Cybersecurity Checklist for Accounting & Bookkeeping Firms
Accounting firms hold SSNs, EINs, bank credentials, and payroll data for every client — and the IRS now requires tax professionals to have a Written Information Security Plan (WISP). During filing season, one compromised inbox becomes hundreds of fraudulent returns. Here's the checklist built for that reality.
The threats that actually hit accounting firms
Tax-season credential phishing
Fake IRS notices, e-services alerts, and client emails spike January through April, targeting EFINs and portal logins to file fraudulent returns.
Client-portal account takeover
Portals full of W-2s and financials sit behind one password unless MFA is enforced — a bulk identity-theft kit for attackers.
Business email compromise for payment fraud
Firms authorized to move client money or run payroll are prime BEC targets; attackers impersonate clients requesting 'urgent' changes.
How many of these boxes can you actually check?
Find out in 3 minutes. CyberGrade grades your security posture A+ through F and shows your top risks — free, no email required to start.
Get Your Free Security Grade
The checklist
1. Write (or update) your WISP
Effort: an afternoon. IRS Publication 4557 makes a Written Information Security Plan mandatory for tax preparers — and it's checked on PTIN renewal.
2. Enforce MFA on email, tax software, and client portals
Effort: quick win. The IRS 'Security Six' starts here; credential theft is the dominant tax-pro attack.
3. Encrypt client data at rest and in transit — no email attachments for returns
Effort: quick win. A return in an email attachment is an SSN in plaintext; use the portal, always.
4. Verify payment and banking changes by phone at a known number
Effort: quick win. BEC succeeds when a written request is enough to move money. Make voice verification at a known number the policy.
5. Back up client files and tax software daily, off-site, tested
Effort: an afternoon. Ransomware during filing season is an existential event without a restore you've actually run.
6. Monitor your EFIN usage weekly during season
Effort: ongoing. Fraudulent filings under your EFIN show up in e-services counts before the IRS letters arrive.
7. Give seasonal staff least-privilege accounts that expire
Effort: an afternoon. Temporary preparers shouldn't retain year-round access to the client base — expiry dates automate the cleanup.
8. Train staff on phishing every season, with examples from your inbox
Effort: ongoing. Real samples from your own quarantine beat generic training — filing-season phish are highly specific.
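Item 7 works in practice only if expiry is set at provisioning time and audited, because a seasonal account created without a date never cleans itself up. The script below is an added example, not code from the page or from CyberGrade: it assumes an on-premises or hybrid Active Directory with the ActiveDirectory RSAT module, a hypothetical OU named "Seasonal Staff" that holds only temporary preparer accounts, a hypothetical least-privilege group "Tax-Preparers-Seasonal", and a constructed season-end date. It creates a seasonal account that stops accepting logons on its own, audits the OU weekly for accounts with no expiry or past expiry, and disables the stragglers.

```powershell
# Added example (not from the page): provision and audit seasonal preparer
# accounts in on-prem/hybrid Active Directory. Assumes the ActiveDirectory RSAT
# module, a hypothetical OU "Seasonal Staff" holding only temporary accounts,
# and a hypothetical scoped group "Tax-Preparers-Seasonal".
Import-Module ActiveDirectory

$SeasonalOU    = 'OU=Seasonal Staff,DC=firm,DC=example'   # hypothetical OU and domain
$SeasonEnd     = Get-Date '2025-04-20'                     # constructed: last filing day plus a buffer
$SeasonalGroup = 'Tax-Preparers-Seasonal'                  # hypothetical least-privilege group

# 1. Create a seasonal account that expires on its own at season end.
function New-SeasonalPreparer {
    param(
        [Parameter(Mandatory)] [string]$SamAccountName,
        [Parameter(Mandatory)] [string]$DisplayName,
        [Parameter(Mandatory)] [datetime]$ExpiresOn
    )
    $tempPassword = Read-Host -AsSecureString "Initial password for $SamAccountName"
    New-ADUser -Name $DisplayName -SamAccountName $SamAccountName -Path $SeasonalOU `
        -AccountPassword $tempPassword -ChangePasswordAtLogon $true -Enabled $true `
        -AccountExpirationDate $ExpiresOn `
        -Description "Seasonal preparer, expires $($ExpiresOn.ToShortDateString())"
    # One scoped group carries the client-file permissions; no ad-hoc share grants.
    Add-ADGroupMember -Identity $SeasonalGroup -Members $SamAccountName
}

# 2. Weekly audit: no expiry set is a policy gap; expired but still enabled
#    means the account is blocked at logon yet still holds its memberships.
function Get-SeasonalAccountFindings {
    $users = Get-ADUser -SearchBase $SeasonalOU -Filter * `
        -Properties AccountExpirationDate, Enabled, LastLogonDate
    foreach ($u in $users) {
        if (-not $u.AccountExpirationDate) {
            [pscustomobject]@{ Account = $u.SamAccountName; Finding = 'No expiry set';
                               Action  = 'Set-ADAccountExpiration' }
        } elseif ($u.AccountExpirationDate -lt (Get-Date) -and $u.Enabled) {
            [pscustomobject]@{ Account = $u.SamAccountName; Finding = 'Expired but still enabled';
                               Action  = 'Disable-ADAccount' }
        }
    }
}

# 3. Remediate: set the season-end expiry where missing, disable where expired.
function Invoke-SeasonalCleanup {
    param([switch]$WhatIf)
    foreach ($f in Get-SeasonalAccountFindings) {
        switch ($f.Action) {
            'Set-ADAccountExpiration' {
                Set-ADAccountExpiration -Identity $f.Account -DateTime $SeasonEnd -WhatIf:$WhatIf
            }
            'Disable-ADAccount' {
                Disable-ADAccount -Identity $f.Account -WhatIf:$WhatIf
            }
        }
        Write-Output "$($f.Account): $($f.Finding) -> $($f.Action)"
    }
}

# Usage:
#   New-SeasonalPreparer -SamAccountName 'jdoe.season' -DisplayName 'Jane Doe (Seasonal)' -ExpiresOn $SeasonEnd
#   Invoke-SeasonalCleanup -WhatIf    # preview; run without -WhatIf as the weekly in-season task
```

Two points the script encodes that a one-off "set a date" step does not: an AD account past its expiration date is refused at logon but is not marked disabled, so it keeps its group memberships and still shows up as an active principal in reviews, which is why the audit disables it outright; and the audit runs against the OU rather than a roster, so an account someone created by hand without a date is caught the following week instead of the following year.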
Frequently asked questions
Is a WISP actually required for tax preparers?
Yes — the FTC Safeguards Rule and IRS requirements make a written security plan mandatory for anyone with a PTIN. The IRS provides a template (Pub. 5708), and PTIN renewal now includes attesting to your data-security responsibilities.
What happens if my firm suffers a breach during tax season?
You must notify the IRS (stakeholder liaison), potentially the FTC, affected clients, and possibly state authorities — while fraudulent returns filed under stolen data create months of client remediation. Prevention is dramatically cheaper than the notification process alone.
Can I email tax returns to clients if they ask?
Only encrypted — an unencrypted return exposes everything identity thieves need. The cleaner answer is a client portal with MFA; 'the portal, always' is easier to enforce than per-email judgment calls.