Why accounting firms are targets
A CPA firm holds a concentrated repository of sensitive financial data: tax returns, bank statements, payroll records, business financials, and personal financial information for every client. This data has direct value — it can be used for identity theft, tax fraud, and financial account takeover. It also has indirect value as leverage in ransomware attacks, where the threat of exposing client financials creates significant pressure to pay.
The IRS identified tax professionals as a specific high-risk target group and has issued formal guidance requiring CPA firms to implement Written Information Security Plans (WISPs) under the Gramm-Leach-Bliley Act (GLBA).
The WISP requirement
The GLBA Safeguards Rule applies to financial institutions — and the FTC has interpreted this to include tax preparers and CPA firms that handle client financial data. The rule requires covered entities to develop, implement, and maintain a comprehensive Written Information Security Plan.
A WISP must:
- Designate a qualified individual responsible for overseeing the information security program
- Conduct a risk assessment identifying threats to client information
- Implement safeguards to address identified risks
- Regularly monitor and test the effectiveness of those safeguards
- Train employees on security awareness and the provisions of the plan
- Oversee service providers who access client information
- Update the plan in response to changes in operations or threats
The IRS has made WISP compliance a focus of its tax professional security guidance and has published a template to help smaller firms get started.
What the IRS specifically flags
The IRS Security Summit — a partnership between the IRS, state tax agencies, and the tax software industry — has published specific guidance on what CPA firms should have in place. Their annual Dirty Dozen list and practitioner alerts consistently highlight:
- Phishing attacks targeting tax professionals to steal client data and e-file credentials
- Business email compromise schemes targeting client wire transfers and refund redirects
- Data theft from firms using weak passwords or no MFA on practice management software
- Ransomware delivered via phishing emails or remote desktop exploitation
The IRS has explicit guidance that firms should use multi-factor authentication, strong passwords, and encrypted file sharing rather than unencrypted email for transmitting tax documents.
State board requirements
Many state boards of accountancy are adopting or referencing the AICPA's cybersecurity guidance as part of their professional standards. While the specifics vary by state, the direction is consistent: CPAs have a professional obligation to protect client data, and that obligation extends to the technology and security practices of the firm.
Florida, for example, references information security as part of its continuing professional education requirements, and state board disciplinary actions for data breaches have occurred in multiple jurisdictions.
Cyber insurance for accounting firms
Insurance underwriters have developed specific risk models for accounting firms, driven by the high value of the data and the documented pattern of attacks. Common requirements for CPA firm cyber insurance now include:
- MFA on email and remote access (often a mandatory requirement, not just a preferred control)
- Encrypted storage and transmission of client financial data
- Employee security training including phishing awareness
- Documented incident response procedures
- Backup testing — not just having backups, but verifying they can be restored
- Vendor assessments for practice management software and cloud providers
Firms without MFA are increasingly unable to obtain coverage at reasonable rates. Some insurers have withdrawn from the accounting firm market entirely for firms below a certain security baseline.
The e-file credential problem
One specific risk unique to tax professionals is theft of IRS e-file credentials. Attackers who gain access to a CPA firm's systems can steal the firm's Electronic Filing Identification Number (EFIN) and use it to file fraudulent returns. This causes direct financial harm to clients and creates significant liability for the firm.
Protecting e-file credentials requires the same controls as protecting any other sensitive credentials: strong unique passwords, MFA where available, and access limited to only those who need it.
A practical security baseline for CPA firms
Given regulatory requirements, insurance expectations, and the specific threats facing accounting firms, a reasonable security baseline includes:
- Written Information Security Plan documented and updated annually
- MFA on all accounts that access client data — email, practice management software, cloud storage
- Encrypted file sharing for client document exchange (not unencrypted email)
- SPF, DKIM, and DMARC configured to prevent domain spoofing
- Annual phishing simulation and security awareness training for all staff
- External vulnerability scanning of the firm's internet-facing systems
- Tested offline backups
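As an added example, not code from the original article, the following Python check parses a domain's SPF and DMARC TXT records and flags the settings that leave the firm's domain spoofable, with a weak configuration beside a hardened one; the record values and domain names are constructed placeholders.

```python
import re

# Constructed sample records for a placeholder domain; in practice read them
# from DNS TXT records (`dig TXT example.com`, `dig TXT _dmarc.example.com`).
WEAK = {
    "spf": "v=spf1 include:_spf.mailhost.invalid +all",
    "dmarc": "v=DMARC1; p=none",
}
HARDENED = {
    "spf": "v=spf1 include:_spf.mailhost.invalid -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@cpafirm.invalid; adkim=s; aspf=s",
}


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; rua=...' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(records):
    """Return a list of findings; an empty list means the baseline is met."""
    findings = []
    spf = records.get("spf", "")
    if not spf.lower().startswith("v=spf1"):
        findings.append("SPF: no record, so any server can send as the domain")
    else:
        # The 'all' mechanism's qualifier decides what happens to senders that
        # matched nothing else; no 'all' at all behaves like neutral ('?all').
        m = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", spf)
        qualifier = (m.group(1) or "+") if m else "?"
        if qualifier in ("+", "?"):
            findings.append("SPF: '%sall' lets unauthorised senders pass; use '-all'" % qualifier)
        elif qualifier == "~":
            findings.append("SPF: '~all' only soft-fails unauthorised senders; prefer '-all'")
    dmarc = parse_dmarc(records.get("dmarc", ""))
    if dmarc.get("v", "").upper() != "DMARC1":
        findings.append("DMARC: no record, so SPF/DKIM failures are never enforced")
    else:
        if dmarc.get("p", "none").lower() == "none":
            findings.append("DMARC: p=none only monitors; move to p=quarantine or p=reject")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so spoofing attempts go unreported")
    return findings
```

Calling `assess(WEAK)` returns three findings (the `+all`, the `p=none` policy, and the missing `rua=` address), while `assess(HARDENED)` returns an empty list.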
See how your firm's external security posture looks with a free scan at kasperashield.com.