Why Enrolled Agents Face Elevated Cybersecurity Risk in 2026
Enrolled agents (EAs) are federally authorized tax practitioners licensed by the U.S. Department of the Treasury to represent taxpayers before the Internal Revenue Service. That authorization creates privileged access to some of the most valuable data criminals target: Social Security numbers, employer identification numbers, multi-year income and banking records, and IRS e-filing credentials for every client in the practice.
The IRS explicitly identifies tax professionals as a priority target for identity theft rings. A single compromised EA account can supply criminals with enough information to file fraudulent returns, open credit lines, or sell taxpayer records in bulk on the dark web. The IRS "Protect Your Clients; Protect Yourself" initiative, documented in IRS Publication 4557, was created precisely because tax practitioner data breaches have exposed hundreds of thousands of taxpayer records in recent years.
This cybersecurity checklist for enrolled agents consolidates the 2026 requirements from IRS Publication 4557, the Federal Trade Commission (FTC) Safeguards Rule, and National Institute of Standards and Technology (NIST) guidance into one actionable framework. Work through each section to identify gaps, assign ownership, and document your compliance status, all of which your Written Information Security Plan (WISP) must reflect.
For a broader view of security obligations across the tax profession, see our guide to cybersecurity for tax professionals.
The Cost of Inaction: Data Breach Risk by the Numbers
IBM Cost of Data Breach Report 2024
Verizon Data Breach Investigations Report 2024
Required reporting window after a tax professional discovers a data breach
IRS and FTC Requirements Enrolled Agents Must Meet
IRS Publication 4557: Safeguarding Taxpayer Data
IRS Publication 4557, "Safeguarding Taxpayer Data," is the primary compliance reference for all tax professionals, including enrolled agents. It outlines eight core security practices the IRS expects every practitioner to implement: creating a WISP, using strong authentication, encrypting data, training employees, restricting access, installing security software, backing up data, and establishing an incident response plan.
Publication 4557 is not a standalone advisory, it references the Gramm-Leach-Bliley Act (GLBA), under which the FTC's Safeguards Rule applies to tax return preparers who earn compensation. Failure to comply can result in IRS referrals, loss of e-filing privileges, and potential FTC enforcement action. Our detailed breakdown of tax safeguard compliance 4557 explains each requirement in depth.
FTC Safeguards Rule (Amended 2023)
The FTC Safeguards Rule, in its updated form effective since 2023, designates tax preparers, including enrolled agents, as "financial institutions" under GLBA. This classification carries specific information security program requirements that go beyond general best practices:
- Designate a qualified individual to oversee the information security program
- Conduct and document written risk assessments
- Implement technical safeguards including access controls, encryption, and multi-factor authentication (MFA)
- Monitor and test security controls on a regular schedule
- Maintain a written incident response plan
- Oversee service provider security arrangements through contracts or due diligence reviews
For enrolled agents operating as sole proprietors with fewer than 5,000 customer records, a simplified compliance path exists, but the core written program requirements still apply. Our FTC Safeguards Rule for tax preparers guide walks through every element of the amended rule.
PTIN Renewal and Security Obligations
Every enrolled agent must maintain a Preparer Tax Identification Number (PTIN). While PTIN renewal does not include a formal security audit, the IRS has indicated that practitioners who experience data breaches and cannot demonstrate an active security program face heightened scrutiny. Understanding the link between PTIN and WISP requirements for tax preparers protects both your license and your clients.
2026 Cybersecurity Checklist for Enrolled Agents
Draft or Update Your Written Information Security Plan (WISP)
Your WISP must document every security control, risk assessment, and response procedure your practice uses. Review and update it whenever you change software, add staff, or experience an incident, and at minimum once per year.
Enable Phishing-Resistant Multi-Factor Authentication on All Accounts
Apply MFA to every account that stores or accesses taxpayer data: tax preparation software, IRS e-services, email, payroll platforms, and cloud storage. Hardware security keys (FIDO2/WebAuthn) or authenticator apps are preferred; SMS-based codes are a last resort only.
Patch All Software and Firmware Within 30 Days of Release
Apply vendor-issued security patches to operating systems, tax software, browsers, and network devices. High-severity patches should be deployed as quickly as possible, within 72 hours where practical.
Encrypt All Devices and Portable Media
Enable full-disk encryption on every workstation and laptop (BitLocker for Windows, FileVault for macOS). Use hardware-encrypted drives for any portable storage that carries client data.
Train Every Staff Member on Phishing and Social Engineering
Conduct formal security awareness training at least annually, with phishing simulations quarterly. The IRS reports that phishing is the most common attack vector used to compromise tax professional accounts.
Implement Role-Based Access Controls and Least Privilege
Grant each staff member access only to the client records, software features, and systems required for their specific role. Revoke access immediately upon termination or role change, and audit user accounts quarterly.
Set Up Encrypted, Off-Site Backups and Test Monthly
Back up all client data and firm records to an encrypted, off-site location, separate from your primary network. Test restoration monthly to confirm backups are usable when ransomware or hardware failure strikes.
Document and Test Your Incident Response Plan
Your written incident response plan must define breach detection procedures, IRS notification steps (required within 24 hours of discovery), client notification timelines, and post-incident remediation. Tabletop test it annually.
WISP Is Mandatory for Tax Preparers Under Federal Law
The FTC Safeguards Rule, which applies to tax return preparers as financial institutions under the Gramm-Leach-Bliley Act, requires a written information security program for practitioners who handle client financial data. Enrolled agents who prepare returns for compensation and lack a documented WISP are out of compliance with federal requirements. The IRS also requires practitioners to report data breaches to the IRS Stakeholder Liaison within 24 hours of discovery. Download our IRS Publication 5708 WISP template to build your plan today.
Technical Controls Every Enrolled Agent Needs in Place
Multi-Factor Authentication
MFA is the single most effective technical control against unauthorized account access. The IRS requires enrolled agents and all tax professionals to use MFA on tax preparation software, IRS e-services, and email. For 2026, NIST Special Publication 800-63B designates phishing-resistant MFA, hardware security keys (FIDO2/WebAuthn) or certificate-based authentication, as the preferred approach for accounts holding sensitive data. Our post on NIST phishing-resistant MFA security keys explains the options available to small practices.
At minimum, enable authenticator app-based MFA (such as Google Authenticator or Microsoft Authenticator) on every account that stores or processes taxpayer data. SMS-based one-time codes provide some protection, but the IRS and NIST recommend moving away from SMS for high-value accounts because SIM-swapping attacks have successfully bypassed SMS-based codes in documented incidents.
Endpoint Detection and Encryption
Every device that touches taxpayer data, desktop, laptop, tablet, and portable drive, must be encrypted. BitLocker (Windows) and FileVault (macOS) provide full-disk encryption at no additional cost. For portable media, hardware-encrypted USB drives add a physical layer of protection against loss or theft.
Beyond encryption, enrolled agents should deploy Endpoint Detection and Response (EDR) software rather than legacy antivirus alone. EDR monitors for behavioral indicators of compromise in real time and can isolate an infected device before malware spreads across the practice network. If your tax software vendor offers an agent-based security monitor, enable it, several major vendors now include basic endpoint security as part of their subscription.
Secure Tax Software Practices
Your tax preparation software is both your most valuable tool and one of your highest-risk access points. Follow these controls for every platform in your stack:
- Apply all security patches within 30 days of release, or sooner for vulnerabilities the vendor rates as high severity
- Use unique passwords of 16 or more characters for each platform, a password manager is the most practical way to manage this, as outlined in our CISA password manager guidance post
- Audit user access lists quarterly; revoke credentials immediately when staff leave or change roles
- Review vendor security documentation annually to verify that your software transmits and stores data using current encryption standards
For a detailed look at how major platforms handle client data, see our analysis of whether tax preparation software is secure for personal information in 2025-2026.
Security Capabilities Every EA Practice Should Have
Phishing-Resistant MFA
Protect all tax software, IRS e-services, and email with hardware key or authenticator-based MFA. SMS codes alone are insufficient for accounts holding taxpayer data.
Endpoint Detection & Response
Real-time behavioral monitoring that detects and contains threats before they spread to client records, EDR goes beyond signature-based antivirus.
Written Information Security Plan
A documented WISP tailored to your practice size, data types, and vendor stack, updated annually and reviewed after any incident or system change.
Encrypted Off-Site Backups
Automated, encrypted backups stored off-site or in a separate cloud account, tested monthly to confirm restorability before ransomware makes that test urgent.
Dark Web Monitoring
Continuous scanning for your firm's domain, employee email addresses, and client credentials on criminal marketplaces, early warning before stolen data is used.
Incident Response Plan
A tested written procedure covering breach detection, IRS notification within 24 hours, client notification timelines, and post-incident remediation steps.
Building a WISP That Satisfies IRS and FTC Requirements
A Written Information Security Plan is the foundation of your compliance program. The IRS published a sample WISP in IRS Publication 5708 specifically to help tax professionals, including enrolled agents, create plans that satisfy both Publication 4557 and the FTC Safeguards Rule. Your WISP must address six core areas:
- Scope and purpose: Define which data, systems, and personnel the plan covers
- Risk assessment: Identify and document threats to the confidentiality, integrity, and availability of taxpayer data
- Safeguards: Map technical, administrative, and physical controls to each identified risk
- Employee training: Describe how and when staff receive security training and who is responsible for delivering it
- Service provider oversight: List vendors who access your systems and document how you verify their security posture
- Incident response: Define what constitutes a breach, who is notified, the notification timeline, and how the practice recovers
For enrolled agents running solo practices, the IRS offers a simplified WISP format. Our WISP template for sole proprietors adapts the Publication 5708 sample to single-preparer practices with fillable sections for every required element. You can also access our broader guide to creating an IRS Written Information Security Plan for step-by-step instructions.
Update your WISP whenever you add a service provider, change your software stack, hire or terminate employees with system access, or experience a security incident. At minimum, review the document annually and record the review with a dated signature. The FTC Safeguards Rule requires evidence that the program is actively managed, an undated, unreviewed WISP does not satisfy the rule's requirements.
Incident Response: What Enrolled Agents Must Do After a Breach
When a data breach occurs, whether through phishing, ransomware, unauthorized access, or a vendor compromise, enrolled agents face a narrow response window. The IRS requires tax professionals to report a breach to their IRS Stakeholder Liaison within 24 hours of discovery. Delays in notification can result in additional regulatory scrutiny and expose clients to preventable harm during the window when fraudulent returns could still be filed.
A sound incident response sequence for enrolled agents looks like this:
- Contain immediately: Disconnect affected systems from the internet and your practice network. Do not attempt to clean the system yourself before preserving forensic evidence, premature remediation can destroy the information needed to determine what was accessed.
- Assess scope: Determine which client records were accessed or exfiltrated, the estimated timeframe of unauthorized access, and the likely attack vector (phishing link, stolen credentials, unpatched vulnerability).
- Report to the IRS within 24 hours: Contact your local IRS Stakeholder Liaison and provide your name, EFIN, contact information, the number of potentially affected clients, and a brief description of what occurred.
- Notify affected clients: State data breach notification laws govern client notification timelines, most states require notification within 30 to 90 days. Consult legal counsel before sending notifications to ensure you meet applicable state law requirements.
- File a police report: A police report documents the incident for cyber insurance claims and regulatory purposes.
- Remediate and update your WISP: After the investigation, close the vulnerability that enabled the breach, update your WISP to reflect lessons learned, and document every step taken with timestamps.
Enrolled agents who discover unauthorized use of their Electronic Filing Identification Number (EFIN) should also submit IRS Form 14157, Complaint: Tax Return Preparer. Our tax season cybersecurity preparation guide for CPA firms includes an incident response checklist template you can adapt to your EA practice. For a broader look at protecting client portal data, see our analysis of security of tax client portals and sensitive data.
Get a Free Cybersecurity Assessment for Your EA Practice
Bellator Cyber Guard's tax security specialists will review your WISP, MFA setup, and security controls against IRS Publication 4557 and FTC Safeguards requirements, then deliver a prioritized action plan at no cost.
Frequently Asked Questions
Yes. Enrolled agents who prepare tax returns for compensation are classified as "financial institutions" under the Gramm-Leach-Bliley Act, which means the FTC Safeguards Rule applies to their practices. The Safeguards Rule requires a written information security program. IRS Publication 4557 also directs all tax professionals to create and maintain a Written Information Security Plan. The PTIN and WISP requirements for tax preparers page explains how these obligations interact.
IRS Publication 4557, "Safeguarding Taxpayer Data," outlines eight security requirements for tax professionals: (1) creating a WISP, (2) using strong passwords and MFA, (3) encrypting sensitive data in transit and at rest, (4) training employees on security, (5) restricting access to taxpayer data on a need-to-know basis, (6) installing and maintaining security software, (7) backing up data securely, and (8) establishing and testing an incident response plan. The full publication is available from the IRS website.
Yes. The FTC Safeguards Rule applies to "financial institutions" as defined under the Gramm-Leach-Bliley Act, and the FTC's interpretation includes tax return preparers. As a result, enrolled agents who prepare returns for compensation must implement a written information security program that includes a risk assessment, designated security officer, specific technical safeguards (MFA, encryption, access controls), service provider oversight, and an incident response plan. Sole proprietors with fewer than 5,000 customer records qualify for a simplified compliance path but are not exempt from the written program requirement.
The IRS requires MFA on all tax preparation software accounts, IRS e-services portals, and email. For 2026, NIST SP 800-63B designates phishing-resistant MFA, hardware security keys (FIDO2/WebAuthn standard) or PKI certificate-based authentication, as the preferred approach for accounts holding sensitive data. Authenticator app-based one-time passwords (such as Google Authenticator or Microsoft Authenticator) are an acceptable alternative for most small EA practices. The IRS and NIST both recommend moving away from SMS-based codes for high-value accounts due to documented SIM-swapping vulnerabilities.
The IRS requires tax professionals to report a data breach to their local IRS Stakeholder Liaison within 24 hours of discovery. Immediately disconnect affected systems from the network, assess which client records were potentially accessed or exfiltrated, and contact the IRS Stakeholder Liaison with your EFIN, the estimated number of affected clients, and a brief incident description. File a police report for insurance and regulatory documentation. Notify affected clients in accordance with your state's data breach notification law, most states require notification within 30 to 90 days. Update your WISP to reflect lessons learned after remediation is complete.
At minimum, review your cybersecurity checklist and WISP annually and document the review with a dated signature. The FTC Safeguards Rule requires evidence of active program management, and an undated or unreviewed WISP does not satisfy the rule. Outside the annual cycle, update your WISP whenever you add or change a software platform, onboard a new service provider, hire or terminate employees with system access, change the physical location of your office, or experience a security incident. Each change should be documented in the WISP's revision history.
The core IRS Publication 4557 requirements and FTC Safeguards Rule obligations apply broadly to all paid tax return preparers, which includes enrolled agents, CPAs with tax practices, and Attorneys-at-Law who prepare returns for compensation. The differences are largely in scope and oversight frameworks: CPAs may also be subject to state CPA board data security rules and AICPA guidance, while attorneys are subject to state bar ethics rules regarding client data protection. The IRS security obligations, including WISP creation and the 24-hour breach notification requirement, apply to all categories of tax professional.
Non-compliant enrolled agents can face a range of consequences depending on the nature and outcome of a security failure. The IRS can suspend or revoke an EA's EFIN (Electronic Filing Identification Number), effectively ending their ability to e-file client returns. The FTC can pursue civil enforcement actions for Safeguards Rule violations, with penalties that can reach tens of thousands of dollars per violation. Enrolled agents are also subject to disciplinary action under Circular 230, which governs practice before the IRS, including censure, suspension, or disbarment from IRS practice. A data breach that exposes client records may also expose the EA to civil liability under state breach notification and consumer protection laws.
Cyber insurance is strongly recommended for enrolled agents as a financial backstop for breach-related costs, including forensic investigation, legal fees, client notification, credit monitoring for affected taxpayers, and regulatory defense. Many cyber insurers now require documented security controls, including MFA, patch management, encrypted backups, and a written incident response plan, as conditions for coverage. Reviewing your policy's requirements is itself a useful audit of your security posture. An active WISP and demonstrable security controls can also favorably affect your premium.
The IRS provides a sample WISP through IRS Publication 5708 specifically designed to help small and solo tax practices meet Publication 4557 requirements. Our WISP template for sole proprietors adapts the Publication 5708 framework into a fillable format tailored to single-preparer practices. The most important first step is completing a written risk assessment that identifies what data you hold, where it is stored, who can access it, and what could go wrong, the rest of the WISP documents the controls you have in place to address those risks.
Schedule
Need help with IRS compliance?
Our tax cybersecurity specialists can review your security posture and help you get compliant.



