
Cybersecurity for Tax Professionals 2025: Complete IRS Compliance Guide

IRS cybersecurity compliance guide for tax professionals: Publication 4557, FTC Safeguards Rule, WISP requirements, and ransomware defense for 2026.


Tax professionals handle the most sensitive financial data in America — Social Security numbers, bank account details, employer identification numbers, and complete financial histories for millions of taxpayers. Federal law treats that responsibility as a legal obligation with penalties reaching $100,000 per violation. This IRS cybersecurity compliance guide for 2026 covers the mandatory requirements every tax preparer, CPA, and accounting firm must meet under three overlapping federal frameworks: IRS Publication 4557 "Safeguarding Taxpayer Data", the FTC Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA), and IRS Publication 1075.

The regulatory environment shifted once the amended FTC Safeguards Rule took full effect: the amendments were finalized in December 2021, and the compliance deadline for the most demanding provisions was June 9, 2023. The amended rule replaced general guidance with prescriptive requirements: a designated qualified individual, a written risk assessment, multi-factor authentication, encryption of customer information at rest and in transit, either continuous monitoring or annual penetration testing with semiannual vulnerability assessments, and a written incident response plan, all backed by FTC enforcement authority. Meanwhile, threat actors have taken notice: the IRS Security Summit reports ransomware attacks targeting tax firms increased 87% year-over-year, with average ransom demands reaching $287,000 for mid-sized practices.

This guide gives tax preparers and accounting firms a practical roadmap to meet 2026 regulatory requirements while building proven defenses against phishing attacks and business email compromise (BEC) campaigns that specifically target the tax industry during filing season.

The 2026 IRS Cybersecurity Compliance Framework

Tax professionals operate under multiple overlapping regulatory requirements that establish baseline security standards and enforcement mechanisms. Understanding how these frameworks interact is the first step toward building a defensible compliance program.

IRS Publication 4557: Your Primary Obligation

IRS Publication 4557, "Safeguarding Taxpayer Data," outlines the mandatory security measures every preparer acknowledges when applying for or renewing a Preparer Tax Identification Number (PTIN). The publication establishes minimum security expectations and directs preparers toward the IRS Security Summit's recommended controls. Non-compliance can result in PTIN suspension — effectively ending a preparer's ability to file returns on clients' behalf.

Publication 4557 works in tandem with the FTC Safeguards Rule (16 CFR Part 314), which treats tax preparers as "financial institutions" under the GLBA. That classification puts your practice under FTC enforcement authority, with civil penalties up to $100,000 per violation. The amended rule, whose compliance deadline was June 9, 2023, added specific technical mandates well beyond the original general guidance: MFA for anyone accessing customer information, encryption at rest and in transit, either continuous monitoring or annual penetration testing plus vulnerability assessments at least every six months, a written incident response plan, and ongoing oversight of service providers, each backed by written evidence.

IRS Publication 1075: Federal Tax Information Security Guidelines

IRS Publication 1075 establishes detailed security guidelines for federal tax information (FTI) handling. While it primarily targets federal, state, and local agencies that receive FTI from the IRS, its security control framework (built on NIST SP 800-53) provides authoritative technical guidance that any tax professional can apply. Publication 1075 requires FIPS 140 validated cryptographic modules for FTI at rest and in transit, which in practice means AES-256 storage encryption and TLS 1.2 or higher for connections, along with authentication requirements and monitoring controls for all systems handling FTI. These standards align closely with what the FTC Safeguards Rule demands, making Publication 1075 a useful technical reference for any practitioner handling taxpayer information.

Together, these three frameworks — Publication 4557, the FTC Safeguards Rule, and Publication 1075 — define a complete compliance baseline. For a detailed breakdown of how FTC requirements apply specifically to tax practices, see our FTC Safeguards Rule guide for financial institutions.

Tax Practice Cybersecurity: By the Numbers

  • $4.88M: average cost of a data breach (IBM Cost of a Data Breach Report 2024)
  • $100K: FTC penalty ceiling per violation cited for GLBA non-compliance
  • 87%: year-over-year increase in ransomware attacks on tax firms (IRS Security Summit reporting)

The IRS Security Six: Required Controls for Every Tax Practice

The IRS Security Summit — a coalition of the IRS, state tax agencies, and the private tax community — established six fundamental security categories that all tax professionals must address. These represent the baseline your practice must meet to satisfy IRS expectations and demonstrate good-faith compliance during an audit or breach investigation.

1. Anti-Virus and Anti-Malware Protection

Deploy Endpoint Detection and Response (EDR) solutions that go beyond signature-based detection to identify behavioral anomalies and zero-day threats. Modern EDR platforms use machine learning to detect ransomware encryption patterns, credential theft attempts, and lateral movement indicators before significant damage occurs. Signature-only antivirus is insufficient against the threats targeting tax practices in 2026.

2. Firewalls

Implement next-generation firewalls with intrusion prevention systems (IPS) and application-layer filtering to block malicious traffic before it reaches internal systems. Network segmentation — isolating systems that store taxpayer data from general business networks — limits how far an attacker can move if they compromise a single workstation.

3. Multi-Factor Authentication (MFA)

Require MFA on every system that touches taxpayer data: tax software, email, cloud storage, and remote access portals; the Safeguards Rule requires it for anyone accessing customer information. Prefer phishing-resistant methods, meaning FIDO2/WebAuthn security keys or passkeys, which bind the login to the genuine site. Where a system supports only one-time codes, use an authenticator app rather than SMS, which remains exposed to SIM swapping, but recognize that app-generated codes can still be relayed by a real-time phishing proxy, so they are a fallback rather than the target state. The IRS requires MFA for e-Services accounts; extend that same standard throughout your practice.

4. Backup Procedures

Maintain encrypted, offline backups following the 3-2-1 rule: three copies of data, on two different media types, with one stored offsite. Use immutable (write-once-read-many, WORM) backup storage that ransomware cannot encrypt or delete, and protect the backup console and its credentials with MFA and accounts separate from domain administration, because attackers routinely go after backups before they encrypt anything else. Test restoration procedures monthly: a backup you have never tested is not a backup you can rely on when it matters.

5. Drive Encryption

Encrypt all devices storing taxpayer data with FIPS 140-2 or 140-3 validated encryption modules, including laptops, desktops, external drives, and mobile devices. Full-disk encryption (BitLocker on Windows, FileVault on macOS) keeps data protected if a device is lost or stolen, a common threat for practices whose employees work outside the office. Escrow recovery keys centrally rather than on the device, and record encryption status per device in your inventory so you can prove a lost laptop was encrypted when you assess whether a breach occurred.

6. Virtual Private Networks (VPNs)

Require VPN connections for all remote access to practice networks so sensitive data is encrypted across untrusted networks. Disable split tunneling so all traffic routes through the secure tunnel, require MFA on the VPN itself, and patch the VPN appliance promptly: unpatched remote access systems are one of the most common ransomware entry points. For guidance on selecting the right solution, see our VPN selection guide for tax professionals.

2026 Compliance Requirement

Every tax preparer must maintain a current, signed Written Information Security Plan (WISP): the FTC Safeguards Rule requires one of every firm that holds taxpayer data, sole practitioners included, and the IRS requires preparers to attest to their data security responsibilities when applying for or renewing a PTIN. The often-repeated "11 or more returns" threshold is the IRS e-file mandate, not a WISP trigger. Firms holding information on fewer than 5,000 consumers are excused from a few of the rule's documentation elements (the written risk assessment, continuous monitoring or penetration testing, the written incident response plan, and the annual report to leadership) but not from the plan itself or its core safeguards. Firms without a compliant plan face FTC civil penalties up to $100,000 per violation and put their PTIN at risk.

Written Information Security Plan: Your Compliance Foundation

The Written Information Security Plan (WISP) is the central artifact of your entire compliance program — the document that demonstrates to the IRS, FTC, and state regulators that you have taken your data security obligations seriously. It must be living, signed by a responsible party, and updated at least annually or whenever your technology environment changes materially.

IRS Publication 5708, "Creating a Written Information Security Plan for your Tax & Accounting Practice," includes a sample WISP template designed for small tax practices. That template is a useful starting point, but it requires customization to reflect your actual systems, vendors, and risk profile. A generic template that doesn't match your technology stack or workflow will raise questions during an audit. Your WISP must address who is responsible for security, what systems are in scope, how you assess and manage risk, what technical controls you've implemented, how you train employees, how you manage vendors, and how you respond to incidents.

The FTC Safeguards Rule applies to every tax preparer handling consumer financial information, sole practitioners included, and all taxpayer data qualifies. (The "11 or more returns" figure sometimes quoted as the WISP trigger is actually the IRS e-file mandate threshold; the IRS instead requires every PTIN holder to attest to their data security responsibilities.) Firms with information on fewer than 5,000 consumers are exempt only from a few written-documentation elements of the rule, not from the plan itself. For a step-by-step build guide and a free customizable template, visit our 2026 WISP template page. For guidance on the PTIN-specific requirements that accompany WISP obligations, see our PTIN and WISP requirements guide.

Following this IRS cybersecurity compliance guide means your WISP must include more than a list of intentions. It must document specific controls in place, name the person responsible for each, and include evidence that employees have reviewed and acknowledged the plan. Regulators treat unsigned or undated WISPs as absent — a documented, version-controlled plan with annual review dates provides the evidentiary foundation you need if your firm is ever audited or investigated. For additional detail on building a WISP from scratch, see our guide on how to create a WISP and the dedicated IRS Written Information Security Plan overview.

How to Build a Compliant WISP in 6 Steps

1. Designate a Security Coordinator

Name one person responsible for your information security program (the Safeguards Rule calls this role the "qualified individual"). This individual owns the WISP, coordinates annual reviews, and serves as the point of contact for breach response.

2. Inventory All Systems and Data

Catalog every device, application, and third-party service that stores, processes, or transmits taxpayer data, including tax software, cloud storage, email platforms, and remote access tools.

3. Conduct a Written Risk Assessment

Evaluate human, technical, and third-party risks using a structured methodology such as NIST SP 800-30. Document identified vulnerabilities, likelihood ratings, and remediation priorities.

4. Document Your Security Controls

Record each control you have in place for the IRS Security Six categories: anti-malware, firewalls, MFA, backups, encryption, and VPN. Include vendor names, configuration standards, and testing schedules.

5. Build Your Incident Response Procedures

Define the steps your practice will take when a breach or suspected breach occurs: who to notify, how to contain the incident, when to involve law enforcement, and how to notify affected clients. Build the external reporting clocks into the procedure: the Safeguards Rule's breach notification amendment (effective May 13, 2024) requires notice to the FTC within 30 days of discovering a notification event involving the unencrypted information of 500 or more consumers, IRS Publication 4557 directs preparers to report data theft promptly to their local IRS Stakeholder Liaison, and state breach laws set their own deadlines for notifying affected clients.

6. Schedule Annual Review and Employee Training

Set a calendar date to review and update the WISP each year. Document employee security awareness training sessions with attendance logs and assessment results to demonstrate ongoing compliance.

Risk Assessment Methodology for Tax Practice Security

Every compliant security program starts with a documented risk assessment. The FTC Safeguards Rule requires a written risk assessment that is periodically reassessed (annually is the accepted cadence), and IRS Publication 4557 expects you to identify and address threats to the confidentiality of taxpayer data. The National Institute of Standards and Technology (NIST) Special Publication 800-30 Rev. 1 provides a structured, scalable framework adaptable to practices of any size.

Tax-specific risk assessments must evaluate three dimensions: human factors, technical vulnerabilities, and third-party risks. Each requires a different analytical approach and produces different remediation priorities.

Human Factor Risks

Employee errors account for 88% of data breaches, according to Stanford University research. Your risk assessment must evaluate password practices, phishing susceptibility, physical security awareness, and remote work habits across your staff. Social engineering attacks targeting tax professionals increased 156% in 2024, with criminals impersonating IRS agents, software vendors, and clients to steal credentials or install malware. Phishing simulations provide the most accurate measure of actual susceptibility — self-reported assessments consistently underestimate the real risk. For more on how attackers approach these campaigns, see our guide on phishing tactics and defenses.

Technical Vulnerabilities

Vulnerability scanning identifies unpatched software, misconfigured systems, and weak encryption implementations across your technology environment. The Common Vulnerability Scoring System (CVSS) provides standardized severity ratings: critical (9.0–10.0), high (7.0–8.9), medium (4.0–6.9), and low (0.1–3.9). Remediation deadlines are not set by CVSS itself but by your patch management policy, which NIST SP 800-40 Rev. 4 recommends you define and measure against; a common policy for a tax practice is 24 hours for critical findings and 7 days for high, with the clock starting at discovery. The FTC Safeguards Rule requires either continuous monitoring or annual penetration testing combined with vulnerability assessments at least every six months. Penetration testing actively attempts to exploit identified weaknesses to confirm their real-world impact rather than relying on scores alone.
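
To make that policy operational, here is an added example, written for this guide rather than taken from IRS, FTC or NIST tooling, that maps CVSS v3 base scores to the FIRST severity bands and to a hypothetical patch-policy SLA, then reports which findings from a constructed scan result set are overdue, open, or were closed late. The hosts, finding titles, dates and SLA values are all assumptions.

```python
"""Triage vulnerability-scan findings against CVSS severity bands and a
patch-policy SLA. Added example for this guide; the SLA values, hosts and
findings below are assumptions, not IRS, FTC or NIST requirements."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical patch-policy deadlines, in days from discovery, per severity band.
SLA_DAYS = {"critical": 1, "high": 7, "medium": 30, "low": 90}
AS_OF = date(2026, 1, 12)  # hypothetical "today" for the sample run


def cvss_severity(score: float) -> str:
    """CVSS v3.x qualitative severity bands as published by FIRST."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score >= 0.1:
        return "low"
    return "none"  # informational, no remediation SLA


@dataclass
class Finding:
    host: str
    title: str
    cvss: float
    found: date
    fixed: Optional[date] = None


def deadline(finding: Finding) -> Optional[date]:
    """Remediation due date under SLA_DAYS, or None for informational findings."""
    sev = cvss_severity(finding.cvss)
    if sev == "none":
        return None
    return finding.found + timedelta(days=SLA_DAYS[sev])


def triage(findings, today: date) -> dict:
    """Bucket findings into overdue / open / closed / closed_late, sorted by due date.

    Closed findings that missed their deadline are kept apart so the annual
    risk assessment can report SLA misses, not just what is still open."""
    report = {"overdue": [], "open": [], "closed": [], "closed_late": []}
    for f in findings:
        due = deadline(f)
        if due is None:
            continue
        entry = (due, f.host, f.title, cvss_severity(f.cvss), f.cvss)
        if f.fixed is not None:
            report["closed_late" if f.fixed > due else "closed"].append(entry)
        elif today > due:
            report["overdue"].append(entry)
        else:
            report["open"].append(entry)
    for bucket in report.values():
        bucket.sort()
    return report


# Constructed sample scan results; not real scanner output.
SAMPLE_FINDINGS = [
    Finding("vpn-gw-01", "remote access appliance missing vendor patch", 9.8, date(2026, 1, 5)),
    Finding("ws-tax-07", "outdated PDF reader", 7.8, date(2026, 1, 10)),
    Finding("file-srv-01", "SMB signing not required", 5.3, date(2026, 1, 2)),
    Finding("ws-tax-03", "TLS 1.0 enabled on management interface", 6.5,
            date(2025, 12, 1), fixed=date(2025, 12, 20)),
    Finding("ws-tax-03", "service banner discloses version", 0.0, date(2026, 1, 1)),
]

if __name__ == "__main__":
    result = triage(SAMPLE_FINDINGS, today=AS_OF)
    for bucket, entries in result.items():
        for due, host, title, sev, score in entries:
            print(f"{bucket:12} {host:12} {sev:8} {score:4} due {due}  {title}")
```

Run against the sample as of 12 January 2026, the critical VPN appliance finding (due 6 January) is overdue, the two workstation and file-server findings are open with deadlines still ahead, and the TLS 1.0 finding was closed inside its window. Feed the same function your real scanner export and the "overdue" bucket is the list your risk assessment has to explain.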

Third-Party Risks

Every vendor with access to your client data introduces potential vulnerabilities into your environment. Cloud storage providers, tax software companies, IT support firms, and payroll processors all require security assessments before you share access to taxpayer data. The FTC Safeguards Rule specifically requires you to oversee service providers' security practices through written contracts and ongoing monitoring — not just a one-time questionnaire. Assuming your software vendor handles all security leaves your clients exposed when that vendor experiences a breach, and leaves you legally liable for failing to conduct adequate due diligence. For guidance on securing client data sharing specifically, see our guide on tax client portal security.

Ransomware and Advanced Threat Defense for Tax Practices

Ransomware remains the dominant threat to tax practices. The FBI's Internet Crime Complaint Center (IC3) ranks tax professionals among the top five most targeted industries, and attackers specifically time campaigns around filing season when practices operate under maximum pressure. Modern ransomware operations employ double extortion — encrypting your data while threatening to publish stolen client information unless you pay, regardless of whether you can restore from backup.

Effective ransomware defense requires layered controls so that when one fails, others limit the damage:

  • Email security gateways using machine learning detect malicious attachments and suspicious links before messages reach user inboxes, with sandbox analysis for unknown file types.
  • EDR with behavioral detection monitors for ransomware indicators — rapid file encryption, shadow copy deletion, suspicious PowerShell execution — and provides automated response including process termination and network isolation.
  • Network segmentation isolates taxpayer data systems from general business networks, limiting lateral movement when an initial compromise occurs.
  • Immutable WORM backups prevent ransomware from encrypting or deleting your restoration point, ensuring you can recover without paying a ransom.
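
The EDR bullet above names three behaviours worth catching early: shadow copy deletion, suspicious PowerShell, and rapid mass encryption. As an added example for this guide, not any EDR vendor's detection logic, the following script runs those three rules over a constructed stream of endpoint events. The event format, host names, ransom extension and the 50-renames-in-60-seconds threshold are all assumptions; real telemetry (Sysmon, Windows Security log, or your EDR's export) carries the same fields under other names.

```python
"""Behavioural ransomware-precursor detection over endpoint telemetry.
Added example for this guide, not any EDR vendor's detection logic; the
event format, hosts and thresholds are assumptions."""
import base64
import re
from collections import defaultdict, deque

# Commands that destroy recovery points; each is a classic ransomware precursor.
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(?:\.exe)?\s+.*recoveryenabled\s+no", re.I),
]
# powershell -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_PS = re.compile(
    r"powershell(?:\.exe)?\s+.*?-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
# Extensions normally seen on a tax practice file share (assumed); renames to
# anything else count toward the mass-rename detector.
KNOWN_EXTENSIONS = {"pdf", "docx", "xlsx", "csv", "txt", "qbb", "tax", "zip"}


def decode_encoded_powershell(cmdline: str):
    """Return the decoded script of an -EncodedCommand invocation, else None."""
    m = ENCODED_PS.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64/UTF-16LE, so not an -enc payload


def detect(events, rename_threshold=50, window_seconds=60):
    """Return (host, rule, detail) alerts for a chronologically ordered event list."""
    alerts = []
    renames = defaultdict(deque)  # host -> timestamps of renames to unknown extensions
    for ev in events:
        if ev["type"] == "process":
            cmd = ev["cmd"]
            if any(p.search(cmd) for p in SHADOW_COPY_PATTERNS):
                alerts.append((ev["host"], "shadow_copy_deletion", cmd))
            decoded = decode_encoded_powershell(cmd)
            if decoded is not None:
                alerts.append((ev["host"], "encoded_powershell", decoded))
        elif ev["type"] == "rename":
            ext = ev["path"].rsplit(".", 1)[-1].lower()
            if ext in KNOWN_EXTENSIONS:
                continue
            window = renames[ev["host"]]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > window_seconds:
                window.popleft()  # slide the window forward
            if len(window) == rename_threshold:  # fire once per burst
                alerts.append((ev["host"], "mass_rename",
                               f"{rename_threshold} renames to .{ext} within {window_seconds}s"))
    return alerts


# Constructed sample telemetry (ts = seconds from start); not real EDR output.
_PAYLOAD = "Remove-Item -Recurse -Force C:\\Backups"
_B64 = base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"ts": 0, "type": "process", "host": "ws-tax-07",
     "cmd": f"powershell.exe -nop -w hidden -enc {_B64}"},
    {"ts": 5, "type": "process", "host": "ws-tax-07", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": 6, "type": "process", "host": "ws-tax-07", "cmd": "wmic.exe shadowcopy delete"},
    {"ts": 30, "type": "process", "host": "ws-admin-01", "cmd": "vssadmin.exe list shadows"},
    {"ts": 40, "type": "rename", "host": "ws-tax-02", "path": "C:\\Users\\asmith\\Desktop\\notes.txt"},
]
# 120 client files renamed to a ransom extension within twelve seconds.
SAMPLE_EVENTS += [
    {"ts": 10 + i // 10, "type": "rename", "host": "ws-tax-07",
     "path": f"\\\\file-srv-01\\clients\\return_{i:03d}.pdf.locked"} for i in range(120)
]
SAMPLE_EVENTS.sort(key=lambda e: e["ts"])

if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{host:12} {rule:22} {detail}")
```

On the sample, ws-tax-07 produces four alerts in sequence: the decoded PowerShell (which turns out to be deleting a backup folder), two shadow copy deletions, and the mass rename at the fiftieth file. The administrator's "vssadmin list shadows" and the single rename on ws-tax-02 produce nothing, which is the point: the rules fire on destructive verbs and bursts, not on the tools themselves. In production, the "mass_rename" alert should trigger automatic network isolation of the host, since by the fiftieth file the encryption is already well under way.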

Practices that want real-time threat detection without building an internal security operations team should evaluate managed detection and response (MDR) services designed for small and mid-sized firms. For a detailed breakdown of ransomware mechanics and defensive architecture, see our ransomware guide.

Business Email Compromise: The Filing-Season Threat

Business email compromise (BEC) produced $2.9 billion in reported losses in 2023, according to FBI IC3 reporting. Tax professionals face targeted campaigns during filing season when criminals impersonate clients requesting refund deposit changes, partners requesting W-2 data for urgent returns, or payroll systems requesting wire transfers. These attacks succeed because they exploit trusted relationships and time pressure, both abundant from January through April.

Effective BEC prevention requires technical and process controls working together. On the technical side, publish SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) for your own domain, and a DMARC (Domain-based Message Authentication, Reporting and Conformance) record with an enforcing policy (p=quarantine first, then p=reject), so receiving mail systems can reject messages that forge your domain. Be precise about what this covers: it stops your domain from being spoofed, and it lets your own gateway reject inbound spoofs of any sender domain that publishes an enforcing DMARC policy, but it does nothing against lookalike domains or a compromised client mailbox sending genuine mail. Configure your email security platform to flag external messages that claim an internal display name or address, and to mark messages from newly registered or lookalike domains.
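
A DMARC record that exists but says p=none, or an SPF record ending in +all, gives the appearance of protection without any. As an added example for this guide, not the SPF or DMARC reference implementations, the following script parses the two TXT records and lists the weaknesses a practitioner should fix; it grades records you paste in, so it makes no DNS queries and runs offline. The domains and records are placeholders. DKIM is not graded here because its strength lies in the signature on each message rather than in the published record.

```python
"""Grade a domain's SPF and DMARC TXT records for spoofing resistance.
Added example for this guide, not the SPF or DMARC reference code; it
evaluates records you paste in and makes no DNS queries. Domains are
placeholders."""

# SPF terms that cost a DNS lookup; more than 10 makes receivers return permerror.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a lowercase-keyed tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return weaknesses; an empty list means an enforcing, reporting policy."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (v=DMARC1 must be the first tag)"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        issues.append("missing or invalid p= tag: receivers ignore the record")
    elif policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine: move to p=reject once aggregate reports are clean")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        issues.append("pct= is not a number")
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if not tags.get("rua", "").startswith("mailto:"):
        issues.append("no rua=mailto: address: you receive no aggregate reports")
    if tags.get("sp", "").lower() == "none":
        issues.append("sp=none: subdomains can be spoofed although the apex is protected")
    return issues


def assess_spf(record: str) -> list:
    """Return weaknesses in an SPF record; empty list means a strict, valid record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    issues = []
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        issues.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            issues.append("+all authorizes every sender; the record is worthless")
        elif qualifier == "?":
            issues.append("?all is neutral, equivalent to no policy")
        elif qualifier == "~":
            issues.append("~all softfails spoofs; acceptable only with DMARC p=reject, otherwise use -all")
    lookups = 0
    for term in terms[1:]:
        name = term.lstrip("+-~?").lower()
        name = name.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms: exceeds the 10-lookup limit, receivers return permerror")
    return issues


def assess(records: dict) -> dict:
    """Grade the 'spf' and 'dmarc' records of one domain together."""
    return {"spf": assess_spf(records["spf"]), "dmarc": assess_dmarc(records["dmarc"])}


# Constructed sample records for a placeholder domain; not real DNS data.
SAMPLE_RECORDS = {
    "before": {
        "spf": "v=spf1 include:_spf.example.net +all",
        "dmarc": "v=DMARC1; p=none; pct=50",
    },
    "after": {
        "spf": "v=spf1 mx include:_spf.example.net -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s",
    },
}

if __name__ == "__main__":
    for label, recs in SAMPLE_RECORDS.items():
        print(label, assess(recs))
```

The "before" pair is the common failure state: a DMARC record that was published to satisfy a checklist but monitors only half of failing mail and reports to nobody, beside an SPF record whose +all authorizes the whole internet. The "after" pair grades clean. To check your own domain, paste in the output of a TXT lookup for yourdomain and _dmarc.yourdomain; the reports that arrive at the rua= address are what tell you when it is safe to move from quarantine to reject.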

On the process side, establish a verbal verification requirement for any request involving changes to financial account information, payment instructions, or unusual data sharing, regardless of how legitimate the email appears: no email-only authorization for financial changes, and the call goes to a number already on file, never to one supplied in the message. Document this policy in your WISP and train every staff member who handles client communications or financial transactions. The majority of successful BEC attacks could have been stopped with a 30-second call to a known phone number.

Bottom Line

No tax practice is too small to be targeted. Criminals prioritize firms based on the value of the data they hold — not their headcount. A sole practitioner with 50 clients holds 50 complete financial profiles. Layered security controls, a current WISP, and documented annual training are what distinguish a practice that survives a breach from one that doesn't.

Compliance Documentation and Audit Readiness

Meeting security requirements is one challenge. Proving you meet them is another. During an IRS audit, FTC investigation, or data breach inquiry, the quality and completeness of your documentation often determines whether you face maximum penalties or can demonstrate documented, good-faith compliance that regulators weigh in mitigation.

The FTC requires retention of compliance documentation for a minimum of seven years, consistent with IRS Publication 1075 guidance. Tax practices must maintain these records at minimum:

  • Current WISP: Version-controlled document with annual review dates and an authorized signature. Track all amendments with effective dates and rationale for each change.
  • Risk Assessment Reports: Annual assessments and any triggered reassessments, documenting identified vulnerabilities, CVSS scores, likelihood-impact ratings, and remediation timelines and completion status.
  • Vendor Security Assessments: Due diligence documentation for all third-party service providers with access to taxpayer data, including SOC 2 Type II reports, completed security questionnaires, and the security provisions in your executed service contracts.
  • Training Records: Attendance logs, completion certificates, assessment scores, training content descriptions, and delivery dates for all security awareness sessions. Document remedial training for employees who fail phishing simulations or knowledge assessments.
  • Incident Logs: Detailed records of every security event — including minor incidents — with detection timestamps, affected systems, response actions taken, root cause analysis, and remediation measures. Thorough logs demonstrate active monitoring, which regulators view favorably during enforcement proceedings.

Practices with well-maintained records consistently receive better outcomes in enforcement actions than those who scramble to reconstruct events after the fact. For a detailed incident response framework adapted to tax practices, see our tax practice incident response guide and the NIST incident response framework overview.

Managing Third-Party Security Risk

The FTC Safeguards Rule explicitly requires tax professionals to implement procedures for evaluating and monitoring service providers' security practices — not just at the start of a relationship, but on an ongoing basis. This requirement extends to every vendor that accesses, stores, or transmits taxpayer data on your behalf: cloud storage providers, tax software companies, IT support firms, payroll processors, and document management platforms.

Initial vendor assessments should collect SOC 2 Type II reports, completed security questionnaire responses addressing specific FTC Safeguards Rule requirements, proof of cyber liability insurance with a minimum $2 million coverage limit, and incident response documentation including a 24-hour breach notification commitment. Vendors who cannot produce these materials warrant additional scrutiny before you share access to client data.

Service agreements must specify encryption standards, access control requirements, breach notification timelines, your right to audit vendor security practices, and data destruction procedures upon contract termination. A vendor relationship without these written provisions creates compliance gaps even if the vendor maintains strong security practices — regulators require documented evidence, not assumptions. For more on managing the specific risks of client-facing portals, see our guide on online tax filing security risks.

Physical Security for Federal Tax Information

While most tax practices focus on digital threats, physical security controls are also required under IRS Publication 1075 and the FTC Safeguards Rule. Physical safeguards for federal tax information include locked server rooms or filing cabinets for paper records, screen privacy filters on workstations in shared spaces, visitor access logs, and clean-desk policies that prevent sensitive documents from remaining visible after hours. For a detailed breakdown of the physical security requirements tied to federal tax information handling, see our guide on physical security practices required for FTI.

Cyber Insurance: A Necessary Layer

A WISP and strong technical controls reduce your breach risk; cyber insurance addresses the residual risk that remains. A tax practice breach can trigger forensic investigation fees, breach notification costs, regulatory defense expenses, client credit monitoring obligations, and civil liability — costs that can reach six figures even for a small practice. Cyber liability policies designed for professional services firms provide coverage for these expenses when properly structured.

Confirm that your policy covers regulatory defense costs, not only first-party breach response, and verify that coverage applies to the categories of data your practice handles. Most underwriters now require evidence of security controls before binding coverage — your current WISP and training records directly support favorable underwriting terms. For information on data protection services built for tax firms, see our tax practice data protection page.

2026 IRS Cybersecurity Compliance Checklist

  • Maintain a current, signed WISP reviewed and updated within the last 12 months
  • Complete an annual written risk assessment documenting all identified vulnerabilities and remediation priorities
  • Deploy EDR on all workstations and servers that store or process taxpayer data
  • Require MFA on tax software, email, cloud storage, and all remote access portals
  • Enable full-disk encryption using FIPS 140-2 or 140-3 validated modules on all devices handling taxpayer data, with recovery keys escrowed off the device
  • Maintain encrypted, offsite backups using WORM technology and test restoration monthly
  • Deploy DMARC, DKIM, and SPF email authentication to block BEC and spoofing attacks
  • Conduct annual penetration testing plus vulnerability assessments at least every six months, or implement continuous monitoring, as the amended FTC Safeguards Rule requires (firms holding information on fewer than 5,000 consumers are exempt from this element but should still scan)
  • Document vendor security assessments for all third parties with client data access, including SOC 2 Type II reports
  • Maintain security awareness training records with attendance logs and assessment scores for all staff
  • Retain all compliance documentation — WISPs, risk assessments, incident logs — for a minimum of 7 years
  • Carry cyber liability insurance with regulatory defense coverage and verify it applies to taxpayer data categories

Free 2026 WISP Template for Tax Professionals

Download a customizable Written Information Security Plan template built specifically for tax preparers, CPAs, and accounting firms. Meets IRS Publication 4557 and FTC Safeguards Rule requirements.

Putting This IRS Cybersecurity Compliance Guide Into Practice

The frameworks described throughout this guide — IRS Publication 4557, the FTC Safeguards Rule, and IRS Publication 1075 — share a common structure: identify your risks, implement controls, document your actions, train your people, and review the program annually. That cycle is not a one-time project; it is an ongoing operational discipline that evolves as your technology environment and the threat environment change.

For most small and mid-sized tax practices, the most direct path to compliance is engaging a managed security provider that specializes in tax professional requirements. This approach provides the continuous monitoring, EDR deployment, vulnerability management, and documentation support that the FTC Safeguards Rule demands — without requiring you to build an internal security operations function from scratch. Practices that have already implemented the IRS Security Six controls and maintained a current WISP should focus next on annual penetration testing and supply chain risk management, the two areas where enforcement actions most commonly identify gaps.

The tax preparer cybersecurity page provides an overview of Bellator Cyber Guard's managed security services for tax professionals, including endpoint protection, compliance documentation support, and incident response. For a complete package that addresses every element of this IRS cybersecurity compliance guide, see our all-in-one compliance package for tax practices. You can also review frequently asked questions about tax cybersecurity for quick answers on common compliance concerns.

Book a Free Tax Cybersecurity Assessment

Our security experts will evaluate your current WISP, controls, and compliance posture against IRS Publication 4557 and FTC Safeguards Rule requirements — and provide a clear remediation roadmap.

Frequently Asked Questions

Tax professionals are required to comply with the FTC Safeguards Rule, and IRS Publication 4557 is the IRS's guidance on doing so: it directs every preparer to maintain a Written Information Security Plan (WISP), implement the IRS Security Six controls, and train staff annually. The Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA) classifies tax preparers as financial institutions and imposes prescriptive requirements including multi-factor authentication, encryption of data at rest and in transit, and either continuous monitoring or annual penetration testing with semiannual vulnerability assessments. Together, these frameworks define what a defensible compliance program must include in 2026.

Every tax preparer that holds taxpayer data needs a WISP: the FTC Safeguards Rule covers sole practitioners handling any consumer financial information, and all taxpayer data qualifies. The "11 or more returns" threshold sometimes quoted as the trigger is the IRS e-file mandate, not a WISP rule; the IRS instead requires every PTIN applicant to attest to their data security responsibilities. Firms holding information on fewer than 5,000 consumers are exempt from a few written-documentation elements of the rule (the written risk assessment, continuous monitoring or penetration testing, the written incident response plan, and the annual report) but not from the plan or its core safeguards. Even a one-person practice with a handful of clients falls within scope if it handles taxpayer Social Security numbers, bank account details, or income information.

The FTC can assess civil penalties up to $100,000 per violation under its GLBA enforcement authority. Non-compliance with IRS Publication 4557 requirements can also result in PTIN suspension, which prevents a preparer from filing returns on clients' behalf. State data protection laws may impose additional penalties depending on the location of affected clients.

The amended FTC Safeguards Rule, whose compliance deadline was June 9, 2023, requires tax preparers to implement: a designated qualified individual who owns the program, a written risk assessment, access controls and an inventory of systems and data, encryption of customer information at rest and in transit (the rule names no algorithms; AES-256 storage encryption and TLS 1.2 or higher are the accepted standard), multi-factor authentication for anyone accessing customer information, secure disposal and change management, monitoring of authorized user activity, either continuous monitoring or annual penetration testing with vulnerability assessments at least every six months, staff training, written agreements with and ongoing oversight of service providers that handle client data, a written incident response plan, and an annual report to the firm's leadership. Since May 13, 2024, the rule also requires notifying the FTC within 30 days of discovering a breach that involves the unencrypted information of 500 or more consumers. Firms with information on fewer than 5,000 consumers are exempt from the written risk assessment, the monitoring or penetration-testing element, the written incident response plan, and the annual report; every remaining element must be documented with evidence of implementation.

Your WISP must be reviewed and updated at minimum annually. You should also update it whenever your technology environment changes materially — such as adopting a new tax software platform, adding a cloud storage service, or changing your remote access infrastructure. Document each revision with an effective date and the rationale for the change to maintain a defensible version history.

The IRS Security Six is a set of six fundamental security controls the IRS Security Summit recommends for all tax professionals: (1) anti-virus and anti-malware protection, (2) firewalls, (3) multi-factor authentication, (4) backup procedures, (5) drive encryption, and (6) virtual private networks for remote access. These represent the minimum baseline for a defensible security program under IRS Publication 4557 and form the foundation every WISP should document.

No. Cyber insurance covers residual risk after controls are in place — forensic investigation fees, breach notification costs, regulatory defense expenses, and civil liability. Most underwriters now require evidence of security controls before binding coverage. A current WISP, MFA deployment, and documented employee training directly support favorable underwriting terms and are generally required to maintain coverage after a claim.

The FTC Safeguards Rule requires retention of compliance documentation for a minimum of seven years. This includes your current and prior WISPs, annual risk assessment reports, vendor security assessment records, employee security training logs and assessment scores, and incident logs for all security events. Thorough documentation is often the deciding factor in enforcement outcomes — regulators treat firms with complete records more favorably than those reconstructing events after the fact.

Ransomware operators target tax practices during filing season when practices operate under time pressure and are less likely to delay paying a ransom. Modern attacks use double extortion — encrypting your data while threatening to publish stolen client Social Security numbers, bank details, and financial records unless you pay. Entry points typically include phishing emails impersonating software vendors or the IRS, unpatched vulnerabilities in remote access systems, and compromised credentials obtained through prior data breaches.

IRS Publication 1075 establishes security guidelines for federal tax information (FTI) handling. It primarily targets federal, state, and local agencies that receive FTI, but its security control framework, including its requirement for FIPS 140 validated cryptography (in practice AES-256 at rest and TLS 1.2 or higher in transit) and its access control and audit logging standards, provides authoritative technical guidance that all tax professionals can apply. Practitioners handling FTI on behalf of government agencies have direct obligations under Publication 1075 in addition to their Publication 4557 and FTC Safeguards Rule requirements.
