From ‘best practice’ to ‘required’: Securing your CPA firm in 2025

In my decades of working with CPA firms, I've consistently observed one troubling reality: While firms are well-versed in protecting client financial data through traditional means, many still lack a formalized security approach. This gap becomes even more concerning when you realize the frequency of threats:
- In 2024, the IRS received over 250 reports of data breach incidents from tax professionals, impacting more than 200,000 clients.
- Accounting firms face an average of 900 cyberattack attempts during tax season alone.
Despite the threats, many accountants continue operating under two dangerous assumptions: that their firm isn't an interesting target, or that their IT person has security "handled."
Both assumptions are wrong. Accounting firms are increasingly targeted specifically for their access to tax applications and data, which can be quickly monetized by hackers. Plus, many accountants maintain a somewhat lackadaisical attitude toward security, making them easier targets.
WISP: More Than Just Paperwork
When you renew your PTIN, you confirm awareness of your "legal obligation to have a data security plan." This Written Information Security Plan (WISP) isn't just regulatory compliance — it's your firm's roadmap for protecting sensitive information.
A comprehensive WISP needs to include several key components to ensure complete protection of sensitive information. Completing a compliant WISP is a feat that most firms, in my experience, would not be able to manage on their own unless they have a dedicated IT department.
For this reason, my recommendations vary by your firm’s staffing demographics:
- Firms without an IT consultant: You will need expert help to create your WISP.
- Firms with an outside IT consultant: Your IT consultant may be able to help gather pertinent information, but if they do not have prior experience managing WISP creation, find a firm-specific consultant to help.
- Firms with a dedicated IT team: Your team may be able to help create a compliant WISP. Expect the process to last a few weeks, at least, and plan for recurring updates at least annually.
If you choose to take on WISP creation alone, ensure you have read through all necessary documentation from the FTC, NIST, FCC, and IRS, as well as trusted DIY resources:
- IRS Publication 5708: "Creating a Written Information Security Plan for your Tax & Accounting Practice"
- How to create your WISP (plus free template)
Personnel training
Your security strategy is only as strong as your weakest link — which is often the human element. A well-executed WISP will have noted administrative safeguards, such as records of employee security policy training. Simply noting this information is only one piece of the puzzle.
To ensure you and your staff are keeping up with the latest cybersecurity threats impacting firms, and receive proper training to address those threats, I recommend signing up with a firm-specific training program. General security training is a good start, but CPAs must be aware of the more targeted threats.
Look for a provider offering:
- Year-round educational videos
- Ongoing simulated phishing attempts
- Social engineering awareness
- Warning signs of compromise
- Steps to take when a breach is suspected
Training shouldn't be a one-and-done event. Scheduling regular reminders about phishing threats is particularly important during tax season and holidays when scams peak.
Take action now
While there's no 100% effective way to prevent cybersecurity breaches, a proactive approach combining robust technical controls, comprehensive personnel training, and a formalized security plan will significantly reduce your firm's risk exposure.
Stay safe out there!
Roman H. Kepczyk, CPA.CITP, CGMA is director of Firm Technology Strategy for Rightworks and partners exclusively with accounting firms on production automation, application optimization and practice transformation. He has been consistently listed as one of INSIDE Public Accounting’s Most Recommended Consultants, Accounting Today’s Top 100 Most Influential People, and CPA Practice Advisor’s Top Thought Leaders.