Cybersecurity Checklist for Accounting & Bookkeeping Firms

Accounting firms hold SSNs, EINs, bank credentials, and payroll data for every client — and the IRS now requires tax professionals to have a Written Information Security Plan (WISP). During filing season, one compromised inbox becomes hundreds of fraudulent returns. Here's the checklist built for that reality.

The threats that actually hit accounting firms

Tax-season credential phishing

Fake IRS notices, e-services alerts, and client emails spike January through April, targeting EFINs and portal logins to file fraudulent returns.

Client-portal account takeover

Portals full of W-2s and financials sit behind one password unless MFA is enforced — a bulk identity-theft kit for attackers.

Business email compromise for payment fraud

Firms authorized to move client money or run payroll are prime BEC targets; attackers impersonate clients requesting 'urgent' changes.

How many of these boxes can you actually check?

Find out in 3 minutes. CyberGrade grades your security posture A+ through F and shows your top risks — free, no email required to start.

Get Your Free Security Grade

The checklist

1. Write (or update) your WISP

an afternoon

The FTC Safeguards Rule requires a Written Information Security Plan from every tax preparer; IRS Publication 4557 explains the obligation, and PTIN renewal now asks you to attest to your data-security responsibilities.

2. Enforce MFA on email, tax software, and client portals

quick win

MFA is one of the IRS 'Security Six', and stolen credentials are the dominant way tax professionals get compromised; a phished password without MFA is a working login.

3. Encrypt client data at rest and in transit — no email attachments for returns

quick win

A return in an email attachment is an SSN in plaintext; use the portal, always.

4. Verify payment and banking changes by phone at a known number

quick win

BEC succeeds when a written request is enough to move money. Make voice verification policy, and call the number already on file for the client, never one supplied in the request itself.

5. Back up client files and tax software daily, off-site, tested

an afternoon

Ransomware during filing season is an existential event without a restore you've actually run.

6. Monitor your EFIN usage weekly during season

ongoing

Compare the return counts shown in your IRS e-Services account against the returns your firm actually filed; fraudulent filings under your EFIN show up there before the IRS letters arrive.

7. Give seasonal staff least-privilege accounts that expire

an afternoon

Temporary preparers shouldn't retain year-round access to the client base. Set an expiration date when the account is created so the cleanup happens automatically, and still audit afterwards: an expired account can no longer log in, but its group memberships remain until someone removes them.
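One way to do this in Active Directory, as an added example that is not part of the original checklist: the seasonal account is created with an expiration date already set, placed in a dedicated OU, and given access only through a season-scoped group; a weekly audit then finds seasonal accounts that were created without an expiry, and disables and strips group memberships from those that have expired. The OU path, group name, user details and season end date below are assumptions for illustration; the cmdlets are the standard ActiveDirectory RSAT module.

```powershell
# Added example, not code from the page. Requires the ActiveDirectory module (RSAT).
# OU, group name, user and dates are assumed values for illustration.
Import-Module ActiveDirectory

$seasonEnd  = Get-Date '2025-04-30'                         # assumed end of filing season
$seasonalOU = 'OU=Seasonal,OU=Staff,DC=firm,DC=local'       # assumed OU for temporary staff
$prepGroup  = 'TaxPrep-Season-2025'                         # assumed group that grants portal/tax-software access

# 1. Provision: the expiration date is set at creation time, not as a later chore.
New-ADUser -Name 'Jane Preparer' -SamAccountName 'jpreparer' `
    -UserPrincipalName 'jpreparer@firm.local' -Path $seasonalOU `
    -AccountExpirationDate $seasonEnd `
    -AccountPassword (Read-Host -AsSecureString 'Initial password') `
    -ChangePasswordAtLogon $true -Enabled $true

# Access comes only from the season-scoped group, which is itself removed after season end.
Add-ADGroupMember -Identity $prepGroup -Members 'jpreparer'

# 2. Weekly audit: an enabled account in the seasonal OU with no expiration date
#    is a provisioning miss that would otherwise live on year-round.
$missingExpiry = Get-ADUser -SearchBase $seasonalOU -Filter 'Enabled -eq $true' `
    -Properties AccountExpirationDate |
    Where-Object { -not $_.AccountExpirationDate }
$missingExpiry | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

# 3. Cleanup: expiration blocks logon but leaves the account enabled and in its groups.
#    Disable expired seasonal accounts and remove every group except Domain Users.
Search-ADAccount -AccountExpired -UsersOnly -SearchBase $seasonalOU |
    Where-Object { $_.Enabled } |
    ForEach-Object {
        Disable-ADAccount -Identity $_
        Get-ADPrincipalGroupMembership -Identity $_ |
            Where-Object { $_.Name -ne 'Domain Users' } |
            ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $args[0] -Confirm:$false } 
    }
```

Run steps 2 and 3 from a scheduled task each week during season; step 2 should come back empty, and anything it lists is a seasonal account that would otherwise have silently become permanent. The same pattern applies in Entra ID, where the equivalent is a time-bound access package or group assignment rather than an account expiration date.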

8. Train staff on phishing every season, with examples from your inbox

ongoing

Real samples from your own quarantine beat generic training — filing-season phish are highly specific.

Frequently asked questions

Is a WISP actually required for tax preparers?

Yes — the FTC Safeguards Rule and IRS requirements make a written security plan mandatory for anyone with a PTIN. The IRS provides a template (Pub. 5708), and PTIN renewal now includes attesting to your data-security responsibilities.

What happens if my firm suffers a breach during tax season?

You must notify the IRS (stakeholder liaison), potentially the FTC, affected clients, and possibly state authorities — while fraudulent returns filed under stolen data create months of client remediation. Prevention is dramatically cheaper than the notification process alone.

Can I email tax returns to clients if they ask?

Only encrypted — an unencrypted return exposes everything identity thieves need. The cleaner answer is a client portal with MFA; 'the portal, always' is easier to enforce than per-email judgment calls.
