Accounting Firm Cybersecurity - 2026 Guide

Polish accounting firm cybersecurity rests on six foundations: MFA on every e-Tax Office (eUS), KSeF, and ERP account (Comarch Optima, Enova365, Symfonia); offline-capable backup of the client database; network segmentation; routine patching; BEC- and phishing-focused team training; and one external vulnerability assessment per year - preferably outside tax season. 43% of breaches target firms under 1,000 staff (Verizon DBIR 2024), and Polish accounting firms are especially exposed due to the client-multiplier effect.

1. Why accounting firms are targeted

Client multiplier. One breach of the firm means access to the financial data of 20-200 clients. Attackers prefer targets that open many books in one move. From the attacker’s economic perspective, an accounting firm is a “collector node” worth multiples of an individual SMB.

Seasonality. Polish statutory deadlines (VAT on the 25th of each month, PIT 30 April, CIT 31 March, JPK, KSeF) create pressure windows. At the end of March an accountant under deadline pressure will sign almost anything. Attackers know this and time their campaigns accordingly.

BEC is unusually effective. Accountants authorize client transfers every day. One spoofed “client CEO” email asking for an urgent wire to a new supplier account means real money lost. FBI IC3 reported USD 2.9B in global BEC losses for 2023; Polish accounting firms are over-represented in that statistic.

The multiplier nature of risk means an accounting firm should run higher cyber hygiene than its average client. The client has one bank account - the firm has fifty.

2. Three defence layers - applied to the accounting firm

Layer 1 - Access to fiscal systems

MFA on eUS and KSeF (highest priority - holds JPK, tax declarations, client proxies). MFA on Comarch Optima, Enova365, Symfonia. Separate logins for each accountant and clerk - no shared “accountant@firm.pl”. Audit log in the ERP shows who authorized every document. Vendor patches: Comarch typically mid-month; Symfonia (Sage) similar - test on a backup copy, deploy outside business hours.

Layer 2 - Client data

3-2-1 backup of ERP databases, JPK archive, PDF document archive, client correspondence. Local NAS + immutable cloud (S3 Object Lock) + offline rotating copy. RPO ≤24h, RTO ≤48h. Monthly restore test for one client database. BitLocker at rest on every workstation. Database encryption in the ERP where the vendor supports it. Segmented client VPN access - one compromised client cannot reach another.
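A check of the Layer 2 targets (three copies, two media, one offsite, one immutable, RPO ≤24h, RTO ≤48h, monthly restore test) run over a constructed backup inventory. This is an added example, not code from the page or from any backup vendor; the inventory rows, timestamps and field names are assumptions.

```python
"""Check a backup inventory for one client ERP database against the 3-2-1 rule,
RPO <= 24h, RTO <= 48h and the monthly restore test (added example, constructed data)."""
from datetime import datetime, timedelta

RPO = timedelta(hours=24)                   # newest copy must be at most this old
RTO = timedelta(hours=48)                   # last measured restore must finish within this
RESTORE_TEST_INTERVAL = timedelta(days=31)  # "monthly restore test"

# Constructed inventory (not real data): one row per copy of the same database.
BACKUP_COPIES = [
    {"medium": "nas",   "offsite": False, "immutable": False, "taken": "2026-06-10T23:00"},
    {"medium": "cloud", "offsite": True,  "immutable": True,  "taken": "2026-06-10T23:30"},
    {"medium": "usb",   "offsite": True,  "immutable": False, "taken": "2026-06-05T18:00"},
]


def check_backups(copies, now_iso, last_restore_iso, restore_hours):
    """Return a list of findings; an empty list means every target above is met.

    now_iso / last_restore_iso are ISO timestamps, restore_hours is the duration of
    the last restore test in hours."""
    if not copies:
        return ["no backup copies at all"]
    now = datetime.fromisoformat(now_iso)
    last_restore = datetime.fromisoformat(last_restore_iso)
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, 3-2-1 needs three")
    if len({c["medium"] for c in copies}) < 2:
        findings.append("all copies on one medium, 3-2-1 needs two")
    if not any(c["offsite"] for c in copies):
        findings.append("no offsite copy")
    if not any(c["immutable"] for c in copies):
        findings.append("no immutable copy, ransomware can encrypt or delete every backup")
    newest = max(datetime.fromisoformat(c["taken"]) for c in copies)
    age_hours = (now - newest).total_seconds() / 3600
    if now - newest > RPO:
        findings.append(f"newest copy is {age_hours:.0f}h old, RPO is 24h")
    if timedelta(hours=restore_hours) > RTO:
        findings.append(f"last restore took {restore_hours}h, RTO is 48h")
    if now - last_restore > RESTORE_TEST_INTERVAL:
        findings.append("no restore test in the last month")
    return findings
```

Run it from a cron job against the real inventory and alert on a non-empty list; the one-line summary is enough for the firm owner, who does not need to read the NAS logs.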

Layer 3 - BEC and phishing defence

SPF + DKIM + DMARC on the firm domain (p=none → p=reject over 4-8 weeks). Written second-channel verification procedure for any supplier-account change, urgent transfer, or “from CEO” instruction. 3-hour annual team training covering BEC recognition, eUS/KSeF/ZUS phishing patterns, password and MFA hygiene, post-incident steps, plus a final simulated phishing test. Monthly phishing simulations with a <5% click-rate goal over 12 months. In 2026: AI voice deepfakes targeting the receptionist - defence is the same as for email (second-channel verification, pre-agreed passphrase).
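A parser and grader for the DMARC TXT record, covering the three rollout stages named above (p=none, then p=quarantine, then p=reject). This is an added example, not the page's own tooling; the three sample records and the reporting address are constructed.

```python
"""Parse a DMARC TXT record and grade it against the staged
p=none -> p=quarantine -> p=reject rollout (added example, constructed records)."""

# Constructed records for the three stages of the rollout (not real DNS data).
STAGE_NONE = "v=DMARC1; p=none; rua=mailto:dmarc@firm.example; fo=1"
STAGE_QUARANTINE = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@firm.example"
STAGE_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@firm.example; adkim=s; aspf=s"


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; raise on a record that is not DMARC."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record does not start with v=DMARC1")
    return tags


def assess_dmarc(record: str) -> list:
    """Return findings for a record; an empty list means the target state (p=reject) is reached."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none: spoofed mail from the firm domain is reported, never blocked")
    elif policy == "quarantine":
        findings.append("p=quarantine: interim stage, move to p=reject once reports are clean")
    if policy != "none" and int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail flow")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected, rollout cannot be verified")
    if policy != "none" and tags.get("sp", policy) == "none":
        findings.append("sp=none: subdomains remain unprotected")
    return findings
```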

3. Compliance specifics

Dual GDPR role. The firm is simultaneously controller (own staff data, sales contacts) and processor (client data under Article 28 DPA). Two parallel data-protection regimes under one roof.

Article 28 DPAs with every client. Purpose and scope, categories of subjects, technical measures, sub-processing, audit rights, retention, breach-notification timing.

Polish accountant professional secrecy. SKwP (Polish Accountants Association) Code of Ethics imposes a separate confidentiality duty - parallel to GDPR.

Retention rules. Tax Ordinance: 5 years for accounting records; Labour Code: 10 years for personnel files (50 years for some pre-2019 employees). Deletion policies must respect both - too early breaks tax law, too late breaks GDPR.

NIS2 - usually not applicable. Bookkeeping is not in UKSC Annex I or II. Exception: if you are a critical ICT provider for an essential entity, the client may impose contractual cyber clauses. Scope test in the NIS2/UKSC pillar.

4. Vendor stack: Comarch, Enova, Symfonia

Comarch Optima / ERP XL - most common Polish accounting platform. MFA in Optima 2023+. Monthly patches; subscribe to vendor CVE alerts. Risk: legacy XL installs on outdated Windows Server.

Enova365 (Soneta) - second most common. Cloud-native option (Enova Cloud) with built-in MFA; optional MFA on-premise.

Symfonia (Sage) - third place. Three tiers (ERP, Mała Księgowość, Premium). MFA available; Sage maintenance schedule.

Insert, iFirma, InfaktPro - smaller-segment / SaaS for micro-firms. MFA built in; risk shifts to the cloud DPA under Article 28.

Regardless of choice: MFA on the main account + MFA per proxy user, scheduled updates, audit log enabled, strong-password policy.

5. Budget

Annual ranges, 5-25 person firm, 20-100 clients, 2026 PLN, gross:

  • 0-1K: free MFA, SPF/DKIM/DMARC, BitLocker, written policy.
  • 1-5K: Microsoft 365 Business Premium with EDR, 4-bay NAS one-time, immutable cloud backup, managed DMARC.
  • 5-15K: annual CyberAudyt CyberCerber (see pricing), professional phishing simulator, cyber insurance 3-10K.
  • 15-30K: retained SOC, annual penetration test, DPO outsourcing 800-2,500 PLN/month, ISO 27001 if corporate clients require it.

One successful BEC at a mid-portfolio firm: PLN 50-300K plus reputation damage. First implementation wave (Weeks 1-12): PLN 5-15K.

6. 30-60-90 day plan - tax-season-aware

Weeks 1-2 (outside tax season - June/July/August/October): Account inventory, MFA on eUS, KSeF, ZUS PUE, ERP, banking. Avoid March, April, January, and days 23-25 of any month.

Weeks 3-4: 3-2-1 backup of ERP database, JPK archive, PDFs. Restore test. BitLocker. Firm password manager (Bitwarden Teams).

Weeks 5-8: SPF + DKIM + DMARC to p=reject. Written transfer-verification procedure. 3-hour team training. Baseline phishing simulation.

Weeks 9-12: External vulnerability assessment (CyberAudyt CyberCerber). Remediation of critical findings in 7 days. Annual audit on the calendar.
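The scheduling rule of the plan above (no rollout step in January, March or April, and none on days 23-25 of any month) turned into a small date finder. This is an added example rather than part of the page; the labels attached to the blackout months are taken from the deadlines listed in section 1, and the 400-day search limit is an assumption.

```python
"""Find the earliest start date from which a rollout step of N consecutive days
stays outside the tax-season blackout windows (added example)."""
from __future__ import annotations
from datetime import date, timedelta

BLACKOUT_MONTHS = {1: "January", 3: "March (CIT 31 March)", 4: "April (PIT 30 April)"}
BLACKOUT_DAYS = range(23, 26)   # days 23-25 of every month: VAT/JPK due on the 25th
MAX_WINDOW = 27                 # longest clear run that exists between two VAT windows


def blackout_reason(iso_day: str) -> str | None:
    """Return why the day is blocked, or None if it is a safe day for a rollout step."""
    d = date.fromisoformat(iso_day)
    if d.month in BLACKOUT_MONTHS:
        return f"{BLACKOUT_MONTHS[d.month]} is tax season"
    if d.day in BLACKOUT_DAYS:
        return "days 23-25: monthly VAT deadline window"
    return None


def next_safe_window(start_iso: str, days_needed: int) -> str:
    """Earliest date >= start_iso such that days_needed consecutive days are all clear."""
    if not 1 <= days_needed <= MAX_WINDOW:
        raise ValueError(f"no clear run longer than {MAX_WINDOW} days exists")
    d = date.fromisoformat(start_iso)
    for _ in range(400):  # assumed search limit, well over a full deadline cycle
        run = (d + timedelta(days=i) for i in range(days_needed))
        if all(blackout_reason(x.isoformat()) is None for x in run):
            return d.isoformat()
        d += timedelta(days=1)
    raise RuntimeError("no window found within 400 days")
```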

7. CyberCerber for accounting firms

Fixed-price external vulnerability assessment for Polish SMB accounting firms. Polish-language report - readable by the firm owner and head accountant. Scheduling outside tax season. Three products: PreScan (free diagnostic in 24h), CyberAudyt (full vulnerability assessment, report in 5 business days), Pentest (for firms with corporate-client or regulatory requirements). Guarantee on CyberAudyt: if the report does not surface at least three actionable findings, full refund.