Accounting firms are a target for a simple reason: they concentrate financial data that is extraordinarily valuable to an attacker. Tax returns, Social Security numbers, bank account numbers, payroll data and business financials all sit in one place, accessed by a small staff who are already stretched thin during busy season. That combination of high-value data and time pressure is exactly what attackers look for.
Under the Gramm-Leach-Bliley Act, the FTC Safeguards Rule requires every tax preparer to maintain a written information security plan (WISP), and the IRS reinforces this by having preparers attest to their data security responsibilities when they renew a PTIN. Many firms have a document that satisfies the requirement on paper. Far fewer have the technical controls that make it real.
The threats accounting firms face most often
Phishing during busy season. Tax season is when your staff are most overloaded and least likely to slow down and scrutinize a suspicious email. Attackers know this and time their campaigns accordingly. A convincing email from a "client" with an attached W-2, where the attachment carries malware or the link leads to a fake portal login page, is all it takes.
Credential theft and portal access. Many firms use client portals for document exchange. If a staff member's username and password are phished, or reused from another breach, an attacker can log in and read client documents silently, often for weeks before anyone notices. Without MFA, nothing stands between a stolen password and the data.
Ransomware before the April deadline. A ransomware attack timed for late March puts a firm in an impossible position: pay the ransom or miss client deadlines. Attackers targeting accounting firms know this leverage exists and exploit it.
What the written security plan actually requires
The FTC Safeguards Rule (which applies to tax preparers under GLBA) requires firms to document and implement specific controls: a designated "qualified individual" who owns the program, a written risk assessment, access controls, encryption of customer data in transit and at rest, multi-factor authentication for anyone who accesses customer information, staff training, oversight of service providers, regular testing of the safeguards, and a written incident response plan. The amended rule took full effect in June 2023, and a further amendment requires firms to notify the FTC within 30 days of discovering a breach involving the unencrypted information of 500 or more consumers (in force since May 2024).
Beyond the paperwork, the controls that most directly reduce risk (several of which the rule itself now mandates) are:
- MFA on every system that touches client data: tax software, client portals, email, and any remote access into the office network
- Role-based access controls: staff see only the client files they're actively working on, and access is removed when the engagement ends
- Encrypted, offsite backups that are restore-tested on a schedule, not just running in the background; a backup you have never restored is an assumption, not a control
- Staff phishing training, particularly for the administrative and junior staff who handle the most inbound client email and are the most frequent targets
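What "tested for restore" means in practice is worth showing rather than asserting. The script below is an added example, not code from the original article or from any product it mentions: it records a SHA-256 manifest of a directory, writes an encrypted archive of it, then restores that archive into a scratch directory and checks every file against the manifest. It also shows the failure the test exists to catch, a backup file that was cut short mid-write. It assumes POSIX sh, GNU tar and coreutils (sha256sum, dd, mktemp) and openssl; the BACKUP_PASSPHRASE variable name and the sample client files are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the article's own code): an encrypted backup job that
# proves each backup can actually be restored. Assumes POSIX sh, GNU tar,
# GNU coreutils and openssl. BACKUP_PASSPHRASE is a name chosen for this demo.
set -eu
export BACKUP_PASSPHRASE="${BACKUP_PASSPHRASE:-demo-only-change-me}"

# Constructed sample data standing in for a firm's client file share.
make_sample_data() {
  mkdir -p "$1/client-A" "$1/client-B"
  printf 'W-2 2023 wages 84200\n' > "$1/client-A/w2-2023.txt"
  printf 'routing 021000021 account 000123456789\n' > "$1/client-B/bank.txt"
}

# backup SRC OUT: record a SHA-256 manifest of SRC, then write an
# AES-256-CBC (PBKDF2-derived key) encrypted tar of SRC into OUT.
# CBC alone does not detect tampering; the manifest check below is what
# gives the restore test its integrity guarantee.
backup() {
  src=$1 out=$2
  mkdir -p "$out"
  (cd "$src" && find . -type f -exec sha256sum {} + | sort -k2) \
    > "$out/manifest.sha256"
  tar -C "$src" -cf - . \
    | openssl enc -aes-256-cbc -pbkdf2 -salt -pass env:BACKUP_PASSPHRASE \
        -out "$out/backup.tar.enc"
}

# restore_test OUT: decrypt and extract the backup into a throwaway directory
# and verify every manifest entry. Returns 0 only if the whole restore matches;
# any decrypt, extract or checksum failure returns 1. errexit is deliberately
# not relied on so callers can branch on the result.
restore_test() {
  out=$1
  scratch=$(mktemp -d)
  status=0
  if ! openssl enc -d -aes-256-cbc -pbkdf2 -pass env:BACKUP_PASSPHRASE \
         -in "$out/backup.tar.enc" 2>/dev/null | tar -C "$scratch" -xf - 2>/dev/null
  then
    status=1
  elif ! (cd "$scratch" && sha256sum --quiet -c "$out/manifest.sha256") >/dev/null 2>&1
  then
    status=1
  fi
  rm -rf "$scratch"
  return $status
}

# simulate_truncated_backup OUT: keep only the first 2 KiB of the archive,
# the kind of damage a backup job that died mid-write leaves behind.
simulate_truncated_backup() {
  dd if="$1/backup.tar.enc" of="$1/truncated.tmp" bs=512 count=4 2>/dev/null
  mv "$1/truncated.tmp" "$1/backup.tar.enc"
}

# demo: a good backup passes the restore test, a truncated one fails it.
# Returns 0 when both outcomes are as expected, 1 otherwise.
demo() {
  work=$(mktemp -d)
  make_sample_data "$work/src"
  backup "$work/src" "$work/out"
  if restore_test "$work/out"; then
    echo "restore test: PASS (intact backup)"
  else
    echo "restore test: FAIL on an intact backup"; rm -rf "$work"; return 1
  fi
  simulate_truncated_backup "$work/out"
  if restore_test "$work/out"; then
    echo "restore test: passed a damaged backup"; rm -rf "$work"; return 1
  else
    echo "restore test: FAIL (truncated backup caught)"
  fi
  rm -rf "$work"
}

demo
```

Run it as-is to see both outcomes; in a real deployment the passphrase belongs in a secrets store rather than an environment default, the manifest and archive go offsite together, and the exit status of `restore_test` is what a scheduled job should alert on, because a backup job that "ran" tells you nothing about whether the file it produced can be read back.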
Uptime during busy season
A ransomware attack in February isn't just a security incident — it's a business-threatening event. Every day offline during tax season represents client deadlines missed and revenue that can't be recovered. The cost of prevention is a fraction of the cost of recovery at the worst possible time.
A security review scheduled outside of busy season — late spring or fall — lets you identify and close gaps without the time pressure. That's the conversation worth having now, not in March.