
KVKK and Cyber Security for Accounting Firms in Türkiye

Xen Bilişim (General)

Have you ever counted how many people’s data sits on a single accounting firm’s server? A mid-sized practice with a hundred clients holds, for each one, employee payrolls, national ID numbers (TCKN), social-security filings (SGK), bank statements and tax-portal credentials. The most sensitive records of thousands of people, usually on one Windows server, and often without a clean backup.

That is exactly why accounting offices (in Türkiye, the mali müşavir / SMMM firms) are a “small but high-value” target for ransomware crews. In one reported Turkish case, an attacker using the alias “AtSeverse” — later caught by police — ran the Mimic ransomware specifically against accountants; one victim paid 7,000 euros to get the data back. The logic is simple: strike during tax-filing season, encrypt the server, and negotiate while the client panics about missing the deadline with the tax authority (GİB).

Why an Accountant Counts as a “Data Controller”

Under KVKK — Türkiye’s personal data protection law, the local equivalent of the GDPR — an accountant wears two hats. For their own staff files, office CCTV and internal records they are a data controller (veri sorumlusu). When keeping a client’s books or running payroll, they usually act as a data processor (veri işleyen) on the client’s behalf. Both roles create obligations, and in both the party that failed to take technical measures stands alone before the Authority.

One distinction matters in practice. Even if the client is the data controller, if the data is processed on your server then protecting it is technically your responsibility. After a leak, the Authority turns to the firm with “the processor failed to take adequate measures.” Without a written data processing agreement between you and the client, the boundary of liability stays blurry too.

The VERBİS Deadline Is 5 June 2026

There is a current date you cannot afford to miss. By the Authority’s decision of 13 May 2026, the deadline for legal entities (corporate taxpayers) that exceeded the 2025 financial-balance threshold to register and notify VERBİS — the national data controllers’ registry — was extended to Friday, 5 June 2026. A good share of accounting firms structured as limited or joint-stock companies may fall within this scope.

The VERBİS exemption still exists: businesses with annual net sales under 2.5 million TL and fewer than 50 employees are exempt from registration. But the exemption only removes the registry entry. The duty to inform data subjects, to obtain explicit consent, and to secure data applies to every firm. “We’re small, nothing will happen to us” is, unfortunately, a comfort with no support in the Authority’s decisions.

When a Breach Hits: the 72-Hour Clock

The moment you suffer a leak, the clock starts. Under the Authority’s decision 2019/10, you must notify the Authority within 72 hours at the latest of becoming aware of the breach. Affected individuals must be told within “the shortest reasonable time.”

The most common mistake I see in the field is squandering that window. The owner loses two days trying to “handle it quietly so the client doesn’t hear,” and then the notification window closes. Yet when the Authority detects concealment, it fines harder than for the breach itself. Even if you don’t have every detail within 72 hours, filing an initial notice and completing it in stages is accepted — so “I don’t have everything yet” is not a reason to wait.

The numbers are not small. With the 25.49% revaluation rate published in the Official Gazette on 27 November 2025, the 2026 fines were recalculated: breaching data-security obligations now ranges from 256,357 TL to 17,092,242 TL. For a ten-person firm, the upper limit can equal an entire year’s profit.

What to Do First in an Accounting Office

In budget order, the concrete steps any firm can take in week one:

| Priority | Measure | What it solves |
|---|---|---|
| 1 | 3-2-1 backup + an immutable copy | Recovers data during ransomware |
| 2 | MFA / passkey for email | Stops account takeover |
| 3 | EDR/MDR on servers and endpoints | Halts encryption before it spreads |
| 4 | VERBİS registration and privacy notices | Lowers administrative-fine risk |
| 5 | Data processing agreements with clients | Clarifies the boundary of liability |

None of these are luxuries. Without backups, paying the ransom is the only exit; without MFA, a single phishing email locks the whole office. Honestly, the hardest part isn’t the technology, it’s the habit — the updates postponed during filing season turn into the gaps that never get closed.
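Row 1 of the table (3-2-1 backup plus an immutable copy) is the one measure a firm can audit for itself with a pen and paper, so here is that audit as a small script. This is an added example, not code from the post or from Xen Bilişim: it evaluates a backup inventory against the rule (at least 3 copies including the live one, on 2 media types, 1 offsite, plus 1 copy that server credentials cannot delete) and flags backups nobody has restored from. The three inventories, their names and media, and the 90-day restore-test threshold are assumptions constructed for the example.

```python
"""Checks a backup inventory against the 3-2-1 rule plus one immutable copy.

Added example: the inventories below are constructed, not any real firm's setup.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DataCopy:
    """One place where the firm's client data exists (live copy or backup)."""
    name: str
    media: str                      # e.g. "server-disk", "nas", "object-storage", "tape"
    offsite: bool = False           # physically or logically outside the office
    immutable: bool = False         # retention-locked / write-once: not deletable with server credentials
    is_live: bool = False           # the production copy on the office server
    restore_tested_days_ago: Optional[int] = None  # None = never restored from


def evaluate_backups(copies: List[DataCopy], max_restore_age_days: int = 90) -> Tuple[bool, List[str]]:
    """Return (passed, findings); findings lists every unmet requirement."""
    findings: List[str] = []
    # 3: at least three copies of the data, the live copy included
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies exist; the rule needs at least 3 (live copy included)")
    # 2: on at least two different media types
    if len({c.media for c in copies}) < 2:
        findings.append("all copies sit on one media type; the rule needs at least 2")
    # 1: at least one copy offsite
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy; theft, fire or site-wide encryption takes everything")
    # + immutable: ransomware run with server credentials deletes ordinary backups first
    if not any(c.immutable for c in copies):
        findings.append("no immutable copy; an attacker holding server credentials can wipe every backup")
    # a backup nobody has restored from is an assumption, not a backup
    stale = [c.name for c in copies if not c.is_live
             and (c.restore_tested_days_ago is None or c.restore_tested_days_ago > max_restore_age_days)]
    if stale:
        findings.append("restore not tested in the last %d days: %s" % (max_restore_age_days, ", ".join(stale)))
    return (not findings, findings)


# Constructed inventories (assumed names and media; not real firms).
LIVE = DataCopy("live server (Windows file share)", "server-disk", is_live=True)

TYPICAL_OFFICE = [  # what a small practice usually has: one NAS in the same room
    LIVE,
    DataCopy("nightly copy to office NAS", "nas"),
]

SYNC_ONLY = [  # 3-2-1 on paper, but the cloud copy is a sync folder the server can overwrite
    LIVE,
    DataCopy("nightly copy to office NAS", "nas", restore_tested_days_ago=20),
    DataCopy("cloud sync folder", "object-storage", offsite=True, restore_tested_days_ago=20),
]

RECOMMENDED = [  # row 1 of the table: 3-2-1 plus a retention-locked copy
    LIVE,
    DataCopy("nightly copy to office NAS", "nas", restore_tested_days_ago=30),
    DataCopy("retention-locked cloud bucket", "object-storage", offsite=True, immutable=True,
             restore_tested_days_ago=14),
]


def main() -> None:
    for label, inventory in (("typical office", TYPICAL_OFFICE), ("sync only", SYNC_ONLY),
                             ("recommended", RECOMMENDED)):
        passed, findings = evaluate_backups(inventory)
        print(f"{label}: {'PASS' if passed else 'FAIL'}")
        for f in findings:
            print("  -", f)


if __name__ == "__main__":
    main()
```

The middle inventory is the instructive one: a cloud sync folder satisfies "offsite" but not "immutable", because whatever encrypts the server also syncs the encrypted files upward, so the checker still fails it on the immutable-copy requirement.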

For an accounting firm, the right setup can be built through a managed IT agreement of a few thousand lira a month, scaled to the office size. The full cost depends on user count, server layout and backup volume. Let’s map your data inventory and build a plan tailored to your office.

Frequently Asked Questions

My client’s data leaked — am I the one held responsible? If the data is processed on your infrastructure, the duty to take technical measures is yours. The Authority can fine the firm directly on the grounds that “the processor failed to provide adequate security.” A signed data processing agreement clarifies that boundary.

I’m a one-person practice — do I have to register with VERBİS? As a sole proprietor with annual net sales under 2.5 million TL and fewer than 50 employees, you are exempt from the registry. But the duties to inform, obtain consent and secure data bind you regardless of the exemption.

If ransomware hits, is paying the ransom enough? Payment doesn’t guarantee the data returns, and it marks you as a repeat target. With an immutable backup you recover without paying — which is why backups are always cheaper than a ransom negotiation.

What if the attack lands during filing season? That is the timing these crews choose deliberately. Without a prepared incident-response plan, an offline backup and the phone number of IT support you can reach, you’ll make the worst decisions at the worst moment.

Sources

  • Personal Data Protection Authority (KVKK) — VERBİS registration periods and data breach notification: kvkk.gov.tr
  • KVKK Board decision 2019/10, dated 24 January 2019 (72-hour notification procedure)
  • Official Gazette, 27 November 2025 — 2026 revaluation rate (25.49%)