
What you'll learn

The four things this guide covers

  • The FTC and IRS rules that apply to tax firms, in plain language.
  • The IRS Security Six and what each control means in practice.
  • The FTC Safeguards Rule essentials, element by element.
  • How responsibilities split between your cloud, your endpoints, and your firm.

Why security matters for tax firms

Tax preparers handle the records that everyone wants to steal: Social Security numbers, income data, banking details, and full client identities. That is the exact set of information the Federal Trade Commission and the IRS designed their security rules around.

Two rules apply to almost every firm that prepares returns for compensation. They overlap heavily, and a single written security plan can satisfy both.

Sources

FTC Safeguards Rule: 16 CFR Part 314. IRS Publication 4557: Safeguarding Taxpayer Data.

The IRS Security Six

The IRS calls out six controls every tax preparer should have in place. Each is technical, each is achievable for a small firm, and each one shows up on IRS audit checklists.

1. Anti-virus / anti-malware

Protection running on every desktop, laptop, and server. Modern endpoint protection adds behavior detection on top of signature scanning, which matters because tax-season phishing payloads change constantly.

2. Firewall

A network firewall at your office and host-level firewalls on each device. The point is to block inbound traffic that has no business reaching your machines, and to control which outbound connections an infected machine can make.

3. Multi-factor authentication

A second factor (typically a code from a phone app) required at sign-in. MFA is the single highest-leverage control on this list. It blocks the vast majority of credential-theft attacks even when a password leaks.

4. Backups

Regular, tested backups of client data, with at least one copy that ransomware on your machines cannot reach. A backup you have never restored from is not a backup; test your recovery at least quarterly.

5. Drive encryption

Full-disk encryption on every laptop and the file server. The IRS treats an unencrypted laptop loss the same as a disclosure; an encrypted one is recoverable as a routine asset replacement.

6. Virtual private network (VPN)

A VPN for remote access to firm systems, so traffic between a remote staff member and the office is encrypted end to end. Increasingly replaced or supplemented by zero-trust access tools, which serve the same purpose.

MFA in plain language

Multi-factor authentication means signing in requires something you know (a password) plus something you have (a code on your phone, a hardware key, or a push notification). An attacker who steals your password still cannot get in without the second factor.
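To make the two factors concrete, here is a small sign-in check that requires both a password and a time-based one-time code of the kind an authenticator app produces (RFC 6238 TOTP). This is an added illustration, not code from this guide or from Verito; the user record and salt are constructed, and the TOTP secret is the RFC 6238 reference test key, so the codes it generates match the RFC's published vectors.

```python
"""Two-factor sign-in: a password ("something you know") plus a TOTP code
from an authenticator app ("something you have", RFC 6238).

Added illustration; not code from this guide or from Verito. The user
record below is constructed. The TOTP secret is the RFC 6238 reference
test key, so the codes it produces match the RFC's published vectors.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo user. A real identity store holds the salt and hash;
# the TOTP secret is provisioned once (QR code) and never shown again.
_SALT = b"constructed-demo-salt"
_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse battery", _SALT, 200_000)
_TOTP_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of RFC 6238 test key "12345678901234567890"
_STEP = 30  # seconds per TOTP window


def totp(secret_b32: str, unix_time: int, step: int = _STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the variant almost every phone app uses."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", max(0, unix_time) // step)   # 8-byte big-endian time step
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                # dynamic truncation (RFC 4226 s5.3)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def password_ok(password: str) -> bool:
    """Factor 1: constant-time compare against the stored PBKDF2 hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 200_000)
    return hmac.compare_digest(candidate, _PASSWORD_HASH)


def code_ok(code: str, unix_time: int, window: int = 1) -> bool:
    """Factor 2: accept the current code or one step either side (clock drift)."""
    if not (len(code) == 6 and code.isascii() and code.isdigit()):
        return False
    for drift in range(-window, window + 1):
        expected = totp(_TOTP_SECRET_B32, unix_time + drift * _STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


def sign_in(password: str, code: str, unix_time: Optional[int] = None) -> bool:
    """Both factors must pass; a leaked password on its own gets nobody in."""
    if unix_time is None:
        unix_time = int(time.time())
    pw = password_ok(password)      # evaluate both factors so a failure
    mfa = code_ok(code, unix_time)  # does not reveal which one was wrong
    return pw and mfa


if __name__ == "__main__":
    now = 59  # fixed time so the codes match the RFC vectors
    good_code = totp(_TOTP_SECRET_B32, now)
    print("right password, right code:", sign_in("correct horse battery", good_code, now))
    print("right password, wrong code:", sign_in("correct horse battery", "000000", now))
    print("wrong password, right code:", sign_in("not the password", good_code, now))
```

The point of the last two lines is the one the paragraph makes: a stolen password alone fails, and so does a guessed code alone. The one-step tolerance in `code_ok` is what lets a phone whose clock is a few seconds off still sign in; widening it much beyond that weakens the factor.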

VPN in plain language

A virtual private network creates an encrypted tunnel between a remote computer and a trusted network. Anyone on the same Wi-Fi as the remote computer sees only encrypted traffic, not the data flowing inside the tunnel.

FTC Safeguards Rule essentials

Section 314.4 of the rule lists the elements every covered firm's information security program must include. Below are the ones that matter most for a typical tax practice.

§314.4(a)

Designate a Qualified Individual

One named person is responsible for your security program. They do not need to be a security professional. A managing partner, an office manager, or an outside MSP can be the Qualified Individual, as long as the role is named in writing.

§314.4(b)

Conduct a written risk assessment

A documented review of where client data lives, who can reach it, and what could go wrong. The assessment is the foundation that every safeguard you choose has to map back to.

§314.4(c)

Implement risk-based safeguards

Specific controls the rule names: access controls, an inventory of customer information, encryption of customer data at rest and in transit, secure development practices for any apps you build, multi-factor authentication for anyone accessing customer information, secure disposal, change management, and monitoring of authorized user activity.

§314.4(d)

Test and monitor effectiveness

Either continuous monitoring or, at minimum, annual penetration testing plus vulnerability assessments at least every six months. Document the results.

§314.4(e)

Train your staff

Security awareness training for everyone who touches client data. Specialized training for anyone with elevated access. Refresh as threats evolve, at least once a year.

§314.4(f)

Oversee your service providers

Use providers capable of maintaining appropriate safeguards, require those safeguards by contract, and periodically assess them. Your hosting provider, your tax software vendor, and your bookkeeping integrations are all in scope.

§314.4(h)

Have a written incident response plan

A document that names who decides what during a security incident, what gets communicated to whom, what evidence gets preserved, and how you recover. The plan lives inside your broader written security plan; the response is whatever you do when an incident happens.


What's not covered here

This guide focuses on the §314.4 elements that apply to a typical tax practice. The full rule includes additional requirements at §314.4(g) (program adjustment) and §314.4(i) (annual board reporting) that may apply to your firm. Read the full rule before relying on this summary.

A practical baseline for small firms

Not perfect security. Just the floor a firm of under 25 staff should clear before tax season. If every item below is in place and documented, you can credibly defend your program against an FTC or IRS review.

  1. Multi-factor authentication on every account that touches client data: email, hosting, tax software, password manager, accounting platforms.
  2. Full-disk encryption on every laptop and the file server. Mobile devices encrypted by default.
  3. Endpoint protection on every device. Centrally managed if at all possible.
  4. Daily backups, with at least one copy that ransomware on your machines cannot reach. Restore tested at least quarterly.
  5. A written security plan (WISP) that fits your firm size. Reviewed by the Qualified Individual at least once a year.
  6. An access list. Who has access to what, reviewed on hire, role change, and termination.
  7. A short staff training session on phishing and password practices, at least once a year. Documented.
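Item 6, the access list, is the one on this baseline that most often exists only on paper. The script below shows what a periodic review of it actually does: reconcile the HR roster against the accounts that exist in each system holding client data, and flag accounts of departed staff, accounts nobody on the roster owns, privilege beyond the person's role, and accounts without MFA. This is an added illustration, not code from this guide or from Verito; the roster, account inventory, system names and role matrix are constructed sample data standing in for exports from HR, the identity provider and each vendor.

```python
"""Periodic access review for a small firm: reconcile the HR roster with
the accounts that exist in every system holding client data, and flag
what should not be there.

Added illustration; not code from this guide or from Verito. The roster,
account inventory, system names and role matrix are constructed sample
data standing in for exports from HR, the identity provider and each vendor.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Person:
    email: str
    role: str                 # "admin", "preparer", "reviewer"
    end_date: Optional[date]  # set when the person leaves the firm


@dataclass(frozen=True)
class Account:
    system: str
    email: str
    privilege: str    # "user" or "admin"
    mfa_enabled: bool


@dataclass(frozen=True)
class Finding:
    kind: str
    system: str
    email: str
    detail: str


# Which systems each role needs, and at what privilege (constructed matrix).
ROLE_MATRIX: Dict[str, Dict[str, str]] = {
    "preparer": {"email": "user", "tax_software": "user", "file_share": "user"},
    "reviewer": {"email": "user", "tax_software": "user", "file_share": "user", "accounting": "user"},
    "admin":    {"email": "admin", "tax_software": "admin", "file_share": "admin",
                 "accounting": "admin", "hosting": "admin"},
}

# Constructed sample exports.
ROSTER = [
    Person("ana@firm.example", "admin", None),
    Person("ben@firm.example", "preparer", None),
    Person("cara@firm.example", "reviewer", None),
    Person("dev@firm.example", "preparer", date(2024, 4, 30)),  # seasonal hire, left after the season
]
ACCOUNTS = [
    Account("email", "ana@firm.example", "admin", True),
    Account("hosting", "ana@firm.example", "admin", True),
    Account("email", "ben@firm.example", "user", True),
    Account("tax_software", "ben@firm.example", "user", False),   # MFA never turned on
    Account("file_share", "ben@firm.example", "admin", True),     # admin where the role says user
    Account("email", "cara@firm.example", "user", True),
    Account("accounting", "cara@firm.example", "user", True),
    Account("tax_software", "dev@firm.example", "user", True),    # still active after departure
    Account("file_share", "temp-bookkeeper@vendor.example", "user", True),  # nobody on the roster owns it
]


def review_access(roster: List[Person], accounts: List[Account], as_of: date) -> List[Finding]:
    """Compare every account against the roster and the role matrix."""
    people = {p.email: p for p in roster}
    findings: List[Finding] = []
    for acct in accounts:
        person = people.get(acct.email)
        if person is None:
            findings.append(Finding("orphan", acct.system, acct.email, "no matching person on the roster"))
            continue
        if person.end_date is not None and person.end_date <= as_of:
            findings.append(Finding("terminated", acct.system, acct.email,
                                    f"left on {person.end_date.isoformat()}; account still active"))
            continue  # disable first; the remaining checks are moot
        allowed = ROLE_MATRIX.get(person.role, {})
        if acct.system not in allowed:
            findings.append(Finding("excess_system", acct.system, acct.email,
                                    f"role {person.role} does not need this system"))
        elif acct.privilege == "admin" and allowed[acct.system] != "admin":
            findings.append(Finding("excess_privilege", acct.system, acct.email,
                                    f"role {person.role} should be {allowed[acct.system]}"))
        if not acct.mfa_enabled:
            findings.append(Finding("no_mfa", acct.system, acct.email, "MFA not enforced"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by kind; a clean review shows an empty dict."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def run_review(as_of_iso: str = "2024-06-01") -> Dict[str, int]:
    """Run the review over the constructed sample data as of a given date."""
    return summarize(review_access(ROSTER, ACCOUNTS, date.fromisoformat(as_of_iso)))


if __name__ == "__main__":
    for f in review_access(ROSTER, ACCOUNTS, date(2024, 6, 1)):
        print(f"{f.kind:17} {f.system:13} {f.email:36} {f.detail}")
    print(run_review())
```

Run quarterly and on every hire, role change and termination, the printed findings are the review record the WISP asks for; the date it was run and the zero-findings (or remediated-findings) result are what an examiner will want to see.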

How security responsibilities split

Security for a tax firm spans three places: the cloud where your software runs, the endpoints your team uses to reach it, and the firm itself. Most controls map cleanly to one of the three. Knowing which is which makes it obvious where to focus and what to outsource.

Cloud (your hosted environment)

  • Server-side encryption at rest
  • Datacenter physical security
  • Network firewall in front of hosted systems
  • Backup infrastructure (storage layer)
  • Patching of hosted operating systems
  • MFA on the hosted environment login

Endpoints (laptops, identities, network)

  • Laptop drive encryption
  • Endpoint protection (advanced antivirus)
  • Identity MFA enforcement
  • Email filtering and security
  • Mobile device management
  • Patching for endpoint OS and apps
  • Phishing simulation and training

Your firm (always your responsibility)

  • Acceptable use policy
  • WISP / written security plan
  • Staff training participation
  • Vendor reviews (per §314.4(f))
  • Tax-season access changes
  • Reporting incidents you observe

Where Verito fits: VeritSpace covers most of column one (encrypted hosting, network firewall, server backups, patching of the hosted environment). VeritGuard covers most of column two (laptops, identities, email, training, mobile devices). Column three is always yours to own; we help you write the policies, but the firm signs and follows them.

Frequently asked questions

Do small firms really need a written information security plan?

Yes. The IRS expects every paid preparer to have a written plan; Pub 4557 frames it as a baseline, not a 'large firm only' requirement. The FTC Safeguards Rule has scaled requirements but never zero. A short, plain-language WISP that fits your actual practice is far better than no plan, and it is what an examiner will ask for.

What's the difference between the FTC Safeguards Rule and IRS Pub 4557?

The FTC rule is law; Pub 4557 is the IRS's how-to guide for the same area. They overlap heavily. A single security plan can satisfy both, and most small-firm WISP templates are written that way on purpose.

Does using a SOC 2 certified host make us compliant on its own?

No. A certified host helps you meet the cloud-side controls (column one in the responsibilities split). You still own column three entirely and most of column two. Endpoints, identities, training, and vendor oversight are on you regardless of who hosts your software. A good host reduces scope; it does not eliminate it.

What does Verito actually cover here, and what stays with us?

VeritSpace covers the cloud side: encryption at rest, datacenter security, server backups, network firewalling, hosted-OS patching, and MFA on the hosted environment. VeritGuard covers the endpoint side: laptop encryption, advanced antivirus, identity MFA, email filtering, mobile device management, phishing training. You always own policies, training participation, vendor reviews, access changes, and incident reporting. VeritComplete bundles both layers under one contract.

How often should we review our security plan?

At least once a year, plus any time something material changes: a new system added, a vendor swapped, a staffing change in the Qualified Individual role, or a near-miss incident. Document the review date in the plan itself; that is what an examiner will look for first.
