Cybersecurity for CPAs: Protect your clients and yourself

  • Daniel P. Vargo

    Daniel P. Vargo

By Daniel P. Vargo
Daniel P. Vargo and Associates, P.C.
Posted11/13/2022 1:00 AM

We all know and understand that cybersecurity is a profound and serious issue for everyone, especially for any paid income tax preparers including CPAs, enrolled agents and attorneys.

When our clients share their confidential information and documents with us, our clients should rightfully expect that their CPA understands the vital importance of, and takes an active role in, properly maintaining and protecting such confidential information.


Again, cyber fraud continues as a growing great concern with ever increasing frequency and costs in the billions in the U.S. over the past several years. The most common and increasing complaints include identity theft, personal data breaches, phishing/vishing/smithing/pharming, nonpayment/non-delivery, fraudulent text messages, fake IRS robocalls, phone scams and extortion.

A hacker could be anyone, a current/former employee, an employed/unemployed IT personnel, a kid in his parent's basement, etc. All the risks require vigilance for identification, controls, training, monitoring and reporting.

All paid tax return prepares, including CPAs, are required by federal law to create and maintain a written data security plan. The IRS' Paid Preparer Tax Identification Number (PTIN) application and renewal, (the IRS Form W-12) requires the applicant to attest that, "I am aware that paid tax return preparers must have a data security plan to provide data system security protections for all taxpayer information." Check the box yes.

References to these federal laws requirements are included in The Graham -Leach-Bliley Act of 1999, Federal Trade Commission Requirement Safeguard Rules, and various IRS requirements. The IRS Taxpayer Bill of Rights states that taxpayers have a fundamental right to confidentiality. More specifically, these requirements are highlighted in this IRS Publications 4557 entitled "Safeguarding Taxpayer Data." It's the law.

by signing up you agree to our terms of service

This required IRS Written Information Security Plan must define objectives, purpose and scope. This is not an easy task. It requires that responsible Individuals be identified and trained, a risk assessment be performed, that a hardware and software inventory be taken, document safety measures be identified, rules be documented for all office and remote users, as well as connection devices, the existence of an employer/employee code of conduct, record retention policies and finally implementation.

Another important practice is to use written engagement letters and to procure professional and cybersecurity insurance policies. A good cybersecurity insurance policy may help insulate and protect. from1m breaches both inside your practice and within taxpayer records and business interruption.

Ultimately, human error is the biggest risk. Security controls must be shared and discussed with everyone. Most important, one must back up files and test the backup system.

Finally, consider engaging a comprehensive security firm to protect you from computer viruses, online security theft and protection. Develop and utilize best practices.

If a cybersecurity issue occurs, a timely adequate response is necessary. An inadequate and/or delayed response could potentially have a significant negative impact to everyone. Reach out to contact your professional liability carrier and legal counsel.

Each cybersecurity issue is different, whether it's ransomware, wire transfer fraud or something else. Who really knows what cyber criminals are doing with everyone's social security numbers. Cyber risk issues are real and costly. The IRS consistently reports the increase in texting scams. Be vigilant.

Article Comments
Guidelines: Keep it civil and on topic; no profanity, vulgarity, slurs or personal attacks. People who harass others or joke about tragedies will be blocked. If a comment violates these standards or our terms of service, click the X in the upper right corner of the comment box. To find our more, read our FAQ.