CPA Cybersecurity: Protecting the Privacy of Consumer Financial Information

Even small and mid-sized CPAs need to comply with the Gramm Leach Bliley Act's (GLBA's) Privacy and Security Rules to protect the privacy of consumer financial information.

In a 1789 letter, Benjamin Franklin wrote, “in this world, nothing can be said to be certain, except death and taxes.” If the esteemed Franklin were alive today, he would, no doubt, amend his statement to say, “except death and taxes… and data breaches.” Maintaining the privacy of consumer financial information in a digital era becomes even more difficult for certified public accountants as cybercriminals increasingly target tax documents containing non-public information.

Why am I at risk?

As a CPA, you work with clients’ non-public information while filing their taxes. Whether business or personal information, you collect, store, transmit, and process everything from social security numbers and business tax identification numbers to healthcare payment information when clients line-item their healthcare costs.

It’s easy to think, “only the Big Four” need to worry. However, in November 2018, a sole proprietor CPA firm suffered a data breach requiring them to list the information publicly on a variety of government websites to fulfill their breach notification requirements.

Cybercriminals know that small and mid-sized firms lack the staffing resources that the Big Four have. In fact, they count on it.

What are the biggest data breach threats?

According to the American Institute of Certified Public Accountants (AICPA), CPAs face five primary cyber risks.

Account Takeover

When cybercriminals takeover corporate accounts, they obtain rights to financial accounts via phishing and malware. For CPAs, especially small and mid-sized ones, performing online transactions, these account takeovers can not only impact your financial information but also act a way to gain entrance to other systems, databases, and networks. Most people use the same passwords to log in to multiple locations.

Identity Theft

With the information that CPAs handle, personally identifiable information (PII) is a treasure trove for cyber criminals. PII means any information used to distinguish or trace a person’s identity or any information that can be traced to an individual. In other words, everything from name, social security number, birth date, mother’s maiden name, biometric records, medical records, financial records, educational history, or employment information. This information enables cybercriminals to apply for jobs, open accounts, or use people’s credit cards.

Data Theft

Although data theft incorporates identity theft, it also includes information such as trade secrets, employee records, intellectual property, and source code. For CPAs, this can be even more devastating since it will include not only your clients’ PII but also all your employee’s PII as well.


Not all cyberattacks steal information. Ransomware attacks install malware, or malicious code, on computers and then corrupts the files. This corruption keeps you from accessing business-critical data.  Most often, the cybercriminals will try to extort money in exchange for the unreadable data. This attack leads to business disruption costs arising from damaged or lost critical data.

What are the regulatory requirements?

Most CPA firms, large or small, are bound by the Gramm-Leach-Bliley Act  (GLBA). Under GLBA, they need to protect the privacy of consumer financial information. Noncompliance with GLBA can lead to fines or increased audit and regulatory oversight.

For example, when the Internal Revenue Service (IRS) suffered a data breach in 2015, cybercriminals used the free e-filing systems to obtain unauthorized access to taxpayer information. As such, the Federal Trade Commission filed charges against one of the tax preparers, TaxSlayer, for violating GLBA’s Financial Privacy and Security Rules. As part of its settlement, TaxSlayer must refrain from further GLBA violations for twenty years and engage in biennial third-party assessments proving its continued compliance.

In other words, to protect your firm from regulatory fines and burdensome audit requirements, you need to engage in a cybersecurity program with the appropriate risk-mitigating controls.

How to Establish an Appropriate Cybersecurity Program

Creating an information security program doesn’t need to be overwhelming. It does, however, need to incorporate the enterprise risk management (ERM) process.

Identify Information Assets

You need to know everywhere in your office - from devices to filing cabinets - where you collect, transmit, store, and process information. Whether it’s email or the cloud, you need to make sure that you’ve identified every location in your firm where PII, either client or employee, lives.

Assess Risk

Looking at your information assets, you need to determine which ones pose the greatest risk to your firm in the event of a data loss. This can be either business interruption, reputation, or financial risk. The higher the impact, the higher the risk is. Then, you need to look at the places you store information and determine how risky they are. For example, if you’re sending PII over email, the email server is a data risk. The places that store higher risk information are high-risk locations.

Analyze Risk

Analyzing risk is different from assessing risk. Assessing is just listing. Analyzing incorporates a qualitative or quantitative assessment. The analysis usually uses:

Probability of Data Breach X Potential Impact

A high-risk information type has a greater impact to your firm’s finances and reputation. The probability of a data breach comes from how well you’ve secured that information.

Set Controls

Understanding what networks, systems, and software collect, transmit, and store data then allows you to review the ways you can mitigate the risks. The higher risk locations, the ones that store PII and are more likely to be infiltrated, need to have security controls that protect the information. Firewalls, encryption, and multifactor authentication all act as risk mitigation controls.

Monitor Continuously

Risks can change in a moment. In order to protect the privacy of consumer financial information, you need to make sure that your controls effectively mitigate risks. Since cybercriminals evolve their threat methods daily, your controls can go from strong to weak in the span of a single day. Continuously monitoring your control effectiveness with alerts from an automated solution can help ensure that your data remains private and secure.

Purchase Cyber Risk Insurance

Your data is valuable to cybercriminals. Despite setting controls to mitigate risks, the likelihood of a data breach increases every year. To protect yourself from the costs arising from a data breach, you need to purchase cyber risk insurance that protects you from data loss, business interruption costs, data recovery costs, and the inevitable lawsuits.

How Zeguro Enables Tax Professionals

Zeguro understands the struggle small and mid-sized firms face when trying to protect their clients’ information. Our end-to-end solution takes a security-first approach to your cybersecurity by creating a risk analysis, suggesting mitigating controls, providing plain-language polices to document the process, monitoring for threats, and directing customers towards a personally tailored cyber insurance policy.

To start protecting your clients’ privacy, contact us for an insurance quote today.

Zeguro is a cyber safety solution and insurance provider for small to mid-sized businesses (SMBs), offering a comprehensive suite of tools for risk mitigation and compliance, as well as insurance premiums that are tailored to the size, sector and profile of a company.
Learn more →

No items found.
Karen Walsh
Written by

Karen Walsh

Contributing Editor

14 years internal audit experience.; award-winning writing professor. Cybersecurity writer focused on compliance and end-user awareness.

Sign up for the latest news

Oops! Please make sure your email is valid and try again.