Cloud security tips for CPA firms are not the same advice you would give a random small business. A tax or accounting practice handles SSNs, EFIN credentials, payroll data, and bank routing numbers, all of it covered by federal law. The FTC Safeguards Rule has required tax preparers to run a written information security program, enforce multi-factor authentication, encrypt customer data, and designate a qualified individual since the June 9, 2023 compliance deadline<\/a>. Most small firms still treat these as optional. They are not.<\/p>\n This guide is twelve practices, each one mapped to the rule that requires it, the way Verizon’s data on actual breaches says it should be implemented, and the practical step a 1 to 50 person firm can take this quarter. No fluff. No throat-clearing intros. Just the work.<\/p>\n A CPA firm sits under a stack of overlapping mandates that most generic IT advice ignores. The FTC Safeguards Rule treats your firm as a financial institution under the Gramm-Leach-Bliley Act. IRS Publication 4557 requires every PTIN holder to maintain a Written Information Security Plan, and Line 11 of PTIN renewal Form W-12<\/a> asks you to certify that you have one. State data-protection laws, AICPA professional standards, and your cyber insurance carrier all stack on top.<\/p>\n Then there is tax season. From late January through April, your firm runs at workload levels a normal SMB never sees. Your software stack, your bandwidth, your support response time, and your endpoint posture all face their hardest test in the same eight-week window. A cloud security plan that ignores tax-season behavior is a plan that fails in March.<\/p>\n The threat landscape is matched to the workload. The FBI and CISA joint advisory on BianLian ransomware<\/a> calls out professional services, including accounting and law firms, as a primary target. Verizon’s 2025 Data Breach Investigations Report found that 22% of breaches start with stolen credentials and 60% involve a human element<\/a>. Both numbers describe a CPA firm employee being phished during peak season more accurately than any abstract threat model.<\/p>\n The twelve practices below are organized so you can read top to bottom or jump to the rule you are trying to satisfy. Each section opens with a passage-independent statement, followed by the regulatory grounding, the how-to, and the Verito angle if it applies.<\/p>\n Dedicated cloud infrastructure means your firm’s tax and accounting applications run in an environment that no other tenant shares. Shared hosting splits compute, memory, and sometimes storage across many customers on the same server. For a firm preparing returns, the difference shows up in three places: tax-season performance, isolation during a security incident, and audit defensibility.<\/p>\n The FTC Safeguards Rule, codified at 16 CFR Part 314, requires firms to take reasonable steps to vet service providers and to oversee them throughout the relationship. A dedicated environment makes that oversight much easier to evidence. You can point to the rack, the SOC 2 Type II report, the patch schedule, and the access logs that apply to your firm specifically, not a multi-tenant abstraction.<\/p>\n How to put this into practice:<\/p>\n\n\n Verito’s VeritSpace dedicated hosting<\/a> runs your tax suite, QuickBooks, Drake, Lacerte, ProSeries, and UltraTax on private environments built specifically for accounting firms. SOC 2 Type II audited annually. 100% uptime since 2016<\/a>. The performance you see on March 14 matches what you saw on January 14, because no other firm’s workload is sharing your compute.<\/p>\n Multi-factor authentication is the single highest-impact cloud security control a CPA firm can deploy. Microsoft’s research on account compromise shows that MFA blocks 99.2% of automated account-takeover attacks, and 99.9% of compromised accounts had no MFA enabled at all<\/a>. The Verizon DBIR 2025 puts stolen credentials at 22% of all breaches, the largest single initial-access vector.<\/p>\n The FTC Safeguards Rule mandates MFA at 16 CFR 314.4(c)(5). The mandate covers any individual accessing customer information. That includes you, your staff, your seasonal preparers, your bookkeeper, and any contractor with credentials. The IRS reinforces it in Publication 4557<\/a>, naming MFA as a required safeguard for taxpayer data.<\/p>\n How to put this into practice:<\/p>\n\n\n VeritGuard managed IT<\/a> enforces MFA across every account that touches client data, ties enforcement to your identity provider, and produces the documentation your insurance carrier asks for at renewal.<\/p>\n Encryption protects client data when an attacker bypasses other controls. The FTC Safeguards Rule at 16 CFR 314.4(c)(3) requires encryption of customer information both at rest and in transit, with a written justification if you elect a compensating control instead. There is no realistic compensating control for an accounting firm. Implement encryption.<\/p>\n The federal breach notification deadline that follows from this matters. Under the Safeguards Rule’s 2024 amendment, a firm must notify the FTC within 30 days of a security event involving the unencrypted information of 500 or more consumers. Encrypted data, properly keyed and stored, generally does not trigger that notification. Encryption changes the math during a breach.<\/p>\n How to put this into practice:<\/p>\n\n\n VeritSpace<\/a> encrypts data at rest with AES-256 and uses TLS 1.2 or higher for every connection. Documentation is part of the SOC 2 package, which means you can hand it to your insurance carrier without a fire drill.<\/p>\n Backups are the only control that recovers a firm from ransomware without paying the ransom. The 3-2-1 rule is the floor: three copies of your data, on two different media types, with one copy stored off-site. CISA publishes 3-2-1 backup guidance for small and medium businesses<\/a>, and the rule is referenced in IRS Publication 4557 as standard practice for tax data.<\/p>\n Untested backups are not backups. Plenty of firms learn during a ransomware event that the nightly job has been failing for six weeks, that the off-site copy has not been validated, or that restoration takes 72 hours when the firm has 8. The control is recovery, not the backup itself.<\/p>\n How to put this into practice:<\/p>\n\n\n For a deeper walkthrough of how the backup tiers stack against each other, our guide to managed backup services for accounting firms<\/a> covers BaaS versus DRaaS economics. Verito’s managed backup includes immutable copies, quarterly recovery tests, and the documentation a WISP<\/a> requires.<\/p>\n Patching is the unglamorous work that prevents most opportunistic intrusions. The FTC Safeguards Rule requires periodic vulnerability assessments at 16 CFR 314.4(d)(2), and IRS Publication 4557 names timely patching as a baseline safeguard for taxpayer data.<\/p>\n Most CPA firms patch their own laptops and forget the rest. The rest is where attackers live. Routers and firewalls have firmware. Hosted servers have OS and database patches. Tax software releases monthly fixes during the season, and the patch cadence accelerates between January and April. A firm with strong patching practice in October falls behind by March without a written process.<\/p>\n How to put this into practice:<\/p>\n\n\n VeritGuard handles patching for the workstations and servers it manages, on a tax-season aware schedule that does not collide with peak filing days. Patch reports map directly to FTC Safeguards 314.4(d)(2) and the related IRS Publication 4557 controls.<\/p>\n Most breaches involve a person, not a zero-day. Verizon’s 2025 DBIR puts the human element at 60% of breaches, with stolen credentials and phishing leading the access vectors. Training is the only control that addresses the human element directly.<\/p>\n The FTC Safeguards Rule requires security awareness training at 16 CFR 314.4(e). The rule does not specify a format or vendor, only that training is provided to all personnel and is updated to reflect risk-assessment results. IRS Publication 4557 reinforces this for any practice that holds a PTIN.<\/p>\n How to put this into practice:<\/p>\n\n\n For more on the controls a firm trains its team to operate, our overview of cybersecurity for accounting firms<\/a> walks through the underlying stack, and our piece on what happens when your only IT person leaves<\/a> covers the operational fragility that training alone cannot fix.<\/p>\n Phishing is the single most common initial-access vector for CPA firm breaches. Verizon’s 2025 DBIR ranks phishing at 16% of initial access events overall, and higher in professional services. A wire fraud incident often starts with a single compromised mailbox that an attacker reads quietly for days before launching the actual fraud.<\/p>\n The FTC Safeguards Rule requires monitoring and detection at 16 CFR 314.4(d), and email security is a primary place that monitoring lives in practice. Tax season makes the problem worse. Lookalike IRS domains, fake e-file confirmations, and impersonated clients all spike between February and April.<\/p>\n How to put this into practice:<\/p>\n\n\n VeritGuard managed IT layers a tax-firm tuned email security gateway in front of Microsoft 365 or Google Workspace, with attachment sandboxing, link rewriting, and the alerts piped to a 24×7 SOC.<\/p>\n Least privilege means each person and system gets only the access required to do the job, and no more. The FTC Safeguards Rule mandates access controls at 16 CFR 314.4(c)(1), specifically requiring authentication and access controls limited to authorized users.<\/p>\n The two failure modes are identical across CPA firms. The first is leftover access. Seasonal staff who finished in April still hold credentials in October. The second is privilege creep. A staff member promoted from preparer to manager added permissions and never removed the old ones, ending up with broad domain rights that nobody intended.<\/p>\n How to put this into practice:<\/p>\n\n\n VeritGuard ties access controls to your identity provider, automates quarterly review reports, and gives you the audit trail an FTC investigator or insurance carrier asks about first.<\/p>\n Zero trust replaces the old castle-and-moat network model with a simple rule: never trust, always verify. NIST SP 800-207<\/a>, published August 11, 2020, is the canonical reference architecture for zero trust. It does not require an enterprise budget. The principles apply at any firm size.<\/p>\n For a CPA firm, the practical version is segmentation. Your tax software and client data sit on a different network segment than your guest Wi-Fi. Your accounting workstations cannot freely reach your IoT printers. Your Drake or Lacerte server is not pingable from a coffee-shop laptop just because the user logged into the VPN.<\/p>\n How to put this into practice:<\/p>\n\n\n Verito’s VeritGuard managed IT<\/a> implements zero-trust principles tuned to firm size. Conditional access, device posture, and microsegmentation mapped to NIST SP 800-207, without enterprise pricing.<\/p>\n The FTC Safeguards Rule requires vendor oversight at 16 CFR 314.4(f). The rule does not let you outsource the obligation. Choosing a hosting provider, a backup vendor, or a payroll processor does not remove your responsibility to evidence that they implement appropriate safeguards. The rule names this explicitly.<\/p>\n The standard for cloud providers is SOC 2 Type II. Type I checks that controls exist on a single date. Type II checks that controls operated effectively over a period of at least six months. AICPA’s SOC 2 framework<\/a> defines the Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy) that the audit covers.<\/p>\n How to put this into practice:<\/p>\n\n\n Verito provides SOC 2 Type II audit reports to firms on request, with the CUECs called out so your WISP<\/a> picks them up correctly. The first ask in any vendor evaluation should be the SOC 2 report. The second should be a customer reference at a similar-size firm.<\/p>\n An incident response plan is the document that turns a breach from an existential crisis into a defined process. The FTC Safeguards Rule requires a written incident response plan at 16 CFR 314.4(h), with specific elements: goals, roles, the events that trigger the plan, communications and information sharing, evaluation, and reporting.<\/p>\n Ransomware is the dominant scenario. The FBI and CISA BianLian advisory<\/a> describes a group that has specifically targeted professional services firms, including accounting, with double-extortion ransomware that both encrypts data and threatens to release it. The IBM 2025 Cost of a Data Breach Report puts the global average breach cost at $4.44 million, the U.S. average at $10.22 million, and financial services at $5.56 million<\/a>. A small firm hit during tax season faces both the technical loss and the seasonal revenue collapse.<\/p>\n How to put this into practice:<\/p>\n\n\n For a deeper read on the regulatory framing your incident response plan documents, our coverage of the FTC Safeguards Rule<\/a> walks through what an investigator looks for when an incident is reported.<\/p>\n The Written Information Security Plan<\/a> is the single document that ties every other practice on this list together. The FTC Safeguards Rule requires a written plan at 16 CFR 314.3, and IRS Publication 4557 requires every PTIN holder to maintain one. PTIN renewal Form W-12 Line 11<\/a> asks you to certify that you have a WISP, signed under penalty of perjury.<\/p>\n The risk assessment is the input that drives the plan. It identifies the data your firm holds, where it lives, who can reach it, the threats most likely to compromise it, and the controls in place to manage that risk. The Safeguards Rule requires a written risk assessment, periodically refreshed.<\/p>\n How to put this into practice:<\/p>\n\n\n Our deep dive on the FTC Safeguards Rule for bookkeepers and tax preparers walks through the nine WISP sections and the law underneath them. VeritShield WISP is a turnkey product for firms that want a compliant, audit-ready plan in 5 business days, customized to your systems and vendors.<\/p>\n If your firm is preparing for an insurance renewal, an FTC inquiry, or a client request for evidence, this is the table that consolidates the citation for each practice on this list.<\/p>\n
\n
\n![\"Cinematic](\"https:\/\/verito.com\/blog\/wp-content\/uploads\/2026\/05\/cloud-security-tips-cpa-firms-hero-scaled-1.jpg\")
<\/figure>\n\n\nWhy Cloud Security for CPAs Is Different<\/strong><\/span><\/h2>\n
\n1. Move to Dedicated, Not Shared, Infrastructure<\/strong><\/span><\/h2>\n
\n
\n2. Multi-Factor Authentication Everywhere<\/strong><\/span><\/h2>\n
\n
\n3. Encryption at Rest and in Transit<\/strong><\/span><\/h2>\n
\n
\n![\"Cinematic](\"https:\/\/verito.com\/blog\/wp-content\/uploads\/2026\/05\/cloud-security-tips-cpa-firms-mfa-encryption-scaled-1.jpg\")
<\/figure>\n\n\n4. 3-2-1 Backups With Tested Recovery<\/strong><\/span><\/h2>\n
\n
\n5. Patch and Vulnerability Management<\/strong><\/span><\/h2>\n
\n
\n6. Annual and Ongoing Employee Security Training<\/strong><\/span><\/h2>\n
\n
\n7. Phishing Prevention and Email Security<\/strong><\/span><\/h2>\n
\n
\n![\"Cinematic](\"https:\/\/verito.com\/blog\/wp-content\/uploads\/2026\/05\/cloud-security-tips-cpa-firms-phishing-scaled-1.jpg\")
<\/figure>\n\n\n8. Least-Privilege Access Controls<\/strong><\/span><\/h2>\n
\n
\n9. Network Segmentation and Zero Trust Architecture<\/strong><\/span><\/span><\/h2>\n
\n
\n10. Vendor and Cloud Provider Vetting<\/strong><\/span><\/h2>\n
\n
\n11. Written Incident Response Plan<\/strong><\/span><\/h2>\n
\n
\n![\"Cinematic](\"https:\/\/verito.com\/blog\/wp-content\/uploads\/2026\/05\/cloud-security-tips-cpa-firms-incident-scaled-1.jpg\")
<\/figure>\n\n\n12. WISP and Ongoing Risk Assessments<\/strong><\/span><\/h2>\n
\n
\nThe Twelve Practices Mapped to the Rule<\/strong><\/span><\/h2>\n