“Protect Your Clients; Protect Yourself.” 

This familiar phrase from the IRS serves as a timely reminder for all CPAs and tax professionals to stay protected, especially as tax season approaches. For CPA firms, the message underscores a critical reality: protecting your clients' data is not just about compliance; it is about safeguarding your reputation, your clients' trust, and the integrity of your firm.

At its Security Summit in July 2025, which was geared specifically toward tax professionals, the IRS emphasized that organized identity-theft schemes, phishing attacks, and ransomware campaigns still target CPA firms and electronic filing systems. This is a vital reminder for tax professionals to remain vigilant and strengthen internal controls ahead of the next filing season.

As cybercriminals grow more sophisticated, IRS data security guidance consistently emphasizes that even start-up firms should implement enterprise-level protections that combine technology, training, and tested response plans to lower risk and meet evolving federal standards.

This post explains what the updated IRS data security guidance means, how it affects CPA operations, and the practical steps firms should take to adapt: strengthening cybersecurity, meeting federal expectations, and protecting clients' confidence.

What Are the Recent IRS Data Security Updates for CPA Firms?

Publication 1075: Tax Information Security Guidelines 

Publication 1075 provides security guidelines for financial institutions with access to Federal Tax Information (FTI) and serves as the reference for the policies, practices, controls, and safeguards required to protect the confidentiality of FTI. Since January 1, 2025, all recipients of FTI, including tax professionals, contractors, and government agencies, are required to follow stronger security and privacy controls under the revised Publication 1075.

The expanded scope covers every organization that accesses, stores, transmits, or processes FTI, with responsibility shared among vendors, teams, and systems. Role-based security awareness training must be conducted annually for all employees, alongside an ongoing insider-threat program. Publication 1075 also requires controlled access protection, both physical and system-level, so that unauthorized individuals cannot reach sensitive information.

Organizations must also maintain adequately documented incident response procedures for FTI-related security incidents, including the requirement to report such incidents to the IRS Office of Safeguards.

IRS Publication 4557 

Publication 4557 is the IRS's practical cybersecurity handbook for tax professionals, including CPA firms. It offers guidance on risk assessments, access controls, encryption, employee training, backup procedures, patching, and vendor management. Firms must document how each control applies to them and maintain audit records of their cybersecurity activities.

Bringing your internal policies and procedures into alignment with Publication 4557 strengthens your overall security posture and prepares you for audits, regulatory inquiries, and cyberattacks. Treat Publication 4557 as more than a checklist: it is a strategic document that demonstrates your firm is actively reducing data risk.

Publication 5708: Written Information Security Plan (WISP) is Now Mandatory 

A WISP spells out how your firm prevents, detects, responds to, and recovers from security breaches. Publication 5708 provides IRS guidance and a WISP template, and stresses that plans must be current, tailored to the practice, and exercised regularly. Oral or informal policies no longer suffice.

All tax professionals must have a Written Information Security Plan (WISP); this is a regulatory requirement under the FTC Safeguards Rule.

Whether your practice has one partner or many, your WISP must be written, kept up to date, and auditable. Review it at least annually and whenever the business changes materially. During an audit or enforcement review, the IRS or FTC may ask to see it. A WISP demonstrates compliance and signals that your practice takes the protection of taxpayer information seriously.

A WISP designed to comply with 2025 standards should include: 

1. Data mapping and inventory: Inventory all taxpayer data, where it is stored, and how it moves.

2. The Security Six: enterprise-level cybersecurity controls:

  • Anti-virus software
  • Properly configured firewalls
  • Two-factor authentication (2FA) on every high-value system
  • Encryption of data at rest and in transit
  • Secure data backups
  • Secure communication channels, such as encrypted email and client portals

How CPA Firms Need to Adapt to the New IRS Data Security Guidelines

Multi-Factor Authentication (MFA) 

IRS data security guidance now sets multi-factor authentication (MFA) as a minimum requirement on all systems that handle taxpayer data. Passwords alone are no longer enough to protect client data. MFA adds a layer of protection by requiring users to prove their identity with more than one factor; an IRS data security plan would, for example, specify authenticator applications or hardware devices rather than the less secure SMS-based verification.

MFA must be enabled on all employee accounts, administrative access, and remote-access tools, covering IRS e-Services, e-file sites, tax software, cloud services, and client-facing applications. MFA significantly reduces the risk posed by stolen credentials and shows clients that your firm takes data security seriously.

FTC Safeguards Rule Alignment and Enforcement Risk 

IRS data security guidance has consequently expanded its alignment with the FTC Safeguards Rule, under which tax preparers are treated as federally covered financial institutions. Compliance now requires maintaining a complete written security program, designating a qualified individual to oversee data protection, conducting ongoing risk assessments, and monitoring service providers.

Non-compliance has severe repercussions, ranging from FTC investigations to loss of e-file authorization, state fines, and reputational damage. Even if your firm has cybersecurity controls in place, poorly documented evidence will lead to non-compliance findings. In short, documentation is as vital as the security controls themselves.

Incident Response and Breach Readiness 

An approved incident response plan is the minimum requirement for CPA firms. Your WISP must include such a plan, specifying procedures for detecting, containing, investigating, and recovering from security incidents, as well as procedures for notifying clients, the IRS, and law enforcement.

Firms must maintain up-to-date contact lists for internal responders, insurers, and attorneys, and prepare notification templates in advance. Annual tabletop exercises or simulations keep employees ready to act quickly and effectively. Swift, coordinated action minimizes regulatory risk and protects your firm's reputation.

Vendor and Third-Party Oversight 

The IRS data security guide stresses shared responsibility in vendor management. CPA firms must ensure that all service providers, including cloud vendors, software vendors, and e-file transmitters, have adequate security controls in place, and contracts must include data-protection and breach-notification requirements.

Even when third-party vendors handle confidential data, your firm remains ultimately accountable for compliance. Conduct thorough due diligence up front, request security attestations such as SOC 2 reports, include cybersecurity terms in contracts, and monitor your vendors' security posture regularly. A single weak link can undermine your entire compliance program, so vendor monitoring is not optional.

Conclusion 

As CPA firms navigate an ever-expanding regulatory and digital environment, the value of sound data protection cannot be overstated. Preserving client data is a fundamental responsibility that goes beyond compliance; it reflects your firm's commitment to trust, professionalism, and long-term success.

Through proactive measures, effective policies, and a culture of security awareness, firms can reduce risk, respond effectively when incidents do occur, and uphold the trust their clients place in them. Staying responsive and vigilant means your firm is prepared for today's challenges and resilient against tomorrow's attacks.