Cybersecurity for the Small Practice: What SARS, POPIA, and Your PI Insurer Expect When You Hold Client Data
This article will count 0.25 units (15 minutes) of unverifiable CPD. Remember to log these units under your membership profile.
You store your clients' bank statements, tax numbers, payslips, and ID documents on your laptop. Maybe in a WhatsApp chat. Maybe in a shared Google Drive folder with a password that's been the same since 2018.
If a hacker gets in — or your laptop gets stolen — you're not just losing data. You're facing a POPIA complaint, a SARS query, and a PI insurer who might not pay out.
This isn't a threat. It's the reality of running a small practice in 2025. And the good news? Fixing it doesn't require an IT degree. It requires a checklist and about two focused afternoons.
Let's go.
Why This Suddenly Matters More Than It Did Before
Three things have changed in the last two years.
POPIA is now being enforced. The Information Regulator has real teeth. Fines of up to R10 million are possible for serious breaches. Small practices are not exempt — if you hold personal information about a natural person (that's every individual client you've ever had), POPIA applies to you.
SARS wants your systems clean. SARS has made clear that registered tax practitioners are expected to maintain secure recordkeeping. If your client data is compromised and a fraudulent return is filed in their name, you could be held professionally responsible — especially if you can't demonstrate you had proper safeguards in place.
Your PI insurer is reading the fine print. Professional Indemnity insurance covers you when a client suffers a loss due to your error or negligence. But most PI policies now include cyber-related exclusions or sub-limits. If you suffer a breach and you haven't taken basic precautions, your insurer may reject the claim. That's a gap that can end a practice.
What "Personal Information" Actually Means Under POPIA
This is where many practitioners get caught out. They assume POPIA only covers sensitive medical records or big corporate databases.
It doesn't.
Under POPIA, personal information includes: full name and ID number, contact details, financial information, tax number, employment history, and any other information that can identify a living person.
In plain terms: every single client file in your practice is regulated personal information. Every payslip you processed. Every bank statement you used to prepare a set of accounts. Every email with a client's salary details.
You are a data operator under POPIA. This is not optional. And it comes with obligations.
The No-Jargon Checklist
Work through this list. Tick what you have. Fix what you don't.
🔐 Section 1: Access Controls (Who Can Get In?)
Your laptop and phone have passwords or PINs. If someone steals your device, they shouldn't be able to open it and walk straight into your client files.
You use a password manager. One strong, unique password per service. Not "Password1!" everywhere. Tools like Bitwarden (free) or 1Password make this painless.
Two-factor authentication (2FA) is on your email and accounting software. This means even if someone gets your password, they still can't get in without a second code. It takes 5 minutes to set up.
You have a separate email for client work. Using your personal Gmail for all client correspondence is a risk. A dedicated professional email with 2FA is better.
Former staff or partners no longer have access to your systems. Check shared drives, accounting software logins, and email forwards.
🗂️ Section 2: Data Storage (Where Does It All Live?)
You know exactly where client data is stored. Laptop? Cloud? External hard drive? WhatsApp? Telegram? All of the above? Make a list. You cannot protect what you haven't mapped.
Client data is not stored in personal WhatsApp or SMS threads indefinitely. WhatsApp is end-to-end encrypted in transit, but not at rest on your device. Use it to receive documents, then move them into your proper client storage and delete the copy in the chat.
You use a cloud storage provider with encryption. Google Drive, Dropbox Business, and OneDrive all encrypt data at rest. Free personal accounts offer less protection than business accounts.
Sensitive documents are not sitting in your Downloads folder for years. Clean up. Organise. Archive securely.
You have a backup. A separate backup. Not just the original. The 3-2-1 rule: 3 copies, 2 different media, 1 offsite (or cloud).
📋 Section 3: POPIA Compliance Basics
You have a POPIA Privacy Policy. If you have a website, you need one. Even without a website, you should be able to show what data you collect and why. Templates are available — there is no reason not to have one.
You only keep client data for as long as you need it. SARS requires you to keep records for 5 years after the relevant tax period. After that, you should have a process to securely destroy old records.
You have a process if a breach happens. POPIA requires you to notify the Information Regulator and affected clients if a breach is likely to affect them. You need to know what you'd do — and who you'd call — before it happens, not after.
You have a data processing agreement with any third-party tools you use. If your payroll software, accounting platform, or cloud provider processes your clients' personal data, they are a "responsible party" too under POPIA. Check that they have a privacy policy and that you've agreed to their data processing terms.
You have a PAIA Manual (if required). Businesses with 50+ staff need one by law. If you're a sole practitioner, it's still best practice to have a basic version.
🛡️ Section 4: What Your PI Insurer Expects
You have reviewed your PI policy's cyber exclusions. Read the policy. Look for "cyber event", "data breach", or "privacy liability" clauses. Know what is and isn't covered.
You have considered a cyber liability add-on. Standard PI policies often exclude first-party losses from cyber incidents. A cyber liability extension (increasingly available and affordable) covers notification costs, data recovery, and third-party claims.
You can show due diligence. If you ever need to claim after a breach, your insurer will ask what precautions you had in place. This checklist — completed and documented — is your answer.
🖥️ Section 5: The Basics You Still Might Be Skipping
Your operating system and software are up to date. Most hacks exploit known vulnerabilities. Updates patch them. Yes, it's that simple — and that important.
You have reputable antivirus software installed. Windows Defender (built into Windows 10/11) is actually decent. But it must be active and updated.
You do not use public Wi-Fi for client work without a VPN. Coffee shop Wi-Fi is not safe for sending financial data. A VPN (Virtual Private Network) encrypts your traffic between your device and the VPN provider, so nobody else on that Wi-Fi can read it. It costs less than your monthly coffee spend.
You can recognise a phishing email. Hackers are targeting accountants specifically — because accountants have access to client financial systems. If an email asks you to click a link and log in somewhere, stop and verify. Call the person. Don't just click.
The Bottom Line
You are not just an accountant. You are a data custodian. Your clients trusted you with information that could ruin them if it fell into the wrong hands.
SARS, POPIA, and your PI insurer all expect the same thing: that you took the matter seriously and put basic safeguards in place.
The practitioners who get caught out aren't careless people. They're busy people who assumed cybersecurity was a big-business problem. It isn't anymore.
Complete this checklist. Document what you've done. Review it once a year.
You are already doing the hard work of keeping your clients financially compliant and commercially sound. Protecting their data is part of that work now.
The profession depends on practices like yours. Make sure yours is protected.