Cybersecurity for CPAs: How To Be Compliant with the IRS


Learn how to become compliant with the IRS cybersecurity standards and protect yourself and your clients’ data.  

 We are not representatives from the IRS. This is our technical understanding of their requirements based upon our experience managing technology. That beings said, the IRS guidelines are not only important to understand. It also may be a helpful way for you to analysis your current IT structures and determine if you do have the best practices in place and if you are following the IRS requirements.


  1. Introduction

  2. Review IRS Safeguarding Taxpayer Data Guide 

    1. Overview of IRS Requirements 

    2. Protect Your Clients 

    3. Be On Guard 

    4. Respond & Report Incidents 

    5. Comply with FTC Additional Requirements

  3. Our Process: How to Be Compliant (The Big 4) 

    1. Policies & Procedures 

    2. Training
    3. Annual Risk Assessment 

    4. 3rd Party Assessments & Questionnaires 

  4. Summary 





Cybersecurity is a top concern for many CPA and tax-preparer firms. The IRS also has strict guidelines and rules they require tax-preparers to follow. Learn how you can become complaint with the IRS and also how to do everything within reason to ensure you protect yourself and your clients. Note, that through this process, participation is key. Every organization is different so there is not a blank one fix all solution for your organization. The more specific questions you ask yourself the more you can uncover potential security risk points and learn to mitigate them in your organization. 


Review IRS Safeguarding Taxpayer Data Guide


Overview of IRS Requirements


In the IRS Safeguarding Rules Guide (you can find it here), they lay out 4 main topics you should review to ensure you are protecting your client's data. You can find their guideline here and follow-along with each section if you’d prefer reviewing their answers in addition to ours.


Your Clients 

  • Take Basic Security Steps 
    • Training 

      • The IRS suggestions that you enforce regular and comprehensive cybersecurity training for your organization. There are many online training solutions out there that provide regular cybersecurity training that can keep you and your organizations up to date on the latest threats. Some training programs (like ours), provides different types of testing for things like phishing scams. More about this later in the article.  

    • Security Plan 

      • Similar to the FTC additional guidelines which we will be addressing later in this post, the IRS requires that you have a comprehensive Security Plan in place to address ongoing security issues but also things like having a disaster recovery or data loss recovery. Basically, what will you do in a situation where you unfortunately had a breach or suspect you have one. A thought-through plan would also include things like an annual risk assessment and designated a Security Officer. A comprehensive security plan would also cover things such as policies and procedures for documenting how you store, transmit, and delete sensitive data. 


    • Review Internal Controls

      • You have Financial Controls in your organization, you also have security and an industry term for technical security controls would "Internal Controls" - Depending on what technology your organization is utilizing, you will have a many different areas that you should be reviewing regularly to ensure things don't fall through the cracks. 


    • Reporting & Staying Connected with the IRS News

      • The IRS recommends that you are aware of the processes available for reporting a loss or breach in your organization. They also recommend you frequently check out their website for updates news on industry specific threats and changes.


    • Use Security Software  

      • Ensuring your hardware and software are encrypted is very important. In this section of the IRS guideline, they refer to making sure your hardware and software is encrypted. For example, if your laptop were to get stolen, having the hard drive encrypted beforehand will decrease chances of the criminal accessing the data on the drive. The same type of security applies to software access. Thankfully, most business-class hardware and software has encryption build-in but it's something to review to ensure you don't have any consumer-grade hardware or software in use. 

    • Create Strong Passwords  

      • Password management has only gotten more and more challenging as we have increased the amount of passwords we use in our organizations. This is partially due to the increased usage of cloud-based applications. That being said, storing passwords on an excel spreadsheet that is shared in your organization is extremely dangerous and has been linked to many accounts being compromised. A simple yet extremely power solution is to not reuse passwords but have a unique password for every situation. You might say that that would be challenging to remember all those different passwords. Yes it would and that is why Password Managers such as 1Password or LastPass have been in high demand as of late. These tools are extremely useful for managing all your passwords, creating unique passwords for each login, and also utilizing multi-factor authentication more easily. 

    • Secure Wireless Networks  

      • What you do on the internet is important, but also in what way you access the internet. The IRS recommends that you do not use public WiFi’s unless you are using a VPN solution to access your data. If you are working from home or the office, ensure you have a strong password to access your network. You should also have a firewall in place for your network and your workstations.

  • Protect Stored Client Data 

    • Drive encryption  

      • Similar to ensuring your software has encryption built-in, all hard drives that store sensitive data should be encrypted in-case someone where to maliciously gain access to them.  
    • Backup encrypted copies  

      • Backing up files is super important. In the case of a data-loss of any-kind, having a back-up ensures you can recovery and get your organization back to work. Many organizations are now storing their files in the cloud which is a huge win on many levels. However, that still doesn’t eliminate the need for cloud back-ups. Many of the large cloud providers such as Google or Microsoft guarantee to protect your data from loss due to them, however if someone where to maliciously login and delete your files or accidentally delete them, they do not provide back-ups for those. This is the same with email back-ups as well.  

    • Avoid: external transmitting client data through software not recommended by IT provider

      • In general, it’s best not to store and transmit client data through any provider except for the ones you’ve designated in advanced or ones your IT provider or IT manager has designated.  
    • Cloud-based or complete virtualization 

      • We’ve mentioned this before but just because your data is stored in the cloud doesn’t not it’s not susceptible to compromise or deletion. The precautions may look different, but you should still have the same diligence as you do with locally hosted files.

Be On Guard 

  • Spot Data Theft
    • Most of this section is based on common sense. However, review the following areas to ensure you are not missing anything. Here are a few red flags that should give you pause and potentially stop what you are doing:

    • Red flag: Client e-filed tax returns begin to reject because returns with their SSN were already filed. E-file has become much smoother over the years but:

      • Historically, we’ve seen frustrating software errors pop up with the e-filing function of tax software, especially during high-volume times or when forms are being updated.

      • That said, it may not be a software error that’s causing your e-file submission to be rejected. Pay attention to message in your tax software.

    • Red flag: Unexpected communication from the IRS, such as authentication letters, transcripts, notices that client’s account was accessed, etc.

      • This is really no different than monitoring your credit. If your bank sends you a notice saying congratulations on your new credit card, you may want to investigate further. Same thing here -- if the IRS is sending acknowledgements to things that you never initiated, you’ll want to follow up with them to understand why.

      • We recommend you commit to ongoing security training for your staff and be aware of the latest trends in security scams. COVID caused new scams to emerge, for example. The PPP and other stimulus programs provide new opportunities for scammers.

    • Red flag: Replies to emails you didn’t send 

      • This may or may not represent a breach in your email system. You’ll need your tech team to investigate.

      • One possible cause: Spoofing. Spoofing is when an unauthorized party (a hacker) sends an email that looks like it’s from you, but it isn’t. 

      • It is very easy for hackers to “spoof” an email address. This is because when the internet and email were originally designed, security wasn’t only in place, but discouraged (mail servers intentionally relayed messages for everyone, for free, in order to encourage the use of email)
      • We recommend locking down your email. You can restrict the permitted “sources” of email for your domain (using SPF) and publish your organization’s requirement to digitally sign your email (using DKIM) by configuring a DMARC record. (Tax professionals and IT people share a love for acronyms!) 
    • Monitor EFIN/PTINs  

      • IRS guide to safeguarding taxpayer data advises that weekly checks will flag any abuses. Here are a couple of those things to check: 

        • Check EFIN totals and PTIN totals online. 

        • Contact the IRS e-help Desk (EFIN) or report misuse on Form 14157 (PTIN) if number of returns filed exceed what you anticipated .

      • One way to demonstrate compliance is to task a member of your firm to keep weekly logs of how many tax returns have been e-filed at a given point in time. If you have a security portal where you document certain activities, such as checking logs, or acknowledging policies, that may be a perfect place to keep the weekly logs. This demonstrates you checked, and will provide you historical information for when a problem started, if you detect one. 
    • Recognize Phishing Scams  

      • Phishing is when scammers use email or text messages to trick you into giving them your personal information. 

      • Spear phishing – is individually targeted, contains additional information obtained from another source (such as your
        website or a collection of compromised passwords on the dark web)

      • Criminals may try to steal your passwords, account numbers, or Social Security numbers. If they get that information, they could gain access to your email, bank, or other accounts. 

      • How can they steal my password? I have a good antivirus software in place! (You visit a link which appears to take you to your regular login page, but it isn’t. When you input your password, it goes directly to the hacker, who then uses it on the REAL login page) 

      • The thief may pose as your tax software provider, your data storage provider, the IRS, your bank, or even a prospective client. (remember, spoofing is easy!) 

      • Scammers launch thousands of phishing attacks like these every day — and they’re often successful. Receiving an email from what appears to be a known source naturally puts us off our guard even for uncommon requests. 

        • I Love You virus 
        • Gift card scams 
        • Compromised online accounts 

      • Remember: A legitimate business will never email and request personal or sensitive information be sent to them via email, unless through a secured mail service. 

    • Guard Against Phishing Emails  

      • Here is an example of a phishing attempt email. As you can see they are very sophisticated and appear to be legitimate:


      • There are numerous best practices to avoid these scams:
        • Anti-phishing tool bars 

          • You can download an extension for your email provider that you can check and see if it’s a legitimate email or not.  

        • Hover first 

          • Hover over the link to see where it actually is headed. Just because the link is listed does not mean the link because the button or text is actually what is displaced. Two different things.  

        • Don’t click links 

          • Unless you are expecting or know for certain who the sender is, just don’t click on links.  

        • Use additional email filtering tools (Office 365 ATP, ProofPoint, etc.) 

          • There are many email filtering and phishing filtering services out there.  

        • Ongoing training 

          • The best way to fight phishing and other scams like that is to provide the best in class training to help your team stay alert and on guard. Our training service automatically send a few phishing simulations every week to keep our team and clients to reminder and train them regularly 

    • Be Safe On The Internet  

      • You should use general best practices for how to interact with the web safely. If you are looking for more personal best practices for safe surfing, check out our other blog post on Digital Hygiene here.

      • Multifactor-Authentication 

        • This is one area we hasn’t talked about much yet but it’s extremely important. When you are looking at your password and user name security, ensure you are enabling MFA where you can. This adds an additional level of security that will help you be event that much more secure. Password Managers can also help you manage the MFA as well.  

      • https:// in browser bar means the site is encrypted, and a green lock icon means. Browsers have got a lot better at this over the years. Google Chrome, Firefox, Microsoft Edge.  

      • Recommend against using IE unless absolutely necessary. It’s an old browser and less likely to be patched against security threats. Instead, switch to a modern browser like Google Chrome, Firefox, or Microsoft Edge. 

      • Use a password manager. 1Password is amazing for sharing passwords securely across a team, and allows you to have a separate password. 

      • Avoid using public wifi. And if you do, use a VPN service or your firewall’s built-in VPN. 

      • Encrypt data at rest (BitLocker, FileVault

      • Encrypt data in transit (Secure portal, email)



Report and Respond Incidents

  • Report Data Loss to IRS/States

    • There are three groups you should contact in case you have a breach or loss of data. You should note that if you have a Security Portal that tracks and stores your policies, you can be helpful in knowing what to communicate with the IRS.
      • Contact the IRS and Local Police (FBI or Secret Service only if directed by IRS) 

      • Contact states in which you prepare state returns 
        • Email the Federation of Tax Administrators 
        • State Attorney General for each state you prepare returns 

      • Contact experts 
        • Security experts to help determine where the breach occurred. Depending on the Data Loss could be your local IT Team or more specialized team. 

      • If you have cybersecurity insurance or your general liability covers data loss, you should contact your insurance company to report breach and check to see if they cover data breach mitigation expenses 
    • IRS has a Complete checklist for Data Theft on their website for reference 
    • Respond and Recover from a Data Loss (Basic Suggestions) 
      • Update your IRS Stakeholder Liaison with developments – Third Party reports will not be accepted in the case of identity theft over the phone.
      • Review FTC’s Data Breach Response Guide. helpful guidance in notifying clients and tips for responding and recovering from data loss 

      • Determine how the intrusion or theft occurred and make any required fixes before resuming tax preparation activities and being issued a new Electronic Filing Identification Number (EFIN). So as not to leave a back door open to hackers or virus lingering in the system. 

      • Develop a continuity plan. (Emergency Operations Plan for when data loss our an outage occurs) We help do this for our clients for when there is an outage. 

      • Make full backups of all business data and files. (Cloud Backups for email or Local Backups of machines that store sensitive data) If you weren’t doing it before the data loss, start as soon as your systems are clean. Encrypted regular cloud backups 

        • Routine backups can mean that data loss or ransomware attack will not destroy all files 

        • Consider a monthly backup schedule or more frequently during filing season. 

        • You don’t want to backup infected machines. 

      • Finally Consult with your professional insurance provider about data theft protection. 

        • Insurance Firms can help preparers recover from theft and they can sometimes help provide security experts to analyze protections that are in place or detect intrusions. 




Comply with the FTC Safeguards Rules 

  • Understand & Comply with the FTC Safeguards Rule  

    • You'll notice at the end of the IRS Safeguarding Guide document that they mention you much comply with the FTC rules in addition to the IRS rules. The FTC rules are very similar to the IRS but are more general guidelines as they relate to all financial service organizations. The IRS rules on the other hand go deeper into specific areas that are specific to CPAs and tax-preparers such as IRS filing scams, etc. However there are a few items that are notable in the FTC guidelines that are not mentioned in the IRS guidelines:

      • Designate one or more employees to coordinate its information security program;

      • Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks;

      • Design and implement a safeguards program, and regularly monitor and test it;

      • Select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information; and

      • Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.  




Our Process: How to Be Compliant (The Big 4)


So we covered a lot. You might be asking yourself, “how do I get all this stuff done” or “I’m confused! How does all this stuff connect?” - For our clients, we have a simple but effect what we call the Big 4 to ensure our clients are compliant with the IRS and stay as secure as possible. Here are the 4 areas and how they impact and effect your security & compliance: 


  • Training 

  • As we (the IRS) mentioned, training is extremely important as threats are consistently changing and it’s impossible to know everything. Ongoing and regular training and testing of yourself and employees is paramount. Thankfully there are many online training programs that are affordable and effective.  

  • Policies and Procedures  

  • Many of the actions listed above need to be documented and stored in a policy and procedures that your IT manager and other team-members know how to function in your organization’s situations. Most organizations need about 30 – 50 written policies and procedures to cover everything we’ve mentioned in this article. 

  • Annual Risk Assessment 

  • Writing everything you need to do down is great, but who is going to enforce it? Performing an annual risk assessment ensures your organization is complying by it’s own standard of rules. This assessment also helps to see which areas of your organization can be improved upon without finding out after the fact in the case of a breach.  

  • 3rd Party Assessments and Questionnaires  

  • If you haven’t been audited by the IRS for cybersecurity compliance, that’s great! However, it still can happen and being ready for it is important. Also, being ready for other outside assessments or questionnaires from clients or venders is important.  



In this blog post, we’ve reviewed the IRS Safeguarding Data Guidelines and everything that is entailed with their suggestions and requirements. We also covered parts of the FTC requirements that the IRS mentions in their document. We also discussed our process and the 4 main areas we help our clients to ensure they are compliant and do anything within reason to keep their organization secure. If you'd like to learn more our services, click here to request a quote.  



You may also like

Hosting Your Applications with ...
on October 1, 2021

Also known as Azure, Microsoft Azure is an online platform offering several cloud computing ...

commentIcon 0 Comments
Taylor Wells
5 Exciting New Features of ...
on September 9, 2021

Microsoft, the second-largest provider of unified communications as a service (UCaaS), recently ...

commentIcon 0 Comments
Taylor Wells
5 Lessons from JBS and Colonial ...
on August 31, 2021

Cybercriminals continue to penetrate the security system of business enterprises through various ...

commentIcon 0 Comments
Taylor Wells
5 Ways to Improve Your Security ...
on August 13, 2021

The Health Insurance and Portability and Accountability Act (HIPAA) is a policy that protects ...

commentIcon 0 Comments
Taylor Wells

Looking for more help?

Check out our live webinars!

Attend a webinar