full-disk encryption on laptops. Cyber carriers will ask during underwriting whether you encrypt client data. If you don't, they may decline coverage or charge higher premiums.
Not verifying what your E&O policy excludes
Some E&O policies exclude specific services: audit and attestation services, investment advisory services, or business valuation services. If you provide these services and your policy excludes them, you have no coverage when a claim arises. Before binding an E&O policy, verify that all the services you provide are covered. If a service is excluded, either buy a separate policy for that service or stop providing it.
Assuming your business owner's policy covers cyber claims
BOPs combine general liability and property insurance, but they do not include cyber coverage. If you suffer a data breach and you don't have a standalone cyber policy, you're paying for notification, forensic investigation, legal counsel, and credit monitoring out of pocket. Cyber coverage is a separate policy. Do not assume your BOP includes it.
Starting work without a signed engagement letter
Verbal agreements and email exchanges are not engagement letters. If a dispute arises and you don't have a signed engagement letter defining the scope of services, client responsibilities, and liability limitations, you're defending a claim based on ambiguous evidence. Always get a signed engagement letter before starting work. No exceptions.