IRS Cybersecurity Requirements for CPAs and Accounting Practices
In its efforts to combat identity theft and related tax refund fraud, the IRS in October 2022 issued Publication 5708, which imposes new cybersecurity obligations on tax professionals, including CPAs and accounting practices. In addition, tax and accounting professionals are considered financial institutions under the Gramm-Leach-Bliley Act (GLBA) and are required to comply with the FTC’s Safeguards Rule.
These obligations all focus on the requirement that firms protect their information systems as well as the consumer information stored in them.
Central to these obligations is the creation and implementation of a Written Information Security Plan, or “WISP”. A typical WISP will require each firm to:
a. Designate employee(s) to coordinate its information security program
b. Identify and Assess Risks to customer information in each aspect of a company’s operation, and evaluate the current safeguards for controlling these risks
c. Design, Implement, Regularly Monitor and Test a safeguards program
d. Use Service Providers with Similar Consumer Information Safeguards, required through contract terms
e. Evaluate and Adjust Program reflecting changed relevant circumstances (e.g., business operations, results of security assessments and tests, legal input)
The FTC Safeguards Rule also applies to other businesses considered to be financial institutions, including mortgage brokers, real estate appraisers, universities, non-bank lenders, and check cashing businesses.