
CPA Firm Cybersecurity Policy Setup: 2026 Guide

Secure your clients' data with our CPA firm cybersecurity policy setup guide. Learn key requirements and practical steps for compliance.

CPA firm cybersecurity policy setup is the process of creating and managing a Written Information Security Plan (WISP) to protect sensitive client data and satisfy federal regulations. Under IRS Publication 4557 and the FTC Safeguards Rule, all U.S. professional tax preparers must maintain a WISP and designate a Qualified Individual to oversee it. The FTC Safeguards Rule took full effect on June 9, 2023, and added breach notification requirements in May 2024. That means a generic one-page security document filed away in a drawer no longer satisfies regulators or cyber liability insurers. This guide walks CPA firms through the core requirements, practical controls, and the steps needed to build a policy that actually holds up.

What are the core regulatory requirements for CPA firm cybersecurity policies?

The FTC Safeguards Rule (16 CFR Part 314) and IRS Publication 4557 together form the legal foundation for accounting firm cyber risk management. Both frameworks require a written security program, not just a verbal commitment. Failing to meet either standard exposes your firm to regulatory penalties, civil liability, and loss of client trust.

The mandatory elements every WISP must address include:

  • Written Information Security Plan (WISP): A formal, documented program covering all systems that store or process client financial data.
  • Qualified Individual: A formally designated person with authority to oversee, enforce, and update the security program. This person does not need deep IT expertise but must have documented authority and training to manage vendor relations and incident responses.
  • Multi-factor authentication (MFA): MFA is mandatory for every individual accessing customer information systems, including email, tax software portals, and admin accounts. At least two factor types are required under FTC standards.
  • Encryption: Data at rest and in transit must be encrypted. Technologies such as BitLocker, FileVault, and TLS 1.2 or higher satisfy this requirement.
  • Risk assessments and testing: Firms without continuous monitoring must conduct annual penetration testing and vulnerability assessments every six months under FTC Safeguards Rule 16 CFR 314.4(d).
  • Incident response plan: A documented procedure for detecting, containing, and reporting breaches, including breach notification obligations effective since May 13, 2024.

Pro Tip: Assign your Qualified Individual before you draft the WISP. The designation must appear in the document itself, and that person must formally approve all third-party security controls from day one.

Which technical and administrative controls should CPA firms implement?

Technical controls are the machinery that makes your WISP enforceable. Without them, the policy document is a liability, not a protection. CPA firms need a layered set of controls that address endpoints, identity, data, and human behavior.

Endpoint and network protection

Endpoint detection and response (EDR) or managed detection and response (MDR) tools monitor devices in real time and generate alerts when suspicious activity occurs. Every workstation and server that touches client tax data needs coverage. Unmanaged servers running legacy operating systems are a direct path to non-compliance and breach exposure.


Identity and access management

Password and account management policies must enforce strong, length-based password requirements, prohibit shared logins, and require a password manager for all staff. Privileged access must be separated so that standard users cannot access administrative functions. Conditional access controls, which restrict login based on device health or location, add a second layer of identity verification beyond MFA.

Provisioning and deprovisioning workflows must be documented with evidence retention. When a staff member leaves, their accounts must be disabled immediately, and that action must be logged.
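The deprovisioning evidence described above can be checked mechanically. The script below is an added example, not code from the original article or from 247techify: it reconciles a constructed HR offboarding list against a constructed directory account export and flags departed users whose accounts are still enabled, were disabled late, or whose disable action has no recorded actor. The one-day grace window and the column names are assumptions for the example.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample data (not real firm records): HR offboarding list and an
# export of directory account status with disable timestamps and actor.
HR_OFFBOARDING = """user,last_day
jdoe,2026-01-15
asmith,2026-01-20
bwong,2026-01-22
"""

ACCOUNT_EXPORT = """user,enabled,disabled_at,disabled_by
jdoe,false,2026-01-15T17:05:00,itadmin
asmith,true,,
bwong,false,2026-01-29T09:00:00,itadmin
ckim,true,,
"""

# Assumed policy threshold: the account must be disabled within one day of the last day.
MAX_DELAY = timedelta(days=1)


def load(text):
    """Parse a CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_text, account_text, max_delay=MAX_DELAY):
    """Return (user, finding) pairs for departed users whose offboarding evidence is missing or late."""
    accounts = {row["user"]: row for row in load(account_text)}
    findings = []
    for row in load(hr_text):
        user = row["user"]
        last_day = datetime.fromisoformat(row["last_day"])
        acct = accounts.get(user)
        if acct is None:
            findings.append((user, "no directory record"))
        elif acct["enabled"].lower() == "true":
            findings.append((user, "still enabled"))
        else:
            disabled_at = datetime.fromisoformat(acct["disabled_at"])
            delay = disabled_at - last_day
            if delay > max_delay:
                findings.append((user, f"disabled {delay.days} days after last day"))
            elif not acct["disabled_by"]:
                findings.append((user, "disable action not attributed"))
    return findings


if __name__ == "__main__":
    for user, finding in reconcile(HR_OFFBOARDING, ACCOUNT_EXPORT):
        print(f"{user}: {finding}")
```

Running the check on a real export on a schedule, and keeping its output with the WISP evidence file, gives the logged proof of timely deprovisioning that the paragraph above calls for.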

Data protection and backup

Encryption using BitLocker for Windows endpoints and FileVault for macOS devices protects data at rest. TLS 1.2 or higher protects data moving between systems and client portals. Backup strategy must include tested restores, not just scheduled backups. A backup that has never been tested is not a backup. Firms should follow a 3-2-1 approach: three copies of data, on two different media types, with one copy offsite or in the cloud.

Human factors and vendor risk

Cybersecurity training and phishing simulation programs must be managed with completion tracking to provide evidence for compliance audits. One-time annual training is not sufficient. Quarterly phishing simulations with documented results satisfy both IRS and FTC expectations for ongoing workforce awareness.

Vendor risk management requires written contractual safeguards with every third party that accesses client data. Your Qualified Individual must personally approve those contracts and review them at least annually.

Pro Tip: Use a password manager with admin reporting features so you can generate access logs on demand. Regulators and insurers increasingly ask for this evidence during audits.

How do CPA firms create and maintain a WISP?

Building a WISP from scratch feels daunting, but the process follows a clear sequence. The goal is a document that reflects your actual IT environment, not a generic template copied from the internet.

  1. Start with a framework-aligned template. Use a WISP template built around IRS Publication 4557 and FTC Safeguards Rule requirements. Customize every section to reflect your firm’s actual systems, software, and vendor relationships. Generic language that does not match your environment creates audit exposure.
  2. Conduct and document a formal risk assessment. Identify every system, device, and third-party service that touches client data. Rate each for likelihood and impact of a breach. Document your rationale for every control you select or decline. This record protects you if regulators question your decisions.
  3. Formally designate your Qualified Individual. Document the Qualified Individual’s role, training, and authority in writing. Failure to properly appoint and empower this role can result in non-compliance penalties. The designation must be in writing, signed, and dated.
  4. Implement and document all controls. Deploy MFA, encryption, EDR, and backup systems. Capture screenshots, configuration exports, and vendor agreements as evidence. The WISP must reference these controls, and your evidence file must prove they are active.
  5. Establish a review and update cycle. Review the WISP at least annually and after any significant change to your IT environment, a breach event, or a regulatory update. Set calendar reminders and assign the review task to your Qualified Individual.
  6. Tie incident response into the WISP. Your breach response procedure must be a named section of the WISP, not a separate document that staff cannot find. Include contact lists, notification timelines, and escalation paths.
  7. Embed training evidence. Attach or reference training completion records and phishing simulation results within the WISP evidence file. Regulators expect to see proof that staff received training, not just a policy that says training happens.

The table below summarizes the key WISP components and their compliance purpose.

WISP Component                   | Compliance Purpose
Risk assessment documentation    | Demonstrates due diligence and justifies control selections
Qualified Individual designation | Satisfies FTC and IRS governance requirements
MFA and encryption records       | Proves technical safeguards are active and configured
Incident response procedure      | Meets breach notification obligations under FTC Safeguards Rule
Training completion records      | Provides evidence of ongoing workforce security awareness


What common pitfalls do CPA firms face in cybersecurity policy setup?

The most dangerous assumption in accounting firm data protection is that creating the WISP document equals compliance. Many CPA firms rely on generic WISP templates and assume document filing fulfills their obligations. Regulators and insurers evaluate whether controls are actually running, not whether a policy exists on paper.

Common pitfalls include:

  • Treating the WISP as a one-time task. A WISP must be a dynamic, living document that evolves with your firm’s systems and risk profile. Static policies increase liability rather than reduce it.
  • Ignoring the Qualified Individual role. Appointing someone in name only, without authority or training, fails the governance test. This person must actively manage vendor contracts and approve incident responses.
  • Lacking usable logs. Proper logging and centralized monitoring are required under the FTC Safeguards Rule to detect unauthorized access. Firms without a SIEM or equivalent solution cannot generate the breach detection evidence regulators require.
  • Running unmanaged infrastructure. Servers without patch management, endpoint protection, or access logging are a direct compliance gap. Many small firms inherit legacy infrastructure and never address it formally.
  • Overemphasizing technology without governance. Buying security tools without assigning ownership and review cycles produces a false sense of protection. Security is fundamentally a management responsibility. Firms that focus only on tools without governance structure will struggle to protect client data effectively.

“A cybersecurity policy that describes controls your firm does not actually run is worse than no policy at all. It creates documented proof that you knew the risk and failed to act.”

Partnering with an external IT provider for compliance auditing and evidence review closes the gap between what your WISP says and what your systems actually do. That alignment is what survives an audit.

Key Takeaways

A compliant CPA firm cybersecurity policy requires a formally documented WISP, a designated Qualified Individual with real authority, and active technical controls that produce verifiable evidence.

Point                                  | Details
WISP is legally mandatory              | IRS Publication 4557 and the FTC Safeguards Rule require a written security program for all tax preparers.
Qualified Individual must be formal    | Designate this role in writing with documented authority, training, and vendor approval responsibilities.
MFA and encryption are non-negotiable  | All systems accessing client data require at least two-factor authentication and encryption at rest and in transit.
Testing frequency is regulated         | Without continuous monitoring, firms must run annual penetration tests and vulnerability scans every six months.
Evidence beats intention               | Logs, training records, and configuration exports prove compliance. A policy document alone does not.

What we have learned from CPA firm cybersecurity work

The firms that struggle most with cybersecurity compliance are not the ones with the worst technology. They are the ones where no single person owns the outcome. A partner who assumes the IT vendor handles compliance, while the IT vendor assumes the partner reviews the policy, produces a gap that neither party sees until a breach or audit exposes it.

At 247techify, we see this pattern repeatedly. The Qualified Individual designation exists precisely to close that gap. When one person has formal authority and accountability, the WISP stops being a document and starts being a program. That shift changes everything: vendors get reviewed, logs get checked, and training gets tracked.

The firms that get this right treat their WISP review the same way they treat a tax filing deadline. It goes on the calendar, it has an owner, and it does not slip. The ones that treat it as a background task find themselves scrambling when a client asks for proof of their security controls or when an insurer requests evidence before renewing a cyber liability policy.

The technical controls matter, but governance is the multiplier. A well-configured EDR tool with no one reviewing its alerts is the same as no EDR tool. Build the governance structure first, then layer the technology on top of it. That sequence produces compliance that holds up under scrutiny.

— 247techify Team

How 247techify supports CPA firms with cybersecurity compliance

CPA firms that need to close the gap between their WISP and their actual security posture have a clear path forward with 247techify.

https://247techify.com

247techify delivers managed cybersecurity services built for regulated industries, including CPA firms that must satisfy IRS Publication 4557 and FTC Safeguards Rule requirements. Services include managed detection and response, MFA enforcement, patch management, and tested cloud backup, all with the documentation your Qualified Individual needs to demonstrate compliance. 247techify’s team supports evidence gathering, vendor risk reviews, and incident response planning so your WISP reflects what your systems actually do. With a response time under 30 minutes and a 98% client satisfaction rate, 247techify gives CPA firms a dependable partner for ongoing IT compliance and security program management.

FAQ

What is a WISP and why do CPA firms need one?

A Written Information Security Plan (WISP) is a formal document that describes how a firm protects client data. IRS Publication 4557 and the FTC Safeguards Rule make it legally mandatory for all U.S. tax preparers.

Who qualifies as the Qualified Individual under the FTC Safeguards Rule?

The Qualified Individual does not need to be an IT expert but must have formal written designation, documented training, and the authority to enforce security policies and approve vendor contracts.

How often must CPA firms test their cybersecurity controls?

Firms without continuous monitoring must conduct annual penetration testing and vulnerability assessments every six months under FTC Safeguards Rule 16 CFR 314.4(d).

Does MFA apply to all systems in a CPA firm?

MFA is mandatory for all individuals accessing customer information systems, covering email, tax software, client portals, and administrative accounts, with very limited exceptions.

Can a CPA firm use a free WISP template and stay compliant?

A template is a starting point, not a finished product. Firms must customize the template to reflect their actual IT environment, implement every control the document describes, and maintain ongoing evidence of those controls to satisfy regulators and insurers.