
The FTC Safeguards Rule for Accountants & CPA Firms

If your firm prepares returns or handles client financial data, the FTC Safeguards Rule treats you as a "financial institution." Here's what your written information security program must contain, how it overlaps IRS Pub 4557, and the 2026 change that catches firms out.

The FTC Safeguards Rule for accountants is the compliance obligation most CPA and tax firms don't realise they already have. The FTC's expanded definition of a "financial institution" under the Gramm-Leach-Bliley Act captures any firm that prepares tax returns, does bookkeeping, or otherwise handles client financial data — which is essentially every accounting practice, of any size.

If you've already built a WISP for IRS Publication 4557, good news: you're most of the way there. The IRS requirement and the FTC Safeguards Rule describe largely the same program. The trap is the firms that have done neither — and the ones whose plan predates the 2025–26 update that removed the in-office MFA exception.

Two rules, one program

IRS Pub 4557 (which the IRS confirms at PTIN renewal) and the FTC Safeguards Rule overlap almost entirely. Build one written information security program that satisfies both — don't maintain two.

The required elements — for an accounting firm

1. Qualified Individual
   One named person (partner, firm admin, or an outsourced virtual Qualified Individual) accountable for the security program.

2. Written risk assessment
   Document the foreseeable threats to client financial data across your tax software, document portal, email, and file storage. Refresh annually.

3. Access controls
   Named accounts, least privilege, no shared logins to tax software, the document portal, or accounting platforms.

4. Data inventory
   Map where client NPI lives — tax software, portals, scanned IDs, working papers, email, and any back-office spreadsheets.

5. Encryption
   Client data encrypted in transit and at rest — including email containing returns or PII and any laptop or backup drive.

6. Multi-factor authentication
   MFA on email, tax software, e-file portals, IRS e-Services, and bank logins. The 2025–26 update removed the in-office exception — MFA applies to everyone, on-site or remote.

7. Secure disposal & change management
   Documented retention and secure-disposal for paper and digital client records, plus vendor due diligence on every system touching client data.

8. Monitoring, training, IR & reporting
   Ongoing monitoring, recurring staff training, a written incident response plan, and at least annual reporting to firm ownership.

Penalties & the risks that hurt more

The headline FTC Act civil penalty is $53,088 per violation (inflation-adjusted annually), with state attorneys general able to enforce in parallel. But for most firms the sharper risks are practical: a cyber-insurance claim denied because you attested to controls you didn't have, PTIN/EFIN consequences and IRS scrutiny after a breach, and the client-trust damage of a tax-season data exposure.

The 8-question self-audit

Firm self-audit

1. Have we designated a Qualified Individual in writing?
2. Have we completed a written risk assessment in the last 12 months?
3. Is MFA enforced on email, tax software, e-file portals, and bank logins — for everyone?
4. Is client data encrypted in transit and at rest, including email and laptops?
5. Do we have named accounts (no shared logins) across all client-data systems?
6. Have we run vendor due diligence on our tax software and document portal?
7. Do we have a written, tested incident response plan?
8. Could we show this to an FTC examiner or at PTIN renewal tomorrow?

The bottom line

The FTC Safeguards Rule isn't a new burden on top of IRS Pub 4557 — it's largely the same program under a second name. Build one documented WISP, enforce MFA everywhere (including in the office), and keep it current. That satisfies the IRS, the FTC, and your cyber-insurer at once.

See the deep dive in IRS Pub 4557 & the WISP every tax preparer needs, what a breach triggers in the IRS reporting path nobody tells you about, and what it costs for an accounting firm.

This article is general information, not legal advice. Verify current penalty figures and requirements before relying on them.
