IT for Accountants

A CPA practice that has a breach involving client financial data is not just dealing with an IT incident. It's dealing with regulatory notification obligations, state breach disclosure laws, IRS reporting in some cases, professional liability exposure, and the reputational damage that follows when a client learns their SSN or banking information was exposed by their accountant. In a small market like Wichita, that kind of story travels.

This page covers the regulatory landscape most CPAs are now subject to (and many haven't fully addressed), the specific IT and security posture a serious CPA practice should be running, and what makes the tax season operational concerns different from a typical business calendar.

The FTC Safeguards Rule, in plain English

The FTC Safeguards Rule was originally promulgated in 2003 under the Gramm-Leach-Bliley Act. The version that matters now is the 2021 update, with most provisions effective December 9, 2022 and the rest enforceable starting June 9, 2023.

The Rule applies to "financial institutions" as the FTC defines that term, which is broad. It explicitly covers tax preparers and CPAs doing tax work. It also covers bookkeepers, payday lenders, mortgage brokers, finders of consumer financial information, and other businesses significantly engaged in financial activities. If your firm prepares tax returns for compensation, the Rule applies to you.

The substantive requirements include:

  • a designated Qualified Individual responsible for the information security program
  • a written Information Security Program based on a written risk assessment
  • access controls and an inventory of customer information
  • encryption of customer information both at rest and in transit
  • multi-factor authentication on any system that accesses customer information
  • secure disposal of customer information
  • change management
  • monitoring and logging of activity on systems with customer information
  • periodic penetration testing or vulnerability scanning
  • training for personnel handling customer information
  • oversight of service providers (your IT firm included)
  • an incident response plan
  • an annual written report from the Qualified Individual to the board or senior management

Most Wichita CPA firms we talk to in onboarding audits have parts of this in place and parts they haven't formally addressed. Multi-factor authentication is often deployed on email but not on the tax software or the practice management system. A risk assessment may exist but isn't current. A written Information Security Program might be a template downloaded from a webinar three years ago. An incident response plan often doesn't exist, or exists as a verbal understanding rather than a document. The Annual Report has not happened.

These gaps are not unusual. They are the pattern we run into more than we'd like to. The Rule has teeth. The FTC's civil penalties reach into the tens of thousands of dollars per violation and rise with inflation each year, and financial-sector data security has drawn heightened FTC scrutiny recently, so closing the gaps systematically is a priority. We build out the Information Security Program, run the risk assessment, document what needs to be documented, and put the technical controls in place. The work folds into our Managed IT Services engagement rather than being a separate consulting project.

IRS Publication 4557 and the Security Six

If you prepare tax returns for compensation, IRS Publication 4557 also applies. It outlines the data security obligations of paid tax return preparers, and the IRS has been increasingly active in checking compliance during PTIN renewals.

The core technical requirements are sometimes called the "Security Six": antivirus software (in 2026, this means modern endpoint detection and response, not the consumer antivirus the term once described), a firewall, two-factor authentication, backup software with proper backup hygiene, drive encryption, and a VPN for remote access to the firm's network. Publication 4557 also requires a written data security plan, which is essentially the same artifact as the FTC Safeguards Rule's Information Security Program, with some accounting-specific language.

A CPA firm that's compliant with the FTC Safeguards Rule is generally also compliant with IRS Publication 4557, with minor differences in documentation language. We build the program once and document it appropriately for both regulatory contexts.

The breach risk for a CPA practice

The data a CPA firm holds is high-value to attackers and high-stakes to lose: full Social Security numbers, tax IDs, banking information, employer identification numbers for business clients, signatures, prior-year returns, dependents' information, and in many cases scanned source documents that include passport copies, driver's licenses, and other identity documents. The combination is more than enough to enable identity theft, refund fraud, and synthetic identity creation at industrial scale.

That value attracts a specific category of attack. Tax season phishing campaigns targeting CPA firms accelerate in February and March every year. Business email compromise (BEC) attacks against accounting firms often impersonate a client or a payroll provider to redirect a payment, refile a return with a fraudulent direct deposit instruction, or extract sensitive data through what looks like a legitimate request. Ransomware against CPA firms tends to peak in the weeks before April 15 because operational urgency makes ransom payment more likely.

No single product defends against this. The protection is a layered posture that covers identity (MFA across every system that touches client data, not just email), endpoints (real endpoint detection and response on every workstation, including the partners' home machines if they ever access firm data), email (advanced filtering beyond the default Microsoft 365 or Google Workspace protections, plus user training calibrated to the kinds of phishing CPA firms actually receive), backup (immutable copies that ransomware can't reach, with restore testing before busy season), and incident response readiness (a documented plan so the first 24 hours of an incident aren't improvised). The depth on each layer is covered on our Cybersecurity Services page.

Tax season is an operational reality, not a footnote

Most general IT firms manage their clients on a flat calendar. Standard response times, standard maintenance windows, standard service expectations year-round. That model breaks down for a CPA firm between February and April.

During tax season, an outage that would be inconvenient at most businesses is a real revenue and client-trust event for a CPA. A server crash on March 15 with returns due April 15 is not a routine ticket. A workstation that becomes unstable during a partner's peak billing days costs real money. The patches that need to be applied get applied around the workload, not into the middle of it.

A CPA-aware IT engagement plans around the calendar. Major changes and migrations happen in summer or fall, not in February. Backup verification and restore testing happen before busy season starts, with documented confirmation. Workstation performance is reviewed and addressed in January, before the workload hits. None of that is a special busy-season service tier. It's that the whole team knows when your crunch hits, so the routine work gets timed around it instead of dropped into the middle of it.

This is the kind of operational thinking that comes from having watched the calendar of a CPA practice. The pattern of a firm's busiest weeks is built into how we plan the engagement.

What's in scope for a CPA IT engagement

Everything covered on our Managed IT Services page (endpoint management, server administration, network management, email and identity, patch management, backup management, end-user support, vendor management, IT strategy) plus the CPA-specific layers:

FTC Safeguards Rule program build and maintenance. The Information Security Program document, the risk assessment, the Qualified Individual support, the access control inventory, the annual written report. We document what needs to be documented and we update it as the firm changes.

IRS Publication 4557 compliance. The written data security plan and the Security Six technical controls, integrated with the Safeguards Rule work so it's one program, not two.

Tax software and practice management support. Workstation specifications appropriate for the multi-program load of tax season. Performance monitoring tuned to the applications that matter to a CPA. Coordination with the tax software vendor when issues are application-side rather than infrastructure-side.

Secure client document exchange. A client portal infrastructure that meets the encryption-in-transit requirements of both the Safeguards Rule and IRS guidance. The portal becomes the default channel for sensitive document exchange, instead of email attachments.

Backup and recovery sized for accounting workloads. CPA firms carry years of prior-year returns, large source-document repositories, and a practice management database that only grows, all of which you're obligated to retain for a set period and then dispose of securely. The backup, retention, and disposal strategy reflects those patterns and the seasonal load.

Access for seasonal and remote staff. Busy season and the extension stretch often bring temporary or remote preparers who touch client data. We provision their access cleanly when they start and pull it just as cleanly when they're done, which is what the Safeguards Rule's access-control and inventory requirements expect.

Cybersecurity calibrated to client-data handling. A higher floor than a typical small business engagement, because the threat profile and regulatory expectations are higher. The full layered posture is described on the Cybersecurity Services page.

Tax season operational planning. An annual review in November or December handles what needs handling before busy season, with major changes scheduled outside the crunch. We time routine work around your calendar rather than into it, because the team knows when each client's busiest weeks land.

Where to start

A short call is the right way to figure out whether we're a fit. Tell us what your firm does, where you sit on the FTC Safeguards Rule readiness scale (honestly, even if the answer is "I'm not sure"), and what your current IT setup looks like. We'll tell you what we'd address first.

Book an exploratory call. Thirty minutes, no commitment. Best timing is between May and December (before next year's busy season starts compressing).

Frequently asked questions

1. Does the FTC Safeguards Rule actually apply to a small CPA firm?

Yes, in nearly every case. The FTC defines "financial institution" broadly enough to cover paid tax preparers, CPA firms that prepare tax returns, bookkeepers, mortgage brokers, payday lenders, and other businesses significantly engaged in financial activities. There is no small-firm exemption. The Rule is structured so that smaller firms have somewhat lighter documentation requirements than larger firms (some provisions kick in only at 5,000 customer records or above), but the core requirements (written Information Security Program, Qualified Individual, risk assessment, MFA, encryption, incident response plan, oversight of service providers) apply regardless of firm size.

2. We already have IT support. Why would we switch?

The question is whether your current IT support understands the Safeguards Rule, IRS Publication 4557, and the operational pattern of a CPA practice well enough to actually deliver on the regulatory and security requirements. Some MSPs do. Many don't. The Co-Managed IT model works for firms where the existing setup is partially fine but lacks compliance depth or security expertise. The exploratory call is where we figure out whether switching, supplementing, or staying with your current setup is the right move for your firm.

3. What happens if we have a breach despite all of this?

You work the incident response plan we documented with you before the incident happened. That plan names who decides, who calls outside counsel, who notifies the cyber insurance carrier, when state breach notification obligations get triggered, what client communication looks like, and how the firm continues to operate while the investigation is happening. Layered defenses reduce the probability and the blast radius, and a documented incident response plan reduces the chaos and the cost when something does get through. The difference between a contained incident and an existential event for a CPA practice often comes down to how the first 24 hours are handled.

4. How do you handle our tax software environment?

The tax software stays with the vendor (we don't replace your tax preparation suite, your practice management system, or your document management platform). We manage the infrastructure those applications run on: the workstations, the servers, the network, the storage, the identity layer, and the security around all of it. When there's an application-side issue, we coordinate with the vendor's support rather than telling you to call them yourself, and when an infrastructure problem is masquerading as a software issue, we handle it.

5. What does CPA IT pricing look like?

Our pricing is structured per user across your firm. There's a one-time onboarding fee for the initial work (discovery, documentation, FTC Safeguards Rule program build if needed, operational handoff) and a monthly per-user fee that covers all our labor for ongoing operations and the Safeguards Rule maintenance work. Hardware, software licensing, the cybersecurity products deployed in your environment, and explicit project work are scoped and billed separately. The exploratory call is the right place to talk through what the numbers look like for your firm.
