The Real Cost of a Cyber Incident: A Melbourne SME Case Study

Most cost-of-breach articles quote the IBM global average of 4.45 million US dollars. That number is useless if you run a 40-person professional services firm in Melbourne. It is calculated across global enterprises and tells you almost nothing about what a real incident costs an Australian SME.

This article does the opposite. It walks through a composite case study, anonymised but with real numbers from incidents we have helped respond to in late 2025, of a Melbourne professional services SME hit by a phishing-led business email compromise that escalated into a partial ransomware event. Line by line. Every number traceable to a real invoice, productivity calculation, or insurance excess. By the end you will have a defensible cost-of-incident model you can take to your board.

TechAssist has been responding to incidents like this since we were founded in 2014. Our cybersecurity services Melbourne team has worked on enough breaches across the Melbourne metro to know that the line-by-line numbers are remarkably consistent across firms of similar size. The variability is in the tail (insurance, customer churn, vendor questionnaires), and the tail is bigger than people expect.

The Case: A Hawthorn Professional Services Firm

The composite firm is 42 staff. Professional services, business advisory. Office in Hawthorn. Average revenue per consultant is $380,000 per year. Average gross margin around 55 percent. They had Microsoft 365 Business Standard (note: not Premium), a basic backup tool, MFA enabled but not enforced through conditional access, and a flat network with no segmentation. They had no formal incident response retainer, no tabletop exercises, and no cyber insurance until six months before the incident, when their bank required it as a condition of a working capital facility.

This is a deliberately realistic baseline. It is the security posture we see in roughly 30 to 40 percent of mid-market Melbourne firms when we first engage. Not abysmal, not great. Compliance with the obvious basics, gaps in the less-obvious depth.

The incident timeline: a senior consultant clicked a phishing link on a Wednesday afternoon, entered her Microsoft 365 credentials into a credential-harvesting page, and the attacker logged into her mailbox at 4:47pm Melbourne time (her account, it later turned out, had no MFA; see the insurance section below). By the time the consultant noticed something was off on Thursday morning, the attacker had created inbox forwarding rules, consented to an OAuth application with mailbox-read permissions so that access would survive a password reset, and identified a finance team payment workflow they could exploit. Over the next four days the attacker ran classic business email compromise activity while also deploying ransomware against a file server the consultant could reach through a mapped network drive.

The ransomware did not encrypt the entire estate. It encrypted approximately 40 percent of the file server contents, which included the active client engagement directory. The Microsoft 365 mailboxes and SharePoint were not encrypted but were exfiltrated, with evidence of approximately 12GB of data taken to an external server before the attacker was kicked out.
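The two persistence mechanisms in that timeline, forwarding rules and a consented OAuth app, both leave records in the Microsoft 365 Unified Audit Log, and hunting for them is the first thing the forensics engagement does. The script below is an added example (not TechAssist tooling and not code from this page) that runs that hunt over audit records. The records are constructed to resemble the AuditData JSON that `Search-UnifiedAuditLog` returns; the field names follow the real schema, the values, addresses and IPs are invented, and the firm domain is an assumption.

```python
"""Hunt for mailbox persistence in Microsoft 365 Unified Audit Log records:
forwarding/deleting inbox rules and OAuth consents that grant mail scopes.
Added example, not TechAssist tooling. SAMPLE_RECORDS are constructed;
field names follow the AuditData schema but every value is invented."""
import re

FIRM_DOMAIN = "example.com.au"  # assumption: the firm's own mail domain

# Graph scopes that give an app standing access to mail; attacker persistence needs one.
SENSITIVE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Read.Shared",
                    "Mail.ReadWrite.Shared", "Mail.Send", "MailboxSettings.ReadWrite"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email", "archive"}
SCOPE_RE = re.compile(r"Scope:\s*([^\],]+)")

SAMPLE_RECORDS = [  # constructed; times are UTC (4:47pm AEDT is 05:47 UTC)
    {"CreationTime": "2025-11-12T05:47:03", "Operation": "UserLoggedIn",
     "UserId": "consultant@example.com.au", "ClientIP": "203.0.113.45"},
    {"CreationTime": "2025-11-12T06:52:10", "Operation": "New-InboxRule",
     "UserId": "consultant@example.com.au", "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "billing@mail-relay.example.net"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;remittance"}]},
    {"CreationTime": "2025-11-12T07:03:41", "Operation": "New-InboxRule",
     "UserId": "consultant@example.com.au", "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "Name", "Value": "Clean up"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                    {"Name": "FromAddressContainsWords", "Value": "finance@example.com.au"}]},
    {"CreationTime": "2025-11-12T07:20:05", "Operation": "Set-InboxRule",
     "UserId": "admin.assistant@example.com.au", "ClientIP": "198.51.100.10",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"CreationTime": "2025-11-12T07:31:22", "Operation": "Consent to application.",
     "UserId": "consultant@example.com.au", "ClientIP": "203.0.113.45",
     "ModifiedProperties": [{"Name": "ConsentAction.Permissions",
                             "NewValue": "[[ConsentType: Principal, Scope: Mail.Read offline_access User.Read]]"}]},
    {"CreationTime": "2025-11-12T09:00:00", "Operation": "Consent to application.",
     "UserId": "partner@example.com.au", "ClientIP": "198.51.100.10",
     "ModifiedProperties": [{"Name": "ConsentAction.Permissions",
                             "NewValue": "[[ConsentType: Principal, Scope: User.Read openid profile]]"}]},
]


def _params(record):
    """Flatten the Parameters array ([{Name, Value}, ...]) into a dict of strings."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def is_external(address):
    return "@" in address and not address.lower().endswith("@" + FIRM_DOMAIN)


def suspicious_inbox_rules(records):
    """Rules that forward outside the tenant, delete mail, or hide it in odd folders."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = _params(rec)
        reasons = []
        for key in sorted(FORWARD_PARAMS & set(p)):
            targets = [t.strip() for t in p[key].split(";") if t.strip()]
            if any(is_external(t) for t in targets):
                reasons.append(f"{key} -> external {p[key]}")
        if p.get("DeleteMessage", "").lower() == "true":
            reasons.append("deletes matching messages")
        if p.get("MoveToFolder", "").lower() in HIDE_FOLDERS:
            reasons.append(f"moves matches to '{p['MoveToFolder']}'")
        if len(p.get("Name", "").strip()) <= 2:  # attackers name rules "." or ".."
            reasons.append("near-empty rule name")
        if reasons:
            findings.append({"time": rec["CreationTime"], "user": rec["UserId"],
                             "ip": rec.get("ClientIP"), "rule": p.get("Name"), "reasons": reasons})
    return findings


def risky_consents(records):
    """'Consent to application.' events that grant mail scopes to an app."""
    findings = []
    for rec in records:
        if rec.get("Operation") != "Consent to application.":
            continue
        scopes = set()
        for prop in rec.get("ModifiedProperties", []):
            if prop.get("Name") == "ConsentAction.Permissions":
                for m in SCOPE_RE.finditer(prop.get("NewValue", "")):
                    scopes.update(m.group(1).split())
        hit = sorted(scopes & SENSITIVE_SCOPES)
        if hit:
            findings.append({"time": rec["CreationTime"], "user": rec["UserId"],
                             "ip": rec.get("ClientIP"), "scopes": hit})
    return findings


def pivot_on_attacker_ips(records):
    """Scoping step: take the IPs behind the findings and list everything they did."""
    ips = {f["ip"] for f in suspicious_inbox_rules(records) + risky_consents(records)} - {None}
    return sorted((r["CreationTime"], r["UserId"], r["Operation"])
                  for r in records if r.get("ClientIP") in ips)


if __name__ == "__main__":
    for f in suspicious_inbox_rules(SAMPLE_RECORDS) + risky_consents(SAMPLE_RECORDS):
        print(f)
    print("All activity from attacker IPs:", *pivot_on_attacker_ips(SAMPLE_RECORDS), sep="\n  ")
```

The pivot at the end is the part that turns a detection into scoping: once the rule and consent events give you the attacker's IP, every other record from that IP (the initial login, anything against other mailboxes) is in scope for the forensics and notification assessment.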

Line-by-Line: The Direct Costs

These are the invoices that hit the firm’s accounts payable system in the 90 days following the incident.

| Line item | Amount (AUD) | Notes |
| --- | --- | --- |
| Incident response retainer activation | $28,000 | External IR firm, week-one engagement. Includes after-hours rates. |
| Forensics and scoping | $45,000 | Full mailbox forensics, endpoint forensics on 18 devices, SharePoint audit log review, exfiltration scoping. |
| Ransomware containment and recovery | $18,500 | Server rebuild from backup, mailbox cleanup, OAuth app removal, credential rotation across the tenant. |
| Legal counsel (privacy and notification) | $22,000 | Privacy Act advice, Notifiable Data Breach assessment, customer notification language drafting. |
| Notification production and dispatch | $4,800 | Letters to affected individuals, customer email programme, regulator submission. |
| External communications support | $6,500 | Holding statement, FAQ document, two staff comms sessions, board briefing pack. |
| Additional security tooling (post-incident) | $14,000 | Upgrade to Microsoft 365 Business Premium for the whole tenant, Defender for Business deployment, conditional access policies. |
| Cyber insurance excess | $25,000 | Policy excess, deducted from the first-party claim. |
| Direct costs subtotal | $163,800 | |

These are the invoices. They are the part most articles cover. In our experience they are typically only 35 to 45 percent of the actual total cost of an incident; in this case they came to 25 percent. The bigger numbers are the indirect costs, which we will get to next.

Line-by-Line: The Productivity and Revenue Losses

The firm was substantially offline for nine business days. Full operations did not resume for fourteen business days. Email was down for four days during the cleanup. The shared file environment was down or partially down for seven days. The active client engagement directory took the longest to fully restore because some of the data required reconstruction from local copies, email attachments, and supplier records.

Here is what the productivity loss looked like.

| Line item | Amount (AUD) | Calculation |
| --- | --- | --- |
| Consultant productivity loss (9 days) | $110,000 | $380k revenue / 220 working days x 55% margin x 40% efficiency loss ≈ $3,420 per consultant per disrupted day, x 9 days across the fee-earning headcount (see the note below). |
| Admin and support staff productivity loss | $8,500 | 6 staff x $85k salary / 220 days; 100% loss for the first 3 days, 50% for the next 6. |
| Partner time on incident response | $32,000 | 2 partners at full opportunity cost over two weeks coordinating the response. |
| Deferred client work | $26,000 | Two engagements pushed by three weeks; revenue recognition delayed, project margin compressed. |
| Productivity subtotal | $176,500 | |

This is where the cost actually lives. The productivity loss is bigger than every invoice combined. And the only way to avoid this number is to maintain operations during the incident, which requires segmentation (so the incident does not take everything), backups that actually work (not just exist), and an incident response plan that has been rehearsed so the firm can keep working in a degraded mode while specialists clean up.

Note the calculation method. We are not double-counting. The 40 percent efficiency loss accounts for the fact that some work could continue on local copies, mobile devices, and via personal email. It is not a full revenue loss; it is the proportion of consultant time that was actually unproductive during the disruption period. Note also that the formula as printed gives a higher figure than the table: all 40 consultants at roughly $3,420 per day for nine days is $136,800, and $110,000 corresponds to about 32 consultant-equivalents being disrupted at that rate. Treat the formula as the method and substitute your own headcount and disruption profile rather than copying the case figures. For a fully air-gapped firm with no degraded-mode capability, this number would have been closer to $200,000.
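The productivity, churn and insurance lines above are all simple formulas, and the point of the article is that you should run them with your own inputs. The model below is an added example (not TechAssist's own tool) that implements those formulas as written on this page. Defaults are the Hawthorn firm's inputs; the per-partner weekly figure is derived from the page's $32,000 over 2 partners and 2 weeks and is an assumption, and the deferred-work line is an input rather than a formula because the page gives no formula for it.

```python
"""Cost-of-incident model built from the formulas in the case study tables.

Added example, not TechAssist tooling. Defaults are the Hawthorn firm's
inputs; partner_cost_per_week is an assumption derived from the page's
$32,000 / 2 partners / 2 weeks. All dollar figures are AUD.
"""
from dataclasses import dataclass

WORKING_DAYS = 220  # working days per year, as the article's calculations use


@dataclass
class FirmProfile:
    consultants: int = 40
    revenue_per_consultant: float = 380_000
    gross_margin: float = 0.55
    support_staff: int = 6
    support_salary: float = 85_000
    partners: int = 2
    partner_cost_per_week: float = 8_000  # assumed: $32k / 2 partners / 2 weeks


def consultant_day_margin(f: FirmProfile, efficiency_loss: float) -> float:
    """Gross margin lost per consultant per disrupted day."""
    return f.revenue_per_consultant / WORKING_DAYS * f.gross_margin * efficiency_loss


def consultant_productivity_loss(f, days_disrupted, efficiency_loss):
    """Margin lost on consultant time: revenue/day x margin x % unproductive x days x heads."""
    return round(f.consultants * consultant_day_margin(f, efficiency_loss) * days_disrupted)


def implied_consultant_equivalents(amount, f, days_disrupted, efficiency_loss):
    """How many fully-disrupted consultant-equivalents a dollar figure represents."""
    return amount / (consultant_day_margin(f, efficiency_loss) * days_disrupted)


def support_productivity_loss(f, loss_profile):
    """loss_profile: sequence of (days, fraction_lost), e.g. [(3, 1.0), (6, 0.5)].
    Support staff are a salary cost, so this line is cost-based, not margin-based."""
    lost_days = sum(days * fraction for days, fraction in loss_profile)
    return round(f.support_staff * f.support_salary / WORKING_DAYS * lost_days)


def partner_time_cost(f, weeks):
    return round(f.partners * f.partner_cost_per_week * weeks)


def churn_margin_loss(f, annual_revenue_lost, attribution):
    """Year-one gross margin lost to churned clients, scaled by how much you attribute to the incident."""
    return round(annual_revenue_lost * attribution * f.gross_margin)


def insurance_premium_uplift(old_premium, new_premium, years):
    """Extra premium over the years before you can negotiate back down (excess changes excluded)."""
    return (new_premium - old_premium) * years


def productivity_lines(f, days_disrupted=9, efficiency_loss=0.40,
                       support_profile=((3, 1.0), (6, 0.5)), partner_weeks=2,
                       deferred_work=26_000):
    """The four productivity lines in the article's table, plus their subtotal."""
    lines = {
        "consultants": consultant_productivity_loss(f, days_disrupted, efficiency_loss),
        "support": support_productivity_loss(f, support_profile),
        "partners": partner_time_cost(f, partner_weeks),
        "deferred_work": deferred_work,
    }
    lines["subtotal"] = sum(lines.values())
    return lines


if __name__ == "__main__":
    firm = FirmProfile()
    for name, value in productivity_lines(firm).items():
        print(f"{name:>14}: ${value:,}")
    print(f"$110,000 implies {implied_consultant_equivalents(110_000, firm, 9, 0.40):.1f} consultant-equivalents")
    print(f"churn year-1 margin: ${churn_margin_loss(firm, 340_000, 0.5):,}")
    print(f"insurance uplift (5y): ${insurance_premium_uplift(11_400, 34_800, 5):,}")
```

Run with the page's inputs, the consultant line comes out at $136,800 and the admin line at about $13,900, both above the table; the churn and insurance formulas reproduce $93,500 and $117,000 exactly. The useful exercise for a board is to change `consultants`, `days_disrupted` and `efficiency_loss` to reflect what your own firm could do in degraded mode, which is where segmentation and tested backups show up in the number.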

The Indirect Costs: Where the Tail Really Hurts

The direct and productivity costs are large. The indirect costs are where the real long-term damage shows up, and these are the numbers boards consistently underestimate.

Customer churn. Two of the firm’s clients ended their engagement within four months of the incident. One cited the incident directly. The other did not, but the timing was clear. Combined annual revenue from those two clients: $340,000. Even attributing only 50 percent of the loss to the incident (because both clients had other contributing factors), the cost is $170,000 in lost annual revenue, or roughly $93,500 in gross margin in the first year. The two-year tail is materially worse.

Cyber insurance premium uplift. The firm’s cyber insurance premium at renewal increased from $11,400 per year to $34,800 per year, with a higher excess, more exclusions, and a requirement to demonstrate ongoing security controls (a quarterly attestation). Across a five-year window before they can credibly negotiate back down, that is roughly $117,000 in additional insurance cost.

Vendor security questionnaires. This is the cost that surprises most firms. Every existing enterprise client (and they had four) requested a detailed security questionnaire within three months of the incident becoming known. Each questionnaire required 8 to 14 hours of senior engineering time to complete, plus partner review and signoff. New business pursuits were paused for four months while they rebuilt their security posture sufficiently to credibly respond to procurement processes. We estimated the 14-month tail of vendor questionnaires and rebuilt pursuit activity at roughly $48,000 of internal time and $35,000 of opportunity cost from delayed new business.

Brand and recruitment impact. Harder to quantify. The firm reported two senior consultant hires falling through after the candidates raised the incident in second-round conversations. The estimated cost of the delayed hires and the additional recruitment spend was around $22,000.

| Line item | Amount (AUD) | Notes |
| --- | --- | --- |
| Customer churn (year 1 margin) | $93,500 | $340k annual revenue x 50% attribution x 55% gross margin. |
| Cyber insurance premium uplift (5 years) | $117,000 | ($34,800 - $11,400) x 5 years; premium only. The higher excess costs nothing unless there is another claim. |
| Vendor security questionnaires (internal cost) | $48,000 | 14-month tail. |
| Lost new business (procurement gating) | $35,000 | Pursuits delayed or paused for four months. |
| Recruitment impact | $22,000 | Hires falling through, additional recruitment spend. |
| Indirect cost subtotal | $315,500 | |

The Total: A Real Number

Direct costs: $163,800. Productivity and revenue losses: $176,500. Indirect costs: $315,500. Total cost of the incident over the 14-month tail: $655,800.

That number, $655,800, is the realistic cost of a phishing-led BEC and partial ransomware incident for a 42-person Melbourne professional services SME with the security posture we described. Not 4.45 million dollars. Not 100,000 dollars. Somewhere between half a million and a million Australian dollars, depending on customer churn and how cleanly the insurance claim is handled.

If you scale this to a smaller firm (say 20 staff with $5m revenue), the number comes down, but by less than the headcount ratio, because the fixed costs (legal, IR retainer, forensics) compress much less than the productivity and churn lines. A similar incident at a 20-person firm typically lands between $300,000 and $500,000. For a 100-person firm, similar incidents land between $1.2 million and $2.5 million.

What Cyber Insurance Did and Did Not Cover

Cyber insurance is genuinely useful but is not a substitute for prevention. The Hawthorn firm’s policy covered most of the incident response retainer, forensics, legal counsel, and notification costs, which together come to about $99,000 of first-party cost, less the $25,000 excess the firm paid itself. It did not cover the productivity loss, the customer churn, the premium uplift, or the indirect business impact.

The lesson: cyber insurance covers the bill from external responders. It does not cover the cost of being offline. It does not pay your consultants while they cannot work. It does not retain clients who have lost confidence. Insurance is a backstop for the invoiced costs. The productivity and tail costs are yours either way.

A second lesson: the insurer required, as part of claim acceptance, evidence of the controls the firm had attested to at policy inception. Their attestation said MFA was enforced on all users. In reality MFA was enabled but not enforced through conditional access, and the specific consultant whose credentials were compromised had been excluded from MFA under a legacy authentication exception that nobody had revisited. The claim was paid, but the next year’s renewal was tougher because the discrepancy was visible. Be careful what you attest to. Insurers will check.

What Would Have Prevented This Incident

Almost all of it was preventable, and almost none of the preventative controls were expensive relative to the incident cost. Here are the specific controls that would have prevented or substantially mitigated each phase.

The credential phishing would have been stopped by any enforced MFA, since the compromised account had none, and properly mitigated by phishing-resistant MFA (a FIDO2 hardware key, or a passkey on a platform authenticator) rather than SMS or push-notification MFA, which a credential-harvesting page can relay in real time. Hardware keys cost about $80 each. Platform authenticators (Windows Hello, Face ID) are free.

If the attacker had instead used an adversary-in-the-middle phishing kit to capture the session token after MFA, a conditional access policy requiring a compliant (Intune-managed) device would have blocked the replayed session, because the attacker’s machine cannot satisfy the device check.

The OAuth app persistence would have been blocked by the Entra ID user consent settings: restricting user consent to verified publishers and low-risk permissions (or disabling it entirely) and routing everything else through the admin consent workflow means a user cannot grant an unknown app Mail.Read. Restricting who can register applications in the tenant closes the other half of the technique.

The lateral movement to the file server would have been mitigated by network segmentation (the consultant’s laptop should not have had unfiltered SMB access to the file server) and by application control on both the endpoint and the server (the ransomware payload should not have been able to execute).

The ransomware impact would have been minimised by immutable backups and a restore procedure tested against a defined recovery time objective. The firm’s backup tool was working, but the restore took four days because nobody had ever run it under realistic load.

The data exfiltration would have been detectable, and potentially preventable, by SharePoint download volume alerting and by data loss prevention policies on sensitive document libraries.

None of those controls is expensive. Microsoft 365 Business Premium (which includes most of them) costs about $36 per user per month, roughly $18,000 per year for the 42-person firm. The incident cost was $655,800. The math does not require a spreadsheet.

For the framework view, our zero trust security model explained guide covers how these controls fit together. For the backup and recovery side specifically, see our backup and disaster recovery Melbourne 2026 guide.

What Got Done in the Six Months After

The firm engaged us for remediation about three weeks into the incident response (their existing IT provider was not equipped to run incident response). Over the six months following the incident, the security posture was substantially rebuilt. Here is the rough sequence and cost.

| Workstream | Cost (AUD) | Duration |
| --- | --- | --- |
| Microsoft 365 uplift to Business Premium | $18,000 / year ongoing | Week 1 |
| Conditional access and Intune deployment | $24,000 one-off | Weeks 2-5 |
| Network segmentation (UniFi, four VLANs) | $28,000 one-off | Weeks 6-9 |
| Backup overhaul with immutable copies | $22,000 one-off + $14,000 / year | Weeks 10-13 |
| Application control deployment (corporate VLAN) | $32,000 one-off | Weeks 14-22 |
| Privileged access management | $18,000 one-off + $9,600 / year | Weeks 16-20 |
| Staff phishing training programme | $8,400 / year | Week 8 onwards, quarterly |
| Quarterly tabletop exercises | $12,000 / year | Started week 18 |
| Six-month remediation total | $124,000 one-off + $62,000 / year ongoing | |

The one-off remediation spend was roughly a fifth of the incident cost, and even with the first year of ongoing costs added it was under a third. If the same investment had been made before the incident, the incident would either not have happened, or would have been contained at a cost roughly an order of magnitude smaller.

The firm is now aligned with Essential Eight Maturity Level Two on most controls and is targeting Maturity Level Three for the controls that matter most to their client base. They moved to managed IT services Melbourne with us under per-user fixed monthly pricing, which gave them predictable costs and 24/7 NOC coverage out of our Tecoma office. P1 incidents are responded to in under 15 minutes, and same-business-day on-site coverage across Melbourne metro is the standard SLA.

Lessons for Boards and Owners

If you read nothing else from this article, read this section. These are the takeaways for non-technical decision-makers.

The IBM global average is irrelevant. Your number is between three and ten times your annual cybersecurity budget, and the multiplier is higher the worse your starting posture is. Calculate your number based on your headcount, your revenue per head, your billable model, and your client base.

The invoice is the smallest part. Productivity loss and indirect cost are typically 60 to 70 percent of the real total, and were 75 percent in this case. Reducing the incident cost means reducing time-to-recovery and customer impact, not just having someone to call when it happens.

Cyber insurance is necessary but not sufficient. It pays the bills from external responders. It does not pay your staff while they cannot work, and it does not prevent customer churn.

The controls that matter most are not expensive. Microsoft 365 Business Premium, conditional access, MFA enforcement, network segmentation, immutable backups, and application control cost the Hawthorn firm about $106,000 one-off plus $32,000 a year (from the remediation table above): roughly a fifth of the realistic incident cost in year one, and about 5 percent a year after that.

Your client base will assess your security posture after an incident, and possibly before. If you serve enterprise clients, expect vendor questionnaires. If you serve government, expect IRAP-adjacent assessments. The post-incident scramble to answer questionnaires you should have answered years ago is one of the bigger hidden costs.

For the broader buyer’s guide on getting the right partner in place, see how to choose an MSP Melbourne and our top managed service providers Melbourne review. Privacy obligations are covered in our Australian Privacy Act for SMBs guide.

Frequently Asked Questions

How long does an incident response engagement typically take?

The intense phase is two to three weeks. Containment is days one to three. Forensics and scoping is the first ten days. Remediation continues for one to three months depending on the depth of the cleanup required. The notification and regulatory tail can run six to nine months. The vendor questionnaire and customer trust tail runs twelve to eighteen months.

Does paying the ransom make sense?

Almost never. In this case the firm did not pay because backups, while slow to restore, were intact. In cases where backups are not viable, paying is a gamble even with reputable negotiation specialists (the decryptor may not work, and payment does not get exfiltrated data back), and the legal and reputational ramifications are significant. The Australian Government discourages payment, and since 30 May 2025 the Cyber Security Act 2024 has required businesses with annual turnover above $3 million to report any ransomware payment to the Australian Signals Directorate within 72 hours of making it. Our advice is to invest in recovery capability so paying is not on the table.

What is the single highest-leverage control to deploy first?

MFA enforcement with conditional access for every user. It is the single control that would have prevented the largest proportion of the incidents we have responded to over the last three years. Specifically: MFA enforced at the conditional access layer (not just enabled), with phishing-resistant methods (passkeys, platform authenticators, or hardware tokens) for at least admin accounts and high-value users.

Do I need a 24/7 SOC?

For most SMEs, no. A managed service provider with 24/7 NOC monitoring and a documented escalation path to an incident response specialist covers the same risk at a fraction of the cost of a dedicated SOC. We provide this as part of our managed service from our Tecoma NOC. Once you exceed 200 staff or move into highly regulated industries, the calculus changes.

How often should we run tabletop exercises?

Quarterly for the first year after starting a security programme. Twice yearly thereafter. The first tabletop usually exposes more gaps than the actual control review did, because it surfaces decision-making issues that controls do not address (who calls the lawyer, who briefs the board, who talks to clients).

Where do I start if my security posture is similar to the case study firm?

Start with an assessment. Not a vendor pitch. An honest evaluation of where your gaps are, what they would cost to remediate, and what they would cost if exploited. We do this for Melbourne SMEs out of our Tecoma office and our 575 Bourke St CBD office. Reach the team via the contact page and we will run the assessment with you.

Your Professional Indemnity insurer wants proof, not promises. At 2026 renewal they expect documented evidence of MFA on every account, EDR on every endpoint, immutable backups, a tested incident response plan, vendor risk records, and current security awareness training logs. If you can’t produce these on demand, expect higher premiums, tighter sub-limits, or a declinature.

That’s the short answer. The longer answer is that conversations about cybersecurity at Australian law firms have changed shape since 2023. PI underwriters in the Australian legal market (Lawcover, LMI, Marsh-placed syndicates, and the London market behind most boutique brokers) used to ask a single tick-box question about “having antivirus”. Renewal questionnaires in 2025 and 2026 run twenty to forty technical questions deep, and a “yes” with no evidence is functionally a “no” at claim time.

This post is the practical brief for partners, principals, and practice managers at Melbourne firms with five to a hundred staff. It’s written from the engineering side: what underwriters now demand, what that actually looks like in a working firm, where Melbourne practices keep getting caught, and what to have ready before your broker rings.

Why PI underwriting changed

The Optus breach in September 2022 and Medibank a month later reframed cyber risk in the Australian insurance market. Reinsurers based in London and Munich repriced Australian cyber and PI cover almost immediately. By the 2024 renewal cycle, every Australian PI insurer touching the legal sector had rebuilt their underwriting questionnaires around the same control set — the one the Australian Cyber Security Centre had been publishing as the Essential Eight since 2017.

Three things shifted at once. First, the Notifiable Data Breaches scheme, administered by the OAIC under the Privacy Act 1988, generated enough public data that underwriters could finally model breach frequency by sector; legal, accounting and management services consistently sit in the top five sectors by notification count in the OAIC’s half-yearly reports. Second, the Legal Profession Uniform Law’s professional conduct rules around client confidentiality were tested in several disciplinary matters where the underlying cause was a cyber incident, not deliberate disclosure. The VLSB+C (Victorian Legal Services Board and Commissioner) takes a dim view of practitioners who lose privileged material through preventable controls failures. Third, business email compromise losses on conveyancing and family law settlements stopped being rare. They became the most common notification type from the legal sector.

The combined effect: insurers stopped treating cyber as an adjacent line and started treating it as a core PI risk. A breach that exposes client trust account details, leaks privileged advice, or redirects settlement funds is now a PI loss, not just a cyber loss. That’s why the questionnaires got longer.

The controls underwriters now require evidence of

Below is the control set we see consistently across renewal questionnaires for Melbourne legal practices in 2025 and 2026. The exact wording varies between insurers in the Australian legal market, but the substance is consistent. “Evidence” in the right column means what we hand to the broker — not a verbal assurance.

| Control | What underwriters expect | Evidence we provide |
| --- | --- | --- |
| Multi-factor authentication | MFA on every account that can access email, practice management, document management, trust accounting, and remote access. No exceptions for partners or senior staff. | Conditional access policy export from Entra ID showing 100% coverage; sign-in logs demonstrating MFA enforcement. |
| Endpoint Detection and Response | EDR on every endpoint and server, not signature-based antivirus. Behavioural detection, 24/7 monitoring, automated isolation. | Vendor licence count matching device count; SOC console screenshots; recent detection and response examples. |
| Immutable backups | Backups that ransomware operators cannot delete or encrypt, even with administrative credentials. Offline or object-locked copies. | Backup architecture diagram; restore test results from the last six months; 3-2-1-1-0 verification. |
| Email security and BEC controls | Advanced anti-phishing, DMARC at p=reject, internal phishing simulation, and process controls for changing bank details on settlements. | DMARC report; phishing simulation results; documented dual-approval process for payment changes. |
| Patching | Operating systems and applications patched within fourteen days of vendor release; critical patches within forty-eight hours. | Patch compliance reports by device class; exception register for unpatchable systems. |
| Privileged access management | Separate admin accounts, just-in-time elevation where practicable, no shared credentials, no domain admin used for daily work. | Admin account inventory; PAM tool reports; evidence that partners do not have local admin on their daily-driver laptop. |
| Incident response plan | A written, tested IR plan with named roles, escalation paths, breach notification flowchart, and an external IR retainer. | The plan itself; tabletop exercise minutes; signed IR retainer with a DFIR firm. |
| Vendor risk management | A register of every third party touching firm data (counsel chambers, e-discovery providers, court filing platforms, accounting software) with security posture assessed. | Vendor register; SOC 2 or ISO 27001 certificates collected from key vendors; data flow map. |
| Security awareness training | Annual mandatory training, with quarterly phishing simulation and remedial training for staff who click. Records kept for every employee including partners. | LMS completion reports; phishing simulation click-rate trend; remedial training records. |
| Logging and monitoring | Centralised logs from identity, endpoint, email, and firewall, retained for at least twelve months, reviewed by a SOC. | SIEM or XDR coverage matrix; retention configuration; SOC engagement summary. |

This is the spine of the Essential Eight in legal-firm clothing. If you’ve already mapped your controls to the ACSC framework, you’ve done most of the work — see our Essential 8 compliance guide for how the maturity levels translate into renewal evidence. The broader operational picture for Melbourne firms is covered in our piece on managed IT for Melbourne law firms, which goes deeper on day-to-day workflows. This post stays focused on what the underwriter wants to see.

How Melbourne law firms actually get caught

The questionnaire controls aren’t theoretical. Each one exists because insurers paid claims on a specific failure mode. Three patterns dominate the legal-sector losses we see across Melbourne.

BEC during property settlement

A boutique conveyancing practice in Hawthorn, eight staff, ran a standard residential settlement through PEXA. Two weeks before settlement, the conveyancer’s email account was compromised through a credential-stuffing attack — the practitioner reused a password that had appeared in a 2021 breach dump. The attacker sat in the mailbox for nine days, set up an Outlook rule to auto-forward and delete anything containing the matter reference, and at the right moment sent the purchaser’s solicitor a “corrected” trust account BSB and account number from a lookalike domain registered three weeks earlier.

The purchaser’s funds — $847,000 — landed in a mule account in Sydney and were withdrawn within ninety minutes. The PI claim covered the loss but the renewal premium tripled, the firm was placed on a remediation programme by the insurer, and the principal had a conversation with the VLSB+C that no principal wants to have.

What would have stopped it: MFA on the email account (would have blocked the credential stuffing); DMARC at p=reject on the firm’s domain (would have made the lookalike-domain trick harder); a dual-approval process for any change to settlement bank details that requires verbal confirmation on a known phone number; an inbox rule audit running weekly. Every one of those is now a tick-box on the renewal questionnaire.
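DMARC at p=reject stops an attacker sending as your exact domain; it does nothing about a lookalike domain registered three weeks earlier, which is why the process control (phone confirmation on a known number for any bank-detail change) matters. The script below is an added example, not part of the original post, of the triage a mail gateway or a paralegal's tooling can apply to inbound settlement correspondence: it flags a sender domain that merely resembles a trusted counterparty's, and separately flags any message that presents bank details as a change, regardless of who sent it, because the trusted mailbox may itself be compromised. The trusted domains and the sample messages are constructed; the confusable-character table is a small illustrative subset.

```python
"""Triage inbound mail for settlement-redirection fraud: lookalike sender
domains plus bank details presented as a change. Added example, not part
of the original post; TRUSTED_DOMAINS and SAMPLE_MESSAGES are constructed."""
import re

# Assumption: domains of counterparties the firm exchanges settlement mail with.
TRUSTED_DOMAINS = {"smithlegal.com.au", "example-conveyancing.com.au"}

# Substitutions that make a lookalike domain read like the real one (illustrative subset).
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("1", "l"), ("0", "o"), ("5", "s"))
BSB_RE = re.compile(r"\b\d{3}[- ]?\d{3}\b")       # Australian BSB, e.g. 063-000
ACCOUNT_RE = re.compile(r"\b\d{6,10}\b")          # account number candidate
CHANGE_WORDS = ("updated", "new account", "changed", "corrected", "please use", "now pay")

SAMPLE_MESSAGES = [  # constructed
    {"id": "m1", "from": "settlements@srnithlegal.com.au",
     "body": "Please note our corrected trust account details for Friday: BSB 063-000, account 12345678."},
    {"id": "m2", "from": "settlements@smithlegal.com.au",
     "body": "Attached is the adjustment statement for Friday."},
    {"id": "m3", "from": "accounts@smithlegal-settlements.com",
     "body": "Our BSB has been updated to 013-000, account 987654321."},
    {"id": "m4", "from": "news@lawinstitute.example",
     "body": "Upcoming CPD seminar on cyber risk."},
    {"id": "m5", "from": "accounts@smithlegal.com.au",
     "body": "Please use our updated account: BSB 033-000, account 44556677."},
    {"id": "m6", "from": "partner@srnithlegal.com.au",
     "body": "Thanks, see you at 10."},
]


def skeleton(domain):
    """Collapse confusable sequences so 'srnith' and 'smith' compare equal."""
    d = domain.lower()
    for bad, good in CONFUSABLE_PAIRS:
        d = d.replace(bad, good)
    return d


def levenshtein(a, b):
    """Edit distance; catches single-character typosquats like smithlega1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this sender domain imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        if (skeleton(domain) == skeleton(trusted)
                or levenshtein(domain, trusted) <= 2
                or trusted.split(".")[0] in domain):   # e.g. smithlegal-settlements.com
            return trusted
    return None


def has_bank_details(text):
    return bool(BSB_RE.search(text)) and bool(ACCOUNT_RE.search(text))


def triage(message):
    """(verdict, reason) or None. BLOCK = lookalike with bank details;
    REVIEW = bank details presented as a change, even from a trusted sender."""
    sender_domain = message["from"].rsplit("@", 1)[-1]
    imitates = lookalike_of(sender_domain)
    body = message["body"].lower()
    details = has_bank_details(body)
    change = any(w in body for w in CHANGE_WORDS)
    if imitates and details:
        return "BLOCK", f"{sender_domain} imitates {imitates} and carries bank details"
    if details and change:
        return "REVIEW", "bank details presented as a change: confirm by phone on a known number"
    if imitates:
        return "WARN", f"{sender_domain} imitates {imitates}"
    return None


def triage_all(messages):
    results = {}
    for m in messages:
        verdict = triage(m)
        if verdict:
            results[m["id"]] = verdict
    return results


if __name__ == "__main__":
    for msg_id, (verdict, reason) in triage_all(SAMPLE_MESSAGES).items():
        print(f"{msg_id}: {verdict:6} {reason}")
```

The REVIEW verdict on a message from a genuinely trusted domain is deliberate: it is the automated half of the dual-approval control, and the other half is a human ringing a number they already had before the email arrived.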

Ransomware on the practice management system

A 22-lawyer commercial firm in William Street ran LEAP on an on-premises Windows server. The server was patched, the firm had antivirus, and they had backups on a Synology NAS that was reachable from the domain. On a Tuesday afternoon a paralegal opened an invoice attachment that wasn’t an invoice. By Wednesday morning the LEAP database was encrypted, the file shares were encrypted, the Synology backups had been encrypted because the backup service account had write access to the NAS, and the only clean restore point was a three-month-old archive on a USB drive in the office manager’s desk drawer.

The firm was offline for nine business days. Court deadlines were missed. The reconstruction of work-in-progress cost more than the ransom demand. PI cover responded but the insurer required, as a condition of renewal, EDR with managed response, immutable backups with offline copies, and segregation of the backup environment from the production domain. They also required documented evidence that the firm had moved off the legacy AV product within sixty days.

What would have stopped it: EDR with behavioural detection (would have killed the ransomware process before encryption started); immutable backups (the Synology was the single point of failure); least-privilege on the backup service account (it had no business being able to write to anything except the backup repository); a tested restore process.

Departing-staff conflict-of-interest exfiltration

A family law boutique in Camberwell, six lawyers, had an associate resign and move to a competing practice down the road. In her last fortnight she synced her firm OneDrive to a personal Dropbox, emailed forty-seven matter files to a Gmail address, and copied the client list to a USB stick. The firm only found out when a former client rang asking why the new practice already knew about her matter.

This isn’t a hacker story. It’s a controls story. The OneDrive sync to a personal Dropbox was possible because nothing on the managed laptop restricted consumer cloud-storage clients, and no tenant restriction or conditional access policy limited sign-in to the firm’s own accounts. The email exfiltration ran unnoticed because the firm had no DLP rules on outbound attachments. The USB copy worked because removable storage wasn’t blocked. The PI insurer paid the resulting client claims, but the firm now has formal data loss prevention controls in place, because the renewal questionnaire asked and a “no” wasn’t an option.

Where the LIV, VLSB+C, and Uniform Law sit in this

The Law Institute of Victoria publishes practice guidance on technology use and increasingly references the Essential Eight directly. The VLSB+C, as the regulator, doesn’t run a separate cyber compliance regime — but the Legal Profession Uniform Law’s professional conduct rules around client confidentiality apply to electronic records the same way they apply to paper. If privileged material walks out the door because controls were absent, that’s potentially a conduct matter, not just a cyber incident.

The OAIC sits across this as the regulator for the Notifiable Data Breaches scheme. Where there are reasonable grounds to suspect an eligible data breach, the entity has 30 days to complete its assessment; once it concludes that personal information has been lost or disclosed in a way likely to result in serious harm, it must notify the OAIC and the affected individuals as soon as practicable. For a law firm, almost any breach meets that threshold because the data is, by definition, sensitive. The OAIC’s reasonable steps test under APP 11 looks remarkably similar to the Essential Eight in practice.

None of these bodies mandate a specific technical control set. Together they make absence of one indefensible. PI underwriters know this, which is why their questionnaires read like an APP 11 audit with a managed-services flavour. Our guide to IT compliance for legal practices goes deeper on the regulatory side; this post is focused on the insurance side because that’s the meeting that’s coming up next.

The PI questionnaire decoded

If you’ve been handed a 2026 renewal questionnaire, the questions tend to cluster into seven domains. Here’s how to read them.

| Questionnaire domain | What they’re really asking | Where firms trip up |
| --- | --- | --- |
| Identity and access | Do you have MFA on every account, or just on email for some staff? | Partners and IT admins exempted from MFA “for convenience”. This is now a hard fail. |
| Endpoint security | Is your endpoint product EDR or AV? Who responds when it triggers at 2am? | Naming a legacy AV product. Buying EDR but not having anyone watching the console. |
| Backups | Can a ransomware operator with domain admin credentials destroy your backups? | NAS backups on the same domain. Cloud backups in the same tenant as production with no immutability lock. |
| Email and BEC | What stops a fraudulent settlement-redirection email from reaching your inbox, and what stops your staff actioning it? | No DMARC. No dual-approval process for changes to client banking details. |
| Incident response | If you discover a breach at 4pm Friday, who do you call? | No retainer in place. Plan exists but has never been tested. |
| Vendor management | Who touches your data outside the firm, and how do you know they’re secure? | No register. Counsel chambers and e-discovery vendors never assessed. |
| People | Do staff know what a phishing email looks like, and is there a record proving you trained them? | Ad-hoc training with no records. Partners exempt themselves and then click the worst links. |

What “evidence-ready” actually looks like

The phrase brokers use is “evidence-ready”. Insurers want a folder — usually shared via a secure portal — containing the documents that back each questionnaire answer. For a 30-person Melbourne firm, that folder typically holds:

  • An information security policy, signed by the managing partner, dated within the last twelve months.
  • The incident response plan, with a tabletop exercise record from the last six months.
  • A network diagram showing the firm’s environment, including cloud tenancy boundaries.
  • A data flow map showing where client data lives — practice management, document management, email, archives.
  • Backup architecture and the most recent restore test report.
  • MFA coverage report exported from Entra ID or the equivalent identity platform.
  • EDR licence and coverage report.
  • Patch compliance report by device.
  • Phishing simulation results for the last twelve months.
  • Security awareness training completion records for every employee.
  • Vendor risk register with current SOC 2 or ISO 27001 reports for material vendors.
  • Penetration test report or vulnerability assessment dated within the last twelve months.
  • Cyber insurance certificate if held separately from PI.
  • IR retainer agreement with a DFIR firm.

This is roughly what we maintain for our legal-sector clients on a rolling basis. The first time a firm builds this folder it takes about six weeks. After that it’s a quarterly review.

The trust account angle

Trust accounts deserve their own paragraph because they’re where the PI conversation gets sharpest. The VLSB+C’s trust account inspection regime focuses on financial controls, not cyber controls — but a compromised email account that authorises a trust withdrawal is a trust account failure with a cyber root cause. The principles are similar to what we’ve written about for the accounting sector in our accounting firm data security and trust account protection piece, but legal practices have additional confidentiality obligations on top.

For trust account-handling firms, the additional controls underwriters look for are:

  • Segregation of duties so no single person can authorise a trust payment and change a bank detail.
  • Out-of-band verification — a phone call to a known number, not the number in the email — for any change to settlement banking details.
  • Logging of every change to bank account details in the practice management system.
  • Restrictions on remote access to the trust accounting module.

The IR retainer question

This one trips firms up consistently. A growing number of PI questionnaires ask whether the firm has a “pre-engagement with an incident response provider”. A yes-or-no answer with no documentation isn’t enough; underwriters want to see the agreement, the SLA on response time, and the name of the DFIR firm.

The reason is practical. A breach at 4pm on a Friday in a firm without a retainer means the principal spends Friday night ringing law firms (ironic) for referrals, then ringing IR firms who all quote a five-figure engagement fee before they’ll start work, then waiting until Monday morning for forensics to begin. By then the attacker has been in the environment for sixty-plus additional hours. With a retainer, the call goes to a 24/7 hotline, the engagement is pre-papered, and the analyst is in your environment within an hour.

TechAssist’s NOC at Tecoma runs 24/7 with sub-fifteen-minute P1 response, and we maintain DFIR relationships for clients who need separate forensics capability. The retainer doesn’t replace your MSP’s incident response — it’s the specialist forensics and legal-privilege layer that sits above it.

Cost framing

The question every managing partner asks is what this costs. Rough order of magnitude for a Melbourne firm of 25 staff, looking at what insurers now expect as table stakes:

| Control area | Indicative annual cost (25-staff firm) | Notes |
|---|---|---|
| MFA and conditional access (Entra ID P1) | Already covered by Microsoft 365 Business Premium, which includes Entra ID P1 (P2 features such as risk-based policies and PIM are an add-on) | Configuration effort, not licence cost, is the spend. |
| EDR with managed response | $60-120 per endpoint per year | Includes 24/7 SOC monitoring; AV-only is no longer accepted. |
| Immutable backup with offline copy | $8,000-15,000 per year depending on data volume | Usually replaces an existing backup product, not additive. |
| Security awareness training and phishing simulation | $30-50 per user per year | Records retention is part of the value. |
| Penetration test (external + light internal) | $8,000-15,000 every twelve to eighteen months | Required by some questionnaires; recommended by all. |
| IR retainer | $3,000-8,000 per year | Plus hourly rates if invoked. Retainer keeps the meter off. |
| Vendor risk management programme | Included in managed service for our legal clients | Standalone tools exist but add complexity for small firms. |

The savings sit on the other side of the ledger — in PI premium itself, in the avoided cost of a single BEC loss, and in the avoided cost of unwinding a ransomware event. A 25-staff firm seeing premium reductions of 10-20% on a $40,000-$80,000 PI line is paying for most of the control uplift through the insurance line alone.

How TechAssist works with law firms on this

We’ve been running managed IT for Melbourne legal practices since 2014. The team is thirteen Australian engineers, all local, with the 24/7 NOC at Tecoma in Melbourne’s east. Our controls are Essential Eight aligned and our delivery is ISO 27001 capable, which matters because the same questionnaire that asks about your controls also asks about your MSP’s controls — and your MSP either passes that sub-questionnaire or becomes the weak link in your renewal.

For PI-renewal-ready engagements we work to a four-stage pattern: gap assessment against the questionnaire your broker uses; remediation plan with priority order driven by the questions most likely to determine pricing; implementation with evidence captured from day one; and a documentation pack handed to your broker. The full picture of how we handle ongoing operations for legal sector clients is in our broader piece on IT support for Australian law firms, which covers the day-to-day. The cybersecurity layer is detailed at cybersecurity services Melbourne.

P1 response sits under fifteen minutes by SLA. We’ve had to use that response time on legal-sector incidents, including BEC attempts caught mid-attack and one ransomware event isolated before encryption spread off the patient-zero machine. The pre-existing IR retainer made the difference in both cases.

If your renewal is coming up

Pull the questionnaire from your broker now, not when the renewal date arrives. Read it cold and mark each question green, amber, or red. Green is “yes, with evidence in the folder”. Amber is “yes, but the evidence is thin”. Red is “no, or I don’t know”.

Take the reds first. The high-leverage ones are usually MFA-everywhere, EDR with managed response, immutable backups, an IR retainer, and a dual-approval process on settlement banking details. Those five, properly implemented and documented, move the needle on premium more than any other combination.

If the questionnaire mentions specific frameworks — Essential Eight, ISO 27001, NIST CSF — ask the broker which one the underwriter weights most heavily. For the Australian legal market it’s almost always Essential Eight, and the maturity level expected is typically ML2 for firms over twenty staff.

If you’d like a hand with any of this — the gap assessment, the remediation, the evidence pack — get in touch via our contact page or call 1300 028 324. Mention you’re working on a PI renewal and we’ll structure the conversation around the questionnaire rather than running through a generic discovery.

Frequently asked questions

What does Lawcover require for cyber controls at renewal?

We don’t speak for any specific insurer’s underwriting position and you should confirm directly with your broker. What we observe across questionnaires from insurers active in the Australian legal market — including Lawcover-placed risks, LMI, and London-market boutique syndicates — is convergence on the Essential Eight control set, EDR rather than signature AV, immutable backups, documented IR plans, and security awareness training records. Specific wording and thresholds vary; the underlying expectations don’t.

Our PI insurer wants “evidence of MFA”. What does that mean in practice?

They want a report, not a statement. For Microsoft 365 environments that’s typically the Authentication Methods Activity report or a conditional access policy export from Entra ID showing the policy, its assignment to all users, and sign-in logs proving MFA fires on every sign-in. For other identity platforms the equivalent applies. A screenshot of the MFA setup page isn’t evidence; a sign-in log is.
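A worked version of “a sign-in log is evidence”, added here as an example and not TechAssist’s tooling: the script reads an Entra ID sign-in log export and produces the per-user MFA coverage table a broker can file, counting only successful interactive sign-ins (a failed password guess says nothing about whether MFA would have fired, and non-interactive token refreshes inherit the original session’s claims). It assumes the export is a JSON array using the field names of the Microsoft Graph signIn resource (userPrincipalName, isInteractive, authenticationRequirement, conditionalAccessStatus, status.errorCode); check those against your own export. The embedded records, domain and usernames are constructed.

```python
"""Summarise MFA coverage from an Entra ID sign-in log export.

Added example, not TechAssist tooling. Assumes Microsoft Graph signIn field
names; verify them against your own export. SAMPLE_EXPORT is constructed.
"""
import json
from collections import defaultdict

SAMPLE_EXPORT = json.dumps([
    # Associate who satisfies MFA on every interactive sign-in.
    {"userPrincipalName": "associate@example-law.com.au", "isInteractive": True,
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"userPrincipalName": "associate@example-law.com.au", "isInteractive": True,
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    # Partner excluded from the policy "for convenience": one single-factor sign-in.
    {"userPrincipalName": "partner@example-law.com.au", "isInteractive": True,
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    {"userPrincipalName": "partner@example-law.com.au", "isInteractive": True,
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    # Non-interactive token refresh: reported separately, not a coverage gap.
    {"userPrincipalName": "associate@example-law.com.au", "isInteractive": False,
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    # Failed sign-in (50126 = bad password): skipped, it proves nothing either way.
    {"userPrincipalName": "associate@example-law.com.au", "isInteractive": True,
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "failure", "status": {"errorCode": 50126}},
])


def mfa_coverage(export_json: str) -> dict:
    """Per-user counts of successful interactive sign-ins with and without
    MFA, the users who have any single-factor sign-in, and how many
    non-interactive sign-ins were set aside."""
    per_user = defaultdict(lambda: {"mfa": 0, "single_factor": 0})
    non_interactive = 0
    for rec in json.loads(export_json):
        if rec.get("status", {}).get("errorCode", 1) != 0:
            continue  # only successful sign-ins count toward coverage
        if not rec.get("isInteractive", False):
            non_interactive += 1
            continue
        bucket = ("mfa" if rec.get("authenticationRequirement")
                  == "multiFactorAuthentication" else "single_factor")
        per_user[rec["userPrincipalName"]][bucket] += 1
    gaps = sorted(u for u, c in per_user.items() if c["single_factor"] > 0)
    return {"users": dict(per_user), "gaps": gaps,
            "non_interactive_skipped": non_interactive}


def format_report(summary: dict) -> str:
    """Render the summary as the plain-text table that goes in the evidence folder."""
    lines = [f"{'user':40} {'mfa':>5} {'single':>7}"]
    for upn, counts in sorted(summary["users"].items()):
        lines.append(f"{upn:40} {counts['mfa']:>5} {counts['single_factor']:>7}")
    lines.append(f"users with single-factor sign-ins: {len(summary['gaps'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(mfa_coverage(SAMPLE_EXPORT)))
```

Any name in the gaps list is a conditional access exclusion or a legacy-authentication path that the underwriter will read as “MFA not enforced”; fix the policy, re-export, and file the clean run.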

Do we need a separate incident response retainer if we already have a managed service provider?

Most renewal questionnaires ask the question in a way that expects yes. The MSP handles operational response — isolating endpoints, restoring from backup, locking down accounts. A DFIR retainer adds forensics under legal privilege, breach notification advice, and the chain-of-custody work that holds up in a regulator investigation or insurance claim dispute. The two are complementary. For smaller firms we sometimes structure this through the MSP’s partnerships rather than a direct DFIR retainer, which is generally acceptable to underwriters if the arrangement is documented.

How long does it take to get evidence-ready for a renewal?

For a firm starting from “we have antivirus and basic backups”, expect six to twelve weeks to reach evidence-ready, depending on the existing environment. The technical implementations can happen quickly — MFA rollout in two weeks, EDR deployment in a week, backup re-architecture in three to four weeks. The documentation and policy work is what extends the timeline. Most firms underestimate the policy side and overestimate the technical side.

If we fail the questionnaire, will we lose cover?

Outright declinature is rare; what happens more often is higher premium, lower limits, ransomware sub-limits, or specific exclusions written into the policy. Some insurers in the Australian legal market will offer cover conditionally — with a remediation deadline and a follow-up assessment in six months. The worst outcome we see isn’t refusal; it’s a policy that pays out at claim time only to the extent the firm can prove it met the controls it said it had at renewal. Failure-to-disclose claims are a recurring source of disputes.

We’re a five-partner firm with one practice manager and no IT staff. Is this all proportionate?

The control set scales down well. MFA is free with your Microsoft licensing. EDR for ten endpoints is around $600-1200 a year. Immutable backup for a small firm is a few thousand. The documentation is shorter because the environment is simpler. The premium savings are proportional too — small firms see absolute premium reductions that more than cover the spend. The trap small firms fall into is assuming size buys them out of the questionnaire. It doesn’t.

Accounting firms in Melbourne hold a richer concentration of attack-worthy data than most law firms or medical practices: TFNs, bank details, payroll files, BAS lodgement credentials, trust account balances, and SMSF records. The real threats are business email compromise during EOFY, ransomware on practice management servers, and departing staff exporting client lists. None of these are theoretical.

This is a security-focused post. If you want the broader operational picture, see our guide on IT support for Melbourne accounting firms. Here we’re staying in the security lane: the controls that actually matter, the regulators that actually audit, and the insurers that actually pay out.

What accounting firm data security actually means in 2026

The phrase gets thrown around loosely. For a Melbourne accounting firm with 5 to 50 staff, accounting firm data security is the set of technical and procedural controls that protect three asset categories: client financial records (tax returns, BAS, financial statements), authentication credentials to lodgement and banking platforms (myGovID, now myID, ATO Online Services for Agents, Xero, MYOB, bank portals), and trust account ledger data where applicable.

Three regulators care about how you handle this. The OAIC enforces the Privacy Act and the Australian Privacy Principles (APPs), with mandatory data breach notification under the Notifiable Data Breaches scheme. The Tax Practitioners Board (TPB) sets the Code of Professional Conduct, which includes obligations around confidentiality, conflict management, and reasonable care of client records. The ATO sets technical requirements for Online Services for Agents access, including a hard MFA requirement and operational security controls. If you handle SMSF audits or AFSL-adjacent work, ASIC and APRA obligations layer on top. AML/CTF accountants (tax agents providing designated services) sit under AUSTRAC.

The point: data security is not optional and it’s not just “an IT thing”. It’s a partnership-level risk that determines whether the firm keeps its registration, its PI insurance, and its clients.

Trust account protection: separation of duties at the IT level

Where firms hold trust money (commonly auditors, insolvency practitioners, and some tax practitioners with statutory deposits), the IT controls around the trust account need to mirror the financial controls. This is where most firms slip up. The bookkeeper has the trust account password saved in their browser, the principal “needs” override access, and there’s no audit trail when transfers happen out of hours.

What proper IT-level separation of duties looks like:

  • Dedicated identities for trust account access. Not a shared “office@” login. Each authorised person has their own credential.
  • Strong MFA on those identities. SMS codes are not sufficient for trust account roles. We deploy authenticator apps or FIDO2 keys; only the FIDO2 keys are hardware-backed and phishing-resistant.
  • Conditional access policies that restrict trust account portals to managed devices on Australian IP ranges. Travelling staff get a documented exception process, not a permanent bypass.
  • Privileged Access Management (PAM) so that the principal’s elevated access is granted only for the task at hand, requires a second approver and is logged. This sits under the Essential Eight’s Restrict Administrative Privileges strategy and it stops the most common trust account fraud vector: a single compromised principal account.
  • Immutable audit logging retained for seven years to align with TPB record-keeping requirements. Logs sitting on the same server as the data are not audit logs; they’re evidence the attacker will delete.

A Hawthorn accounting firm we onboarded last financial year had a single Office 365 account being used by three partners for trust correspondence. There was no MFA on it because “the partners share the phone code anyway”. Within two months of remediation we’d split it into three identities, deployed conditional access, and pushed audit logs into a separate tenant. Three weeks after that, one of the partner accounts had a credential-stuffing attempt from Eastern Europe. It was blocked at the conditional access policy and we had the full sign-in log to give to their cyber insurer.

Client data classification: not all client data is equal

One of the most useful exercises we run with new accounting firm clients is a data classification workshop. Most firms treat everything the same, which means either everything gets expensive top-tier protection (wasteful), or sensitive data gets the same controls as the office lunch roster (negligent).

A workable three-tier model:

| Tier | Examples | Required controls | Retention |
|---|---|---|---|
| Tier 1 — Highly sensitive | TFNs, bank credentials, SMSF documents, trust ledger, signed financial statements | Encryption at rest and in transit, MFA-gated access, DLP egress controls, full audit logging, restricted-share-only | 5–7 years per ATO/TPB rules |
| Tier 2 — Client confidential | Working papers, draft returns, engagement letters, correspondence | Encryption at rest, MFA, role-based access, standard audit logging | 5–7 years |
| Tier 3 — Internal/admin | Internal policies, marketing material, supplier invoices | Standard access controls, backup | Per business need |

Once classification is in place, the security tooling actually has something to enforce. Microsoft Purview Information Protection (or equivalent) can auto-label documents containing TFNs as Tier 1 and block them from being emailed to external addresses. Without classification, DLP rules are guesswork.

Business Email Compromise: the EOFY scenario

BEC is the dominant fraud threat against Melbourne accounting firms. Not ransomware. Not data theft for sale. Plain old “trick the bookkeeper into changing the bank account number on a supplier payment” fraud, weaponised around tax time when everyone is busy and inboxes are flooded.

The classic EOFY scenario: it’s late June, a senior accountant is finalising a client’s return. An email lands purporting to be from the client, sent from a lookalike domain (the legitimate domain is client-co.com.au, the fake is clientco-com.au). The email says “we’ve changed our bank for the refund — here’s the new account”. The accountant updates the ATO refund nomination. The refund — sometimes $40,000, sometimes $400,000 — lands in the fraudster’s account.

The other variant: the firm itself gets compromised. An attacker phishes a junior accountant, sits in their inbox for two weeks reading client conversations, then sends invoices for “outstanding fees” to clients from the legitimate firm address with the firm’s logo and the partner’s email signature. Clients pay. By the time anyone notices, the money is gone and the firm’s reputation is on the line.

Controls that actually stop this:

  • DMARC at policy p=reject. Stops your domain being spoofed. Most accounting firms we audit are still on p=none or have no DMARC record at all.
  • External email banners with prominent visual warning. Cheap. Works.
  • Mailbox audit logging turned on. Default in newer M365 tenants but not always enabled in older ones. Without it you cannot determine breach scope when the OAIC asks.
  • Inbox rule monitoring. Attackers create rules to auto-delete or forward security alerts. Alerting on new rule creation catches this within minutes.
  • Out-of-band verification for any bank account change. Written policy: bank detail changes require a phone call to a known number, never the number in the email.
  • Impossible-travel and risky-sign-in detection. If a Hawthorn-based accountant signs in from Lagos at 3am, the session should be blocked, not just flagged.
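Two of the controls above as code, added here as an example and not TechAssist tooling: a grader for a domain’s DMARC record, and a scorer for the inbox rules an attacker creates after compromising a mailbox. evaluate_dmarc() takes the TXT string you would fetch from _dmarc.<domain> (the DNS lookup is left out so this runs offline). suspicious_inbox_rules() expects records shaped like Search-UnifiedAuditLog output for New-InboxRule and Set-InboxRule (Operation, UserId, Parameters as Name/Value pairs); the audit records, domains and scoring weights are constructed for the example.

```python
"""Grade a DMARC record and score newly created inbox rules.

Added example, not TechAssist tooling. SAMPLE_AUDIT is constructed; the
weights in score_inbox_rule() are an assumption, tune them to your tenant.
"""
from typing import Optional

DMARC_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(txt: str) -> dict:
    """'v=DMARC1; p=reject; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'reject', ...}"""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(txt: Optional[str]) -> dict:
    """Pass only at p=reject, pct=100 and no weaker subdomain policy."""
    if not txt:
        return {"policy": None, "findings": ["no DMARC record published"], "passes": False}
    tags, findings = parse_dmarc(txt), []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("record does not start with v=DMARC1")
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        findings.append(f"p={policy}: spoofed mail is still delivered")
    raw_pct = tags.get("pct", "100")
    pct = int(raw_pct) if raw_pct.isdigit() else 0
    if pct < 100:
        findings.append(f"pct={raw_pct}: the policy applies to only part of failing mail")
    sub = tags.get("sp", policy).lower()
    if DMARC_RANK.get(sub, 0) < DMARC_RANK.get(policy, 0):
        findings.append(f"sp={sub} is weaker than p={policy}")
    if "rua" not in tags:
        findings.append("no rua= address, so nobody sees who is spoofing the domain")
    passes = policy == "reject" and pct == 100 and DMARC_RANK.get(sub, 0) == 2
    return {"policy": policy, "findings": findings, "passes": passes}


HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "conversation history",
                "junk email", "deleted items"}
FINANCE_WORDS = ("invoice", "payment", "bank", "remittance", "password", "mfa", "security")

SAMPLE_AUDIT = [  # constructed audit records
    {"Operation": "New-InboxRule", "UserId": "junior@example-acct.com.au",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;bank"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "pm@example-acct.com.au",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "partner@example-acct.com.au",
     "Parameters": [{"Name": "Identity", "Value": "Keep copy"},
                    {"Name": "ForwardTo",
                     "Value": "p.archive@webmail.example [SMTP:p.archive@webmail.example]"}]},
]


def score_inbox_rule(event: dict, internal_domains: set) -> tuple:
    """Points for what attackers do with rules: forward out of the tenant,
    delete or hide matching mail, filter on money words, throwaway names."""
    p = {x["Name"]: str(x["Value"]) for x in event.get("Parameters", [])}
    score, reasons = 0, []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        if key in p:
            # The audit log renders recipients as "addr [SMTP:addr]"; take the first address.
            domain = p[key].split()[0].rsplit("@", 1)[-1].lower()
            external = domain not in internal_domains
            score += 3 if external else 1
            reasons.append(f"{key} -> {domain} ({'external' if external else 'internal'})")
    if p.get("DeleteMessage", "").lower() == "true":
        score += 3
        reasons.append("deletes matching mail")
    if p.get("MoveToFolder", "").lower() in HIDE_FOLDERS:
        score += 2
        reasons.append(f"hides mail in {p['MoveToFolder']}")
    if p.get("MarkAsRead", "").lower() == "true":
        score += 1
        reasons.append("marks mail as read")
    words = (p.get("SubjectContainsWords", "") + ";" + p.get("BodyContainsWords", "")).lower()
    hits = [w for w in FINANCE_WORDS if w in words]
    if hits:
        score += 2
        reasons.append("filters on " + ", ".join(hits))
    name = p.get("Name", p.get("Identity", "")).strip()
    if len(name) <= 2:
        score += 2
        reasons.append(f"throwaway rule name {name!r}")
    return score, reasons


def suspicious_inbox_rules(events, internal_domains, threshold=3) -> list:
    """Flagged rule events, highest score first."""
    out = []
    for e in events:
        if e.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        score, reasons = score_inbox_rule(e, internal_domains)
        if score >= threshold:
            out.append({"user": e["UserId"], "operation": e["Operation"],
                        "score": score, "reasons": reasons})
    return sorted(out, key=lambda r: -r["score"])
```

Run the rule scorer against a scheduled pull of the last hour of audit records and page on anything at or above the threshold; the “Newsletters” rule scores zero, the junior’s delete-everything-about-invoices rule scores high, and the partner’s external forward trips on the forward alone, which is the point.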

For a deeper look at our broader posture, see our cybersecurity services for Melbourne businesses.

Xero, MYOB and QuickBooks integration security

Accounting software is the single most concentrated point of value in the firm. A compromised Xero Practice Manager session gives an attacker access to potentially hundreds of client files, bank feed credentials, and payroll data. Most firms underprotect this.

| Platform | Minimum security baseline | Recommended uplift |
|---|---|---|
| Xero Practice Manager / Xero HQ | MFA on every user, individual logins (no sharing), removed-staff offboarding within 24 hours | SSO via Microsoft Entra ID, conditional access, session timeout reduction, login alerts to security inbox |
| MYOB AccountRight / MYOB Practice | MFA enforced, role-based permissions reviewed quarterly | SSO integration, IP allow-listing where supported, regular audit log review |
| QuickBooks Online Accountant | MFA on master admin and all team members, no client-shared logins | Intuit SSO, custom user roles, integration audit (third-party app review) |
| ATO Online Services for Agents | myID (formerly myGovID) Standard or Strong identity strength, RAM permissions reviewed | Strong identity strength for all client-impacting operations, RAM authorisations reviewed quarterly, offboarding procedure for departing staff |

Two specific issues we see constantly: third-party app sprawl in Xero (every tool a previous staffer integrated still has API access years later), and ATO RAM permissions never being revoked when staff leave. The RAM one is particularly dangerous because a former employee with active RAM authorisation can still lodge BAS or update bank details on behalf of the firm’s clients.

Secure document portals for engagement letters and signed financials

Emailing signed engagement letters and PDF financial statements is still the default at most Melbourne firms. It shouldn’t be. The risks: email-in-transit interception is rare but possible; mailboxes are persistent attack targets, so signed docs sitting in Sent Items for years are loot for any future breach; and there’s no audit trail of who actually opened the document.

A proper secure portal (FuseDocs, Suralink, FYI Docs, Annature for signing, or Microsoft SharePoint with sensitivity labels) provides:

  • Encrypted upload and download with per-client access control
  • Audit trail showing who opened what and when
  • Document expiry — links don’t live forever
  • MFA on client access (not always implemented by default, ask)
  • Watermarking for sensitive financial statements

The compliance angle: if a client engagement letter is breached via your unsecured email channel, the OAIC will ask why you didn’t use available technical controls. “It’s how we’ve always done it” is not a defensible answer under APP 11.

Backup strategy: 3-2-1-1-0 for accounting data

Backup for accounting firms isn’t about RTO bragging rights. It’s about whether you can restore a client’s 2024 working papers when the ATO audits them in 2028, and whether you can do that after a ransomware event without paying. We won’t repeat the whole rule here — read our detailed breakdown in why the 3-2-1 backup rule is not enough in 2026.

What’s specific to accounting firms:

  • Practice management database backups need to capture the full database, not just user documents. APS, CCH iFirm, Xero Practice Manager (where applicable), HandiSoft — each has its own backup procedure and most need scheduled exports beyond what the vendor provides by default.
  • Workpaper retention beyond active client period. A client who leaves in 2026 still needs their 2024–25 records retained until at least 2030 for ATO purposes. That data must be on backup, not just on the departed-clients folder of a single fileserver.
  • Immutable backups — the “1” in 3-2-1-1-0. Ransomware variants in 2025 routinely targeted backup repositories first. Immutability prevents the attacker from deleting your last lifeline.
  • Tested restores — the “0” errors. We test client restores quarterly for accounting clients. The number of firms that discover their backups have been silently failing for six months is depressing.

For backup and recovery specifically, see our data backup and recovery service page.

Insider threat: departing staff with client data

This is the one nobody wants to talk about. The single most common data loss event at an accounting firm isn’t a hacker — it’s an accountant taking client contact details, working papers, or template documents on their way out the door, often to a competing firm or to set up their own practice.

The controls:

  • USB and removable media controls via endpoint policy. Disabled by default, with documented exception process.
  • Cloud egress controls — blocking personal OneDrive, Dropbox, Google Drive sign-in from work devices. Microsoft Defender for Cloud Apps does this well.
  • Email auto-forwarding rules disabled at tenant level and alerted on creation.
  • Print logging — yes, this still matters. Accountants print client lists.
  • Formal offboarding checklist — credentials revoked same day, RAM permissions removed, Xero access removed, mobile devices wiped, signed declaration that no firm data is retained.
  • UEBA (User and Entity Behaviour Analytics) — detecting unusual download volumes by users in their final two weeks. We’ve caught two departing senior accountants this way in the past 18 months.
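The UEBA check in the last bullet reduced to its core, added here as an example and not TechAssist tooling or any vendor’s product: per-user daily download counts from SharePoint and OneDrive audit events, a rolling baseline of the previous fourteen days, and an alert when a day exceeds the baseline by three standard deviations and an absolute floor, with the floor halved for staff who have given notice. It assumes Microsoft 365 unified audit log records (Operation "FileDownloaded", UserId, CreationTime as ISO 8601); the events, users and leavers list are constructed.

```python
"""Flag users whose daily file-download count spikes against their own baseline.

Added example, not TechAssist tooling. Assumes Microsoft 365 unified audit log
SharePoint/OneDrive records. SAMPLE_EVENTS and the leavers list are constructed.
"""
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta
from statistics import mean, pstdev


def daily_downloads(events) -> dict:
    """{user: Counter({day: downloads})}, ignoring every other operation."""
    counts = defaultdict(Counter)
    for e in events:
        if e.get("Operation") == "FileDownloaded":
            counts[e["UserId"]][datetime.fromisoformat(e["CreationTime"]).date()] += 1
    return counts


def download_spikes(events, leavers=(), baseline_days=14, sigma=3.0, floor=50) -> list:
    """(user, day, count, baseline_mean, reason) for each day a user's downloads
    exceed mean + sigma*stddev of their previous `baseline_days` days AND a floor.
    The floor stops a quiet user tripping on three files; users who have given
    notice (`leavers`) get half the floor, because a departing accountant's
    final fortnight is exactly what this is looking for."""
    leavers = set(leavers)
    alerts = []
    for user, per_day in daily_downloads(events).items():
        first, last = min(per_day), max(per_day)
        # Walk every calendar day so zero-download days count in the baseline.
        days = [first + timedelta(n) for n in range((last - first).days + 1)]
        series = [per_day.get(d, 0) for d in days]
        user_floor = floor // 2 if user in leavers else floor
        for i in range(baseline_days, len(days)):
            window = series[i - baseline_days:i]
            mu, sd = mean(window), pstdev(window)
            if series[i] > max(mu + sigma * sd, user_floor):
                alerts.append((user, days[i], series[i], round(mu, 1),
                               "leaver" if user in leavers else "baseline"))
    return alerts


def _constructed_events() -> list:
    """Three users at five downloads a day for three weeks, then a modest
    spike from someone on notice and a large one from a colleague who is not."""
    events, start = [], date(2026, 5, 1)
    spikes = {"steady@example-acct.com.au": {},
              "leaving@example-acct.com.au": {20: 30},
              "quiet@example-acct.com.au": {20: 120}}
    for user, on_day in spikes.items():
        for n in range(21):
            day = start + timedelta(days=n)
            for k in range(on_day.get(n, 5)):
                events.append({"Operation": "FileDownloaded", "UserId": user,
                               "CreationTime": f"{day.isoformat()}T{9 + k % 8:02d}:{k % 60:02d}:00"})
    # A read-only access event, to show the operation filter in daily_downloads().
    events.append({"Operation": "FileAccessed", "UserId": "quiet@example-acct.com.au",
                   "CreationTime": "2026-05-21T10:00:00"})
    return events


SAMPLE_EVENTS = _constructed_events()

if __name__ == "__main__":
    for alert in download_spikes(SAMPLE_EVENTS, leavers={"leaving@example-acct.com.au"}):
        print(alert)
```

The leavers list is the part that matters operationally: HR tells IT the day notice is given, the threshold drops for that user immediately, and a thirty-file afternoon that would be normal for a busy senior gets looked at before the last day, not after.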

Essential Eight non-negotiables for accounting firms

The Essential Eight is the ASD/ACSC’s mitigation strategy framework. For accounting firms, we treat Maturity Level One as table stakes and push toward Maturity Level Two for firms with trust account or SMSF audit exposure. Full breakdown on our Essential Eight compliance page.

| Essential Eight control | Accounting firm priority | Common gap |
|---|---|---|
| Application control | High — stops ransomware execution | Not deployed; relying on AV alone |
| Patch applications | High — practice software is a top target | APS, CCH and HandiSoft updates deferred for “stability” |
| Configure Microsoft Office macro settings | High — spreadsheet macros are an active attack vector | Macros enabled tenant-wide for “convenience” |
| User application hardening | Medium — reduces browser-based attack surface | Java, Flash legacy plugins still installed |
| Restrict administrative privileges | Critical — principals running as local admin is the norm | Daily-use accounts have admin rights |
| Patch operating systems | High | Windows 10 machines past EOL still in use |
| Multi-factor authentication | Critical — every system, every user | MFA on M365 only, not on Xero/MYOB/banking |
| Regular backups | Critical — see backup section above | Untested restores, no immutability |

You can self-assess to Maturity Level One in a workshop. Maturity Level Two requires technical configuration that most firms don’t have in-house. We help firms close the gap as part of our security and compliance service.

Cyber insurance requirements: what your insurer actually checks

Cyber insurance renewal questionnaires in 2026 are not the box-ticking exercise they were in 2021. Insurers now require evidence — not attestation — for the controls that drive their loss ratios. If you sign the questionnaire claiming you have MFA on all admin accounts and you don’t, you’ve given the insurer grounds to decline the claim. We’ve seen it happen.

What every Australian cyber insurance application we’ve seen in the last 12 months requires:

  • MFA evidence — screenshots of MFA enforcement policy, list of accounts covered, exception register
  • EDR/endpoint security — name of product, coverage percentage, last quarterly review
  • Backup proof — last successful restore test date, immutability configuration, offsite copy verification
  • Email security — DMARC policy state, anti-phishing platform, user training cadence
  • Privileged access — separation of admin accounts, no shared credentials, just-in-time elevation
  • Incident response — documented IR plan, named IR provider on retainer, tabletop exercise within last 12 months
  • Vulnerability management — patch cadence, vulnerability scanning evidence

Firms that can’t demonstrate these are either declined or quoted with sub-limits that make the policy near-useless for ransomware (e.g., $50,000 sub-limit on a $5m policy). For accounting firms that means ransomware recovery comes out of partnership cash.

How TechAssist works with Melbourne accounting firms

We’re a Melbourne MSP with 13 Australian-employed engineers, a 24/7 NOC, sub-15-minute response on critical-severity tickets, and Essential Eight-aligned standard builds. We’re ISO 27001 capable, which matters when your professional indemnity insurer or your largest audit clients ask about your supply chain. We work with accounting practices from Hawthorn, Camberwell, Box Hill, South Yarra and across metro Melbourne.

For accounting firms specifically, our standard onboarding includes a security baseline assessment against Essential Eight, MFA rollout across every business-critical system (not just M365), backup architecture review against the 3-2-1-1-0 standard, and a documented cyber insurance evidence pack so renewal is straightforward rather than terrifying.

FAQ

Do we need ISO 27001 certification as an accounting firm?

Almost certainly not — and the cost of full certification (typically $40,000 to $80,000 over two years for a firm your size) is rarely justified unless you’re servicing ASX-listed audit clients or government work that mandates it. What you do need is the substance of an Information Security Management System: documented policies, risk register, access reviews, incident response plan, supplier risk assessments. We deliver that without the certification overhead for most accounting clients. If a tender or major client actually requires ISO 27001, we’ll get you there; otherwise, the Essential Eight at Maturity Level Two delivers more practical security per dollar.

Is MFA enough?

No. MFA is necessary, not sufficient. MFA stops the majority of credential-based attacks but does nothing about endpoint compromise, malicious insider activity, attacker-in-the-middle phishing kits (which relay the live session and bypass any MFA that is not phishing-resistant), or ransomware delivered via supply chain. Treat MFA as the foundation and build EDR, application control, backup immutability, and email authentication (DMARC) on top. For high-risk roles like principals and trust account signatories, move to phishing-resistant MFA — FIDO2 hardware keys or platform passkeys.

What does our cyber insurer actually require?

Each insurer differs, but the consistent minimum is: MFA on all remote access and admin accounts, EDR (not just AV) on all endpoints, immutable or air-gapped backups with documented restore tests, DMARC and email filtering, a written incident response plan, and security awareness training at least annually. The insurer will ask for evidence at renewal and after any claim. Firms that produced evidence pre-incident settled claims significantly faster than firms that scrambled to assemble it post-incident — and several firms in the past two years had claims declined because their stated controls didn’t match reality.

How long should we retain client data after the engagement ends?

The minimum is generally five years from the date the relevant transaction or act was completed, per ATO record-keeping rules, but TPB obligations and Limitation of Actions Act 1958 (Vic) considerations often push this to seven years. For SMSF and audit work, retention can be longer. The IT implication is that “departed client” data still needs to be on protected, backed-up storage — not a USB drive in the partner’s bottom drawer.

What’s the single biggest security gap you see at Melbourne accounting firms?

Shared logins. A senior partner’s M365 credentials shared with two other staff “for convenience”. Trust account portal credentials in a shared password manager folder. ATO Online Services accessed via a colleague’s myGovID because their own setup is “still being sorted”. This is the gap that causes the most regulatory pain when a breach occurs, because you cannot prove who did what. Individual identities with MFA, full audit logging, and a real offboarding process fixes it.

Next steps

If you’re a partner or principal at a Melbourne accounting firm and you want a frank assessment of where your security sits against Essential Eight, TPB expectations, and current cyber insurance requirements, get in touch via our contact page. The first conversation is a security posture review — no obligation, no sales pitch dressed as a free audit. We tell you what’s actually exposed and what to fix first.
