Tax Time Again: IT Security for Accounting Firms

Jeff Cook, SOC Director, Coalfire

As the end of another busy tax season approaches, it is important for accounting firms to remember their obligations related to data security. Accounting firms maintain a significant amount of data on behalf of their own employees and clients. These firms house financial records, tax information, corporate intellectual property, legal documents, healthcare records, and other personal information, all of which is valuable to cybercriminals. This data can be held for ransom, used to file fraudulent tax returns, or sold on the dark web. Should this occur, firms could face a loss of reputation, clients, and money. In the months leading up to April, the number of client engagements (and the volume of client data on hand) increases significantly, which in turn increases risk.

To help combat this, Federal law gives the Federal Trade Commission (FTC) authority to set data safeguard regulations, according to IRS Publication 4557, Safeguarding Taxpayer Data. Under the FTC Safeguards Rule, tax return preparers (and firms) must create and enact security plans to protect client data. 

As summarized, the FTC Safeguards Rule states that firms must:

  • Have security plans appropriate for the firm’s size and complexity, nature and scope of activities, and the sensitivity of the client data it maintains
  • Have designated employee(s) to coordinate the Information Security program
  • Identify and assess risks to client information, as well as evaluate and monitor the effectiveness of how those risks are addressed
  • Have a vendor management (oversight) program for any service providers that also maintain client data to determine their appropriate safeguards
  • Adjust the Information Security program as necessary for any changes (including firm business or operations, or results of testing and monitoring) 

*** Do not delay implementing corrective actions based on findings!***

Online providers of individual income tax returns must also comply with IRS Publication 1345, Handbook for Authorized IRS e-file Providers of Individual Income Tax Returns. Specifically, firms must comply with the six security and privacy standards set forth in that publication:

  1. Minimum encryption standards for data transmission
    1. Have a valid and current Extended Validation SSL Certificate using SSL 3.0 / TLS 1.0 or later (this is the floor stated in the publication; SSL 3.0, TLS 1.0 and TLS 1.1 are now deprecated and fail the PCI DSS scans required in item 2, so configure TLS 1.2 or later in practice)
    2. Have minimum 1024-bit RSA and 128-bit AES (again the published floor; 1024-bit RSA is no longer acceptable to browsers or NIST, so current certificates should use 2048-bit RSA or larger)
  2. External vulnerability scans
    1. Contract with an independent third-party vendor that is certified by the Payment Card Industry (PCI) Security Standards Council (SSC) and listed as a current Approved Scanning Vendor (ASV)
    2. Execute weekly external network vulnerability scans of all system components according to PCI Data Security Standard (DSS) requirements
    3. If the firm system(s) are hosted by another organization, that organization must also comply with PCI DSS requirements
  3. Information privacy and safeguard policies
    1. Policies should be developed to satisfy the following statement: “We maintain physical, electronic, and procedural safeguards that comply with applicable law and federal standards”
    2. Firm compliance with these policies must be certified by a privacy seal vendor acceptable to the IRS
  4. Website challenge-response test
    1. Implement an effective challenge-response protocol (e.g., CAPTCHA)
    2. No data is to be collected, transmitted, or processed until successful completion of the test
  5. Public domain name registration
    1. Provider website must be registered with a domain name registrar that is in the United States and accredited by the Internet Corporation for Assigned Names and Numbers (ICANN)
    2. Domain name must be locked and not private (registrar transfer lock enabled, with registrant contact information publicly visible rather than hidden behind a privacy/proxy service, so the IRS can verify who owns the site)
  6. Report security incidents
    1. Incidents include the unauthorized disclosure, misuse, modification, or destruction of taxpayer information
    2. Report security incidents to the IRS no later than the next business day
    3. If the website is the proximate cause of the incident, cease collecting taxpayer information via the website immediately and until the underlying cause(s) of the incident are successfully resolved
    4. Follow the IRS instructions for reporting website security incidents
In addition, consider:

  • Reporting the incident to the FBI, Secret Service (if directed by the IRS), or local police
  • Contacting any affected states
  • Contacting proper security experts (to determine scope of breach and prevent further damage)
  • Contacting the firm’s insurance company to see if the firm is covered
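The transmission-encryption standard above (item 1) is the one requirement in the list a firm can verify by itself rather than through a vendor. The following checker is an added example, not code from the original post or from the IRS or Coalfire; it connects to a site with Python's verifying default TLS context, records what the server negotiates, and grades the result against a current floor (TLS 1.2+, 2048-bit RSA, 128-bit symmetric keys) rather than the 2008-era minimums quoted in the publication. The hostnames and the two sample observations are constructed for illustration; parsing the certificate key size uses the optional `cryptography` package and is skipped if it is not installed.

```python
"""Grade a tax-preparation website's TLS endpoint against a transport-encryption floor.

Added example (not from the original post). Hostnames and sample results are
constructed; `observe()` needs network access, `evaluate()` does not.
"""
import datetime as dt
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

# Current floor. Publication 1345 quotes SSL 3.0 / TLS 1.0 and 1024-bit RSA as
# minimums, but PCI DSS (required by the same publication) disallows SSL and
# early TLS, and 1024-bit RSA is no longer accepted by browsers, so grade higher.
MIN_PROTOCOLS = ("TLSv1.2", "TLSv1.3")
MIN_RSA_BITS = 2048
MIN_SYMMETRIC_BITS = 128


@dataclass
class TlsObservation:
    host: str
    protocol: str               # negotiated version, e.g. "TLSv1.3"
    cipher: str                 # negotiated cipher suite name
    cipher_bits: int            # symmetric key size reported by the TLS stack
    not_after: dt.datetime      # leaf certificate expiry (UTC)
    chain_verified: bool        # True only if a verifying context accepted the chain
    rsa_bits: Optional[int] = None  # None if the key is not RSA or was not parsed


def evaluate(obs: TlsObservation, now: Optional[dt.datetime] = None) -> list[str]:
    """Return the requirement failures for one observation (empty list means pass)."""
    now = now or dt.datetime.now(dt.timezone.utc)
    failures = []
    if not obs.chain_verified:
        failures.append("certificate chain did not verify")
    if obs.not_after <= now:
        failures.append(f"certificate expired {obs.not_after:%Y-%m-%d}")
    if obs.protocol not in MIN_PROTOCOLS:
        failures.append(f"protocol {obs.protocol} is below TLS 1.2")
    if obs.cipher_bits < MIN_SYMMETRIC_BITS:
        failures.append(f"cipher {obs.cipher} uses {obs.cipher_bits}-bit keys (< {MIN_SYMMETRIC_BITS})")
    if obs.rsa_bits is not None and obs.rsa_bits < MIN_RSA_BITS:
        failures.append(f"RSA key is {obs.rsa_bits} bits (< {MIN_RSA_BITS})")
    return failures


def _rsa_bits(der: bytes) -> Optional[int]:
    """Leaf key size via the optional 'cryptography' package; None when unavailable or non-RSA."""
    try:
        from cryptography import x509
        from cryptography.hazmat.primitives.asymmetric import rsa
    except ImportError:
        return None
    key = x509.load_der_x509_certificate(der).public_key()
    return key.key_size if isinstance(key, rsa.RSAPublicKey) else None


def observe(host: str, port: int = 443, timeout: float = 5.0) -> TlsObservation:
    """Handshake once with a verifying context and record what was negotiated.

    The default context checks the chain and hostname and, on current Python,
    refuses TLS 1.0/1.1; a handshake failure (ssl.SSLError) is therefore itself
    a finding rather than something to swallow here.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher_name, _, cipher_bits = tls.cipher()
            cert = tls.getpeercert()                      # dict, only populated after verification
            der = tls.getpeercert(binary_form=True)
            protocol = tls.version()
    not_after = dt.datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), dt.timezone.utc)
    return TlsObservation(host, protocol, cipher_name, cipher_bits, not_after, True, _rsa_bits(der))


# Constructed sample results (not real hosts): one modern endpoint, and one that
# satisfies only the literal floor quoted in Publication 1345.
FAR_FUTURE = dt.datetime(2030, 1, 1, tzinfo=dt.timezone.utc)
SAMPLE_OK = TlsObservation("efile.example", "TLSv1.3", "TLS_AES_256_GCM_SHA384", 256, FAR_FUTURE, True, 2048)
SAMPLE_LEGACY = TlsObservation("legacy.example", "TLSv1", "AES128-SHA", 128, FAR_FUTURE, True, 1024)

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_LEGACY):
        print(sample.host, evaluate(sample) or ["PASS"])
```

Run `evaluate(observe("your-efile-site.example"))` against the firm's real site before filing season opens; an empty list is the only acceptable result, and any `ssl.SSLError` raised by `observe` (untrusted chain, hostname mismatch, or a server that cannot negotiate TLS 1.2) should be treated as a failed check rather than retried with verification disabled.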

Protecting both your firm and the personal information your firm is accountable for is a smart business decision for any professional services firm, and it matters most for accounting firms during tax season, when the volume of client data on hand peaks. Consider engaging cybersecurity professionals for assistance with your information and network security, your internal control environment, and testing of your current safeguards. I also strongly recommend checking with your insurance provider to ask about data theft coverage and cyber insurance.

Jeff Cook
