The role of cyber insurance when using managed service providers
Insurance for professionals – how to protect yourself and your clients
For Australian professionals in various fields, including accountants, lawyers, financial advisors and the like, having robust cyber security risk management and cyber insurance to protect your business, your clients, and your confidential information, is vitally important.
Cyberthreats and cybercrime are increasing in Australia, and small to medium-sized enterprises (SMEs) are being targeted in increasing numbers. In recent years phishing attacks have increased, with cybercriminals posing as potential new tax clients [1].
Incredibly, the Australian Cyber Security Centre (ACSC) receives a new cybercrime report every 10 minutes [2]. A recent report from the Office of the Australian Information Commissioner (OAIC) reports the highest levels of notified breaches in the last 3.5 years, and a 9% increase in the last year alone [3].
Cyber security is something all professionals need to take seriously.
Cyber risk and Managed Service Providers (MSPs)
Many accountants, lawyers, financial advisors and other professionals use Managed Service Providers (MSPs), or technology partners to assist with housing confidential data and providing technology services, and those services can greatly assist business functionality. Your practice may well do so too.
But using MSP services doesn’t eliminate or reduce the need for you to safeguard against the cyber risks your business can face. The Australian Privacy Commissioner has warned that third parties, such as MSPs, may be a ‘weak spot’ in protecting data privacy [4].
Managed Service Providers (MSPs) – who are they and why use them?
Managed Service Providers (MSPs) are typically technology experts. They can provide many vital technological support services, so your business can focus on what it does best – servicing the needs of your client base and offering timely professional advice.
Specifically, MSPs might:
- Provide you with technology support.
- Store and protect confidential and sensitive client data.
- Monitor your systems.
- Troubleshoot your technology.
- Upgrade your practice software when needed, and more.
MSPs, cyber security and risk management
If you use a Managed Service Provider (MSP) for data storage and technology services, and your MSP has access to your IT systems, adequate cyber insurance is more than prudent, it’s a ‘must.’
The very fact that your MSP may have access to a large quantity of confidential data, both your clients’ and others’, makes them a target for cybercrime, as there are more potential ‘victims’ of a cyberattack.
Cyberattacks targeting MSPs are generally outside of your control, yet they can directly and seriously impede your own business financially and operationally, as well as damage your reputation.
5 reasons why professionals need cyber cover (even if you already use an MSP)
- Shared responsibility: While your MSP may have its own security measures and comprehensive insurance, your firm could still be held liable for data breaches, particularly if they involve client information. A cyber insurance policy can help cover costs related to such incidents.
- Coverage for breaches and attacks: Cyber insurance typically provides coverage for various cyber-related incidents, including data breaches, ransomware attacks, and other forms of cybercrime. This can help mitigate financial loss and cover legal expenses.
- Client trust: Having cyber insurance demonstrates to your clients that you are committed to protecting their sensitive information. ‘Walking the talk’ enhances trust and may even be a requirement in contractual relationships you have with them.
- Limitations of your MSP’s insurance: Your MSP’s insurance may not cover all aspects of your specific liabilities, especially those related to the services you provide. Therefore, having your own policy is essential.
- Regulatory compliance: Significant data breaches must be reported under the Notifiable Data Breach scheme to the Office of the Australian Information Commissioner (OAIC), as well as to individuals that are affected. A breach can leave your business exposed to potential regulatory actions if the requirements concerning MSPs are not complied with. So adequate cyber insurance could help you meet legal obligations.
These regulations are set to become more stringent, as the Australian Government has introduced the Privacy and Other Legislation Amendment Bill 2024, which is currently on its way through parliament. This will strengthen privacy protection laws and give the OAIC more power to impose penalties.
So, while utilising an MSP might help your business be more competitive and efficient, it does not exempt your firm from cyber risk or liability. If you’re a CPA, as you’ll be aware, you are required to hold a minimum level of Professional Indemnity Insurance; cyber insurance can serve as an additional layer of security for both your business and your clients. Marsh Professional Indemnity Insurance has optional extensions for cyber and public liability insurance. We recommend you discuss this with a Marsh professional insurance broker to assess your needs.
Cyber insurance for CPA Australia members and other professionals
Whether it’s operator error, system failure or security failure, a cyber insurance policy is extremely valuable not only for the financial cover it offers you, but also for the expertise it buys. You can be covered for:
- Immediate response management 24/7 - you’ll get immediate guidance from first response advisors, who are specialists in containing and managing a cyber incident. This can help protect your business’s reputation and finances, and minimise any damage or disruption from the cyberattack. You’re also covered for their remediation costs.
- Network interruption – and the loss of profit that results from your downtime.
- Privacy and security liability – responds to third party liability, resulting from breaches of confidential information or security failure.
- Digital media content liability – damage and deface costs or unintentional or negligent breach of third party IP.
- Ransomware (cyber extortion) expenses - and/or reimbursement, and access to ransom negotiators, where legal to do so.
- Cybercrime - covers against various types of cyber-related crimes and fraudulent activities. This includes funds transfer fraud, computer fraud, telephone usage fraud, and cryptojacking fraud.
LanTech case study
Last year, several Marsh clients were affected by a data breach at LanTech, a New Zealand IT company. Many had their own cyber insurance policies, which gave them coverage for costs surrounding data recreation/recovery as well as notification costs to affected individuals. They were also able to utilise the panel legal/breach counsel for guidance through the whole response and recovery process, which helped to alleviate pressure from our clients that had data compromised.
Proactive steps CPAs can take to minimise cyber risk
Within your practice
- Don’t share more data and administrative access than necessary.
- Ensure MSPs have unique accounts that can be tracked, monitored and access removed if necessary.
- Regularly upgrade your business applications to implement important security updates.
- Conduct cybersecurity training for all employees covering effective cybersecurity practices, common threats to be aware of, and how attacks can occur.
With your MSPs
- Evaluate your MSPs’ cybersecurity practices including network security, compliance with industry standards, employee training, risk monitoring, contingency plans, data privacy and application security.
- Determine what business data is more sensitive if stolen, versus other data that may be more disruptive if unavailable. This assessment will help you determine the potential risk level that each MSP has to your business.
- Enable Multi-factor Authentication by both your business and your MSPs.
As you can see, the cyber threat landscape is rapidly evolving. No CPA, accountant or professional – large or small – is safe from cyber threats. If you use any digital technology, consider discussing CPA cyber insurance cover with a Marsh professional insurance broker. They can help you assess whether you have adequate cyber security cover for your business. We can offer cyber cover for other professionals too.
[1] Cybercriminals target accounting firms. CPA INPRACTICE
[2] Results from the Australian Cyber Security Centre Small Business Survey
[3] Statistics from the OAIC September 2024 report
[4] The Guardian, May 2024