
IRS Cybersecurity Requirements: What Tax Preparers Must Do

Learn the mandatory IRS cybersecurity requirements for tax preparers in 2026. Security Six controls, WISP compliance, penalties, and step-by-step guidance.

What Tax Preparers Need to Know About Federal Cybersecurity Mandates

The Internal Revenue Service requires all professional tax preparers to implement information security programs protecting client data under federal law. These IRS cybersecurity requirements stem from the Gramm-Leach-Bliley Act (GLBA), which classifies tax professionals as financial institutions subject to the FTC Safeguards Rule.

Criminals target tax professionals and accounting firms because a single breach provides complete financial profiles: Social Security numbers, dates of birth, income records, bank account details, and dependent information. That data enables convincing fraudulent tax returns, synthetic identity theft, and financial fraud that can persist for years after the initial compromise.

The threat continues to grow. Cyberattacks on tax firms have increased sharply as criminal organizations recognize that small and mid-sized practices often lack the security infrastructure of major financial institutions while holding equally sensitive data. A single compromised tax preparer may expose hundreds or thousands of client records in one incident, and the IRS has made it clear that every firm—regardless of size—must meet the same baseline security standards.

This guide explains the specific technical controls, documentation requirements, and operational procedures that constitute full compliance with federal cybersecurity mandates for tax professionals in 2026. We cover the six fundamental security measures (the "Security Six"), Written Information Security Plan (WISP) requirements under IRS Publication 4557, FTC Safeguards Rule obligations, employee training standards, EFIN protection protocols, and the real enforcement consequences firms face for non-compliance.

IRS Cybersecurity Requirements: By the Numbers

  • $4.88M: average data breach cost (IBM Cost of a Data Breach Report)
  • 294K+: tax identity theft cases reported to the IRS annually
  • $10,000: maximum annual civil penalty per person under IRC Section 6713
  • 30–50%: insurance premium reduction for firms with documented compliance

Legal Framework: Federal Cybersecurity Mandates for Tax Preparers

Tax preparers operate under a layered legal framework requiring specific information security measures. Understanding each layer helps you identify exactly what your practice must do—and which penalties apply for non-compliance.

The Gramm-Leach-Bliley Act (GLBA)

The GLBA classifies tax preparation services as financial institutions subject to federal data protection requirements. This classification is not based on firm size, revenue, or the number of returns you file—it applies to every tax professional who handles client financial information, from solo preparers working out of a home office to national firms with hundreds of locations.

FTC Safeguards Rule

The FTC Safeguards Rule implements GLBA requirements by mandating that financial institutions develop, implement, and maintain thorough information security programs to protect customer information. The rule was significantly updated in 2023 with specific new obligations: designation of a qualified individual to oversee the security program, written risk assessments, access controls, encryption standards, multi-factor authentication, and incident response planning. For a detailed breakdown, see our guide to the FTC Safeguards Rule for tax preparers.

IRS Security Summit and Publication 4557

The IRS Security Summit—a partnership between the Internal Revenue Service, state tax agencies, and private sector tax industry representatives—translates these legal requirements into specific technical standards for tax professionals. IRS Publication 4557 serves as the primary guidance document, requiring tax preparers to create Written Information Security Plans that document their entire security program. Publication 4557 covers everything from physical office security to digital data protection, and the IRS treats it as the benchmark for evaluating whether a tax practice meets federal standards.

Enforcement Penalties

Multiple enforcement mechanisms back these requirements with real consequences. Tax preparers who fail to comply face penalties from federal, state, and IRS authorities simultaneously:

  • IRC Section 7216 (Criminal): Knowing or reckless unauthorized disclosure of taxpayer information carries fines up to $1,000 and imprisonment up to one year per violation.
  • IRC Section 6713 (Civil): Unauthorized disclosure penalties of $250 per incident, with maximum annual penalties of $10,000 per person.
  • FTC Enforcement: The Federal Trade Commission pursues Safeguards Rule violations through civil penalties, injunctive relief, and mandatory corrective action orders. Penalties in enforcement actions have ranged from $10,000 to over $1 million.
  • State Penalties: State attorneys general enforce data breach notification laws with penalties ranging from $5,000 to $750,000 depending on jurisdiction. Most states mandate notification within 30–90 days of breach discovery.
  • PTIN Suspension: The IRS can suspend your Preparer Tax Identification Number for non-compliance, effectively prohibiting you from preparing federal tax returns.

2026 Filing Season Compliance Deadline

The IRS requires all tax preparers to have a current, documented Written Information Security Plan (WISP) in place before the 2026 filing season. Firms without a compliant plan risk PTIN suspension, FTC enforcement action, and inability to demonstrate compliance to cyber insurance carriers. If your WISP has not been reviewed and updated within the past 12 months, take action now.

The Security Six: Fundamental Technical Controls

The IRS Security Summit identified six fundamental technical controls that form the baseline of every compliant security program. These "Security Six" measures represent the minimum protections required under IRS cybersecurity requirements for tax preparers and defend against the most common attack vectors targeting tax practices.

1. Antivirus and Anti-Malware Protection

Traditional signature-based antivirus software detects known malware patterns but fails against modern threats including zero-day exploits, polymorphic malware, and fileless attacks. Professional-grade Endpoint Detection and Response (EDR) solutions monitor behavioral patterns, detect anomalous activity, and provide automated threat response capabilities that go far beyond basic antivirus scanning.

Compliant endpoint protection must be installed on every device that accesses taxpayer data—workstations, laptops, servers, and mobile devices. Systems must maintain current threat definitions through automatic updates, perform regular scheduled scans, provide real-time monitoring of file access and execution, and generate alerts with automated quarantine capabilities. For detailed guidance on selecting the right solution, see our guide to antivirus and endpoint protection for tax professionals.

2. Firewall Protection

Firewalls control network traffic between your internal systems and the internet, blocking unauthorized access while permitting legitimate communication. Every tax practice needs both a hardware firewall at the network perimeter and software firewalls on individual devices.

Configure firewalls to deny all inbound traffic by default and allow only specific, necessary connections. Regularly review and update firewall rules as your technology environment changes, and maintain logs for at least 90 days to support incident investigation. Our firewall setup guide for tax offices walks through configuration step by step.

3. Multi-Factor Authentication (MFA)

MFA requires users to provide two or more verification factors before accessing systems containing taxpayer data. This single control stops the vast majority of credential-based attacks because a stolen password alone cannot grant access. Implement MFA on all tax preparation software, email accounts, cloud storage services, IRS e-Services portals, and any remote access tools. Use authenticator apps or hardware security keys rather than SMS-based codes, which are vulnerable to SIM-swapping attacks.

4. Backup Software and Services

Regular, encrypted backups protect against ransomware, hardware failure, and accidental deletion. Follow the 3-2-1 backup rule: maintain three copies of all taxpayer data, on two different media types, with one copy stored offsite or in the cloud. Test backup restoration quarterly to verify data integrity—a backup you cannot restore is not a backup. All backups containing taxpayer information must be encrypted both in transit and at rest.
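The restoration test the paragraph calls for can be automated rather than left to a quarterly reminder. The script below is an added example, not code from the original article or from any backup vendor: it archives a source directory together with a SHA-256 manifest, then proves the archive restores bit-for-bit by extracting it into a scratch directory and recomputing every hash. The sample "client files" are constructed, and encryption of the archive itself (required for taxpayer data) is assumed to be handled by the backup tool or the encrypted volume the archive lands on.

```python
"""Backup-and-restore verification (added example, not from the page).

Creates backup.tar.gz plus a SHA-256 manifest, then verifies that a restore
into a scratch directory reproduces every file exactly. An empty problem list
means the restore test passed; anything else is a backup you cannot rely on.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, dest_dir: Path) -> tuple:
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / "backup.tar.gz"
    manifest = dest_dir / "backup.manifest.json"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    manifest.write_text(json.dumps(build_manifest(src), indent=2))
    return archive, manifest


def verify_restore(archive: Path, manifest: Path) -> list:
    """Restore into a scratch directory and compare against the manifest."""
    expected = json.loads(manifest.read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        restore = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):
                tar.extractall(restore, filter="data")  # rejects path-traversal entries
            else:
                tar.extractall(restore)                 # older Python without filters
        actual = build_manifest(restore)
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing after restore: {rel}")
        elif actual[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    for rel in actual.keys() - expected.keys():
        problems.append(f"unexpected file in restore: {rel}")
    return problems


def run_demo() -> tuple:
    """Return (problems for a good backup, problems for an incomplete one)."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "client_files"                       # constructed sample data
        (src / "2025").mkdir(parents=True)
        (src / "2025" / "return_0001.pdf").write_bytes(b"%PDF-1.7 constructed sample\n")
        (src / "engagement_letters.txt").write_text("constructed sample content\n")

        archive, manifest = make_backup(src, work / "backup_set_a")
        clean = verify_restore(archive, manifest)

        # Simulate a later backup job that captured a truncated file; the
        # restore test against the original manifest is what catches it.
        (src / "2025" / "return_0001.pdf").write_bytes(b"%PDF-1.7")
        bad_archive, _ = make_backup(src, work / "backup_set_b")
        incomplete = verify_restore(bad_archive, manifest)
        return clean, incomplete


if __name__ == "__main__":
    good, bad = run_demo()
    print("good backup:", good or "restore verified")
    print("incomplete backup:", bad)
```

Run it from a scheduled task each quarter against the real backup set and keep the printed result with the WISP records; the dated output is exactly the restoration evidence an auditor or insurer will ask for.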

5. Drive Encryption

Full-disk encryption protects data on every device that stores or processes taxpayer information. If a laptop is stolen or a hard drive is lost, encryption ensures the data remains unreadable without proper authentication credentials. Enable BitLocker (Windows) or FileVault (macOS) on all workstations and laptops. Encrypt portable storage devices including USB drives used for data transfers. Maintain encryption recovery keys in a secure, documented location separate from the encrypted devices themselves.

6. Virtual Private Network (VPN)

A VPN creates an encrypted tunnel for all data transmitted between remote devices and your firm's network. Any tax preparer who accesses client data from outside the office—including home offices, client sites, or while traveling—must use a VPN connection. Select a business-grade VPN service with strong encryption protocols (AES-256 minimum), a strict no-log policy, and kill switch functionality that blocks internet access automatically if the VPN connection drops unexpectedly.

Security Six Implementation Checklist

  • Install and configure professional-grade antivirus or EDR software on all devices that access taxpayer data
  • Deploy hardware and software firewalls with default-deny inbound rules and 90-day log retention
  • Enable multi-factor authentication on all tax software, email, cloud storage, and IRS e-Services accounts
  • Implement encrypted 3-2-1 backup strategy with quarterly restoration testing
  • Activate full-disk encryption (BitLocker or FileVault) on all workstations, laptops, and portable storage
  • Deploy business-grade VPN with AES-256 encryption for all remote access to firm systems

Bottom Line

The Security Six controls are the minimum baseline, not the full extent of IRS cybersecurity requirements for tax preparers. These six measures address the most common attack vectors, but full compliance also demands a Written Information Security Plan, employee training, EFIN protections, and ongoing monitoring. Treat the Security Six as your starting point—not your finish line.

Written Information Security Plan (WISP) Requirements

A Written Information Security Plan transforms ad-hoc security measures into a documented, compliant program meeting federal standards. The FTC Safeguards Rule explicitly requires financial institutions—including tax preparers—to develop, implement, and maintain written information security plans. For tax professionals, the WISP serves as the central compliance document demonstrating adherence to IRS cybersecurity requirements.

A compliant WISP must address every element mandated by the Safeguards Rule and detailed in IRS Publication 4557:

  • Qualified Individual: Designate a specific person to oversee and implement the information security program. In small firms, this is typically the owner or managing partner. The individual does not need formal cybersecurity credentials but must have the authority and resources to enforce the plan.
  • Risk Assessment: Identify reasonably foreseeable internal and external threats to client information, including employee error, physical theft, cyberattacks, vendor vulnerabilities, and natural disasters that could disrupt operations.
  • Safeguards Implementation: Design and deploy technical, administrative, and physical controls that address each identified risk. Map every control to the specific threat it mitigates.
  • Service Provider Oversight: Select vendors capable of maintaining appropriate security and contractually require them to safeguard client data. This applies to cloud hosting providers, tax software vendors, IT support firms, document storage services, and any third party with access to taxpayer information.
  • Incident Response Plan: Document step-by-step procedures for detecting, containing, and recovering from security incidents, including client notification protocols, regulatory reporting timelines, and communication templates.
  • Monitoring and Testing: Establish procedures for regular monitoring and testing of security controls, including vulnerability assessments, log reviews, and periodic penetration testing.
  • Program Evaluation: Periodically review and revise the entire security program based on monitoring results, emerging threats, technology changes, and operational updates.

Your WISP must be a living document, not a one-time checkbox. Every material change to your practice—new software, new employees, office relocation, changes to data handling procedures—should trigger a WISP review and update. At minimum, conduct a formal annual review even if no operational changes have occurred. Bellator Cyber Guard offers a WISP template designed specifically for tax preparers that covers all federal requirements and can be customized to your practice size and technology environment.

WISP Development Process

1. Inventory Systems and Data: Catalog every system, device, and location where taxpayer data is stored, processed, or transmitted. Include workstations, laptops, mobile devices, cloud services, physical file storage, and third-party vendor systems.
2. Conduct a Formal Risk Assessment: Identify internal and external threats to each system in your inventory. Evaluate the effectiveness of existing safeguards and document gaps between current protections and federal requirements.
3. Design and Select Safeguards: Choose technical, administrative, and physical controls that address each identified risk. Map controls to threats so regulators can see how your program covers every vulnerability.
4. Write the WISP Document: Compile your inventory, risk assessment, and safeguards into the formal written plan following the structure outlined in IRS Publication 4557. Assign the qualified individual and document all policies and procedures.
5. Train Staff and Deploy Controls: Roll out security controls across all systems, conduct initial employee security awareness training, and establish monitoring procedures. Document all training with dates, attendees, and topics.
6. Schedule Ongoing Reviews: Set quarterly check-ins to review security logs and incident reports. Conduct a full annual review of the entire WISP, updating risk assessments and safeguards as your practice evolves.

Employee Training and Security Awareness

Technical controls only work when staff understand how to use them correctly and recognize the threats those controls defend against. Both the FTC Safeguards Rule and IRS Publication 4557 require documented security awareness training for all employees who handle taxpayer data.

Compliant training programs must include initial security training for all new employees before they access any taxpayer data, annual refresher training covering current threats and updated procedures, role-specific training for staff with elevated access privileges or unique security responsibilities, and documented attendance records proving training completion for each session. The documentation requirement matters—training that is not recorded is training that regulators cannot verify.

Training content should cover phishing recognition and reporting procedures, password security and multi-factor authentication usage, secure handling of taxpayer documents in both digital and physical formats, incident reporting procedures and emergency contacts, acceptable use policies for firm systems and data, physical security requirements including clean desk policies, and remote work security procedures for distributed staff.

The most effective programs go beyond annual classroom sessions. Monthly phishing simulations test whether employees apply what they learned in realistic scenarios. Brief security reminders during tax season—when workloads peak and attention to procedure tends to slip—keep vigilance high when it matters most. Track simulation results over time to identify employees who need additional coaching and to measure your program's overall effectiveness.
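The documentation requirement above is easy to state and easy to let slip. The check below is an added example, not code from the original article: given employee records and a training log with dates, attendees and topics, it reports the two gaps the text names, data access that began before any documented initial training, and no documented session within the past 12 months. The employees and records are constructed sample data.

```python
"""Training-record completeness check (added example, not from the page).

Flags employees whose records would not satisfy a regulator or insurer:
access to taxpayer data before documented initial training, or no documented
session (initial or refresher) in the 12 months before the review date.
"""
from dataclasses import dataclass
from datetime import date, timedelta

REFRESHER_INTERVAL = timedelta(days=365)


@dataclass(frozen=True)
class Employee:
    name: str
    data_access_start: date   # first day the employee could access taxpayer data


@dataclass(frozen=True)
class TrainingRecord:
    employee: str
    course: str               # "initial" or "refresher"
    completed: date
    topics: str               # what was covered, as the attendance record should state


def training_gaps(employees, records, as_of: date) -> list:
    findings = []
    for emp in employees:
        theirs = sorted((r for r in records if r.employee == emp.name),
                        key=lambda r: r.completed)
        initial = [r for r in theirs if r.course == "initial"]
        if not initial or initial[0].completed > emp.data_access_start:
            findings.append(f"{emp.name}: no documented initial training before "
                            f"data access on {emp.data_access_start}")
        if not theirs or as_of - theirs[-1].completed > REFRESHER_INTERVAL:
            findings.append(f"{emp.name}: no documented training in the 12 months before {as_of}")
    return findings


# Constructed sample data, not real personnel records.
EMPLOYEES = [
    Employee("jdoe", date(2024, 1, 8)),
    Employee("asmith", date(2025, 11, 3)),
    Employee("rlee", date(2023, 2, 1)),
]
RECORDS = [
    TrainingRecord("jdoe", "initial", date(2024, 1, 5), "phishing, MFA, document handling"),
    TrainingRecord("jdoe", "refresher", date(2025, 12, 10), "current threats, remote work"),
    TrainingRecord("asmith", "initial", date(2025, 11, 10), "phishing, MFA"),   # a week after access began
    TrainingRecord("rlee", "initial", date(2023, 1, 25), "phishing, MFA, clean desk"),
    TrainingRecord("rlee", "refresher", date(2024, 10, 1), "incident reporting"),  # nothing since
]


def run_check(as_of: date = date(2026, 1, 15)) -> list:
    return training_gaps(EMPLOYEES, RECORDS, as_of)


if __name__ == "__main__":
    for finding in run_check():
        print(finding)
```

Feed it the real roster and training log before each annual WISP review; an empty result is the evidence that the training element of the plan is actually being maintained.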

EFIN Security and IRS e-Services Protection

Your Electronic Filing Identification Number (EFIN) requires dedicated protections beyond general network security. A compromised EFIN allows criminals to file fraudulent returns under your firm's identity, creating liability, regulatory scrutiny, and reputational damage that can take years to resolve.

EFIN security measures must include restricting access to specifically authorized personnel documented in your practice records, requiring each authorized user to maintain separate login credentials rather than sharing EFIN access, enabling multi-factor authentication on all IRS e-Services portal accounts including sub-accounts created for staff, and establishing monitoring procedures to detect unauthorized usage or suspicious activity patterns.

Build a monthly review of IRS e-Services activity logs into your security routine. Watch for unrecognized logins, unexpected return submissions, changes to contact information or bank account details, and access from unusual locations or IP addresses. The IRS provides these activity logs within e-Services portals—use them. Early detection of unauthorized EFIN usage can mean the difference between a contained incident and a full-scale fraud investigation involving your firm's identity.
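The monthly review described above can be scripted so that the same questions are asked of every export. The code below is an added example, not code from the original article or from the IRS: it parses activity records and flags the four patterns the text lists, users missing from the documented EFIN roster, access from outside the firm's documented networks, changes to contact or bank details, and return submissions outside business hours. The record layout is constructed for illustration and is not the real e-Services export format, so the parser is the part to adapt; the roster and network values are constructed sample values standing in for what the WISP would document.

```python
"""EFIN activity-log review (added example, not from the page or the IRS).

Reads activity records in a constructed CSV-like layout and returns one
alert per suspicious pattern. Adapt parse_events() to the real export.
"""
from dataclasses import dataclass
from datetime import datetime
import ipaddress

# Baseline drawn from the firm's WISP records (constructed sample values).
AUTHORIZED_USERS = {"jdoe", "asmith"}                        # documented EFIN users
OFFICE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # documentation range standing in for office egress
BUSINESS_HOURS = (7, 20)                                     # submissions expected 07:00-19:59 local
SENSITIVE_ACTIONS = {"CONTACT_CHANGE", "BANK_ACCOUNT_CHANGE"}

# Constructed sample log: ISO timestamp,user,source IP,action
SAMPLE_LOG = """\
# constructed sample, not a real e-Services export
2026-02-03T09:15:00,jdoe,203.0.113.10,LOGIN
2026-02-03T09:20:00,jdoe,203.0.113.10,RETURN_SUBMITTED
2026-02-03T02:40:00,asmith,198.51.100.7,LOGIN
2026-02-03T02:45:00,asmith,198.51.100.7,BANK_ACCOUNT_CHANGE
2026-02-03T02:50:00,asmith,198.51.100.7,RETURN_SUBMITTED
2026-02-03T11:00:00,tempuser,203.0.113.22,LOGIN
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    ip: str
    action: str


def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, ip, action = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), user, ip, action))
    return events


def review(events) -> list:
    """Return (event, reason) pairs for the patterns the monthly review looks for."""
    alerts = []
    start, end = BUSINESS_HOURS
    for e in events:
        if e.user not in AUTHORIZED_USERS:
            alerts.append((e, "login by user not on the documented EFIN roster"))
        addr = ipaddress.ip_address(e.ip)
        if not any(addr in net for net in OFFICE_NETWORKS):
            alerts.append((e, "access from outside documented firm networks"))
        if e.action in SENSITIVE_ACTIONS:
            alerts.append((e, "change to EFIN contact or bank account details"))
        if e.action == "RETURN_SUBMITTED" and not start <= e.ts.hour < end:
            alerts.append((e, "return submitted outside business hours"))
    return alerts


def review_sample() -> list:
    """Run the review over the constructed sample and format one line per alert."""
    return [f"{e.ts.isoformat()} {e.user} {e.ip}: {reason}"
            for e, reason in review(parse_events(SAMPLE_LOG))]


if __name__ == "__main__":
    for line in review_sample():
        print(line)
```

Every alert still needs a human decision, a partner working late from home is not an incident, but the point of scripting the review is that the questions are asked consistently every month and the answers can be filed as monitoring evidence.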

Common Compliance Mistakes and Real Enforcement Consequences

Even well-intentioned tax preparers make implementation errors that leave them non-compliant despite genuine security investments. Understanding these patterns helps you avoid wasted resources while achieving effective compliance with IRS cybersecurity requirements for tax preparers.

The most common failure is implementing controls without documentation. Installing antivirus software, configuring firewalls, and enabling MFA means nothing to regulators or insurance carriers if these measures are not recorded in your WISP. Without written evidence, compliance cannot be verified—regardless of what protections are actually in place. A tax practice with strong security but no documentation is, in the eyes of enforcement agencies, indistinguishable from a practice with no security at all.

Other frequent mistakes include treating the WISP as a one-time project rather than a living document that requires regular updates, failing to conduct refresher training after the initial onboarding session, using shared credentials for IRS e-Services and tax software rather than individual accounts, neglecting to encrypt portable devices and backup media, and assuming cloud-based tax software handles all security obligations automatically. Cloud providers manage infrastructure security, but your firm remains responsible for access controls, data handling policies, user training, and incident response.

Enforcement Actions Set Real Precedents

The Federal Trade Commission actively enforces Safeguards Rule compliance against financial services providers, and these cases create precedents that apply directly to tax preparers. Enforcement actions typically result in civil monetary penalties ranging from $10,000 to over $1 million depending on violation severity, mandatory compliance audits by independent assessors at the firm's expense, consent orders requiring specific security implementations with years of ongoing monitoring, and public disclosure of security failures that destroys client confidence and professional reputation.

State attorneys general pursue data breach cases under consumer protection laws and breach notification statutes with increasing frequency. The Verizon Data Breach Investigations Report consistently finds that small businesses face the same threat actors as large enterprises but with far fewer resources to detect and respond to attacks. For tax practices, a breach can trigger simultaneous federal and state investigations, client lawsuits, insurance claims, and IRS scrutiny of your EFIN and PTIN status—all at once.

The cost of prevention is a fraction of the cost of a breach. According to the IBM Cost of a Data Breach Report, the average breach now costs $4.88 million—a figure that would bankrupt most tax practices outright. Even smaller incidents involving a few hundred records can easily exceed $100,000 when you account for notification costs, forensic investigation, legal fees, regulatory fines, and lost clients. Investing in compliance before an incident occurs is not just a regulatory obligation—it is a straightforward business decision.

Achieving and Maintaining Compliance in 2026

Implementing a security program that meets IRS cybersecurity requirements for tax preparers delivers benefits well beyond avoiding penalties. Documented compliance qualifies your practice for cyber insurance premium reductions of 30–50%, substantially reduces breach likelihood through systematic risk management, provides structured incident response procedures that minimize damage when incidents do occur, and creates competitive advantages when serving security-conscious clients or firms that require vendor security documentation before sharing sensitive data.

Start your compliance implementation with these priorities. First, conduct a security assessment that inventories your current protections and identifies gaps against both the Security Six controls and WISP documentation requirements. Second, develop your Written Information Security Plan using IRS Publication 5708's sample WISP as a starting framework, then customize it to your practice's specific technology, staffing, and data handling procedures. Third, implement the Security Six technical controls systematically, prioritizing the highest-risk gaps identified in your assessment. Fourth, build a training program ensuring all staff understand security procedures and their individual responsibilities. Finally, establish ongoing maintenance procedures including quarterly log reviews, annual risk assessments, and continuous monitoring of systems and accounts.

If your practice lacks in-house security expertise, working with a managed security provider that specializes in tax and accounting firm protection eliminates the guesswork and ensures nothing falls through the cracks. The right partner handles technical implementation, WISP documentation, ongoing monitoring, and compliance updates so you can focus your time and energy on serving clients. Whether you choose to manage compliance independently or with professional support, the key is to start now—the cost of delay only increases as enforcement intensifies and threats evolve.

Frequently Asked Questions

IRS cybersecurity requirements are fully mandatory under federal law. The Gramm-Leach-Bliley Act classifies all tax preparers as financial institutions, making them subject to the FTC Safeguards Rule. This is not voluntary guidance—it carries the force of federal regulation. Non-compliance can result in criminal penalties under IRC Section 7216, civil fines under IRC Section 6713, FTC enforcement actions, and potential suspension of your Preparer Tax Identification Number (PTIN). Every tax professional who handles client financial information must comply, regardless of firm size or number of returns filed.

Having a documented compliance program provides significant protection even if a breach occurs. It demonstrates due diligence to regulators, which can reduce or eliminate fines. It satisfies cyber insurance requirements for claims payment, ensuring your policy responds when you need it. Your incident response plan—a required WISP component—provides an immediate action framework for containment and recovery. You must still comply with state breach notification laws, report to affected clients within required timeframes, and notify the IRS if taxpayer data was compromised. Documented compliance does not prevent all breaches, but it dramatically reduces the legal, financial, and operational fallout when one occurs.

The FTC Safeguards Rule requires periodic evaluation and adjustment of your security program. At minimum, review and update your WISP annually. You should also update it whenever material changes occur in your practice: adding new technology or software, hiring or terminating employees with data access, changing office locations, modifying data handling procedures, adding new service providers, or after any security incident. Document every review—even reviews that result in no changes—with the date, reviewer name, and findings.

Remote workers need all the same baseline protections as in-office staff, plus additional safeguards specific to working outside the office. Required measures include VPN connections for all access to firm networks and systems, full-disk encryption on every device used for remote work, multi-factor authentication for every system access, and written policies addressing use of personal devices, home network security, and restrictions on accessing taxpayer data from public WiFi without VPN protection. Your WISP must document these specific remote work security procedures, and remote employees need targeted training covering these requirements.

Technically, yes—but the practical answer depends on your technical expertise and firm size. The IRS provides free resources including Publication 4557 and sample WISP templates through Publication 5708. Solo practitioners with straightforward technology setups may be able to achieve compliance using these resources with careful effort. However, most multi-person firms benefit from professional guidance because the requirements are detailed and interconnected, documentation standards are specific, and the penalties for gaps are severe. The cost of expert assistance is typically a fraction of what a single penalty or breach incident would cost your practice.

Most cyber insurance carriers accept the following documentation for compliance-based premium reductions: your current, signed WISP with the most recent review date, evidence of Security Six implementation including vendor contracts, configuration screenshots, and license records, employee training records with dates, attendee lists, and topics covered, your written incident response plan, the most recent risk assessment with findings and remediation actions, and MFA verification for all systems containing client data. Providing a complete documentation package typically reduces premiums by 30–50% depending on the carrier and coverage level.

Tax preparers face penalties from multiple authorities simultaneously. IRC Section 7216 imposes criminal penalties of up to $1,000 in fines and one year imprisonment for knowing or reckless unauthorized disclosure of taxpayer information. IRC Section 6713 carries civil penalties of $250 per unauthorized disclosure, capped at $10,000 per person annually. The FTC enforces Safeguards Rule violations with civil penalties that have exceeded $1 million in enforcement actions, along with mandatory compliance audits and multi-year consent orders. State attorneys general can impose additional penalties from $5,000 to $750,000 depending on jurisdiction and severity. The IRS can also suspend your PTIN, preventing you from preparing federal returns entirely.

Yes. The GLBA and FTC Safeguards Rule apply to all tax preparers regardless of firm size. Solo practitioners must maintain a WISP, implement the Security Six controls, conduct risk assessments, and follow the same federal standards as multi-office firms. The scope and complexity of your security program scales appropriately—a sole proprietor's WISP will be shorter and more focused than a 50-person firm's—but the underlying requirements are identical. The IRS makes no exemption based on business size, number of returns prepared, or annual revenue.
