I want to talk about a category of cybersecurity risk that almost no small business owner thinks about: the security posture of the third parties who hold your data.
Specifically, your accountant.
Small accounting firms — the two-to-twenty-person practices that handle bookkeeping, payroll, T4s, and corporate tax returns for thousands of Canadian SMBs — have become one of the most aggressively targeted business categories in 2025 and 2026. The reasons are structural and they are not improving. If you have an accountant, this affects you. Here is what is happening, and what to ask.
Why accounting firms are targeted
Three things make accounting firms attractive to ransomware operators in a way that most other small businesses are not.
First, the data is uniquely valuable. An accountant's working files contain payroll information for thirty client businesses, bank account numbers, T4 details for every employee of every client, corporate tax data, and often the personal tax returns of the principals of each client business. A successful intrusion at one accounting firm yields data on potentially hundreds of downstream businesses and thousands of individuals. The same intrusion at a single end-customer business yields data on just that one business.
The math is asymmetric. Attackers respond to math.
Second, the security budget is structurally thin. Most small accounting practices are run by CPAs who are experts at accounting and not at cybersecurity. Their IT support is often a part-time contractor or a family relative. Their security tooling is often whatever was bundled with their primary accounting software — Sage, QuickBooks, CaseWare — none of which provide endpoint security. Their backup strategy is often “we use OneDrive.” (OneDrive is not a backup.)
The combination of high-value data and thin security investment is, from an attacker's perspective, ideal.
Third, timing pressure makes accounting firms unusually willing to pay ransoms. When a tax-related deadline is two weeks away — corporate year-end, T4 filings, instalment dates — an accounting firm under ransomware lockout is in an existential business situation. Paying the ransom to recover the files quickly is often the only viable choice. Attackers know this and time campaigns accordingly. We have observed clear clustering of accounting-firm campaigns in the weeks before major Canadian tax deadlines.
What the impact looks like for clients
When an accounting firm is hit by ransomware, the consequences for client businesses typically include some combination of:
- Operational disruption while the accountant cannot access their working files
- Late tax filings with associated penalties and interest
- Payroll delays when the accountant runs payroll for the client
- Privacy breach notification obligations under PIPEDA and Alberta PIPA, because the accountant's files contain personal information about employees
- Fraud exposure when leaked employee data is used for downstream identity theft
- Reputational damage when the breach becomes public
Most of these consequences land on the client, not the accountant. The client's employees are the ones whose personal information is now in criminal hands. The client's tax filings are the ones that are late. The client's privacy obligations to its employees are the ones being triggered.
And critically — the client's own cyber-insurance carrier is going to ask questions. Specifically, they will ask whether you exercised reasonable due diligence in selecting and overseeing third-party service providers who handle your data.
What to ask your accountant
If your accountant's security posture is poor, it is your problem too. Here are the five questions worth asking your accountant in your next regular meeting. They are not technical. The answers should be specific.
1. Do you have managed Endpoint Detection and Response (EDR) on every computer that touches client data, monitored 24/7?
Acceptable answer: “Yes, we use [Huntress / SentinelOne / Microsoft Defender for Business / CrowdStrike].”
Unacceptable answer: “We have antivirus.” (Antivirus is not EDR.)
2. Are your backups immutable, off-site, and tested in the last 90 days?
Acceptable answer: “Yes, we use [Datto / Cove / Acronis] with cloud immutability, and we last tested a restore in [month].”
Unacceptable answer: “We use OneDrive.” or “Everything is in the cloud.”
3. Do you carry cyber-insurance coverage that would respond if a breach affected my data?
Acceptable answer: “Yes, [carrier name], with [coverage limit] and a notification SLA.”
Unacceptable answer: “Our general liability covers that.” (It almost certainly does not.)
4. What is your written incident response plan if a breach happens during tax season?
Acceptable answer: A specific description of who calls whom, when clients are notified, when regulators are notified, and what their working assumption is about restoration time.
Unacceptable answer: “We'd figure it out.”
5. Is MFA enforced on every account, with no exceptions, in Microsoft 365 and in your accounting software?
Acceptable answer: “Yes, MFA is enforced on everyone, including the principals and any seasonal contract staff.”
Unacceptable answer: “We have it on most accounts.” (One account without MFA is one account's worth of attack surface, and one is all that is needed.)
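For a firm that runs on Microsoft 365, the “no exceptions” part of question 5 can be checked rather than taken on trust. The script below is an added example, not something from this article; it assumes the Microsoft Graph PowerShell SDK is installed, that the person running it is an administrator of the firm's tenant who can consent to read-only scopes, and that MFA is enforced through Conditional Access rather than Security Defaults (a tenant on Security Defaults has no Conditional Access policies to inspect, which the script flags). It reports two things: accounts that have never registered an MFA method, and accounts explicitly excluded from an enabled policy that requires MFA. Registration alone does not prove enforcement, which is why the policy exclusions are listed too.

```powershell
# Added example (not from the article): audit a Microsoft 365 tenant for the
# "MFA on every account, no exceptions" claim. Read-only Graph scopes only.
Connect-MgGraph -Scopes 'AuditLog.Read.All','UserAuthenticationMethod.Read.All','Policy.Read.All','User.Read.All' -NoWelcome

# 1. Accounts that have not registered any MFA method at all.
$notRegistered = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, IsAdmin, UserType

# 2. Accounts explicitly excluded from an enabled Conditional Access policy
#    that requires MFA. These exclusions are the "exceptions" in question 5.
$mfaPolicies = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq 'enabled' -and $_.GrantControls.BuiltInControls -contains 'mfa' }

$excluded = foreach ($p in $mfaPolicies) {
    foreach ($id in $p.Conditions.Users.ExcludeUsers) {
        # Exclusions may be user object IDs or group-style tokens; resolve what we can.
        $u = Get-MgUser -UserId $id -Property UserPrincipalName -ErrorAction SilentlyContinue
        $name = if ($u) { $u.UserPrincipalName } else { $id }
        [pscustomobject]@{ Policy = $p.DisplayName; ExcludedUser = $name }
    }
}

if (-not $mfaPolicies) {
    Write-Warning 'No enabled Conditional Access policy requires MFA. Check whether Security Defaults are on instead.'
}
'--- Accounts with no MFA method registered ---'
$notRegistered | Format-Table -AutoSize
'--- Accounts excluded from MFA-requiring policies ---'
$excluded | Format-Table -AutoSize
```

Either list being non-empty is the specific, non-technical answer the question is after: “these accounts are the exceptions.” Seasonal contract staff and break-glass administrator accounts are the usual entries, and each one should have a documented reason.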
What to do if the answers concern you
You have three options if your accountant's answers do not satisfy you.
Option 1: Have the conversation. Most accounting firms genuinely do not know what their clients, and their clients' insurance carriers, now expect, because nobody has told them. A polite, specific conversation is sometimes enough to motivate them to upgrade — particularly if you frame it as a request from a client they want to keep.
Option 2: Document the request and limit what you share. Where possible, limit what data the accountant actually needs. They may not need full employee SIN details for every payroll cycle. They may not need historical banking information older than seven years. Reduce the surface area of what they hold.
Option 3: Change accountants. This is the right answer if your accountant cannot or will not improve. There are firms in Alberta with strong cybersecurity practices, and the gap between them and the laggards is now wide enough to be worth switching for.
The reciprocal question
It is worth asking the same questions of your own business — because your accountant, your law firm, your insurance broker, your IT provider, and any other third party who handles your data is asking the same questions of you. Increasingly, these questions are baked into the standard professional-services engagement letters that small businesses sign every year.
The era when SMBs could rely on the assumption that their service providers were “probably handling security” is over. The questions are being asked. The answers are now part of the relationship.
How we help
Peace Country Cyber serves several accounting firms across northern Alberta. The combination of high-value data, regulatory obligations under PIPEDA/PIPA, and tax-season timing pressure makes them exactly the kind of business that benefits most from a managed cybersecurity partnership. If you are an accounting firm reading this and any of the questions above made you uncomfortable, get in touch.
If you are a client business worried about your accountant's security posture, send them this article. The conversation often goes better when initiated by a respected source than when initiated by an awkward question over a tax-prep meeting.
Peace Country Cyber is northern Alberta's local cybersecurity partner. Take the free Security Risk Report →