Technology Blog »

Cybersecurity Requirements CPAs & Tax Preparers Must Implement in 2024

An image depicting cybersecurity requirements for CPAs and Tax Preparers in 2024

Cybersecurity Requirements for CPAs and Tax Preparers in 2024: Navigating IRS 4557, State Obligations, and the Security Six

Ticking the Right Boxes for Data Security

While IRS Publication 4557 offers voluntary guidelines, ticking the "Data Security Responsibilities" box on the W-12 PTIN renewal form demands a tangible commitment to cybersecurity. To comply in good faith, you need an Information Security Plan (ISP) that's circulated throughout your organization—ideally coupled with training. 

Navigating the Security Six

Beyond the ISP, CPAs and tax preparers must embrace a multi-layered approach to cybersecurity. Here's a breakdown of the essential "Security Six" practices:

  1. Risk Assessment and Security Plan: Conduct a thorough risk assessment to identify potential threats and vulnerabilities. Develop a written ISP detailing the safeguards you'll implement to address those risks.
  2. Access Controls: Fortify your systems with multi-factor authentication (MFA) for sensitive accounts. Implement a "least privilege" approach, granting access only to those who need it. Track employee access for accountability.
  3. Data Encryption: Encrypt sensitive data both in transit and at rest. Ensure your encryption methods meet industry standards.
  4. Software Security: Keep all software up-to-date with the latest security patches. Implement a vulnerability management program to identify and patch vulnerabilities proactively.
  5. Incident Response Plan: Develop and test a comprehensive incident response plan for handling data breaches and other security incidents. Outline communication protocols, data recovery procedures, and mitigation strategies.
  6. Security Awareness Training: Educate employees on cybersecurity best practices, including Phishing awareness, password hygiene, and secure data handling procedures.

State-Specific Obligations for Enhanced Data Security:

New York:

  • New York Data Security Law: Mandates reasonable security practices for personal data, including risk assessments, data encryption, incident response plans, and breach notification procedures.
  • New York Public Accountancy Act: Section 102 requires CPAs to exercise "due care" in their work, potentially encompassing data security measures.

New Jersey:

  • New Jersey introduces  NJ DaTA: NJ has introduced an Assemble Bill A505, New Jersey Disclosure and Accountability Transparency Act, also known as the NJ DaTA mandates reasonable security practices for personal data and breach notification.
  • New Jersey Public Accountants Law: Section 47:3-6 requires CPAs to exercise "reasonable care and skill," potentially including data security measures.


  • Florida Statute 815.062: Requires organizations handling financial information to have "reasonable security" measures in place.
  • Florida Board of Accountancy Rules: Rule 51A-50.040 requires CPAs to "preserve confidentiality of information," potentially encompassing data security measures.

Beyond the Basics: Additional Considerations for 2024:

  • FTC Safeguards Rule: This applies to many tax preparers and accounting firms, further strengthening data security requirements.
  • Phishing Vigilance: Remain vigilant against phishing attacks, a major threat to CPAs and tax preparers.
  • Cloud Security: Use reputable cloud providers with robust security practices, understanding their controls and alignment with your requirements.


Cybersecurity: A Continuous Journey, Not a Destination

Remember, cybersecurity is an ongoing journey, not a destination. Regularly review and update your security measures to stay ahead of evolving threats. By embracing these state-specific obligations, IRS recommendations, industry best practices, and the Security Six, you can protect your clients' data your business reputation, and build trust in today's digital landscape.