
A Practical Cybersecurity Compliance Guide for CPA Firms

By Kate Krupey, VP of CPA Practice 




As cybersecurity threats evolve, so do compliance expectations. Both the IRS and FTC now require CPA firms to implement robust safeguards for protecting sensitive client information, and the bar is getting higher. 


These requirements aren’t just IT recommendations. They’re regulatory standards that define professional responsibility in today’s landscape. And while the IRS and FTC guidelines don’t perfectly align, there’s significant overlap that firms can use to streamline their efforts and reduce risk. 


Two Regulators. One Mission: Protect Client Data. 

The IRS has long required tax professionals to secure taxpayer data, with Publication 4557 outlining key practices for preventing breaches and unauthorized access. Meanwhile, the FTC’s revised Safeguards Rule, issued under the Gramm-Leach-Bliley Act, now explicitly covers CPA firms and mandates that each firm have a Written Information Security Plan (WISP), a designated security lead (the rule’s “Qualified Individual”) and an ongoing risk management process. 


While the details vary, the message is clear: protecting client data is non-negotiable. And beyond regulatory compliance, strong cybersecurity helps preserve your firm’s reputation and business continuity. 


Looking Beyond the IRS and FTC: The Bigger Compliance Picture 

The IRS and FTC requirements are central, but CPA firms may also be subject to other compliance frameworks depending on the services they offer, the industries they serve and where their clients are located. 


Here are some examples: 


  • Gramm-Leach-Bliley Act (GLBA): Forms the foundation of the FTC’s Safeguards Rule and includes provisions for data sharing and protection. 

  • Sarbanes-Oxley Act (SOX): Impacts firms working with public companies, especially in audit or financial reporting roles. 

  • State Privacy Laws (California’s CCPA, Colorado’s CPA, Virginia’s VCDPA, etc.): Impose requirements on data collection, sharing and consumer rights based on where clients reside, not necessarily where your firm is based. 

  • HIPAA: Applies to firms working with healthcare clients or handling protected health information (PHI). 


To help firms make sense of these overlapping obligations, here’s a high-level reference table: 


Key Regulations CPA Firms Should Know 

Regulation / Law | Applies To | What to Know 
IRS Publication 4557 | All firms handling taxpayer data | Requires administrative, physical and technical safeguards. Recommends the “Security Six.” Noncompliance can result in civil or criminal penalties. 
FTC Safeguards Rule | CPA firms defined as financial institutions | Requires a WISP, a designated security lead (Qualified Individual) and regular risk assessments. 
Sarbanes-Oxley (SOX) | Firms working with public companies | Emphasizes internal controls and may require IT system reviews. 
State Privacy Laws | Firms collecting personal data from state residents | Mandates data disclosures, consumer opt-outs and access requests. 
HIPAA | Firms supporting healthcare organizations | Requires specific protections for electronic PHI and breach response protocols. 


Bringing Compliance to Life 

Cybersecurity compliance isn’t just an annual task; it’s an ongoing process. And during high-demand times like tax season, the risks increase. According to Accounting Today, cyberattacks against CPA firms tend to rise before and after tax deadlines, when firms are most vulnerable. 


This is where a strong WISP becomes crucial. A well-built WISP supports both FTC and IRS requirements while also serving as a blueprint for how your firm protects data, manages risk and keeps operations running during an incident. 


Here’s how to get started: 


  1. Conduct a Risk Assessment to identify vulnerabilities 

  2. Update or create policies that address those risks 

  3. Revise your WISP and Incident Response Plan to reflect new or improved safeguards 

  4. Train your staff to ensure security policies are followed across the firm 


As you revisit your program, ask: 


  • Do we have policies that align with our WISP? 

  • Who is responsible for security oversight, and do they meet the FTC’s “Qualified Individual” standard? 

  • Did any shortcuts or changes during tax season introduce new risks? 

  • Are encryption, backups and authentication applied consistently? 

  • Have we documented any recent incidents or near misses? 

  • Has our Incident Response Plan been tested? 


Where the Rules Align — and Where They Don’t 

You don’t need two separate compliance programs for the IRS and FTC. But you do need to know where their expectations overlap and where they diverge: 


  • Both emphasize encrypting sensitive data (in transit and at rest) 

  • The IRS promotes the “Security Six”: antivirus software, firewalls, two-factor authentication, backup software or services, drive encryption and a virtual private network (VPN) 

  • The FTC expects more documentation, including vendor oversight, testing and written risk evaluations 


Importantly, compliance doesn’t always mean security. A checklist approach can leave blind spots. True protection comes from building a program informed by real risks and backed by strong policies, documentation and employee engagement. 


Why Documentation Matters 

Regulators don’t just want to hear that your firm is secure — they want proof. That means clear documentation: risk assessments, training logs, incident response playbooks and security configurations. 


Many smaller firms fall short here, especially without internal IT leadership. But creating audit-ready documentation is a critical investment and a sign that your firm treats cybersecurity as more than a one-time obligation. 


From Mandate to Advantage 

Most CPAs didn’t enter the profession to become cybersecurity experts. But in today’s landscape, security is part of running a successful, resilient firm. 


Clients are paying attention. They want to know their data is safe. By showing that your firm takes cybersecurity seriously, you don’t just meet regulatory requirements; you gain a competitive edge. 


Building a strong compliance foundation today also sets your firm up for a future SOC 2 attestation or ISO 27001 certification. It’s a step toward maturity and trustworthiness that clients notice. 

Firms that embed security into their daily operations are more agile, resilient and better positioned for long-term growth. Compliance becomes a differentiator, not just a checkbox. 


About the Author & Next Steps 


This blog was written by Kate Krupey, who leads Netgain’s CPA practice vertical. Kate helps firms achieve results through bold change and smart IT investments. As a former CIO of a national CPA firm, she brings a deep understanding of the profession and a practical approach to advancing it. 


Want to explore how your firm can strengthen its compliance posture? Connect with us to start the conversation. Our team is here to help you assess your current state and build a roadmap for success. 
