
What Cybersecurity Does Your Accounting Firm Actually Need?

Accounting and CPA firms are legally required to maintain a formal information security program under the FTC Safeguards Rule, the Gramm-Leach-Bliley Act regulation that IRS Publication 4557 explains for tax professionals. At minimum, that means a Written Information Security Plan (WISP), multi-factor authentication, encryption of client data, employee training, and a documented incident response plan. Non-compliance exposes a firm to FTC enforcement, with GLBA penalties commonly cited at up to $100,000 per violation, as well as state regulatory action and civil liability from affected clients.

Why Are Accounting Firms High-Value Targets for Cyberattacks?

Few industries outside of healthcare and financial services hold the concentration of sensitive data that accounting firms do. A single mid-sized CPA firm may possess Social Security numbers, tax returns, full business financials, payroll records, bank account details, and retirement account information for hundreds or thousands of clients. Cybercriminals have recognized this reality.

In 2024, the IRS received over 250 reports of data breach incidents from tax professionals, impacting more than 200,000 clients. During tax season alone, accounting firms face an average of 900 cyberattack attempts. Financial services and professional services together accounted for over 1,200 of the record 3,322 data breaches reported in the United States in 2025—a 4% year-over-year increase according to the Identity Theft Resource Center.

What makes accounting firms particularly vulnerable is the combination of high-value data, often limited dedicated IT staff, and the false assumption that small or regional firms are beneath a cybercriminal's notice. Ransomware actors deliberately target small and mid-sized professional service firms, knowing that these organizations often lack the technical sophistication to detect intrusions early and are highly motivated to pay ransoms to restore access before tax deadlines or audit completions.

What Laws Require Accounting Firms to Have Cybersecurity Programs?

Accounting and tax professionals are subject to several overlapping regulatory requirements—most of which are not optional:

FTC Safeguards Rule (Gramm-Leach-Bliley Act)

The Federal Trade Commission's Standards for Safeguarding Customer Information applies to any entity engaged in financial activities—which definitively includes CPA firms, tax preparers, bookkeeping services, and accounting practices. The Rule, substantially updated in 2021 and amended again in 2023 to add breach notification requirements, requires covered firms to:

  • Designate a qualified individual to oversee the information security program
  • Conduct and document a written risk assessment
  • Implement multi-factor authentication on all systems accessing customer financial information
  • Encrypt all sensitive customer data at rest and in transit
  • Develop a written incident response plan
  • Train all security personnel and provide ongoing awareness training
  • Periodically assess the security practices of service providers
  • Report breaches involving 500 or more consumers to the FTC within 30 days of discovery

GLBA penalties are commonly cited at up to $100,000 per violation for the institution and up to $10,000 for responsible officers and directors, with criminal penalties possible for knowing violations. In practice the FTC enforces the Safeguards Rule through investigations and consent orders, and violating an order carries its own per-day civil penalties, so a single documented failure can keep costing a firm long after the breach itself.

IRS Publication 4557 and the Written Information Security Plan (WISP)

The WISP is a legal obligation for every tax professional, not merely a best practice. The requirement comes from the Safeguards Rule's mandate for a written information security program; the IRS restates it in Publication 4557, and when renewing a PTIN (Preparer Tax Identification Number), tax professionals explicitly acknowledge their data security responsibilities. The WISP must be:

  • Written (not oral or informal)
  • Current and updated at least annually or after material business changes
  • Tailored to the specific firm—generic templates alone are insufficient
  • Available for review in the event of an IRS or FTC audit or enforcement action

A second IRS publication is often cited alongside Publication 4557, and often misread as a further set of obligations on every preparer.

IRS Publication 1075 (Federal Tax Information)

IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, governs Federal Tax Information (FTI) that the IRS itself discloses to government agencies, and its requirements flow down to the contractors, hosting providers, and software platforms those agencies use. Tax returns and financial records that a client hands to a CPA firm are customer information under the Safeguards Rule, not FTI under Publication 1075. A firm comes within Publication 1075 only when it receives FTI under contract to such an agency; in that case the agency's controls (annual role-based security awareness training, controlled physical and system access, and vetting of every vendor and system that processes FTI) apply to the firm and its providers, and those third-party relationships must be documented accordingly.

What Is a Written Information Security Plan (WISP) and What Must It Include?

A WISP is the cornerstone document of an accounting firm's security program. It spells out how the firm prevents, detects, responds to, and recovers from security incidents. A compliant WISP for a CPA firm in 2025 must include:

  • Data Mapping and Inventory: All client data, storage locations, and transmission pathways identified and documented
  • The Security Six baseline controls:
    • Anti-malware/anti-virus software on all systems
    • Properly configured firewalls
    • Multi-factor authentication (MFA) on all high-value systems
    • Encryption for data at rest and in transit
    • Secure, tested backups
    • Virtual private network (VPN) for remote access, plus encrypted email or a client portal for exchanging documents
  • Access Controls: Role-based access, least-privilege principles, and documented procedures for onboarding and offboarding employees
  • Employee Training: Records of annual security awareness training, including phishing simulations
  • Incident Response Procedures: Step-by-step protocols for detecting, containing, and recovering from a breach, including FTC notification procedures
  • Vendor Risk Management: Assessment of security practices for all service providers handling client data
  • Annual Review: Documented review date and evidence of updates reflecting changes in business operations or threat landscape

Many accounting firms, particularly those without a dedicated IT department, struggle to produce a WISP that is both compliant and actually implemented. Engaging a qualified managed IT and cybersecurity provider helps ensure the document is legally sufficient, technically accurate, and reflected in day-to-day practice, not simply filed away.

What Are the Biggest Cybersecurity Threats Facing Accounting Firms?

Ransomware

Ransomware has become the dominant threat to accounting firms. Attackers encrypt all files and systems—locking access to client tax returns, audit workpapers, payroll data, and billing systems—and demand payment to restore access. What makes ransomware attacks on accounting firms particularly devastating is their timing: criminal groups deliberately target firms in the weeks before major tax deadlines and during peak audit season, when pressure to pay is highest and downtime is most costly.

Average ransom demands now exceed $300,000, and system downtime from ransomware attacks typically ranges from 14 to 21 days. Total losses—including recovery costs, regulatory fines, client notifications, and lost business—regularly push into the millions. Ransomware attacks increased 58% globally in 2025, making it the most active ransomware year on record according to GuidePoint Security.

Phishing and Business Email Compromise (BEC)

Phishing remains the leading initial access vector for attacks against accounting firms. Criminals craft convincing emails impersonating the IRS, state tax authorities, software vendors, or even firm partners to steal credentials or install malware. Business email compromise—where an attacker impersonates a partner or client to redirect funds—is particularly dangerous given the volume of client wire transfers and tax payments that flow through accounting firms.
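To make the BEC pattern concrete, here is an added example screen written for this article (not a vendor product and not NTG's tooling) that runs a few header and body heuristics over constructed sample messages. The firm domain smithcpa.example, the partner roster, and all four emails are assumptions for illustration.

```python
"""Heuristic Business Email Compromise (BEC) screen for inbound mail.

Added example for this article, not vendor code. The firm domain, partner
roster, and sample messages below are assumptions constructed for illustration.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

FIRM_DOMAIN = "smithcpa.example"           # assumption: the firm's real domain
PARTNERS = {"dana smith", "lee chen"}       # assumption: names attackers may spoof
PAYMENT_WORDS = re.compile(
    r"\b(wire|ach|routing number|account number|invoice|payment|gift cards?)\b",
    re.IGNORECASE,
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a lookalike domain usually sits at distance 1 from the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].strip().lower()


def _text(msg: Message) -> str:
    """Subject plus every text/plain part, so payment keywords are found anywhere."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode("utf-8", "replace"))
    return "\n".join(parts)


def screen(raw: str) -> dict:
    """Return the spoofing indicators found in one RFC 822 message and a verdict."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    _, reply = parseaddr(msg.get("Reply-To", ""))
    findings = []
    if name.strip().lower() in PARTNERS and from_dom != FIRM_DOMAIN:
        findings.append("partner display name on an external address")
    if reply and _domain(reply) != from_dom:
        findings.append("Reply-To domain differs from From domain")
    if from_dom != FIRM_DOMAIN and levenshtein(from_dom, FIRM_DOMAIN) <= 1:
        findings.append("lookalike of firm domain")
    # Payment language alone is normal for a CPA firm; it raises the score only
    # when it rides on top of a spoofing indicator.
    if findings and PAYMENT_WORDS.search(_text(msg)):
        findings.append("payment or wire language combined with spoofing indicator")
    score = len(findings)
    verdict = "hold: verify by phone" if score >= 2 else "review" if score == 1 else "ok"
    return {"from": addr, "findings": findings, "score": score, "verdict": verdict}


SAMPLES = {  # constructed messages, not real mail
    "partner_spoof": """\
From: Dana Smith <dana.smith@gmail.example>
To: ap@smithcpa.example
Subject: Quick favor

I'm in a meeting. Please wire a client's estimated tax payment today;
reply and I will send the account number.
""",
    "reply_to_redirect": """\
From: Acme Accounts Payable <ap@acme-client.example>
Reply-To: ap@acme-client-billing.example
To: billing@smithcpa.example
Subject: Updated remittance details

Our routing number changed this week. Use the new details for the open invoice.
""",
    "lookalike_domain": """\
From: IT Helpdesk <helpdesk@smlthcpa.example>
To: staff@smithcpa.example
Subject: Password expiry

Your password expires today. Sign in at the portal to keep access.
""",
    "legitimate": """\
From: Dana Smith <dana.smith@smithcpa.example>
To: staff@smithcpa.example
Subject: Staff meeting

Reminder: meeting at 3pm to review the audit schedule.
""",
}


def screen_all() -> dict:
    return {label: screen(raw) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, result in screen_all().items():
        print(f"{label:18} score={result['score']} {result['verdict']}: {result['findings']}")
```

Run it as a script to see each verdict. The specific heuristics are not the point (a real mail gateway also checks SPF/DKIM/DMARC results, sender history, and more); the point is that the two highest-scoring messages are exactly the wire-fraud pattern the paragraph describes: a spoofed partner, or a Reply-To that quietly redirects the conversation, combined with payment language. Anything in the "hold" bucket should be confirmed by phone using a number already on file, never by replying to the message.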

Supply Chain and Software Vendor Attacks

Accounting firms depend on a small ecosystem of tax preparation, practice management, and document management software. When a vendor in that ecosystem is breached, every firm using it inherits the exposure. ITRC data illustrate the leverage a single vendor compromise gives an attacker: the number of entities affected by supply chain attacks nearly doubled, from 660 in 2024 to 1,251 in 2025, even though the count of attacks rose by only one.

Insider Threats and Employee Error

A significant percentage of accounting firm breaches result from employee mistakes—opening phishing emails, misaddressing client communications, or using personal devices without proper security controls. Seasonal staff and part-time employees hired during tax season represent elevated risk if they are not properly trained before accessing client systems.

What Are the Minimum Technical Cybersecurity Controls for a CPA Firm?

Regulatory guidance and insurance underwriting standards converge on the following minimum technical controls for accounting firms:

  • Multi-Factor Authentication: Required under both the FTC Safeguards Rule and IRS guidance. Must cover all systems that access client financial data—tax software, cloud storage, email, remote access.
  • Endpoint Detection and Response (EDR): Behavior-based endpoint protection that can detect and contain threats in real time. Signature-only antivirus no longer satisfies most cyber insurers' underwriting questionnaires.
  • Encrypted Data Storage and Transmission: All client files must be encrypted at rest. Client portal communications and email containing sensitive data must use encrypted channels.
  • Secure, Tested Backups: Backups must be isolated (offline or immutable), encrypted, and tested for restorability at least quarterly. Many firms discover backup failures only after a ransomware attack—too late.
  • Network Segmentation and Firewall: Separate client-facing systems from administrative systems. Use a next-generation firewall with intrusion prevention capabilities.
  • Patch Management: A documented process for applying critical security patches within 30 days. Unpatched software is among the most commonly exploited attack vectors.
  • Privileged Access Management: Limit administrative rights to specific personnel. Employees should access only the client data necessary for their specific role.
  • Security Awareness Training: Annual training documented in the WISP, including simulated phishing exercises to test and reinforce employee readiness.
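As an added example for this article (not NTG's tooling), the script below shows what "tested for restorability" means in practice: a backup that carries a SHA-256 manifest, a restore that re-hashes every file against it, and a simulated media corruption that a plain extract would never report. It uses only the Python standard library; the client file names and contents are constructed placeholders.

```python
"""Backup restore test with a SHA-256 manifest.

Added example for this article, not the provider's tooling. Standard library
only; the client file names and contents below are constructed placeholders.
"""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.json"

CLIENT_FILES = {  # constructed sample data, not real client records
    "clients/acme/2024_1120.txt": "Form 1120 workpaper, Acme Widgets, FY2024\n",
    "clients/jones/2024_1040.txt": "Form 1040 workpaper, taxpayer SSN 000-00-0000\n",
    "payroll/2024_q4.csv": "employee,gross\nA. Lee,51200.00\n",
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, archive: Path) -> dict:
    """Archive every file under src and embed a manifest of path -> SHA-256."""
    manifest = {}
    # Uncompressed on purpose so the demo can damage payload bytes in place.
    with tarfile.open(str(archive), "w") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
        blob = json.dumps(manifest, sort_keys=True, indent=1).encode()
        info = tarfile.TarInfo(MANIFEST)
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    return manifest


def verify_restore(archive: Path, restore_dir: Path) -> dict:
    """Restore, re-hash every file, and compare with the manifest.

    An extract that finishes without error proves only that the tar structure is
    intact; the hash comparison proves the client data came back unchanged.
    """
    with tarfile.open(str(archive), "r") as tar:
        if hasattr(tarfile, "data_filter"):
            # The 'data' filter (Python 3.12, backported to maintenance releases)
            # rejects absolute paths and '..' traversal in member names.
            tar.extractall(str(restore_dir), filter="data")
        else:
            tar.extractall(str(restore_dir))
    manifest = json.loads((restore_dir / MANIFEST).read_text())
    missing = [rel for rel in manifest if not (restore_dir / rel).is_file()]
    corrupt = [rel for rel, digest in manifest.items()
               if rel not in missing and sha256_file(restore_dir / rel) != digest]
    return {"ok": not corrupt and not missing, "files": len(manifest),
            "corrupt": corrupt, "missing": missing}


def run_demo():
    """Return (clean_result, damaged_result) for one backup before and after corruption."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "src"
        for rel, text in CLIENT_FILES.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_text(text)
        archive = root / "backup.tar"
        make_backup(src, archive)
        clean = verify_restore(archive, root / "restore1")
        # Simulate silent media corruption. Tar checksums headers only, so a byte
        # change inside a member's payload leaves the archive perfectly readable.
        archive.write_bytes(archive.read_bytes().replace(b"000-00-0000", b"000-00-0001"))
        damaged = verify_restore(archive, root / "restore2")
    return clean, damaged


if __name__ == "__main__":
    before, after = run_demo()
    print("clean backup  :", before)
    print("damaged backup:", after)
```

The second restore succeeds from the archiver's point of view and still fails the test, which is exactly the case the bullet above warns about: a backup job that reports success every night can be returning damaged client files. A quarterly restore test should therefore restore into a clean location and compare hashes (or at least open and spot-check the restored files), not merely confirm that the job ran. Keep the manifest with an offline or immutable copy of the archive, since an attacker with write access to the backup store can regenerate both.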

What Is the FTC Safeguards Rule Breach Notification Requirement for Accounting Firms?

As amended in 2023, the FTC Safeguards Rule requires covered financial institutions—including accounting firms—to notify the FTC within 30 days of discovery of a breach involving the unauthorized acquisition of unencrypted customer information for 500 or more consumers. This notification requirement is separate from any state-level data breach notification laws, which may have shorter timelines and additional requirements.

Failure to provide timely FTC notification can compound regulatory penalties significantly. Firms should include this notification procedure explicitly in their WISP and incident response plan.

Does Cybersecurity Apply to Small Accounting Firms and Solo Practitioners?

Yes—unambiguously. The FTC Safeguards Rule contains no exemption based on firm size. The IRS WISP requirement applies to all tax professionals, regardless of whether a firm has one employee or one thousand. Solo practitioners and small firms are, if anything, more attractive ransomware targets because they are less likely to have dedicated security staff, tested backups, or rapid recovery capabilities.

The widely repeated claim that about 60% of small businesses close within six months of a significant cyberattack is disputed, but the underlying risk is real: for a solo practitioner or two-partner CPA firm, a ransomware event during tax season can be permanently disabling. The cost of prevention is a fraction of the cost of recovery.

Do Accounting Firms Need Cyber Insurance?

Cyber insurance is not federally mandated for accounting firms, but it has become a near-essential risk management tool. Consider that the average data breach in the financial sector now costs approximately $5 million. Professional liability (E&O) policies for accounting firms do not typically cover cyber incidents—firms need a separate cyber liability policy.

Key coverage areas accounting firms should seek:

  • Ransomware coverage and negotiation support
  • Business interruption during system outages
  • Client notification costs and credit monitoring services
  • Regulatory investigation defense and FTC fine coverage
  • Social engineering and funds transfer fraud (wire transfer BEC coverage)

Importantly, insurers can deny a claim, or rescind the policy, if controls attested on the application (MFA, tested backups, EDR, a WISP) were not actually in place at the time of the incident. Firms that carry cyber insurance but lack a compliant WISP may find their coverage worthless when they need it most.

How Often Should an Accounting Firm Review Its Cybersecurity Program?

The FTC Safeguards Rule requires periodic review and update of the information security program. In practice, the following review cadence represents best practice for accounting firms:

  • Annually: Full WISP review and update; security awareness training; penetration test or vulnerability assessment
  • Semi-annually: Vulnerability scanning; review of access control logs and user accounts, including removal of departed and seasonal staff
  • Quarterly: Backup restoration testing; phishing simulation
  • On material changes: New software platforms, new employees, partner additions, office relocations, or merger activity all trigger a required WISP update
  • After any security incident: Post-incident review to update controls, revise the incident response plan, and adjust the risk assessment

How NorthStar Technology Group Can Help Accounting Firms

NorthStar Technology Group (NTG) provides managed cybersecurity and IT compliance services purpose-built for accounting and CPA firms. Our "Protect to Propel" philosophy recognizes that compliance is not just about avoiding fines—it is the foundation of client trust, firm continuity, and long-term growth.

NTG helps accounting firms:

  • Develop and maintain a compliant WISP that satisfies FTC Safeguards Rule and IRS Publication 4557 requirements—customized to your firm's size, structure, and software ecosystem
  • Implement MFA across all platforms—tax software, document management, email, and remote access tools
  • Deploy and manage EDR with 24/7 monitoring and alert response to detect ransomware and intrusions in real time
  • Design and test encrypted backup systems with documented recovery time objectives and quarterly restoration testing
  • Conduct IRS-aligned cybersecurity training for all firm staff, including seasonal employees, with simulated phishing campaigns tailored to accounting-specific threats
  • Perform annual security risk assessments that produce audit-ready documentation for FTC, IRS, and insurance underwriter review
  • Manage vendor and supply chain risk including review of cloud hosting, tax software, and document management provider security posture
  • Support cyber insurance applications by building the evidence package that demonstrates compliance and maximizes coverage eligibility

Ken Satkunam, CISM, and the NTG team work alongside accounting firms to make security seamless—protecting client data, satisfying regulators, and enabling partners to focus on what they do best: serving their clients.

Contact NorthStar Technology Group to schedule a complimentary accounting firm cybersecurity assessment and WISP gap analysis.


About the author

Ken Satkunam, CISM

President & Founder, NorthStar Technology Group

Ken has spent over 25 years in IT leadership, serving in roles from technical support to CIO for organizations as large as 23,000 employees. He founded NorthStar Technology Group in 2000 to help regulated organizations build secure, compliant, and operationally resilient technology environments. Ken holds the Certified Information Security Manager (CISM) credential from ISACA and is the co-author of the Amazon best-seller "Cyber Attack Prevention." He has been quoted in industry publications including eWeek and DM News, and NorthStar has been recognized on the Inc. 5000 list in both 2024 and 2025.

