Even More Cybersecurity Compliance Rules for CPAs 2025
by Rich Delaney, CSO
Cybersecurity regulations continue to evolve, and 2025 brings more compliance rules that Certified Public Accountants (CPAs) must be aware of at both the federal and state levels. Because financial professionals handle sensitive client information, regulators are further tightening cybersecurity requirements to reduce the risk of data breaches. Here is what CPAs in the U.S., and specifically in New York and New Jersey, need to know to stay compliant.
Federal Cybersecurity Compliance Rules for CPAs in 2025
The Financial Crimes Enforcement Network (FinCEN) Beneficial Ownership Information (BOI) reporting rule under the Corporate Transparency Act reached its filing deadline for companies formed before 2024 on January 1, 2025. The rule affects many business entities, including LLCs and foreign-owned U.S. entities, and CPAs who advise or file on behalf of those entities should be prepared to:
Report the expanded beneficial ownership details the rule requires.
Comply with stricter Know Your Customer (KYC) and Anti-Money Laundering (AML) protocols.
Maintain enhanced data privacy measures to protect sensitive client information collected for these filings.
Avoid civil penalties of up to $500 per day (adjusted for inflation) for willful non-compliance.
Additionally, broader data privacy and cybersecurity laws have been enacted, requiring CPA firms to implement even stronger cybersecurity measures to protect client financial data from cyber threats.
New York’s Updated Cybersecurity Compliance Rules for 2025
New York continues to strengthen its cybersecurity requirements. The New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR Part 500) was amended in November 2023, and its requirements are being phased in, with a major set of provisions effective November 1, 2024 and the remaining ones effective November 1, 2025. CPAs working with DFS-regulated financial institutions, or who are themselves covered entities, should be prepared for the following:
Independent Cybersecurity Audits: The largest firms (Class A companies) must conduct regular independent audits of their cybersecurity programs.
Annual Cybersecurity Policy Approvals: Policies must be reviewed and approved at least annually by senior management or the governing body.
Chief Information Security Officer (CISO): Covered entities must designate a CISO to oversee the cybersecurity program and report on it to the board or governing body.
Stronger Vulnerability Management: Firms must perform annual penetration testing, automated vulnerability scanning, and timely remediation and patching of identified vulnerabilities.
Multi-Factor Authentication (MFA) Compliance: MFA is required for any individual accessing the covered entity's information systems, including the systems that hold financial data and client records; this universal MFA requirement takes full effect on November 1, 2025.
Incident Response Plans: Firms must develop, maintain, and test written incident response and business continuity and disaster recovery plans to prepare for cyber incidents.
Failure to comply with these expanded regulations could result in fines, legal action, and reputational damage.
New Jersey’s Expanded Cybersecurity Compliance Rules for CPAs in 2025
New Jersey is also moving toward stronger data protection mandates for CPAs and financial professionals. The Disclosure and Accountability Transparency Act (NJ DaTA), a bill that has been introduced in the New Jersey Legislature, would establish firm security requirements, including:
Enhanced Security Measures: CPA firms must implement risk-based security controls to safeguard sensitive financial data.
Breach Notification Obligations: Firms must promptly report data breaches to affected clients and to the relevant regulatory authorities, in addition to the notice already required under New Jersey's existing breach notification law.
Professional Conduct Standards: Under the New Jersey Public Accountants Law (Section 47:3-6), CPAs must exercise reasonable care and skill, which includes following strict cybersecurity protocols.
To ensure compliance with these evolving cybersecurity rules, CPAs should take the following proactive measures:
Conduct a Cybersecurity Risk Assessment: Identify vulnerabilities in your current security framework.
Implement Multi-Factor Authentication (MFA): Secure access to sensitive financial data and client accounts.
Appoint a Chief Information Security Officer (CISO) or Security Lead: Even small firms should have a dedicated cybersecurity professional.
Train Employees on Cybersecurity Best Practices: Reduce risk by ensuring all staff understand phishing attacks, data protection, and secure file-sharing methods.
Update Incident Response and Business Continuity Plans: Prepare for potential cyber incidents with pre-defined action steps.
Work with a Managed IT Services Provider (MSP): Partnering with cybersecurity experts like Delaney Computer Services (DCS) can ensure compliance with federal and state regulations while enhancing your firm’s security posture.
Final Thoughts
As cyber threats continue to evolve, so do the rules designed to protect financial data. CPAs operating in New York, New Jersey, and across the U.S. must stay informed and compliant with the latest cybersecurity mandates to avoid penalties and protect their clients. If you need assistance ensuring compliance with the latest cybersecurity rules, Delaney Computer Services (DCS) specializes in cybersecurity solutions tailored for CPA firms.
Contact us today to learn how we can help secure your firm and maintain full regulatory compliance in 2025 and beyond.