
Key takeaway: Professional services is one of the three highest-incidence sectors for cybersecurity breaches in the UK, and business email compromise targeting payroll runs is the number one active threat for accounting firms in 2026. ICO enforcement actions against accountants are rising sharply, with monetary penalties for failures around encryption, multi-factor authentication, and phishing controls. UK GDPR requires breach notification within 72 hours. For practices that hold payroll data, tax records, and banking information for hundreds of clients, the consequences of a breach are not just reputational — they are regulatory and financial.

Accounting practices are high-value targets for cybercriminals. They hold, in one place, the personal and financial data of large numbers of individuals and businesses: National Insurance numbers, bank account details, tax reference numbers, payroll records, and HMRC credentials. A single successful attack on an accounting practice can expose the data of hundreds of clients simultaneously — and the practice, as data controller, is responsible for the consequences under UK GDPR.

The threat landscape in 2026 is not abstract. HMRC has issued alerts about phishing campaigns targeting accountants’ Agent Services Account credentials. The ICO has issued monetary penalties to accountancy firms for failures that were entirely preventable — inadequate encryption, absence of multi-factor authentication, and insufficient staff training on phishing. The question for every practice is not whether cybersecurity is relevant, but whether the controls in place are proportionate to the risk.

The Primary Threats Facing Accounting Practices in 2026

Business email compromise — payroll diversion fraud. This is the number one active threat for UK accounting firms in 2026. The attack pattern is specific: criminals phish or compromise a partner’s email credentials, then monitor the mailbox for emails about upcoming payroll runs. At the right moment, they send an email — appearing to come from the compromised account — to a client or to the bureau, instructing a change to payroll bank details before the next run. The changed bank details divert the payroll to a mule account. By the time the fraud is identified, the funds have moved and recovery is typically impossible.

The defence is procedural as much as technical: a strict policy that bank detail changes are only accepted following a verified phone call to a known number — not via email alone — breaks the attack chain even if credentials are compromised.

Phishing targeting HMRC agent credentials. HMRC’s Agent Services Account is accessed through a username and password. Accountants who have not enabled multi-factor authentication on their ASA, and who use the same password across multiple services, are vulnerable to credential stuffing and phishing attacks. An attacker with access to an ASA can view clients’ tax records, submit returns, and potentially make fraudulent repayment claims. HMRC has repeatedly warned that compromised ASA credentials are being used in exactly this way.

Ransomware. Ransomware attacks encrypt the victim’s data and demand payment for the decryption key. For an accounting practice, losing access to client files mid-tax-season is a catastrophic operational event — even if the firm pays the ransom and recovers the data, the disruption and reputational damage are significant. Regular, tested, off-site backups are the primary control.

Insider risk. The risk from departing employees with access to client data, or from staff who inadvertently expose data through poor security practices, is often underestimated. Practices that do not have a formal process for revoking access when staff leave — or that allow client data to be stored on personal devices without encryption — are carrying a risk that is not visible until something goes wrong.

UK GDPR Obligations: What Practices Must Do

Accounting practices are data controllers under UK GDPR for all client personal data they hold. The obligations include maintaining a record of processing activities, implementing appropriate technical and organisational security measures, and notifying the ICO within 72 hours of becoming aware of a personal data breach that is likely to result in risk to individuals.

For practices holding payroll, tax, and banking data, almost any breach — whether from external attack or internal error — is likely to meet the risk threshold for ICO notification. The 72-hour window is tight, which means practices need to have a breach response plan in place before any incident occurs, not drafted in the hours after one is discovered.

The ICO’s enforcement approach in 2026 is to pursue practices that failed to implement basic, well-known controls — multi-factor authentication, encryption of data at rest and in transit, regular staff training on phishing recognition. Monetary penalties in the accountancy sector have included cases where firms could not demonstrate that any training had been provided, or where client data was stored in an unencrypted email inbox with no access control.

How BrightManager Supports Secure Practice Operations

BrightManager is Bright’s cloud-based practice management platform. Because it is cloud-hosted and accessed through a secure login, the client data held within BrightManager — tasks, deadlines, engagement records, workflow status, and client communication logs — is managed within a security framework that is maintained and updated by Bright, rather than depending on the security posture of individual practice workstations or local servers.

Cloud-based platforms inherently remove one of the most common practice vulnerabilities: locally stored client data on unencrypted laptops or poorly secured on-premise servers. When a staff member’s device is lost, stolen, or compromised, the client data in BrightManager is not accessible from that device — it requires authenticated access through the platform, with credentials that can be revoked immediately by the practice administrator.

For practices moving away from spreadsheet-based workflow management and email-based client communication, BrightManager provides a more secure working environment as a structural consequence of the platform design — not as an add-on security feature. The task management, deadline tracking, and client record functions that practices use daily are all held in a cloud environment with appropriate access controls, rather than scattered across email inboxes, local files, and individual staff calendars.

Practical Steps for Every Practice

Enable MFA on every HMRC service. Multi-factor authentication on the Agent Services Account, the HMRC online portal, and any other HMRC digital service is the single most impactful control for preventing credential-based attacks. It should be mandatory for all practice staff, not optional.

Implement a bank detail change policy. No change to payroll bank details or client payment details should be actioned based on an email instruction alone. A verified phone call to a known number is required. This policy should be written, communicated to all staff, and applied without exception.
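The callback rule described above, and in the payroll-diversion section earlier, can be enforced in software rather than left to memory. The following is an added example written for this article; it is not BrightManager code or any other vendor's. It assumes a client record that already holds a contact number established before the request arrived, and treats any number quoted inside the change request as untrusted. The client, request, names and phone numbers are constructed sample data.

```python
"""Out-of-band verification gate for payroll bank-detail changes.

Added example (not from the original article or from BrightManager).
A change is actioned only after a callback to the number already on
file for the client; a number supplied in the request itself never
qualifies. All records below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class ClientRecord:
    """What the practice already holds for a client, established before any request."""
    client_id: str
    known_phone: str  # contact number on file; the only number a callback may use
    sort_code: str
    account_number: str


@dataclass(frozen=True)
class ChangeRequest:
    """An instruction to change payroll bank details, however it arrived."""
    client_id: str
    channel: str  # "email", "portal", "letter" ...
    new_sort_code: str
    new_account_number: str
    received_at: datetime
    callback_number_in_request: Optional[str] = None  # a "please call me on" number, if given


@dataclass(frozen=True)
class CallbackVerification:
    """Record of the phone call a staff member made to confirm the change."""
    client_id: str
    number_dialled: str
    verified_by: str
    outcome: str  # "confirmed" or "declined"
    at: datetime


class BankDetailChangeGate:
    """Approves a change only when a compliant callback verification exists."""

    def __init__(self, clients: dict[str, ClientRecord]) -> None:
        self.clients = clients
        self.audit_log: list[str] = []

    def evaluate(self, req: ChangeRequest, cb: Optional[CallbackVerification]) -> tuple[bool, str]:
        client = self.clients.get(req.client_id)
        if client is None:
            return self._deny(req, "unknown client")
        # Rule 1: an instruction on its own is never enough, whatever channel it came through.
        if cb is None:
            return self._deny(req, "no callback verification recorded")
        if cb.client_id != req.client_id:
            return self._deny(req, "callback relates to a different client")
        # Rule 2: the callback goes to the number on file. A number quoted in the
        # request is treated as attacker-controlled even if it looks plausible.
        if req.callback_number_in_request and cb.number_dialled == req.callback_number_in_request:
            return self._deny(req, "callback used a number supplied in the request")
        if cb.number_dialled != client.known_phone:
            return self._deny(req, "callback did not use the number on file")
        if cb.outcome != "confirmed":
            return self._deny(req, "client declined the change on callback")
        # Rule 3: the call must post-date the request; an earlier call cannot confirm it.
        if cb.at < req.received_at:
            return self._deny(req, "callback predates the request")
        self.audit_log.append(
            f"APPROVED {req.client_id}: {client.sort_code}/{client.account_number} -> "
            f"{req.new_sort_code}/{req.new_account_number}, confirmed by {cb.verified_by} "
            f"on {cb.number_dialled} at {cb.at.isoformat()}"
        )
        return True, "approved"

    def _deny(self, req: ChangeRequest, reason: str) -> tuple[bool, str]:
        self.audit_log.append(f"DENIED {req.client_id} via {req.channel}: {reason}")
        return False, reason


def run_demo() -> dict[str, tuple[bool, str]]:
    """Three outcomes for one constructed request (all data here is made up)."""
    t0 = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)
    gate = BankDetailChangeGate({
        "C001": ClientRecord("C001", "+44 20 7946 0000", "40-00-00", "12345678"),
    })
    # The request arrives by email from a partner's mailbox and offers a mobile
    # number "for any queries"; that number is not the one on file.
    req = ChangeRequest("C001", "email", "20-00-00", "87654321", t0,
                        callback_number_in_request="+44 7700 900123")
    one_hour_later = t0 + timedelta(hours=1)
    bad_cb = CallbackVerification("C001", "+44 7700 900123", "j.smith", "confirmed", one_hour_later)
    good_cb = CallbackVerification("C001", "+44 20 7946 0000", "j.smith", "confirmed", one_hour_later)
    return {
        "email_only": gate.evaluate(req, None),
        "callback_to_number_in_email": gate.evaluate(req, bad_cb),
        "callback_to_number_on_file": gate.evaluate(req, good_cb),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_demo().items():
        print(f"{name}: {'ACTION' if ok else 'HOLD'} ({reason})")
```

The audit log is the part worth keeping: each denial records why the change was held, and each approval records who made the call and to which number, which is the evidence a practice needs when a client or the ICO asks how a change was verified.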

Test your backups. Regular, off-site backups of all client data are only useful if they can actually be restored. Testing the restoration process at least annually confirms that the backup is viable before a ransomware event makes it necessary.
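A restore test is only meaningful if it checks the restored files against what was backed up, not just that the archive opens. The script below is an added example for this article, not a tool from Bright or any backup vendor. It takes a hash manifest at backup time, restores the archive into a clean directory, and reports any file that is missing or differs. The client folder and files it uses are constructed inside a temporary directory so the drill runs offline; a real drill would point the same functions at the practice's backup set.

```python
"""Backup restore drill: back up, restore elsewhere, verify every file.

Added example (not from the original article or any vendor tool).
A backup counts as viable only when restoring it into a clean location
reproduces every file with a matching SHA-256. Sample data is constructed.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream-hash a file so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative, POSIX-style path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> Path:
    """Write a .tar.gz of `source` plus a manifest file; return the manifest path."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
    manifest_path = archive.with_name(archive.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest_path


def restore(archive: Path, restore_dir: Path) -> Path:
    """Extract into a clean directory, rejecting members that would escape it."""
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if member.name.startswith("/") or ".." in Path(member.name).parts:
                raise ValueError(f"unsafe path in archive: {member.name}")
        tar.extractall(restore_dir)
    return restore_dir / "data"


def verify_restore(manifest_path: Path, data_root: Path) -> dict:
    """Compare the restored tree against the manifest taken at backup time."""
    expected = json.loads(manifest_path.read_text())
    actual = build_manifest(data_root)
    missing = sorted(set(expected) - set(actual))
    corrupt = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return {
        "files_expected": len(expected),
        "files_restored": len(actual),
        "missing": missing,
        "corrupt": corrupt,
        "ok": not missing and not corrupt,
    }


def run_drill(simulate_corruption: bool = False) -> dict:
    """End-to-end drill on a constructed client folder inside a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "clients"
        (source / "C001").mkdir(parents=True)
        # Constructed sample files standing in for real client records.
        (source / "C001" / "payroll_2026-03.csv").write_text("employee,net_pay\nA,1000.00\n")
        (source / "C001" / "sa100_2025.pdf").write_bytes(b"%PDF-1.4\n% constructed sample\n")
        archive = tmp / "backup.tar.gz"
        manifest_path = create_backup(source, archive)
        data_root = restore(archive, tmp / "restore_test")
        if simulate_corruption:
            # Stand-in for a damaged backup medium: one restored file comes back wrong.
            (data_root / "C001" / "payroll_2026-03.csv").write_text("employee,net_pay\n")
        return verify_restore(manifest_path, data_root)


if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2))
    print(json.dumps(run_drill(simulate_corruption=True), indent=2))
```

The manifest should be stored with the backup but also kept somewhere the backup job cannot overwrite, so that a ransomware event which reaches the backup location does not also silently replace the record of what the backup was supposed to contain.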

Train staff regularly. Phishing recognition training is not a one-time induction activity. Regular, updated training — including simulated phishing exercises — keeps staff alert to current attack patterns. The ICO expects proportionate ongoing training for all staff handling personal data.

Revoke access immediately on staff departure. A formal off-boarding checklist that includes immediate revocation of all system access — including email, HMRC services, practice management software, and cloud platforms — is essential for controlling insider risk.

Frequently Asked Questions

What is business email compromise and why is it particularly dangerous for accounting firms?

Business email compromise involves attackers gaining access to a legitimate email account and using it to send fraudulent instructions. For accounting firms, the most common pattern is monitoring for payroll-related emails and then sending fake instructions to change bank details before a payroll run. The fraud is hard to detect because the email appears genuine. The defence is a strict policy requiring a verified phone call before any bank detail change is actioned, regardless of the email instruction.

What are the UK GDPR obligations for an accounting practice after a data breach?

Practices must notify the ICO within 72 hours of becoming aware of a personal data breach that is likely to result in risk to individuals. For most breaches involving payroll, tax, or banking data, the risk threshold is likely to be met. Where individuals are at high risk from the breach, they must also be notified directly. Practices should have a breach response plan in place before any incident.

What security controls does the ICO expect from accounting practices?

The ICO expects proportionate technical and organisational controls relative to the sensitivity of the data held. For accounting practices, this includes: encryption of personal data at rest and in transit; multi-factor authentication on systems holding personal data; regular staff training on phishing and data handling; a formal process for revoking access when staff leave; and a documented data breach response procedure.

How does using cloud-based practice management software improve security compared to local storage?

Cloud-based platforms maintain and update their security infrastructure centrally, rather than relying on the security posture of individual practice devices. Access is controlled through platform credentials that can be revoked immediately. Data is not stored locally on devices that can be lost or stolen. Reputable cloud platforms also maintain standards certifications (such as ISO 27001) that provide assurance about their security framework.

BrightManager is a cloud-based practice management platform — keeping client workflow data, deadlines, and engagement records in a secure, centrally managed environment rather than on local devices or unprotected email inboxes. Find out more about BrightManager or speak to your account manager.