
The Most Common Excuses Professional Service Firms Give for Weak Cybersecurity (And Why They Don’t Hold Up)

August 21, 2025 · 3 min read

I talk with a lot of business leaders—partners in accounting firms, managing attorneys, practice managers in healthcare—and I hear the same reasons over and over for not tightening up cybersecurity, compliance, or cyber liability insurance.

The problem? These excuses don’t stand up. And in your world—where client trust is everything—the fallout from getting it wrong is bigger than you think.


1. “We’re too small. Hackers don’t care about us.”

Accounting firms, law offices, and medical practices are exactly the size attackers love. Why? You hold extremely valuable data (financial records, client files, patient information) but don’t always have enterprise-level defenses. One compromised account could put your entire client base at risk.


2. “My insurance will pay if we’re hacked.”

Most carriers now require you to prove security controls like MFA, encrypted backups, and documented policies. If you don’t have them, you may face denied claims, reduced coverage, or skyrocketing premiums. Your clients expect you to have cyber liability insurance that actually works—not a policy full of loopholes.


3. “No one really checks those questionnaires.”

They do. Insurance carriers are scrutinizing questionnaire answers more closely, and an answer that turns out to be false when a claim is filed can be grounds for denying it. Regulators are tightening enforcement: HHS for HIPAA, the IRS for tax preparers, and state bar associations for law firms. Even clients are sending more detailed vendor security questionnaires before they'll sign contracts. Fudging your answers could mean denied claims, or lost business.


4. “Our EMR / PMS / LMS is in the cloud, so we don’t have to worry.”

Cloud vendors secure their infrastructure. But your firm is still responsible for securing access to those systems: who has accounts, whether MFA is enforced, what permissions each user holds, and whether anyone reviews the access logs. If an employee falls for a phishing email, if MFA isn't in place, or if you store files outside of the SaaS platform (think downloads, local copies, email attachments), your client data is exposed and the vendor's controls no longer apply to it. Cloud doesn't mean "covered"; it means shared responsibility.


5. “We already have antivirus and backups. That’s enough.”

Not anymore. Ransomware attackers specifically target backups: if the backup copies are online and reachable with the same credentials as the rest of the network, they get encrypted or deleted along with everything else, so you need at least one offline or immutable copy and a restore you have actually tested. And most of today's phishing steals credentials or session tokens rather than dropping malware, so basic antivirus never sees it. A professional services firm needs layered protections: MFA for remote access and email, encryption, endpoint detection and response, secure email, and regular patching.


6. “We’ve never had a problem before.”

Neither had most firms—until the day it happened. For professional service businesses, the first incident is usually the last straw for clients. They won’t wait around while you recover—they’ll move on to someone they trust.


7. “We don’t have the budget right now.”

Understandable, but let’s compare. Investing in security and compliance might be a line item in this year’s budget. A breach could mean regulatory fines, lawsuits, lost clients, and months of downtime. Which is more expensive?


8. “Compliance is just a box to check.”

HIPAA, IRS Pub. 4557, state bar rules, and frameworks like CIS Controls are not just paperwork. They’re the foundation of protecting sensitive information. Getting them right shows clients you take their trust seriously. Cutting corners tells them the opposite.


9. “Our IT provider has it covered.”

A good IT partner is essential—but security is a shared responsibility. Your firm still needs policies, training, executive oversight, and proof of compliance. Regulators and insurers don’t just want to see IT’s work—they want leadership’s involvement.


The Bottom Line

Your clients trust you with their most sensitive information. They expect you to handle it with the same care you put into your professional work.

Cybersecurity, compliance, and insurance aren’t “nice-to-haves” anymore—they’re part of being a credible, trustworthy firm in 2025.

The excuses are easy. The consequences—lost clients, denied claims, regulatory fines—are not.


👉 If you’ve been putting this off, now’s the time to get ahead. Let’s talk about how to build cybersecurity, compliance, and insurance into your firm’s overall strategy—so you can focus on clients, not damage control.

#CyberSecurity #Compliance #SmarterBusiness #BigWaterTech #KeepITSimple

John Lowery

John Lowery is the CEO of BigWater Technologies, where he leads with a passion for innovation and excellence in delivering advanced IT solutions. With over two decades of experience in the tech industry, John specializes in strategic planning, operational efficiency, and driving customer success.

