The IRS Requires a Cybersecurity Plan. Most Tax Preparers Don't Have One.
Every tax preparer is required to maintain a Written Information Security Plan. The FTC Safeguards Rule adds another layer. Here's what's actually required and why it matters now.
If you prepare tax returns for clients, the IRS requires you to have a Written Information Security Plan. It’s not optional. It’s not a suggestion. It’s a requirement under IRS Publication 4557, and it applies to every firm regardless of size.
The National Association of Tax Professionals just partnered with a cybersecurity firm to launch an AI governance and cybersecurity curriculum specifically for tax professionals. The fact that a major industry group felt this was urgent enough to build a dedicated program tells you something about where the profession stands: most firms know they need a plan, but many don’t actually have one that would survive scrutiny.
What the IRS actually requires
IRS Publication 4557 (“Safeguarding Taxpayer Data”) lays out the expectation: every tax professional must create and maintain a Written Information Security Plan (WISP). The plan needs to cover how you protect client data across your entire operation, from intake through storage and eventual disposal.
At minimum, a WISP should address:
- Risk assessment. What data do you have, where is it stored, and what are the threats to it?
- Access controls. Who in your firm can access client tax data, and how is that access managed?
- Physical security. Are servers, workstations, and paper files in locked, controlled areas?
- Employee training. Does your staff know how to recognize phishing, handle sensitive data, and report incidents?
- Incident response. If something goes wrong, what’s the plan? Who do you contact, and in what order?
- Vendor management. If you use a cloud tax platform, a document portal, or an IT provider, how are you verifying their security practices?
The IRS doesn’t prescribe a specific format. But it does expect the plan to exist, to be written down, and to be reviewed regularly.
The FTC Safeguards Rule adds teeth
CPA firms and tax preparers are also classified as “financial institutions” under the FTC’s Safeguards Rule (updated in 2023). That classification brings federal cybersecurity requirements that go beyond what the IRS alone mandates.
The Safeguards Rule requires:
- A designated qualified individual responsible for information security (this can be outsourced)
- Written risk assessments performed periodically
- Encryption of client data both in transit and at rest
- Multi-factor authentication for anyone accessing client information
- Continuous monitoring or annual penetration testing
- An incident response plan
- Reporting to your board or governing body (for firms large enough to have one)
The enforcement mechanism is real. The FTC can bring action against firms that fail to comply, and state attorneys general can pursue violations as well. Iowa’s AG office has been increasingly active on consumer data protection enforcement.
Why this matters right now
Three things are converging:
Cyber insurance carriers are asking. If your firm carries a cyber insurance policy (and you should), your next renewal questionnaire will almost certainly ask whether you have a WISP, whether you’ve conducted a risk assessment in the past 12 months, and whether you enforce MFA. Answering “no” to any of these can result in higher premiums, reduced coverage, or outright denial.
AI tools are expanding the attack surface. If your staff is using AI tools to draft client communications, summarize financial documents, or research tax positions, that’s client data flowing through systems you may not have evaluated. The NATP’s new AI governance curriculum exists because the profession recognizes this is a gap.
The IRS is increasing enforcement visibility. The IRS Criminal Investigation division works with the FBI on tax-related identity theft cases. Firms that suffer breaches without having a documented security plan face significantly more scrutiny, and potentially more liability, than those that can demonstrate they took reasonable precautions.
What “reasonable” actually looks like
You don’t need a 50-page document or a six-figure security budget. For a small CPA firm, a reasonable WISP and Safeguards Rule compliance program looks like:
- A documented plan. Written down, reviewed annually, signed by the firm’s designated security person.
- MFA everywhere. On your email, your tax software, your document portal, your cloud storage. No exceptions. (And be aware that some newer attacks bypass MFA entirely, which is why monitoring matters too.)
- Encrypted client data. Both on your local systems and in transit. If you’re emailing client documents unencrypted, that’s a compliance gap.
- Annual security training. At least once a year, everyone in the firm needs training on phishing recognition, data handling, and incident reporting.
- Managed endpoint protection. Antivirus alone hasn’t been sufficient for years. You need endpoint detection and response (EDR) that’s actively monitored.
- A qualified IT provider. The Safeguards Rule explicitly allows you to outsource the “qualified individual” role. But you need someone who understands both the technical requirements and the regulatory context.
The gap between “we’re fine” and “we’re compliant”
Most small CPA firms have some security measures in place: password policies, maybe a firewall, probably some form of backup. The issue isn’t that they have zero security. It’s that they don’t have the documentation, the formal risk assessment, or the incident response plan that regulators and insurers expect.
The difference between “we’re pretty careful” and “we can demonstrate compliance” is usually a few hours of focused work with someone who knows the requirements. It’s not expensive or disruptive. But it does need to be done intentionally, not assumed.
If your firm handles client financial data and you can’t point to a written security plan that addresses IRS 4557 and FTC Safeguards Rule requirements, that’s worth fixing before your next insurance renewal asks you to certify it in writing.