IRS & FTC-Compliant Cybersecurity for Accounting & Tax Firms
A WISP that satisfies IRS Publication 4557 and the FTC Safeguards Rule. MFA on your tax software, e-file portals, and client document portals. Endpoint protection on every workstation. Tax-season BEC defence that catches client-impersonation emails before your preparers fall for them. Built by people who understand how a firm operates in February through April.
Why Now
Tax preparers are now a federal cybersecurity priority. Most firms aren't ready.
For decades, accounting and tax-prep cybersecurity was a sticky note: maybe antivirus on the desktop, maybe an external hard drive somewhere, definitely a shared password for the e-file portal. Those days are over.
In IRS Publication 4557, the agency lays out the explicit security obligations of every paid tax preparer. The FTC Safeguards Rulegoes further and treats every preparer that helps clients with financial decisions as a "financial institution" — meaning a written information security programme (WISP) and nine specific control families are mandatory. There's no size exemption.
The IRS now asks every preparer renewing a PTIN to affirm that they have a WISP. The number of preparers honestly answering "yes" is much smaller than the number who've answered yes on the form. The gap is closing — and not in preparers' favour.
Meanwhile, the threat side has gotten worse. Tax-season BEC is now a category attackers specialise in. Stolen preparer credentials are actively traded. Ransomware groups time their hits to March and early April for maximum leverage. Penalties under the FTC Act run up to $43,792 per violation per day. State boards of accountancy enforce too. Client lawsuits are routine after a breach.
The firms doing this well aren't the biggest ones. They're the ones who treated their WISP as a living programme rather than a one-time PDF.
The IRS Security Six
The six controls the IRS expects every preparer to operate.
Publication 4557 names these six explicitly. We deliver each one as a managed service — not as a checklist your firm has to chase.
Anti-Virus Software
IRS-compliant modern EDR on every workstation handling client data — not just consumer antivirus.
Firewalls
Properly configured perimeter and host-based firewalls, with documented rules and quarterly review.
Two-Factor Authentication
MFA on email, tax software, e-file portals, bank logins, IRS e-Services, and client document portals. No exceptions for partners.
Backup Software & Services
Encrypted, off-site, immutable backups of tax returns, working papers, and client documents — tested for restorability quarterly.
Drive Encryption
Full-disk encryption on every device that touches client data — laptops, desktops, mobile devices, and removable storage.
Virtual Private Network
VPN or zero-trust network access for any remote work, with documented configuration and access reviews.
The 9 FTC Safeguards Elements
What your WISP must contain — and how we deliver each one.
The FTC requires nine specific elements layered on top of the IRS Security Six. We operate the controls behind each one, every day.
Qualified Individual
A named person responsible for the security programme. We act as your virtual Qualified Individual or work alongside your appointed partner.
Written Risk Assessment
Documented assessment of threats to client tax data, financial records, SSNs, and bank details. Refreshed annually before PTIN renewal.
Access Controls
Least-privilege access, named accounts, role-based permissions across tax software, document portals, and accounting platforms.
Data Inventory & Classification
We map where client NPI lives — tax software, document portals, scanned W-2s and 1099s, working papers, accounting platforms.
Encryption of Client Data
Tax returns, working papers, scanned IDs, and bank details encrypted in transit and at rest. Email encryption for any client document exchange.
Application Security
Secure configuration of tax software, document portals, and accounting platforms. Vendor due diligence on every system touching client data.
MFA Everywhere
Multi-factor authentication enforced on every account that can reach client data — tax software, e-file, IRS e-Services, banking, portals, email.
Secure Disposal
Documented retention policy and secure-disposal procedures for paper returns, scanned IDs, prior-year files, and end-of-life devices.
Monitoring, Training, Response & Reporting
24/7 SOC monitoring, tax-season-aware awareness training, incident response plan including IRS Stakeholder Liaison notification, quarterly partner reporting.
Threats Built for Accounting Firms
Not generic SMB threats. The exact attacks targeting tax and accounting practices.
Tax-Season BEC & Client Impersonation
Attackers impersonate clients during tax season requesting last-minute W-2 or 1099 changes, fake IRS notices, or 'updated' bank details for refund direct deposit. The pressure of April makes it harder to verify.
Tax Software Account Takeover
Compromised credentials let attackers log into Drake, Lacerte, UltraTax, ProSeries, or CCH and file fraudulent returns against real client SSNs. The IRS reports thousands of preparer account compromises every season.
EFIN & PTIN Theft
A stolen EFIN or PTIN lets attackers file returns in your name. Recovery requires IRS intervention and can take months — during which you may be barred from e-filing.
Ransomware in Filing Season
Encrypt a tax practice mid-March and the leverage is enormous. Working papers, returns in progress, and client documents — all unavailable at the worst possible time. Ransom demands are calibrated accordingly.
Phishing for Client Documents
Attackers send fake 'send your W-2 securely' links to your clients, harvest the documents, then file fraudulent returns. Your clients blame you, even if your systems were never breached.
Unencrypted Client Files on Shared Drives
The single most common WISP failure: scanned IDs, prior-year returns, and client correspondence sitting unencrypted on a shared drive any staff member can copy or any compromise can exfiltrate.
We Speak Accountant
No translation needed. We know your stack — and your calendar.
We won't schedule a major rollout in March. We won't ask your senior partner to learn cybersecurity vocabulary. We've mapped controls onto the tax software, accounting platforms, and document portals you actually run — so the WISP and the day-to-day controls fit your workflow, including your filing-season pace.
Whether you're a solo preparer with 200 returns or a 40-person firm with three offices, the controls scale to match. Document-portal security, multi-office identity governance, client-impersonation phishing defence — built in.
Systems We Work With
Not a complete list. If your tax software, accounting platform, or document portal isn't shown, we've almost certainly worked alongside it.
What Onboarding Looks Like
90 days to a firm that can answer the IRS and the FTC honestly.
Week 1
Free WISP-Readiness Assessment
We map your firm against IRS Publication 4557, the Security Six, and the 9 FTC Safeguards elements. A one-page roadmap you can show your insurance broker and reference at PTIN renewal.
Weeks 2–4
Stabilise the Critical Gaps
MFA on tax software, e-file, IRS e-Services, banking, and email. EDR on every workstation. Removing shared logins. Encrypting client files. Backups verified.
Month 2
Build the WISP
Drafted to IRS Pub 4557 and the 9 FTC elements, signed by a Qualified Individual, with documented procedures the IRS Stakeholder Liaison or an FTC examiner could review. Tabletop incident-response exercise with the managing partner.
Month 3+
Run It
24/7 monitoring, monthly plain-English reports to partners, quarterly WISP review, monthly phishing simulations targeted to tax-season scenarios. We're your firm's outsourced security team year-round and especially during filing season.
What It Costs
Indicative pricing for a typical firm.
Solo / Small Practice
$399+/mo
Solo preparer or 2–5 staff
- Right-sized WISP to IRS Pub 4557
- Security Six fully operated
- MFA & EDR essentials
- Email security & encrypted backups
- Quarterly check-ins & reporting
Mid-Size Firm
$1,200+/mo
~6–25 staff, single office
- Full WISP build & ongoing oversight
- MFA enforcement across tax stack
- EDR on every workstation
- 24/7 monitoring & response
- Tax-season-aware awareness training
Multi-Office / Regional
$2,800+/mo
25–50+ staff, multi-office
- Everything in Mid-Size
- Multi-office identity governance
- Inter-office network segmentation
- Partner-level security committee reporting
- Per-office WISP variants
Indicative pricing. Final figures depend on staff headcount, office count, tax/accounting stack, and existing controls. Set out in the written services agreement.
What We Hear From Preparers
The five objections — answered honestly.
Doesn't my tax software handle security?+
It handles the security of its own platform. Everything else — your endpoints, your email, your identities, your document portal, your backups, your training, and the WISP itself — is your responsibility. The IRS holds the preparer accountable, not the software vendor. And under FTC Safeguards, you are the financial institution, not Intuit or Wolters Kluwer.
I have a local IT person. Isn't that enough?+
Most local IT shops are excellent at workstation support and printer issues but aren't security-led. Ask them: do you have a written WISP that satisfies IRS Publication 4557 and the FTC Safeguards Rule? Do you run 24/7 monitoring? Do you do tax-season-specific phishing simulations? If those answers are no, you have IT support, not security operations.
I'm a solo preparer. The IRS doesn't care about me.+
Wrong direction — the IRS specifically cares about you. Since 2023, the IRS PTIN renewal includes an affirmative question confirming that you have a written information security plan. Misrepresenting that is a problem. And under the FTC Safeguards Rule there's no size exemption — every preparer who handles client financial data is a 'financial institution' under FTC's definition. Penalties run up to $43,792 per violation per day.
My cyber insurance has me covered.+
Only if you have the controls you attested to on the application. Cyber applications for accounting and tax firms now routinely ask about MFA, EDR, encrypted backups, awareness training, and a documented WISP. Misrepresent any of those and the carrier denies the claim. We make your attestation truthful.
We had an assessment when we built our WISP. We're fine.+
An assessment is a snapshot. Both IRS Pub 4557 and the FTC Safeguards Rule require ongoing monitoring, periodic risk re-assessment, change management, and continuous training. If nothing has changed since your last assessment, that itself is the problem — the threat environment has changed dramatically.
Dig Deeper
Accounting-specific reading.
IRS Publication 4557 & the WISP every tax preparer needs
A plain-English walkthrough of the IRS Security Six and the WISP elements the IRS now confirms at PTIN renewal.
Business Email Compromise — the SMB BEC playbook
The six BEC plays, the technical stack that catches most, and the process controls that catch the rest.
Backup strategies that survive ransomware — the 3-2-1 rule
Why most accounting-firm backups are useless against modern ransomware, and what immutable and offline really mean.
IRS Pub 4557 Security Six + FTC WISP checklist — fillable and PTIN-ready
The Security Six controls plus the 9 FTC Safeguards WISP elements in one fillable checklist, with PTIN-renewal attestation language, a tax-season risk register, and IRS Stakeholder Liaison contacts.
See where your firm stands.
Free WISP-readiness assessment. We map your firm to IRS Publication 4557 and the 9 FTC Safeguards elements and hand you a one-page roadmap. No sales pressure. No IT-jargon report. Whether you engage us or not, you walk away with clarity — and something defensible the next time the IRS asks at PTIN renewal.
Get Free WISP Assessment