
The 2026 Tax-Season Cybersecurity Checklist for Accounting Firms

If the IRS asked today, could your firm produce its WISP, breach response plan, and training logs in under five minutes? This is the checklist that makes the answer yes.

April 22, 2026 · 8 min read

The five-minute test

Tax firms lose client trust one incident at a time, and the IRS is paying closer attention every year. Publication 4557 tells you what is required. The FTC Safeguards Rule tells you how to prove it. Your clients, who trust you with Social Security numbers, bank accounts, and their most private financial history, quietly expect all of it to be handled.

Here is a simple test: if a new IRS reviewer walked into your office tomorrow and asked to see your Written Information Security Plan, your most recent phishing training log, your last password policy update, and your breach response plan, could you produce all four in under five minutes?

For most small firms, the honest answer is no. Not because owners do not care, but because the rules are scattered across at least three authorities and the tools are built for IT departments that small firms do not have.

This checklist fixes that. Run through it once before your next filing season. Fix the gaps. Save the evidence. Move on.

1. Written Information Security Plan (WISP)

Required by the IRS for every tax preparer, required by the FTC Safeguards Rule for every firm that handles customer financial information. Not optional, not a template you store and forget.

  • You have a written WISP dated within the last 12 months.
  • It names a qualified individual responsible for security (owner, employee, or outsourced provider is acceptable).
  • It lists all systems and vendors that touch client data.
  • It documents your access controls, encryption standards, and backup process.
  • It includes your incident response plan and notification obligations by state.
  • Every employee has read it and signed an acknowledgment.

If your WISP is a PDF you downloaded in 2019 and never touched again, it is not a WISP. It is a liability with a filename.

2. Endpoint protection

Every device that touches client data is a potential entry point. Firms that rely on consumer antivirus products built for grandparents are not protected. They are insured against 2010 threats.

  • Business-grade endpoint detection and response is installed on every firm-owned laptop, desktop, and server.
  • Remote devices used for preparer work are covered, not excluded.
  • A 24/7 security operations center is receiving alerts from those devices.
  • Ransomware behavioral detection is enabled, not just file-based scanning.
  • You have a documented process for isolating a compromised device in under an hour.

3. Email and phishing defense

More than nine out of ten attacks on accounting firms start with email. A spoofed IRS notice, a fake W-9 request from a client, an invoice from a vendor you actually use. The sophistication now exceeds what human judgment alone can catch reliably.

  • Advanced email filtering is in place on every firm mailbox.
  • Multi-factor authentication is enforced on email, practice management software, and portals.
  • Impersonation protection is configured for the owner, the managing partner, and anyone who requests wires.
  • Employees have completed a phishing training module in the last 90 days.
  • You have run at least one controlled phishing simulation and retrained anyone who failed.

4. User training and access

The IRS treats training as a security control, not a nice-to-have. It expects you to prove that people know what phishing is, what to do if a device is lost, and how to report a suspicious request.

  • Every employee has completed security awareness training in the current year.
  • Training records are stored and retrievable. If the IRS asks, you can produce them.
  • Access to client data is granted by role, not by default. Seasonal staff and interns get the minimum they need, for the minimum window they need it.
  • When someone leaves, their access is revoked the same day, across every system.

5. Incident response

An attack that is contained in an hour is a bad morning. An attack that is contained in a week is an existential event. The difference is almost always preparation, not luck.

  • You have a written incident response plan with named contacts for legal, cyber insurance, and technical response.
  • You know which state notification laws apply based on where your clients live, not just where your firm is located.
  • You have pre-drafted client notification templates that your attorney has reviewed.
  • You have tested a restore from backup in the last 90 days and confirmed the restore actually works.
  • If you use cyber insurance, you know the phone number to call, before you need it.

6. Vendor management

If your tax software, your practice management system, your payroll provider, or your document portal gets breached, your clients will not read the press release. They will call you.

  • You keep a list of every vendor with access to client data.
  • For each vendor, you have verified they carry appropriate certifications (SOC 2 Type II at minimum).
  • You have a signed data processing agreement with every vendor that stores client data.
  • When you stop using a vendor, you follow up and confirm your data was deleted.

7. The evidence folder

Everything above is only as good as your ability to prove it when asked. Create one folder, physical or digital, labeled Security Evidence, and keep these artifacts in it:

  1. The signed WISP, dated within the last 12 months.
  2. The most recent phishing simulation results and remediation notes.
  3. Current training completion records for every employee.
  4. A current inventory of devices, users, and vendors.
  5. The last three months of alerts closed by your security operations center (a one-page summary is fine).
  6. Cyber insurance policy with named claims contact.
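The evidence folder is only useful if its contents are current, and the freshness windows are scattered across sections 1, 3, 5 and 7 above (WISP within 12 months, phishing simulation and training module within 90 days, restore test within 90 days, training records for the current year). The script below is an added example, not code from the original post or from any product it mentions; it reads a constructed manifest of artifact names and ISO dates (the artifact keys and the manifest itself are assumptions for the example) and reports which items are stale or missing as of a chosen review date, so the check can be rerun before each filing season.

```python
"""Evidence-folder currency check (added example, not from the original post).

Input is a manifest mapping an artifact key to the ISO date it was last
produced. The freshness windows are taken from the checklist; the artifact
keys below are assumed names chosen for this example.
"""
from datetime import date, timedelta

# Freshness rule per artifact. ("days", N): not older than N days as of the
# review date. ("year",): dated within the review date's calendar year.
RULES = {
    "wisp_signed": ("days", 365),                 # section 1: within 12 months
    "phishing_simulation": ("days", 90),          # section 3: simulation run
    "phishing_training": ("days", 90),            # section 3: training module
    "training_records": ("year",),                # section 4: current year
    "backup_restore_test": ("days", 90),          # section 5: restore tested
    "device_user_vendor_inventory": ("days", 365),
    "soc_alert_summary": ("days", 90),            # section 7: last three months
    "cyber_insurance_contact": ("days", 365),
}


def check_evidence(manifest, as_of):
    """Return {artifact: 'ok' | 'stale' | 'missing'} for every rule."""
    findings = {}
    for key, rule in RULES.items():
        if key not in manifest:
            findings[key] = "missing"
            continue
        produced = date.fromisoformat(manifest[key])
        if rule[0] == "days":
            stale = produced < as_of - timedelta(days=rule[1])
        else:
            stale = produced.year != as_of.year
        findings[key] = "stale" if stale else "ok"
    return findings


def gaps(manifest, as_of_iso):
    """Sorted list of artifacts that are stale or missing on the review date."""
    findings = check_evidence(manifest, date.fromisoformat(as_of_iso))
    return sorted(k for k, status in findings.items() if status != "ok")


# Constructed sample manifest: a firm reviewing its folder on 2026-04-22.
SAMPLE_MANIFEST = {
    "wisp_signed": "2025-03-01",        # older than 12 months -> stale
    "phishing_simulation": "2026-02-10",
    "phishing_training": "2026-04-01",
    "training_records": "2025-12-15",   # prior calendar year -> stale
    "backup_restore_test": "2026-03-30",
    "device_user_vendor_inventory": "2026-01-05",
    "soc_alert_summary": "2026-04-15",
    # cyber_insurance_contact deliberately absent -> missing
}

if __name__ == "__main__":
    for key, status in check_evidence(SAMPLE_MANIFEST, date(2026, 4, 22)).items():
        print(f"{status:8} {key}")
    print("fix list:", gaps(SAMPLE_MANIFEST, "2026-04-22"))
```

Running it on the sample manifest flags the 2019-style WISP problem the post describes (a plan dated more than 12 months ago), last year's training records, and the absent insurance contact; everything else passes. Point it at your own manifest and rerun it at the start of each season.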

What to do this week

If this list left you with more red marks than you expected, that is normal. Most firms are in the same position until they make a deliberate move. The firms that avoid a bad year are the ones that stop treating security as a tax-season emergency and start treating it as a background utility, like the internet itself.

Start with the three items that would hurt the most if a breach happened tomorrow: a current WISP, business-grade endpoint protection, and multi-factor authentication on email. Those three close roughly 80 percent of the realistic risk for a small tax firm. Everything else in this checklist adds depth.

The cost of doing this is measured in hundreds of dollars a month. The cost of not doing it starts at $50,000 in FTC fines and rises from there.

A 15-minute conversation with our team will tell you where you actually stand and what, if anything, you need to fix before your next filing season. No pitch. Just an honest read on your exposure and the fastest way to close the gaps that matter.
