Is cyber liability insurance mandatory for CPA firms seeking financing in 2026?

No. As of 2026, cyber liability insurance is not a blanket legal or SBA-program requirement for CPA firms seeking financing. There is no statute or SBA rule forcing every accounting practice to carry a standalone cyber policy to qualify for a loan. Instead, the requirement is decided case-by-case by the individual lender and, separately, by the insurance carrier underwriting your coverage.

That said, "not mandatory" does not mean "not expected." For SBA 7(a) loans, liability coverage that a lender may require "can include General Liability, Professional Liability, and Cyber Liability, to name a few," and the specific mix is set by your business type and the participating lender, not by a fixed federal checklist (NEWITY). Because CPA firms handle highly sensitive client data, a lender financing a data-heavy practice may well make cyber coverage a closing condition even when the SBA itself does not.

What is actually required by law

The firmer obligation for accounting practices is not insurance at all — it is a data-security program. Under the Gramm-Leach-Bliley Act (GLBA), tax and accounting professionals are treated as "financial institutions" and must implement a written data security plan, an obligation the IRS reminds tax pros about every year (IRS). The FTC Safeguards Rule operationalizes this, and practitioners are advised to keep a current written information security plan (WISP) and incident-response plan on hand (Technology Advisors). A clean WISP is increasingly what a cyber carrier wants to see before it will quote you.

Why most firms buy it anyway

Professional liability does not fill the gap. The AICPA notes its Professional Liability Policy does not cover "the expenses associated with a data breach, such as client notification and credit monitoring" — those require a separate cyber endorsement, which the AICPA frames as a strong recommendation rather than a mandate (AICPA / CNA). The market has largely voted with its wallet: in the 2025 National MAP Survey, 88% of firms reported purchasing cyber liability insurance (Technology Advisors).

Bottom line for a financing application

Don't assume you must buy cyber insurance to get approved — but expect your lender to ask. Confirm coverage requirements in writing with your loan officer before closing, and remember that the cost of a cyber policy is an operating expense your financing structure should account for. If you're weighing how your overall risk and coverage profile affects approval, see our guidance on business insurance for CPA firms and the broader cyber liability guide. For firms financing through the SBA route, our SBA loans for accounting firms overview covers what lenders typically condition closing on.

Sources

• Insurance Requirements for SBA 7(a) Loans — NEWITY
• IRS Security Summit: tax pros must have a Written Information Security Plan — IRS
• FTC Safeguards Rule for CPA Firms — Technology Advisors
• Cyber Liability Insurance for CPA Firms — AICPA / CNA