CPA and tax firms
When you renewed your PTIN, you attested that you keep a written security plan for client data. I make that plan real, turn on the controls behind it, and put wire-fraud defenses in place so a forged instruction is far harder to pull off. The work maps to the FTC Safeguards Rule and your IRS WISP, so the written security plan you signed for actually exists.
You hold client Social Security numbers, bank details, and full financial histories. That is exactly why small firms are targeted. In the 2025 Verizon Data Breach Investigations Report, ransomware appeared in 88 percent of breaches at small and medium businesses, against 39 percent at large organizations (Verizon 2025 DBIR, verizon.com/business). You are the target precisely because you hold valuable data and rarely have layered defenses.
The civil exposure is concrete, and it is something you can plan for calmly. FTC civil penalties for Safeguards Rule violations run up to $53,088 per violation as of the 2025 inflation adjustment, and that figure rises each year (FTC, Inflation-Adjusted Civil Penalty Amounts for 2025, ftc.gov). Separately, confirming the data-security acknowledgment on your PTIN renewal without a real plan behind it is a false statement on a federal form. Building the plan is small next to either outcome.
The same controls do double duty. MFA, encryption, and access controls are what the rule requires and what a cyber-insurance carrier asks about before it will quote or pay, so this work also protects your ability to qualify, bind, and keep a claim from being denied.
For the large majority of CPA practices and independent tax preparers, the Safeguards Rule does apply. The Gramm-Leach-Bliley Act defines a financial institution by the activities a business performs, not by whether it is a bank, and preparing income tax returns is one of those activities. The FTC regulation at 16 CFR 314.2(h) names an accountant or tax preparation service that completes income tax returns directly (FTC, 16 CFR Part 314, ftc.gov).
The IRS reaches the same conclusion. Publication 5708 states plainly that under the GLBA and the Safeguards Rule, tax and accounting professionals are considered financial institutions, regardless of size (IRS, Pub 5708, irs.gov). So this is not a gray area. If you prepare returns or handle clients' nonpublic financial information, plan on being covered. Most of the rule has been enforceable since June 9, 2023.
A WISP is the written information security plan the IRS expects of every paid preparer, spelled out in Publication 4557 with a template in Publication 5708 (IRS, irs.gov). The FTC side, 16 CFR 314.4, requires that same written program built from nine elements. Here is what that means in plain terms, with the citation after each.
Ownership
The rule calls this the Qualified Individual. It can be you, a staff member, or an outside provider, but one person has to own and enforce the program. Most firms have no one named, which is the first gap I close (16 CFR 314.4(a)).
Identity
Multi-factor authentication for anyone reaching a system with client information. This is also the first control a cyber-insurance carrier asks about, so the same work protects your ability to bind a policy (16 CFR 314.4(c)).
Data
Encryption of customer information on your devices and as it moves across outside networks. Where encryption is not feasible, the Qualified Individual approves an equivalent control in writing (16 CFR 314.4(c)).
Access
Access controls and least privilege, so a single clicked link or one compromised login cannot reach every client file at once (16 CFR 314.4(c)).
People
Staff training and oversight of the vendors who touch your data, held to the same standard you are. The people and the vendors are where most breaches actually start (16 CFR 314.4(e), (f)).
The bad day
A written incident response plan and the ability to see who touched what, and when. Smaller firms get relief on the written and periodic-testing pieces, covered below, but not on being ready to respond (16 CFR 314.4(h)).
If your firm maintains customer information on fewer than 5,000 consumers, 16 CFR 314.6 relaxes four specific items only: the formal written documents and periodic testing. It does not remove your duty to assess risk, to put safeguards in place, or to be ready to respond to an incident. So "we are small" is not a defense. It removes four formal items, not the obligation.
| Relaxed under 5,000 consumers (16 CFR 314.6) | Still required, every firm |
|---|---|
| Risk assessment in writing (314.4(b)(1)) | Multi-factor authentication (314.4(c)) |
| Continuous monitoring or annual penetration testing (314.4(d)(2)) | Encryption of customer data at rest and in transit (314.4(c)) |
| Written incident response plan (314.4(h)) | Access controls and least privilege (314.4(c)) |
| Qualified Individual's annual written report to the board (314.4(i)) | Qualified Individual, staff training, and vendor oversight (314.4(a), (e), (f)) |
Source: FTC, 16 CFR 314.6 and 314.4, ftc.gov.
Your firm moves client funds and refunds and sends instructions by email, which makes you a target for business email compromise. An attacker gets into or spoofs an email account, watches a real thread, and sends altered payment instructions at the moment money is moving.
I put wire-fraud defenses in place as controls, not as an insured guarantee, and the detail lives in the wire-fraud defense work. The honest goal is to make a fraudulent instruction fail at several points instead of clearing.
Written by Hammad Arain, founder of Arain Systems. CCNA, CompTIA Security+, Microsoft AZ-104. Updated June 2026. Educational, not legal advice.
I check how a fraudulent instruction would move through your office today, where your Safeguards and WISP gaps are, and how an insurer would read your posture, then give you written findings. No commitment, yours to keep.
Get my free review