Cybersecurity for Accountants and CPA Firms: Protecting Client Financial Data

CPA Firms Are Prime Targets — and Have Specific Legal Obligations

Accounting firms and CPA practices hold some of the most sensitive financial data in existence: personal tax returns, business financial statements, payroll records, Social Security numbers, bank account information, and in many cases the complete financial picture of every client they serve. This concentration of high-value data makes CPA firms disproportionately targeted by identity thieves, ransomware groups, and fraudsters — and creates specific legal obligations under IRS guidelines and the Gramm-Leach-Bliley Act (GLBA) that many small accounting practices do not realize apply to them.

GLBA Safeguards Rule: The Legal Requirement Most CPA Firms Miss

The Federal Trade Commission’s GLBA Safeguards Rule applies to “financial institutions” — a category that explicitly includes tax preparers and accounting firms that handle nonpublic personal financial information. Small CPA firms and tax practices are covered. The Safeguards Rule requires covered businesses to implement a comprehensive written information security program (WISP) that includes:

  • Designation of a qualified individual responsible for overseeing the information security program
  • A risk assessment identifying reasonably foreseeable threats to client data
  • Implementation of safeguards to address identified risks — including access controls, encryption, and multi-factor authentication
  • Oversight of service providers who handle client financial data on your behalf
  • A written incident response plan
  • Annual review and update of the program

The FTC has increased enforcement of the Safeguards Rule, and civil penalties for violations are significant. More importantly, the IRS requires all tax professionals to create and maintain a Written Information Security Plan (WISP) — providing a free template and guidance at irs.gov/wisp.

Tax Season: The Highest-Risk Period

Accounting practices experience heightened cyber risk during tax season — January through April — for several reasons:

  • Staff are under pressure and working long hours, increasing the likelihood of clicking suspicious emails without careful review
  • Large volumes of client documents arrive via email, creating cover for malicious attachments
  • Attackers specifically target tax professionals during this period, knowing that payment pressure and deadline stress create exploitable distraction
  • Fraudulent tax return filing using stolen client data spikes — attackers who have compromised a CPA firm’s systems can file fraudulent returns for all clients simultaneously

The IRS Identity Protection PIN Program

The IRS Identity Protection PIN (IP PIN) is a six-digit number that prevents someone else from filing a federal tax return using a client’s Social Security number. Encouraging all clients to obtain IP PINs — available to all taxpayers at irs.gov/ippin — is a proactive measure that protects your clients from one of the most direct consequences of a data breach at your firm. If client SSNs are compromised in a breach, IP PINs block the primary fraudulent use of that data.

Secure Client Document Exchange

Email is not a secure method for exchanging tax documents, financial statements, or other sensitive client information. Unencrypted email transmitting Social Security numbers, bank account details, and income information is a GLBA violation and a security risk. Every accounting practice should use a secure client portal for document exchange:

  • Practice-management integrated portals: Platforms like Canopy, TaxDome, and Practice CS include built-in secure client portals — the preferred solution for accounting practices because document exchange, engagement management, and billing are integrated
  • Standalone secure portals: ShareFile, SmartVault, and similar platforms provide encrypted document exchange without full practice management
  • Minimum requirement: If clients insist on email, use encrypted email with password-protected documents — but actively encourage portal adoption as standard practice

Tax Software and Remote Access Security

Tax preparation software — Drake, ProSeries, Lacerte, UltraTax — stores client return data that is a direct theft target. Security controls for tax software environments:

  • Enable MFA on tax software accounts and portals wherever the software supports it
  • Restrict tax software remote access to VPN connections from known devices — never expose tax software directly to the internet
  • Maintain separate user accounts for each staff member with access limited to their assigned clients
  • Enable software audit logging to track who accessed which client files and when
  • Review the tax software vendor’s security practices and incident notification procedures
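
The per-user accounts and audit logging called for above are only useful if someone actually reviews the log. As an added example (not code from the original post or from any of the tax software vendors named above), the following Python script reviews a hypothetical tax-software audit log. It assumes a simple comma-separated format of timestamp, user, action and client id, plus a firm-maintained map of which clients each staff member is assigned to; the log lines, usernames and client ids are all constructed for illustration. It flags the three things the controls above are meant to surface: access to a client outside a staff member's assignment, bulk export of many clients' returns in a short window (the "all clients at once" pattern described for tax-season fraud), and after-hours activity.

```python
"""Review a hypothetical tax-software audit log for risky access patterns.

Added example; not code from the original post or from any tax software vendor.
Assumed log format (one event per line): timestamp,user,action,client_id
All sample data below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed: each staff member's assigned clients (least privilege scope).
ASSIGNMENTS = {
    "alice": {"C-1001", "C-1002"},
    "bob": {"C-2001"},
}

# Constructed sample audit log in the assumed format.
SAMPLE_LOG = """\
2024-03-14T09:02:11,alice,open_return,C-1001
2024-03-14T09:15:43,alice,open_return,C-1002
2024-03-14T09:20:05,bob,open_return,C-2001
2024-03-14T23:41:09,bob,open_return,C-1001
2024-03-14T23:41:12,bob,export_return,C-1002
2024-03-14T23:41:15,bob,export_return,C-2001
2024-03-14T23:41:18,bob,export_return,C-3001
"""


def parse_log(text):
    """Parse the assumed CSV-style log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, client = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "client": client})
    return events


def out_of_scope_access(events, assignments):
    """Events where a user touched a client outside their assignment set."""
    return [e for e in events
            if e["client"] not in assignments.get(e["user"], set())]


def bulk_export_alerts(events, window_seconds=300, threshold=3):
    """Map user -> max number of distinct clients exported within one window.

    Only users reaching `threshold` distinct clients inside `window_seconds`
    appear in the result; this is the "many clients at once" signal.
    """
    exports = defaultdict(list)
    for e in events:
        if e["action"] == "export_return":
            exports[e["user"]].append(e)
    alerts = {}
    for user, evs in exports.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            clients = set()
            for e in evs[i:]:
                if (e["ts"] - start["ts"]).total_seconds() > window_seconds:
                    break
                clients.add(e["client"])
            if len(clients) >= threshold:
                alerts[user] = max(alerts.get(user, 0), len(clients))
    return alerts


def after_hours_access(events, start_hour=7, end_hour=20):
    """Events outside the firm's normal working hours (assumed 07:00-20:00)."""
    return [e for e in events if not (start_hour <= e["ts"].hour < end_hour)]


def review(log_text, assignments):
    """Run all three checks and return a summary dict for reporting."""
    events = parse_log(log_text)
    return {
        "out_of_scope": out_of_scope_access(events, assignments),
        "bulk_exports": bulk_export_alerts(events),
        "after_hours": after_hours_access(events),
    }


if __name__ == "__main__":
    findings = review(SAMPLE_LOG, ASSIGNMENTS)
    for e in findings["out_of_scope"]:
        print(f"OUT OF SCOPE: {e['user']} {e['action']} {e['client']} at {e['ts']}")
    for user, n in findings["bulk_exports"].items():
        print(f"BULK EXPORT: {user} exported {n} distinct clients within 5 minutes")
    for e in findings["after_hours"]:
        print(f"AFTER HOURS: {e['user']} {e['action']} {e['client']} at {e['ts']}")
```

Run against the constructed log, the script reports three out-of-scope accesses by bob, a bulk export of three clients in under a minute, and four after-hours events. In practice the assignment map would come from the firm's engagement records, the window and threshold would be tuned to the firm's normal volume, and the review would be scheduled at least weekly during tax season.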

Client Notification Obligations After a Breach

If your firm experiences a data breach affecting client financial information, notification obligations apply under multiple frameworks:

  • State breach notification laws — every state has one, with varying timelines (typically 30 to 60 days)
  • GLBA Safeguards Rule notification requirements
  • IRS notification guidance for tax professionals (Publication 5293)

Document your incident response plan before a breach occurs and identify your legal counsel and cyber insurer contacts. The first 48 hours after discovering a breach are the most critical for limiting damage and meeting notification timelines.

CPA Firm Security Checklist

  • Written Information Security Plan (WISP) documented and current
  • Designated security officer responsible for the program
  • MFA on all tax software, email, and client portal accounts
  • Secure client portal in use for all document exchange — no sensitive documents via unencrypted email
  • IP PIN adoption encouraged for all clients
  • Tax software remote access restricted to VPN
  • Staff phishing training covering tax-season-specific scenarios
  • Incident response plan documented with breach notification contacts
  • Cyber insurance covering data breach, GLBA compliance, and client notification costs

Bottom Line

CPA firms and tax practices have legal obligations under GLBA and IRS guidance that many small practices have not implemented. The Written Information Security Plan is the foundational requirement — the IRS provides a free template that makes compliance accessible. Beyond compliance, secure client portals, MFA on all systems, and tax-season-specific staff training address the practical cybersecurity risks that make accounting practices attractive targets. The combination of regulatory obligation and attractive data makes security investment at accounting firms not optional — it is professional responsibility.
