Skip to content

Free 15-minute cybersecurity consultation — no obligation

Book Free Call
Tax40 min readDeep Dive

Tax Preparer Cybersecurity Compliance 2025: What Changed

IRS PTIN requirements, FTC Safeguards Rule mandates, WISP development, and enforcement penalties for tax preparers. Complete 2026 compliance guide.

Tax Preparer Cybersecurity Compliance 2025: What Changed - tax preparer cybersecurity compliance 2025

Tax Preparer Cybersecurity Compliance in 2026: What You're Now Required to Do

Tax preparer cybersecurity compliance requirements that took shape in 2025 are now fully enforced mandates for the 2026 filing season — and the consequences for non-compliance extend directly to your ability to practice. The IRS ties your Preparer Tax Identification Number (PTIN) and Electronic Filing Identification Number (EFIN) to security compliance, meaning a failure to implement required controls isn't just a regulatory problem. It's a threat to your license to prepare returns.

The scale of the underlying risk explains the regulatory urgency. Tax-related identity theft resulted in over $2.3 billion in fraudulent refunds in 2024, with compromised tax professional credentials accounting for 34% of those incidents according to the IRS Criminal Investigation Division. Tax professionals handle more sensitive financial data per client than most financial institutions — Social Security numbers, investment records, bank account details, and personally identifiable information — making them targets for sophisticated attacks designed to file fraudulent returns before your clients even know they've been compromised.

Three federal frameworks govern what you must do: IRS Publication 4557, the FTC Safeguards Rule under 16 CFR § 314, and applicable state data breach notification laws. Together they require a Written Information Security Plan (WISP), specific technical controls including multi-factor authentication (MFA) and encryption, a designated Qualified Individual responsible for your security program, and documented employee training. This guide walks through each requirement with the specificity needed to build a defensible compliance posture before the 2026 filing season closes.

Tax Cybersecurity By the Numbers

$2.3B
Fraudulent Refunds via Identity Theft

IRS Criminal Investigation Division, 2024

34%
Incidents Tied to Compromised Tax Pro Credentials

IRS Criminal Investigation Division, 2024

82%
Of Breaches Involve the Human Element

Verizon 2025 Data Breach Investigations Report

The Federal Regulatory Framework: Three Overlapping Mandates

Tax preparer cybersecurity compliance sits at the intersection of IRS credential requirements, FTC financial privacy law, and state breach notification statutes. Understanding how these frameworks overlap — and where they diverge — helps you avoid the gaps that regulators and forensic investigators look for after an incident.

IRS Publication 4557: The Security Six Foundation

IRS Publication 4557, titled "Safeguarding Taxpayer Data," establishes six baseline controls that apply to all return preparers who handle taxpayer information. These represent the minimum security posture the IRS expects before issuing or renewing PTIN and EFIN credentials:

  • Anti-virus/endpoint protection on every device that accesses tax systems
  • Firewalls preventing unauthorized inbound and outbound network access
  • Two-factor authentication on tax software, email, and cloud storage
  • Drive encryption protecting data at rest on laptops, desktops, and external drives
  • Backup procedures using offline or cloud-based storage with tested restoration
  • Software updates applied promptly to patch known vulnerabilities

The IRS can suspend or revoke PTIN and EFIN credentials for practitioners who fail to implement these controls. For a detailed breakdown of how credential requirements intersect with security documentation, see our guide to PTIN and WISP requirements for tax preparers.

FTC Safeguards Rule: Program-Level Security Requirements

The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule under 16 CFR § 314, enforced by the Federal Trade Commission, requires financial institutions — a category that includes tax preparation firms under GLBA — to develop, implement, and maintain information security programs. The June 2023 amendments removed prior size-based exemptions entirely, meaning solo practitioners and two-person offices face the same requirements as regional accounting firms.

The rule mandates designation of a Qualified Individual responsible for overseeing, implementing, and enforcing the security program. This person must have the authority and resources to implement controls and must report program status to the board or senior management at least annually. For solo practitioners, the tax professional typically serves as their own Qualified Individual. For the full scope of FTC requirements, our FTC Safeguards Rule guide for tax preparers covers each of the 16 program elements the rule specifies.

2026 Filing Season Compliance Deadline

The IRS requires all tax preparers to have an updated, documented Written Information Security Plan in place for the 2026 filing season. The FTC Safeguards Rule mandates an annual risk assessment — if you haven't completed one for 2026, that gap creates regulatory exposure. Practitioners without a compliant WISP face potential PTIN suspension during renewal review. Download our free 2026 WISP template to get compliant before the deadline.

Written Information Security Plan: Your Compliance Backbone

The WISP sits at the center of both IRS and FTC compliance. IRS Publication 5708 provides a sample WISP structure the agency officially recommends, while the FTC Safeguards Rule specifies 16 program elements a compliant plan must address. A WISP that satisfies the FTC's requirements generally meets or exceeds IRS expectations simultaneously.

A compliant WISP must document your risk assessment findings and remediation plans, describe the technical and administrative controls you have in place, name your Qualified Individual and define their responsibilities, outline your vendor oversight procedures, and specify your incident response and breach notification procedures. The plan must be reviewed at minimum annually and updated whenever you add systems, change vendors, or experience a security incident. Each revision should carry a date, and prior versions should be retained for at least three years to demonstrate compliance history.

Our IRS Written Information Security Plan guide covers specific elements you need, and our WISP template for tax preparers provides a ready-to-customize document aligned with both IRS Publication 4557 and the FTC Safeguards Rule. For a broader look at the compliance package, the all-in-one compliance package bundles templates, training resources, and review procedures into a single system.

Many practitioners download a template and file it away without customizing it to their actual environment. Regulators and forensic investigators examining a post-breach WISP will immediately identify generic language that doesn't reflect real controls. A document naming your specific tax software, your cloud storage provider, your MFA application, and your backup vendor is defensible under scrutiny. A generic one is not.

Tax Practice Security Implementation Roadmap

1

Conduct a Risk Assessment

Inventory all systems, devices, and vendors that store or process taxpayer data. Identify gaps against IRS Publication 4557 and FTC Safeguards Rule requirements. Document findings — this assessment is your WISP foundation and must be repeated annually.

2

Designate a Qualified Individual

Formally appoint the person responsible for your security program. For solo firms, this is you. For multi-person practices, this person needs authority to implement controls, direct resources, and report to leadership at least once per year.

3

Deploy Technical Controls

Install Endpoint Detection and Response (EDR) on all devices, enable MFA on tax software and email, encrypt all drives, configure firewalls, and establish automated backup with tested restoration procedures.

4

Document Your WISP

Build or customize a Written Information Security Plan covering all 16 FTC Safeguards Rule program elements. Include your Qualified Individual designation, risk assessment findings, control descriptions, vendor list, and incident response procedures.

5

Train Your Team

Conduct security awareness training for all staff with access to client data. Document completion with signed rosters and quiz scores. Cover phishing recognition, credential hygiene, and the W-2 and IRS impersonation scams that peak during filing season.

6

Establish Vendor Contracts

Review all service provider agreements for tax software, cloud storage, and IT support. Add data protection clauses covering encryption, access controls, incident notification timelines, audit rights, and data deletion procedures on contract termination.

7

Implement Ongoing Monitoring

Schedule quarterly vulnerability scanning, annual penetration testing, and continuous log monitoring. Set a calendar reminder for your annual WISP review and risk assessment to maintain compliance year over year.

Technical Controls: Building Defense-in-Depth Protection

Endpoint Detection and Response vs. Traditional Antivirus

The IRS Security Six requires anti-virus software, but signature-based antivirus no longer provides adequate protection against the threats actively targeting tax practices. Modern ransomware uses polymorphic code and fileless attack techniques that evade signature detection entirely. Endpoint Detection and Response (EDR) solutions address this through behavioral analysis — detecting suspicious activity patterns rather than waiting for a known malware signature.

According to the IBM Cost of Data Breach Report 2025, organizations using EDR detected breaches 220 days faster than those relying on legacy antivirus, reducing average breach costs by $1.76 million. For a tax practice handling thousands of returns containing Social Security numbers and financial account data, detection speed is the difference between a contained incident and a practice-ending breach. Our guide to managed detection and response for small businesses explains how tax practices can access enterprise-grade EDR without dedicated IT staff.

Multi-Factor Authentication: Implementation Quality Matters

Microsoft's security research demonstrates that MFA blocks 99.9% of automated credential attacks. However, implementation quality determines how much of that protection you actually receive. SMS-based authentication — receiving a verification code via text message — provides weaker protection than app-based or hardware token methods because SIM-swapping attacks can redirect your text messages to an attacker's device before you ever see the code.

The NIST Special Publication 800-63B Digital Identity Guidelines rank authentication methods by assurance level. For tax professionals, authenticator app-based MFA — Google Authenticator, Microsoft Authenticator, Duo — provides the Level 2 assurance that satisfies both IRS and FTC requirements. Hardware security keys using FIDO2/WebAuthn provide Level 3 assurance and are increasingly supported by major tax software platforms.

MFA must be enabled on every system that stores or processes taxpayer data: your tax preparation software, email, cloud document storage, client portal, and any remote access tools. Enabling MFA on some systems while leaving others unprotected creates the gaps attackers look for first. For the specific threats facing client-facing portals and remote access tools, our analysis of online tax filing security risks covers the most common attack vectors.

WISP and Technical Controls Compliance Checklist

  • Designate a named Qualified Individual responsible for your security program
  • Complete a written risk assessment covering all systems that store or process taxpayer data
  • Deploy EDR or managed antivirus on every device used for tax work
  • Enable MFA on tax software, email, cloud storage, and remote access tools
  • Encrypt all drives on laptops, desktops, and external storage devices
  • Implement and test an automated backup with offline or cloud-based copy
  • Document a Written Information Security Plan with all FTC Safeguards Rule elements
  • Conduct security awareness training for all staff and document completion with signed rosters
  • Review all vendor contracts and add data protection clauses covering notification and deletion
  • Write and test an incident response plan with breach notification procedures and contact lists
  • Schedule annual WISP review, risk assessment, and independent penetration test

Employee Security Training: Turning Your Biggest Risk Into a Defense Asset

The Verizon 2025 Data Breach Investigations Report attributes 82% of breaches to the human element — phishing, credential misuse, and social engineering. For tax practices, that risk concentrates during January through April when filing volume peaks and staff are processing high volumes of client communications under time pressure. Attackers time their campaigns accordingly.

The FTC Safeguards Rule mandates documented security training for all personnel with access to customer information, delivered during onboarding and periodically thereafter based on role, responsibilities, and the evolving threat environment. During filing season, the threats your team needs to recognize include:

  • W-2 phishing schemes — fraudulent emails impersonating employers or clients requesting employee tax documents for supposed verification, designed to harvest credentials or deliver malware
  • IRS impersonation calls — callers posing as IRS agents demanding immediate action on supposed compliance issues, used to extract login credentials or authorize fraudulent wire transfers
  • Business email compromise (BEC) — spoofed executive emails requesting urgent wire transfers or changes to direct deposit information, timed to coincide with the administrative load of filing season
  • Credential harvesting sites — fake tax software login pages distributed via phishing emails that capture credentials and relay them to attackers in real time

Training documentation requirements under the FTC Safeguards Rule include signed attendance rosters, completion certificates from your training platform, quiz scores demonstrating understanding (an 80% passing threshold is a reasonable benchmark), and records of annual refresher sessions. The IRS Security Summit program publishes free training materials at IRS.gov each filing season that meet FTC documentation requirements when paired with sign-in sheets and completion acknowledgments.

Bottom Line on Training

Security awareness training must be periodic, role-relevant, and documented — not a one-time onboarding checkbox. The FTC Safeguards Rule requires updates as the threat environment evolves, which means adding targeted training whenever the IRS issues a new scam alert, a new phishing campaign targets your software vendor, or your team's roles and access levels change.

Incident Response Planning and Breach Notification Requirements

A documented incident response plan serves two distinct purposes: it reduces breach costs by enabling faster, more organized response, and it demonstrates regulatory good faith when you're required to notify agencies and affected individuals. The IBM Cost of Data Breach Report found that organizations with documented response plans detected breaches 54 days faster and saved an average of $1.49 million compared to firms without formal plans.

The FTC Safeguards Rule mandates written incident response procedures. The NIST Computer Security Incident Handling Guide (Special Publication 800-61) provides the standard four-phase framework that regulators recognize: Preparation, Detection and Analysis, Containment/Eradication/Recovery, and Post-Incident Activity. Your tax practice incident response plan should follow this structure and include specific contact lists, escalation procedures, pre-drafted notification templates, and a tested restoration procedure for your backup systems.

Breach Notification: Who You Must Notify and When

Notification timelines run from the date of discovery — when you have reasonable belief that unauthorized access occurred — not from the actual breach date, which may be weeks earlier. Multi-layered notification requirements mean you may simultaneously report to federal agencies, state regulators, and affected clients:

  • IRS notification — report immediately through the IRS Data Theft Information Reporting System when PTIN, EFIN, or e-Services credentials are compromised; also contact your local IRS stakeholder liaison directly
  • FTC notification — required under GLBA Safeguards Rule for breaches affecting consumer financial information that trigger state notification thresholds
  • State notification — all 50 states have breach notification laws with varying timelines (30–90 days is typical) and scope; some require notification to the state attorney general in addition to affected individuals
  • FBI IC3 reporting — submit a complaint at ic3.gov for cybercrime incidents including ransomware and business email compromise; this assists federal investigations and supports cyber liability insurance claims

Pre-drafting notification letters and maintaining a current client contact list is part of incident preparation, not something to build during an active breach. Build these materials into your WISP and test them before you need them.

Vendor Oversight, Ongoing Monitoring, and PTIN Documentation

Third-Party Risk Management

Tax practices rely on cloud-based tax software, document management portals, payroll services, and IT support providers — all of which handle or can access client data. The FTC Safeguards Rule explicitly requires tax professionals to exercise due diligence when selecting service providers and to include contractual data protection obligations in vendor agreements.

Before engaging any vendor with access to taxpayer data, verify their security posture by reviewing their SOC 2 Type II report, ISO 27001:2022 certification, or equivalent independent security attestation. Request a completed security questionnaire covering encryption standards, access controls, breach notification timelines, and their own vendor oversight practices. Your vendor contracts must include encryption requirements for data in transit and at rest, defined access controls limiting which personnel can reach your client data, a notification obligation requiring the vendor to alert you within a defined window of discovering a breach affecting your data, audit rights allowing periodic security reviews, and a data deletion procedure specifying how your information is destroyed when the contract ends.

PTIN Renewal: What the IRS Wants to See

The IRS increasingly scrutinizes security practices during PTIN renewal, with examiners requesting evidence of implemented controls and documented policies. Be prepared to produce the following on request when renewing for the 2026 filing season and beyond:

  • Screenshots showing active EDR or antivirus protection on all devices used for tax work
  • Firewall configuration documentation demonstrating network perimeter controls
  • MFA enabled on tax software and email (settings screenshots serve as documentation)
  • Drive encryption verification — BitLocker on Windows, FileVault on Mac
  • Backup procedure documentation including schedules and restoration test results
  • Your Written Information Security Plan with a current-year revision date
  • Employee training records with signed rosters, completion certificates, and assessment scores
  • Vendor contracts with data protection clauses for all service providers
  • Your incident response plan with tested notification procedures and pre-drafted letters
  • Annual risk assessment results documenting current threats and control effectiveness

Organize these documents in labeled electronic folders with version control and a backup copy. A well-organized compliance folder takes minutes to produce under examination pressure; a disorganized one takes days and creates a poor first impression with investigators. For full guidance on the data protection requirements applicable to tax practices, and for the latest IRS sample plan language, our IRS Publication 5708 sample WISP guide explains how to use the agency's own template as your starting point.

Get a Free Tax Practice Security Assessment

Our cybersecurity experts will evaluate your current compliance posture against IRS Publication 4557 and the FTC Safeguards Rule and provide actionable recommendations for the 2026 filing season.

Frequently Asked Questions

Tax preparers must meet requirements under two primary federal frameworks: IRS Publication 4557's Security Six controls (anti-virus/EDR, firewall, two-factor authentication, drive encryption, data backups, and software updates) and the FTC Safeguards Rule (16 CFR § 314), which requires a written information security program, a designated Qualified Individual, documented annual risk assessments, employee training, vendor oversight, and a written incident response plan. State data breach notification laws add a third compliance layer with varying timelines. Both PTIN and EFIN credentials are tied to security compliance — the IRS can suspend or revoke them for practitioners who cannot demonstrate adequate controls.

Yes. The IRS ties PTIN and EFIN credentials to security compliance under IRS Publication 4557. Examiners can request evidence of implemented controls during PTIN renewal review or during investigations following client data incidents. Practitioners who cannot demonstrate the Security Six baseline controls — or whose credentials were compromised due to inadequate security — face suspension or revocation. Credential loss means you cannot legally prepare returns or e-file on behalf of clients, which effectively ends your practice until credentials are reinstated.

Yes. The June 2023 amendments to the FTC Safeguards Rule eliminated all prior size-based exemptions. Every tax preparation business that collects consumer financial information — including sole proprietors and two-person offices — must maintain a written information security program meeting all 16 program elements specified under 16 CFR § 314. The rule defines tax preparers as financial institutions under the Gramm-Leach-Bliley Act because they handle consumer financial data, regardless of whether they provide lending or banking services.

The Qualified Individual is the person formally designated to oversee, implement, and enforce your information security program. This individual must have the authority and resources to implement controls and must report the status of the security program to the board of directors or senior management at least annually. For solo practitioners, the tax professional themselves typically serves as the Qualified Individual. The FTC does not require specific certifications, but the individual must have sufficient knowledge and authority to manage the program effectively. You must document this designation by name in your WISP.

The FTC Safeguards Rule requires an annual review of your WISP and an annual risk assessment at minimum. You must also update the plan whenever material changes occur: adding new systems or software, onboarding or offboarding vendors with access to client data, experiencing a security incident, changing the scope of your practice, or when new regulatory guidance identifies threats your current controls do not address. Each revision should be dated, with prior versions retained for at least three years to demonstrate your compliance history if the IRS or FTC requests documentation.

Prepare documentation covering all six Security Six controls: screenshots of active EDR or antivirus software on all devices, firewall configuration records, MFA enabled on tax software and email (settings screenshots), drive encryption status showing BitLocker or FileVault active, backup schedules with restoration test results, and a software patch management policy. Beyond the Security Six, maintain your current WISP with its revision date, employee training records with signed rosters and quiz scores, vendor contracts with data protection clauses, your incident response plan with notification procedures, and your most recent annual risk assessment. Organize these in clearly labeled electronic folders for rapid production if the IRS requests them during renewal or examination.

Yes. The FTC can impose civil penalties of up to $51,744 per violation per day under the Safeguards Rule, with each affected individual potentially counted as a separate violation. State attorneys general can bring additional enforcement actions under state breach notification and privacy laws. Beyond regulatory penalties, tax professionals face civil liability from affected clients, loss of PTIN and EFIN credentials, reputational damage, and direct breach response costs including forensic investigation, client notification, and credit monitoring services. Cyber liability insurance covers some costs, but policies typically exclude losses arising from failure to maintain baseline compliance controls.

The FTC Safeguards Rule requires training that is relevant to each employee's role and responsibilities, delivered during onboarding and periodically thereafter. Adequate training covers threat recognition (phishing, social engineering, credential theft), password hygiene and MFA use, data handling procedures specific to tax practice environments, and incident reporting protocols. Training must be documented with signed attendance rosters or digital acknowledgments, completion certificates, and assessment scores. Annual refreshers are the minimum requirement, with targeted updates when major new threats emerge — such as the W-2 phishing campaigns and IRS impersonation schemes the IRS Security Summit warns about at the start of each filing season.

Act on the following steps in sequence: isolate affected systems to prevent further unauthorized access by disconnecting them from your network, change all passwords and MFA credentials for potentially compromised accounts immediately, notify the IRS through the Data Theft Information Reporting System and contact your local IRS stakeholder liaison, report to the FBI Internet Crime Complaint Center at ic3.gov, engage your IT security provider or incident response team for forensic investigation to determine the scope, and notify affected clients per your state's breach notification timeline. Do not delay notification while waiting for certainty about breach scope — timelines run from discovery, not confirmation. A pre-written incident response plan with pre-drafted notification letters dramatically reduces response time and cost when you need it most.

Share

Share on X
Share on LinkedIn
Share on Facebook
Send via Email
Copy URL
(800) 492-6076
Share

Schedule

Need help with IRS compliance?

Our tax cybersecurity specialists can review your security posture and help you get compliant.

Protect your tax practice from cyber threats

Schedule a free consultation to assess your firm's security posture.