Accounting Firm Cybersecurity Statistics (2026)
The numbers behind why CPA, tax, and accounting firms are among the most-targeted businesses online — and what a breach really costs. Every figure is cited to its primary source and refreshed monthly.
Updated June 2026 · every figure linked to its primary source
client records exposed by tax-pro data breaches in the first half of 2025 alone
Source: IRS Security Summit, 2025
average cost of a data breach in financial services — the 2nd-highest of any industry
Source: IBM Cost of a Data Breach 2025
of breaches involve a human element — phishing, stolen credentials, or error
Source: Verizon 2025 Data Breach Investigations Report
01 / 05
Why accounting & tax firms are prime targets
Accounting firms aggregate Social Security numbers, bank details, and tax records for hundreds of clients — and they run on tight, cash-rich deadlines. That makes them a high-value, high-pressure target.
tax-professional data breaches reported in the first half of 2025
Reported through the IRS Security Summit — a public-private partnership protecting the tax system since 2015.
in business email compromise losses reported over 2022–2024
BEC — fraudulent wire-transfer and invoice requests — hits finance and accounting workflows hardest.
in total reported cybercrime losses in 2024 — up 33% year over year
02 / 05
What a breach actually costs
The ransom is rarely the biggest line item. Downtime, recovery, lost clients, and regulatory exposure dwarf it — and for a small firm, the per-hour math gets brutal fast.
average breach cost in financial services — 2nd-highest of any sector
average ransomware payment in Q4 2025 — though only ~20% of victims now pay
03 / 05
How firms actually get breached
It's almost never a Hollywood hack. It's a convincing email, a reused password, or a missing second factor — which is exactly why a few basic controls block the overwhelming majority of attacks.
of breaches involve a human element (phishing, stolen credentials, misdelivery)
lost to business email compromise across 21,442 complaints in 2024
of automated account-takeover attacks are blocked by multi-factor authentication
The single highest-leverage control most small firms still haven't fully deployed.
04 / 05
The compliance stakes
Cybersecurity isn't optional for tax and accounting firms — it's federal law. The FTC Safeguards Rule and IRS both mandate a written security program, with real penalties for falling short.
maximum FTC penalty per violation, per day, for Safeguards Rule non-compliance
consumers affected triggers a mandatory FTC breach report — required since May 13, 2024
a Written Information Security Plan is federally required — and PTIN renewal makes you certify you have one
05 / 05
A growing digital attack surface
As firms automate and adopt AI, more client data moves online — expanding what has to be secured even as skilled IT talent gets harder to hire.
of accountants now use automation in their workflows
of accountants use AI daily — outpacing small businesses overall
of accountants report challenges hiring skilled talent, especially in technology
About This Data
Methodology & permission to cite
This page aggregates published statistics from primary sources including the IRS Security Summit, the FBI's Internet Crime Complaint Center (IC3), IBM, Verizon, Coveware, the FTC, and the AICPA. Each figure links to its originating source and is reviewed and refreshed monthly. Last updated June 2026.
Writers and journalists: you're welcome to cite any statistic here. Please attribute it to Tech Advisors with a link back to this page — tech-adv.com/blog/accounting-firm-cybersecurity-statistics/.
Questions & Answers
Accounting firm cybersecurity statistics: FAQ
Constantly. The IRS Security Summit reported nearly 300 tax-professional data breaches in just the first half of 2025, exposing up to 250,000 clients. Accounting firms are prime targets because they aggregate Social Security numbers, bank details, and tax records — and according to the Verizon 2025 DBIR, the majority of breaches still rely on a human element like phishing or stolen credentials.
IBM's 2025 Cost of a Data Breach Report puts the global average at $4.44 million, rising to $5.56 million in financial services — the second-highest of any industry. For a small business specifically, VikingCloud estimates the average attack costs around $120,000, with downtime alone running roughly $53,000 per hour.
Yes. Under the Gramm-Leach-Bliley Act, tax preparers and accounting firms are treated as 'financial institutions' and must comply with the FTC Safeguards Rule, including a Written Information Security Plan (WISP). Since May 13, 2024, breaches affecting 500 or more people must be reported to the FTC, and non-compliance penalties can reach $46,517 per violation, per day.
The human element. Phishing, business email compromise, and stolen or reused passwords drive the majority of breaches — the FBI logged $2.77 billion in BEC losses in 2024 alone. The good news: Microsoft reports that multi-factor authentication blocks 99.9% of automated account-takeover attacks, making it the single highest-leverage control a firm can deploy.
Yes — please do. You're welcome to cite any statistic on this page with attribution to Tech Advisors and a link back to this page. Each figure also links to its original source so you can reference the primary research directly.
