What an accounting practice should carry above E&O

Accountants over-rely on professional liability as their whole insurance programme. Here are the four other lines that actually matter for a CPA practice in 2026.

Stanley Cieslak Founding Head of Brokerage May 19, 2026

Accountants buy professional liability because they have to — most state boards require it, peer-review programmes assume it, and clients expect to see a certificate. Most CPA practices stop there. The result is a programme that responds to malpractice claims but leaves four other meaningful exposures uncovered.

Here’s what a complete CPA insurance programme actually looks like in 2026, beyond the E&O.

1. Cyber, sized for client-data volume

An accounting firm’s cyber exposure isn’t theoretical. Every firm holds:

  • Client SSNs and tax IDs
  • Financial statements and bank account details
  • Payroll data, including for the firm’s own staff
  • W-9s, 1099s, K-1s — the entire downstream tax ecosystem

The likely loss isn’t ransomware. It’s social-engineering / wire fraud during tax season, credential theft from tax software, and the third-party suits that follow when client data is exposed.

Sizing: $2M – $5M is typical for a mid-sized CPA practice; multi-partner firms with >50k client records should be at $5M+. Limits should be sized to records held, not headcount.

2. Crime / fidelity, with social engineering as a primary limit

Most CPA practices have at least one employee with access to client bank accounts (write-up, bookkeeping, controller-level engagements). That’s an employee dishonesty exposure that standard crime cover responds to.

The bigger 2026 exposure is social-engineering fraud — fake client emails redirecting refunds, vendor-impersonation invoices, finance-team email compromise. Standard crime policies typically sub-limit this to $50k–$100k, which is materially below typical loss.

The right structure: crime policy with primary social-engineering limits sized to the firm’s annual client-funds throughput, and explicit coverage for “voluntary transfer” scenarios (since social engineering essentially always involves an employee being tricked into authorising a transaction).

3. EPLI, sized for the right workforce

CPA practices are W-2-heavy and turnover-heavy, especially in the audit-staff associate years. Wage-and-hour, harassment, discrimination and wrongful-termination claims are statistically more common than malpractice claims at growing firms.

Sizing: $1M minimum; $3M+ for firms with 50+ employees or multi-state operations. Wage-and-hour cover is the line item to scrutinise — many EPLI forms sub-limit it heavily.

4. D&O, once the firm reaches partnership scale

For LLPs and partnership structures, professional liability covers professional acts but not management acts. A partner sued personally for decisions about firm governance — admission, expulsion, compensation, succession, M&A — needs D&O cover, not LPL.

Sizing: $1M – $5M depending on partnership size and revenue. M&A activity, lateral partner additions, and any litigation history within the partnership are the events that prompt upsizing.

5. Business owner’s policy

The unsexy floor: BOP covers the office property, GL for third-party slip-and-fall and basic liability, and modest business interruption. Most landlords require certificates, most clients expect baseline GL coverage. Limits here are usually adequate at modest levels and the line is cheap.

How the lines should overlap

The mistake most CPA practices make is to buy each line separately, from different carriers, without anyone reviewing whether the forms actually overlap correctly. The most common gap: a tax-season social-engineering loss falls between cyber (which sub-limited it) and crime (which excluded voluntary transfer). Neither carrier pays. The firm pays.

A clean programme has all five lines reviewed against each other annually, with primary limits and sub-limits sized to the actual exposure shape of an accounting practice — not the generic professional-services template.

What we tell new CPA clients

Three questions, one annual review:

  1. What’s the cyber social-engineering limit? If it’s under $250k for any practice with >$2M in client throughput, that’s a known gap.
  2. Is the crime policy’s voluntary-transfer exclusion present? If yes, push for an endorsement or a different carrier.
  3. Is EPLI sized to actual headcount and geography? Multi-state remote workers need multi-state EPLI; firms scaling associate headcount need to size up.

Professional liability is the floor of a CPA insurance programme. It isn’t the whole programme.

About the author

Stanley Cieslak

Founding Head of Brokerage

Stanley brings more than 20 years in wholesale and retail insurance brokerage, and has placed over $500 million in premium across his career. He has held senior roles at AmWINS, WestRope and Jencap, building exclusive insurance programs.
