CPA Firm IT Security
Reviewed by Fully Compliance editorial team
CPA firms hold tax IDs, Social Security numbers, bank accounts, salary data, and years of financial history for hundreds of clients — making them high-value ransomware targets. Security requires defense-in-depth: email security catching phishing, endpoint detection on all devices, network segmentation, offline backups, granular work paper access controls, encrypted client portals, AICPA ethics compliance documentation, and cyber liability insurance with coverage conditioned on maintaining specific controls.
Your clients come to you with more than just tax returns and financial statements to prepare. They bring tax identification numbers, Social Security numbers, bank account details, salary information, business entity structures, and years of financial history. A healthcare professional includes employee health insurance data. A closely held business owner shares proprietary revenue figures competitors would pay for. You're not just storing numbers — you're storing the financial blueprints of people's lives and livelihoods.
When a data breach happens at a CPA firm, it isn't a storage company losing encrypted backups. It's someone's confidential financial information walking out the door. For your clients, it's a regulatory headache, notification process, potential fraud monitoring costs, and a significant hit to trust. For you, it's liability exposure, regulatory scrutiny, and the very real possibility of losing clients who decide the risk of working with you outweighs the benefit.
CPA Firms Hold Uniquely Sensitive Financial Data
The IRS reported a 75% increase in identity theft returns using stolen CPA firm data between 2020 and 2023, and the AICPA's 2023 survey found that 39% of CPA firms experienced a cybersecurity incident within the prior 24 months. Individual tax returns contain government-issued identifiers, income records, investment details, and sensitive circumstantial information. Business tax data goes deeper — profit-and-loss statements, payroll records identifying every employee and their compensation, banking relationships, and board materials.
The AICPA Code of Professional Conduct requires maintaining client confidentiality — that obligation starts the moment information is received and doesn't end when the engagement is complete. From a data security perspective, this shapes your entire risk calculus. If a ransomware operator knows a CPA firm has broad access to financial data for hundreds of clients, that firm becomes an attractive compromise target.
Ransomware and Phishing Are the Primary Threats
Of all security threats a CPA firm faces, ransomware deserves special attention because it stops work. Ransomware encrypts your files and makes them inaccessible until a ransom is paid — you can't access client work papers, prepare returns, or respond to audit requests. The business literally stops.
The cost isn't just the ransom demand ($10,000 to millions depending on firm size). It's business interruption — clients miss filing deadlines, face IRS penalties, and find another firm. It's incident response forensics, legal counsel, breach notification, credit monitoring, regulatory investigation, and reputational damage. Ransomware operators specifically target professional services firms because they know the business impact of downtime is acute and firms are willing to pay quickly.
Ransomware usually arrives through phishing. A CPA receives an email appearing to be from a client asking for account balances, or from a tax authority requesting verification. The email looks legitimate, and a single set of credentials typed into a spoofed login page, or a single opened attachment, is enough to give the attacker a foothold. Once attackers have valid credentials, they move laterally through the network and eventually deploy ransomware or exfiltrate data.
Defense requires defense-in-depth: email security catching malicious attachments and phishing attempts, endpoint detection on all devices, network segmentation limiting lateral movement, timely patching, offline backups that can't be encrypted by an attacker, monitoring for unusual activity, and training on phishing recognition.
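The "email looks legitimate" problem above is where the email-security layer earns its place. The following is an added example, not code from the original article or from any product it mentions: a small triage routine that applies defender-side header heuristics (Reply-To domain mismatch, a client's name in the display name with an unrelated sending domain, a recorded SPF/DKIM/DMARC failure, urgency wording) to two constructed messages. The firm domain, client domains and both sample emails are constructed for the demonstration.

```python
"""Header heuristics for inbound phishing triage (added example; all data constructed)."""
from email import message_from_string
from email.utils import getaddresses, parseaddr
from typing import List, Tuple

# Constructed: the firm's own domain and the domains of known clients.
FIRM_DOMAINS = {"examplecpa.test"}
KNOWN_CLIENT_DOMAINS = {"acme-client.test", "northwind-client.test"}
TRUSTED_DOMAINS = FIRM_DOMAINS | KNOWN_CLIENT_DOMAINS

URGENCY_WORDS = ("urgent", "verify", "wire", "immediately")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _authentication_failed(msg) -> bool:
    """True if the receiving MTA recorded an SPF, DKIM or DMARC failure."""
    results = (msg.get("Authentication-Results") or "").lower()
    return any(f"{mech}=fail" in results for mech in ("spf", "dkim", "dmarc"))


def phishing_indicators(raw: str) -> List[str]:
    """Return the list of indicator names found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # Replies silently redirected to a different domain than the sender's.
    reply_to = [addr for _, addr in getaddresses(msg.get_all("Reply-To", []))]
    if reply_to and any(_domain(a) != from_domain for a in reply_to):
        findings.append("reply-to-domain-mismatch")

    # Display name invokes the firm or a known client, but the address is elsewhere.
    lowered = display_name.lower()
    if from_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if trusted.split(".")[0] in lowered:
                findings.append("display-name-impersonation")
                break

    # Display name that is itself an address from another domain ("ceo@firm <x@evil>").
    if "@" in display_name and _domain(display_name) != from_domain:
        findings.append("address-in-display-name")

    if _authentication_failed(msg):
        findings.append("authentication-failure")

    subject = (msg.get("Subject") or "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append("urgency-language")
    return findings


def triage(raw: str) -> Tuple[str, List[str]]:
    """Quarantine on any authentication failure or on two or more weaker indicators."""
    findings = phishing_indicators(raw)
    if "authentication-failure" in findings or len(findings) >= 2:
        return "quarantine", findings
    return "deliver", findings


# Constructed sample messages (not real traffic).
SAMPLE_PHISH = """\
From: "Acme-Client Accounts Payable" <ap-notice@mail-secure-login.test>
Reply-To: acme.payables@fastreply.test
To: partner@examplecpa.test
Subject: URGENT: verify account balances before wire
Authentication-Results: mx.examplecpa.test; spf=fail smtp.mailfrom=mail-secure-login.test; dkim=none
Content-Type: text/plain

Please confirm the attached balances today.
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@acme-client.test>
To: partner@examplecpa.test
Subject: Q3 trial balance attached
Authentication-Results: mx.examplecpa.test; spf=pass smtp.mailfrom=acme-client.test; dkim=pass
Content-Type: text/plain

Trial balance for Q3 is attached as discussed.
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, triage(raw))
```

These checks complement, rather than replace, the gateway's own SPF/DKIM/DMARC enforcement; their value is in catching the lookalike-sender and redirected-reply patterns that pass authentication because the attacker controls the sending domain.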
Work Paper Protection, Cloud Services, and Ethics Compliance
Work papers require the same protection as underlying client data. They need storage limiting access to authorized personnel on that engagement. A junior accountant shouldn't browse work papers from unassigned client audits. Access controls should be granular — people see what they need for their current assignment. Work papers in transit need encryption. Retention policies should enforce keeping work papers for the required period (3-7 years depending on engagement type), then securely destroying them.
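Engagement-scoped access and retention-driven destruction are two rules a document system can enforce mechanically. The block below is an added example, not code from the original article: a default-deny access decision that grants work-paper access only while a staff member holds an active assignment on that engagement, and a retention check that refuses access to, and lists for destruction, work papers past their retention date. The per-type retention years, staff IDs, engagement IDs and dates are constructed; the years are placeholders chosen within the 3-7 year range the article gives, not a statement of any standard's requirement.

```python
"""Engagement-scoped work-paper access and retention checks (added example; constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed retention periods per engagement type, placeholders within the article's
# 3-7 year range; a firm derives its real values from the standards that bind it.
RETENTION_YEARS = {"audit": 7, "review": 5, "tax": 3}


@dataclass(frozen=True)
class Engagement:
    engagement_id: str
    client_id: str
    kind: str                   # "audit", "review" or "tax"
    completed: Optional[date]   # None while the engagement is still open


@dataclass(frozen=True)
class Assignment:
    staff_id: str
    engagement_id: str
    start: date
    end: date                   # access lapses here even if the engagement continues


def _add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:          # 29 February landing in a non-leap year
        return d.replace(year=d.year + years, day=28)


def destroy_after(eng: Engagement) -> Optional[date]:
    """Date from which the engagement's work papers are due for secure destruction."""
    if eng.completed is None:
        return None
    return _add_years(eng.completed, RETENTION_YEARS[eng.kind])


def retention_status(eng: Engagement, today: date) -> str:
    due = destroy_after(eng)
    if due is None:
        return "open"
    return "destroy" if today >= due else "retain"


def access_decision(staff_id: str, engagement_id: str, today: date,
                    engagements: Dict[str, Engagement],
                    assignments: List[Assignment]) -> str:
    """Default deny: allow only an active assignment on a still-retained engagement."""
    eng = engagements.get(engagement_id)
    if eng is None:
        return "deny: unknown engagement"
    if retention_status(eng, today) == "destroy":
        return "deny: past retention period; work papers are due for secure destruction"
    for a in assignments:
        if (a.staff_id == staff_id and a.engagement_id == engagement_id
                and a.start <= today <= a.end):
            return "allow"
    return "deny: no active assignment"


def due_for_destruction(engagements: Dict[str, Engagement], today: date) -> List[str]:
    """Engagements whose work papers should be securely destroyed as of today."""
    return sorted(e.engagement_id for e in engagements.values()
                  if retention_status(e, today) == "destroy")


# Constructed sample data.
ENGAGEMENTS = {
    "ENG-ACME-AUDIT-2024": Engagement("ENG-ACME-AUDIT-2024", "acme", "audit", None),
    "ENG-NW-TAX-2016": Engagement("ENG-NW-TAX-2016", "northwind", "tax", date(2016, 10, 15)),
    "ENG-NW-REVIEW-2022": Engagement("ENG-NW-REVIEW-2022", "northwind", "review", date(2022, 6, 30)),
}
ASSIGNMENTS = [
    Assignment("jr-001", "ENG-ACME-AUDIT-2024", date(2024, 1, 8), date(2024, 12, 31)),
    Assignment("mgr-007", "ENG-NW-REVIEW-2022", date(2022, 3, 1), date(2022, 7, 31)),
]

if __name__ == "__main__":
    today = date(2024, 6, 3)
    print(access_decision("jr-001", "ENG-ACME-AUDIT-2024", today, ENGAGEMENTS, ASSIGNMENTS))
    print(access_decision("jr-001", "ENG-NW-REVIEW-2022", today, ENGAGEMENTS, ASSIGNMENTS))
    print(due_for_destruction(ENGAGEMENTS, today))
```

The point of the time-bounded `Assignment` is that access expires on its own when a person rolls off an engagement; a reviewer checking the access logs the article calls for can compare each read against the assignment table rather than against a role alone.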
Most CPA firms now use cloud-based services — tax preparation software, collaboration platforms, client portals, accounting systems. Cloud services create dependencies: if your cloud provider has a security incident, you have a security incident. Evaluate vendors for encryption, incident response, security audits, penetration testing, cyber insurance, and SOC 2 reports. Vendor contracts should specify data access limits, protection requirements, breach notification procedures, and data handling at relationship end.
The AICPA Code requires maintaining confidentiality and taking reasonable precautions to protect client information. Rule 1.600A requires confidentiality of all information obtained in professional relationships. Rule 2.300 requires reasonable precautions against unauthorized disclosure. These create an affirmative obligation — you can't claim ignorance of your firm's security practices. Documentation is required: policies, access control evidence, access logs, incident response records, and audit trails.
Insurance and Building a Security Program
Cyber liability insurance covers incident response costs (forensics, legal counsel, notification), regulatory fines, defense costs, liability for negligent data handling, and sometimes business interruption. Standard professional liability policies often don't cover cyber incidents well — you need a policy specifically designed for IT security risks. Some policies exclude losses from failure to implement basic controls or from known vulnerabilities. These requirements provide a roadmap: the controls your insurance company requires are the controls your clients expect.
Cost varies based on firm size and security posture. A firm with 20 employees and strong controls pays $3,000 to $8,000 annually. A firm with 200 employees and weaker controls pays $20,000 to $50,000.
Build a security program that fits your practice. A 5-person firm doesn't need the same infrastructure as a 500-person firm, but both need to demonstrate they've thought about risks, implemented reasonable controls, and can verify those controls work. At minimum: access controls, encryption for data in transit and at rest, network segmentation, monitoring, offline backups, patching, training, and written policies. Your clients have entrusted you with information critical to their financial lives — your security program demonstrates you take that responsibility seriously.
Frequently Asked Questions
What are the IRS requirements for CPA firm data security?
IRS Publication 4557 (Safeguarding Taxpayer Data) requires tax preparers to create a written information security plan, designate a security coordinator, conduct risk assessments, implement safeguards, and report data breaches to the IRS. The FTC Safeguards Rule under GLBA also applies to tax preparers as "financial institutions." Non-compliance can result in IRS penalties, loss of EFIN (Electronic Filing Identification Number), and state board disciplinary action.
How should CPA firms handle client data during tax season when temporary staff are hired?
Temporary staff should receive the same security onboarding as permanent employees — background checks, security training, acknowledgment of confidentiality policies, and provisioned access limited to the specific clients and systems their work requires. When the engagement ends, revoke all access immediately. Temporary staff should not have access to firm-wide file shares or the ability to download bulk client data to personal devices.
What backup strategy protects against ransomware for CPA firms?
Follow the 3-2-1 rule: three copies of data, on two different media types, with one copy stored offline or air-gapped. The offline copy is critical — ransomware attacks specifically seek out connected backup systems to encrypt them. Test backup restoration regularly (quarterly at minimum) to verify you can actually recover. During tax season, increase backup frequency to daily.
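A restore test is only meaningful if it proves the restored files are the ones that were backed up. The following is an added example, not code from the original article: a self-contained backup drill that archives a constructed client-data tree, records a SHA-256 manifest, places three copies in directories standing in for two connected media and one offline location, simulates ransomware overwriting the two connected copies, and then attempts a restore-and-verify from each copy. Every path and file in it is constructed for the demonstration.

```python
"""3-2-1 backup drill with checksum-verified restore (added example; constructed data)."""
import hashlib
import json
import os
import shutil
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, Tuple


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_constructed_client_data(root: Path) -> None:
    """Constructed stand-in for a firm's live client-data tree; no real client data."""
    (root / "clients" / "acme").mkdir(parents=True)
    (root / "clients" / "acme" / "2024-workpapers.txt").write_text("trial balance (constructed)\n")
    (root / "clients" / "northwind").mkdir(parents=True)
    (root / "clients" / "northwind" / "1120S-2024.txt").write_text("return data (constructed)\n")


def create_backup(src: Path, dest: Path) -> Tuple[Path, Dict[str, str]]:
    """Archive src into dest and return the archive path plus a per-file SHA-256 manifest."""
    manifest = {str(p.relative_to(src)): sha256_file(p)
                for p in sorted(src.rglob("*")) if p.is_file()}
    archive = dest / "backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return archive, manifest


def restore_and_verify(archive: Path, manifest: Dict[str, str]) -> bool:
    """Extract the archive into a scratch directory and compare every file hash to the manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        scratch_path = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch_path)
        except (tarfile.TarError, OSError, EOFError):
            return False            # unreadable archive: the copy is not a usable backup
        restored = {str(p.relative_to(scratch_path)): sha256_file(p)
                    for p in sorted(scratch_path.rglob("*")) if p.is_file()}
        return restored == manifest


def run_backup_drill() -> Dict[str, object]:
    """Three copies, two 'media', one offline; connected copies then get overwritten."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        live = base / "live"
        make_constructed_client_data(live)
        # Constructed directories standing in for a NAS, a removable drive and an offline vault.
        media_a, media_b, offline = base / "media-a-nas", base / "media-b-usb", base / "offline-vault"
        for d in (media_a, media_b, offline):
            d.mkdir()
        archive, manifest = create_backup(live, media_a)
        for d in (media_b, offline):
            shutil.copy2(archive, d / archive.name)
        # Simulate ransomware reaching the two connected copies: overwrite them with noise.
        for d in (media_a, media_b):
            target = d / archive.name
            target.write_bytes(os.urandom(target.stat().st_size))
        return {
            "copies": 3,
            "media_a_restorable": restore_and_verify(media_a / archive.name, manifest),
            "media_b_restorable": restore_and_verify(media_b / archive.name, manifest),
            "offline_restorable": restore_and_verify(offline / archive.name, manifest),
        }


if __name__ == "__main__":
    print(json.dumps(run_backup_drill(), indent=2))
```

Keeping the manifest alongside each copy, and checking it at every scheduled restore test, turns the article's "verify you can actually recover" into a pass/fail record that an insurer or peer reviewer can read.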
How does the AICPA peer review process evaluate IT security?
Peer reviews primarily evaluate engagement quality, but reviewers increasingly examine whether firms have adequate data protection. They look for written security policies, evidence of risk assessments, encryption practices for client data in transit and at rest, and documentation of security incidents. A peer review finding related to inadequate data protection triggers remediation requirements and can affect your firm's standing.
What should a CPA firm do in the first 24 hours after discovering a data breach?
Activate your incident response plan. Engage your cyber liability insurance carrier (they provide forensic and legal resources). Preserve evidence — don't wipe or reimage affected systems until forensics are completed. Determine whether client PII was accessed. Notify the IRS (if tax data is involved, use Form 14039), notify your state board of accountancy, and begin client notification planning. Do not pay ransom without consulting legal counsel and law enforcement (FBI IC3 or local field office).