In 2024, the IRS received over 250 reports of data breach incidents from tax professionals, impacting more than 200,000 clients. The same year, cybercrime losses in the United States exceeded $16 billion, a 33% jump from the prior year. For accounting firms, the pattern is consistent: cybercriminals treat small and mid-sized CPA practices as high-yield, low-resistance targets. A single mid-sized accounting firm may hold Social Security Numbers, tax returns, full business financials, payroll records, bank account details, and retirement account information for hundreds or thousands of clients, all accessible through the same systems that process daily workflows.
The compliance landscape has caught up with that reality. The FTC Safeguards Rule, IRS Publication 4557, and the requirement for a Written Information Security Plan (WISP) make data protection a regulatory obligation for accounting firms, not a best practice. Non-compliance can result in civil penalties of up to $100,000 per violation, regulatory action, and civil liability from affected clients. This article explains what compliance actually requires, what regulators will ask for, and which controls your firm needs in place before an incident forces the question.
| KEY STAT | Accounting firms face an average of 900 cyberattack attempts during tax season alone. 74% of breaches involve human error. Firms that conduct regular security audits cut breach risk by 70%. In 2024, the FTC penalized a tax preparation firm for failing to encrypt client data under the Safeguards Rule. IRS / Verizon DBIR / FTC |
Why accounting firms are a high-value target
Few industries outside healthcare hold the concentration of sensitive personal and financial data that accounting firms handle daily. A single compromised CPA account can expose thousands of client Social Security Numbers, bank account details, and prior-year tax returns simultaneously. Attackers have recognized this for years, and so have regulators.
The threat profile for accounting firms in 2026 centers on three attack vectors. Phishing that poses as IRS correspondence, QuickBooks login pages, or client invoice requests targets the administrative staff who move money and handle client data; one check worth drilling into staff is that the IRS does not initiate contact by email, text message, or social media to request personal or financial information, so any such message is phishing by definition. Business email compromise (BEC) uses spoofed or hijacked mailboxes to redirect wire transfers or request fraudulent payments; within professional services, law firms, accounting practices, and consultancies together account for 28% of reported BEC incidents. Ransomware timed to filing deadlines extracts maximum leverage: a mid-sized CPA firm in the US Southeast was ransomed 48 hours before the April 2024 filing deadline and closed within 12 months.
Armour Cybersecurity’s cybersecurity assessment identifies the specific gaps in your firm’s current controls before a regulator or attacker identifies them for you.
The regulatory framework: what applies to your firm
Accounting and tax practices operate under a layered compliance framework that most small firms have not fully mapped. Here are the key obligations:
FTC Safeguards Rule (16 CFR Part 314): The Gramm-Leach-Bliley Act’s Safeguards Rule applies to ‘financial institutions’, and the FTC’s definition explicitly includes tax preparers, accounting firms, and CPA practices that provide financial or tax advice. The amended Safeguards Rule, whose main provisions took effect in June 2023, requires firms to designate a qualified individual to oversee the information security program, conduct and document a written risk assessment, implement MFA for anyone accessing a system that holds customer information, encrypt customer data in transit and at rest, log and monitor user activity, either continuously monitor their systems or perform annual penetration testing plus vulnerability assessments at least every six months, oversee service providers, train staff, and maintain a written incident response plan. Since May 2024 the Rule also requires firms to notify the FTC within 30 days of discovering a breach of unencrypted customer information that affects 500 or more consumers. Non-compliance carries penalties of up to $100,000 per violation.
IRS Publication 4557 and the Written Information Security Plan (WISP): The IRS requires every tax professional to maintain a WISP: a written document describing how the firm protects client data, responds to incidents, and restores operations after a disruption. IRS Publication 5708 provides a step-by-step guide to creating one. The WISP must be reviewed and updated at least annually, and it must describe the firm’s actual security practices, not aspirational ones: a WISP that does not match reality becomes evidence of negligence if a breach occurs.
State-level privacy laws: As of January 1, 2026, 19 US states have enacted comprehensive data privacy laws. California’s CPRA, Virginia’s CDPA, Texas’s TDPSA, and others impose obligations around data subject rights, breach notification timelines, and security requirements that vary by jurisdiction. Firms operating across multiple states face compounding compliance obligations. Canadian accounting firms face PIPEDA obligations and, where clients are Quebec residents, the more stringent Quebec Law 25.
AICPA professional standards: The AICPA’s Trust Services Criteria and its cybersecurity attestation framework define what ‘reasonable’ security looks like for accounting practices from a professional standards perspective. Member firms that experience a breach without documented security controls face both regulatory exposure and professional discipline.
What the FTC Safeguards Rule requires in practice
The amended Safeguards Rule, in force since June 2023, sets specific technical requirements that many accounting firms have not yet implemented. These are not suggestions; they are enforceable mandates:
| Requirement | What it means for your firm |
| Qualified individual | Designate one person — internal or external — accountable for the information security program. Document the designation in writing. |
| Written risk assessment | Identify and assess risks to client data across all firm systems, people, and processes. Update annually and after any significant change. |
| MFA everywhere | Multi-factor authentication for every system that accesses customer information — including desktop login, cloud platforms, tax software, and email. |
| Encryption | Encrypt client data in transit (email, file transfers) and at rest (stored files, backups). No unencrypted client data on laptops or portable media. |
| Access controls | Limit access to client data to employees who need it for their role. Log who accesses what, and review access at least quarterly (the Rule says ‘periodically’; quarterly is a cadence a firm can defend). |
| Vendor monitoring | Select vendors capable of protecting client data, require those safeguards by contract, and periodically reassess them. Many firms also use managed SOC services to monitor security events and support compliance reporting. |
| Incident response plan | A written, tested plan for detecting, containing, and recovering from a security incident. It must include internal and external notification procedures (the FTC must be notified within 30 days when a breach of unencrypted customer information affects 500 or more consumers) and arrangements for experienced incident response support when an event occurs. |
| Penetration testing and vulnerability assessments | Unless the firm continuously monitors its systems, the Rule requires annual penetration testing and vulnerability assessments at least every six months, and again after any material change to operations or systems. |
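The access-control and MFA rows above are evidence-driven: a regulator asks for the last review, not a policy statement. The script below is an added example, not from the original article, of how a firm running Microsoft 365 could produce that evidence with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Users and Microsoft.Graph.Reports modules are installed, that the tenant holds an Entra ID P1 licence so sign-in activity is reported, and that the operator can consent to the listed permissions; the 90-day threshold and the output folder are illustrative choices.

```powershell
# Added example (not from the original article): quarterly access-review evidence
# for a Microsoft 365 tenant, produced with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph.Users and Microsoft.Graph.Reports are installed,
# the tenant has Entra ID P1 or higher (SignInActivity is otherwise empty), and
# the operator holds a role that can consent to the scopes requested below.
param(
    [int]$StaleDays = 90,                 # illustrative threshold for "stale"
    [string]$OutDir  = ".\access-review"  # where the CSV evidence is written
)

Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$cutoff = (Get-Date).AddDays(-$StaleDays)

# 1. Enabled accounts with no sign-in for $StaleDays days, or no recorded sign-in at all.
#    SignInActivity is only returned when it is explicitly requested with -Property.
$users = Get-MgUser -All -Property Id, DisplayName, UserPrincipalName, AccountEnabled, SignInActivity, CreatedDateTime

$stale = foreach ($u in $users) {
    if (-not $u.AccountEnabled) { continue }

    # Take the most recent of interactive and non-interactive sign-in, ignoring nulls.
    $last = @($u.SignInActivity.LastSignInDateTime, $u.SignInActivity.LastNonInteractiveSignInDateTime) |
        Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

    if (-not $last -or $last -lt $cutoff) {
        $finding = if ($last) { "No sign-in for $StaleDays+ days" } else { "Never signed in" }
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            DisplayName       = $u.DisplayName
            LastSignIn        = $last
            Created           = $u.CreatedDateTime
            Finding           = $finding
        }
    }
}
$stale | Export-Csv -Path (Join-Path $OutDir "stale-accounts.csv") -NoTypeInformation

# 2. Users with no registered MFA method: each one is a gap against the Rule's MFA requirement.
$noMfa = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, IsMfaRegistered, @{ n = 'Methods'; e = { $_.MethodsRegistered -join ';' } }
$noMfa | Export-Csv -Path (Join-Path $OutDir "users-without-mfa.csv") -NoTypeInformation

"{0} stale enabled accounts, {1} users without MFA registered; evidence written to {2}" -f @($stale).Count, @($noMfa).Count, $OutDir
```

Run it at the start of each quarterly review. The two CSVs (stale enabled accounts, users without a registered MFA method) are the artefacts to attach to the WISP’s review record, together with the tickets that disabled or remediated each account; a review that leaves no such trail is indistinguishable from one that never happened.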
The WISP: what it must contain and what regulators look for
The Written Information Security Plan is the document regulators and insurers will ask for first after an incident. Many small accounting firms either do not have one or have one that bears no resemblance to their actual security practices. A WISP copied from a template without being customized to the firm’s environment is worse than useless: it becomes a liability when regulators discover the gap between what it says and what actually happened.
A compliant WISP for an accounting firm must address: the scope of the program and the client data it covers; the risk assessment methodology and findings; the specific security controls in place for each identified risk; the employee training program and its frequency; the vendor management process; the incident response and notification procedures; and the annual review and update process. It should name the individual accountable for each section and include the dates of the most recent review.
Armour Cybersecurity’s Integrated Compliance Audit Program builds WISP-compliant documentation and security programs from gap assessment to audit-ready, aligned to FTC Safeguards, IRS 4557, and Canadian PIPEDA requirements. Learn about the Compliance Audit Program →
The 8 security controls every accounting firm needs in 2026
- MFA on every system that touches client data: tax software, email, cloud storage, practice management platforms, remote access. This is an FTC mandate, not a recommendation. Where the platform supports it, prefer an authenticator app or a FIDO2 security key over SMS codes, which are the easiest factor for an attacker to intercept or socially engineer.
- Email security with anti-phishing protection: Microsoft Defender for Office 365 or equivalent, with impersonation protection, Safe Links, and Safe Attachments configured and scoped to the firm’s domain. Accounting staff receive IRS-themed phishing in high volumes during tax season.
- Endpoint detection and response (EDR): behavioral threat detection on every firm endpoint, replacing legacy antivirus. EDR detects the credential-stealing tools and lateral movement that signature-based antivirus misses. Many accounting firms obtain this through managed cybersecurity services that provide ongoing monitoring and support.
- Encrypted cloud storage and file sharing: client files must be encrypted at rest and in transit, and documents should move through a client portal rather than as email attachments. Unencrypted email attachments and shared drives are the most common data exposure vector in accounting breaches.
- Privileged access controls: separate admin accounts for IT functions, least-privilege access to client files, and quarterly access reviews that remove departed employees and access no one needs any more.
- Tested backup and recovery: encrypted, offsite backups that cannot be reached with the same credentials as production, and that the firm actually restores from at least quarterly. An untested backup is an assumption, not a control. For firms hit with ransomware during tax season, the backup is the difference between a recoverable incident and business closure.
- Written Information Security Plan (WISP): compliant with IRS Publication 4557, updated annually, reflecting actual firm practices, and signed by the designated accountable individual.
- Employee security awareness training: phishing simulation and security training at least annually. 74% of breaches involve human error; training is the highest-ROI control available to small firms.
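For the email security control above, the following is an added example (not code from the original article, from Microsoft, or from Armour Cybersecurity) of creating a baseline Defender for Office 365 configuration with the Exchange Online PowerShell module. It assumes that module is installed, that the tenant holds a Defender for Office 365 licence, and that firm.example, the two partner entries, and the list of externally impersonated domains are placeholders for the firm’s own values.

```powershell
# Added example (not from the original article): baseline Defender for Office 365
# anti-impersonation, Safe Links and Safe Attachments policies for a small firm.
# Assumptions: the ExchangeOnlineManagement module is installed, the tenant is
# licensed for Defender for Office 365, and the values below are placeholders.
$Domain   = "firm.example"
# Format for protected users is "DisplayName;EmailAddress". Name the people who approve
# payments: those are the identities BEC actors spoof.
$Partners = @("Jane Partner;jane@firm.example", "Sam Partner;sam@firm.example")
# External brands whose look-alike domains are used in tax-season phishing (illustrative).
$ImpersonatedDomains = @("irs.gov", "intuit.com")

Connect-ExchangeOnline -ShowBanner:$false

# Anti-phishing: impersonation protection for named partners, the firm's own domains and
# selected external domains; mailbox intelligence learns each user's normal sender graph;
# failed sender authentication and a strict phishing threshold both land in quarantine.
New-AntiPhishPolicy -Name "Firm-AntiPhish" `
    -EnableTargetedUserProtection $true -TargetedUsersToProtect $Partners -TargetedUserProtectionAction Quarantine `
    -EnableTargetedDomainsProtection $true -TargetedDomainsToProtect $ImpersonatedDomains -TargetedDomainProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true -MailboxIntelligenceProtectionAction Quarantine `
    -EnableFirstContactSafetyTips $true -EnableSimilarUsersSafetyTips $true -EnableSimilarDomainsSafetyTips $true `
    -EnableSpoofIntelligence $true -AuthenticationFailAction Quarantine `
    -PhishThresholdLevel 3
New-AntiPhishRule -Name "Firm-AntiPhish" -AntiPhishPolicy "Firm-AntiPhish" -RecipientDomainIs $Domain

# Safe Links: rewrite and scan URLs in mail, Teams and Office clients, including internal mail
# (a compromised colleague's mailbox is the most convincing phishing source), and do not let
# users click through a warning page.
New-SafeLinksPolicy -Name "Firm-SafeLinks" `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
    -AllowClickThrough $false -TrackClicks $true
New-SafeLinksRule -Name "Firm-SafeLinks" -SafeLinksPolicy "Firm-SafeLinks" -RecipientDomainIs $Domain

# Safe Attachments: detonate attachments in a sandbox and block the message on a malicious verdict.
New-SafeAttachmentPolicy -Name "Firm-SafeAttachments" -Enable $true -Action Block
New-SafeAttachmentRule -Name "Firm-SafeAttachments" -SafeAttachmentPolicy "Firm-SafeAttachments" -RecipientDomainIs $Domain

# Read back the settings that are actually in force, to compare against what the WISP claims.
Get-AntiPhishPolicy -Identity "Firm-AntiPhish" | Format-List EnableTargetedUserProtection, EnableMailboxIntelligenceProtection, PhishThresholdLevel
Get-SafeLinksPolicy -Identity "Firm-SafeLinks" | Format-List AllowClickThrough, ScanUrls, EnableForInternalSenders
Get-SafeAttachmentPolicy -Identity "Firm-SafeAttachments" | Format-List Enable, Action
```

Each policy only takes effect through its companion rule, which is why the script creates both and scopes them to the firm’s domain. The closing Get-* calls matter as much as the New-* calls: the printed settings are what an auditor can reconcile against the WISP, and they will also show when someone later relaxed a setting to stop user complaints.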
Canadian-specific obligations for accounting firms
Canadian CPA firms operate under PIPEDA’s accountability and safeguards principles, which require security measures proportionate to the sensitivity of the information held. Accounting firms hold some of the most sensitive personal information in any industry (SINs, tax returns, banking details), so the proportionality threshold is high. PIPEDA’s breach provisions require firms to notify affected individuals and the Office of the Privacy Commissioner when a breach creates a real risk of significant harm, and to keep a record of every breach, notified or not, for 24 months.
For firms with clients in Quebec, Law 25 adds more stringent requirements: a named person in charge of the protection of personal information (the enterprise’s most senior officer by default, unless the role is delegated in writing), privacy impact assessments before acquiring, developing, or overhauling an information system that handles personal information, prompt notification to the Commission d’accès à l’information and to affected persons for confidentiality incidents that present a risk of serious injury, a register of all confidentiality incidents, and consent requirements that go beyond PIPEDA. CPA Canada’s cybersecurity guidance aligns with the profession’s obligations under provincial licensing requirements and with the AICPA’s Trust Services Criteria.
Frequently asked questions
Does the FTC Safeguards Rule apply to my small accounting firm?
Yes, if your firm provides tax preparation, bookkeeping, or financial advisory services to individuals or businesses, you are likely covered by the FTC’s definition of ‘financial institution’ under GLBA. The updated Safeguards Rule’s enhanced technical requirements apply regardless of firm size. The IRS also independently requires a WISP for all tax professionals. Non-compliance exposes your firm to FTC enforcement action, IRS penalties, and civil liability from affected clients.
What happens if my firm is breached and does not have a WISP?
A missing or inadequate WISP becomes evidence of negligence in regulatory enforcement proceedings, civil litigation by affected clients, and insurance claim disputes. The IRS has stated explicitly that failure to maintain a WISP is a factor in determining whether a firm exercised reasonable care in protecting client data. If affected clients suffer identity theft or financial losses traceable to the breach, the firm’s liability exposure increases significantly without documented security controls.
How often does my firm need to update its security program?
The FTC Safeguards Rule expects an annual review of the information security program (the qualified individual reports to the firm’s leadership at least annually), and IRS guidance calls for the WISP to be updated on the same cycle. Updates are also required after any significant change to the firm’s operations, technology environment, or client base. Unless the firm continuously monitors its systems, penetration testing is required annually and vulnerability assessments at least every six months. Many insurers now require quarterly vulnerability scans as a condition of cyber insurance coverage for professional services firms.
What is the biggest cybersecurity mistake small accounting firms make?
Relying on a password-protected email account and a generic antivirus program as the whole security posture. These controls were inadequate five years ago and are essentially useless against 2026 attack techniques. Credential abuse now drives the majority of intrusions: the attacker does not need to break your defenses if they can phish a valid login and then authenticate normally. MFA, email security configuration, and endpoint detection are the foundational controls that stop the attacks accounting firms actually face.
The FTC Safeguards Rule and IRS WISP requirements are not aspirational standards; they are enforceable mandates with documented penalties. The accounting firms that get through 2026 without a compliance crisis are the ones that built their security program around what regulators will actually ask for during an investigation, often guided by a documented cyber strategy roadmap that aligns security investments with compliance requirements, rather than around what seemed like enough while nothing bad had happened yet.
Armour Cybersecurity’s Integrated Compliance Audit Program guides accounting firms from gap assessment to audit-ready status across FTC Safeguards, IRS 4557, PIPEDA, and emerging state privacy laws — with practical documentation your managing partner can defend to a regulator.