Get 80% off your plan for your first 3 months*
Guide

Cybersecurity for accountants and bookkeepers: how to protect your practice

Protect your practice from cyber threats with actionable security strategies built for accounting professionals.

3 partners discuss cybersecurity best practices at a desk

Written by Ebony-Storm Halladay — Freelance accounting copywriter, 10 years. Read Ebony's full bio

Published Thursday 11 June 2026

Table of contents

Key takeaways

  • The average data breach now costs $4.44 million globally, and accounting practices are prime targets because of the sensitive financial data they hold. AI-powered threats like deepfake scams and sophisticated phishing are raising the stakes.
  • US accounting and bookkeeping practices must comply with the FTC Safeguards Rule, the Gramm-Leach-Bliley Act, and IRS Publication 4557, which all require a Written Information Security Plan (WISP) and ongoing risk assessments.
  • A layered security approach, including multi-factor authentication, access controls, encryption, employee training, and vendor risk management, is essential for protecting client data and your reputation.
  • Building a formal cybersecurity plan isn't optional. Start with a risk assessment, develop your WISP, implement controls, and commit to regular audits to stay ahead of evolving threats.

Understanding cybersecurity risks for accounting practices

Accounting and bookkeeping practices handle some of the most sensitive data in any industry: tax returns, Social Security numbers, bank account details, and confidential financial records. That makes your practice a high-value target for cybercriminals. The global average cost of a data breach reached $4.44 million in 2025, and threats are growing more sophisticated every year.

Understanding the specific risks your practice faces is the first step toward building stronger defenses. Here are the most common threats targeting accounting professionals today.

  • Phishing: Cybercriminals send messages that appear to come from a trusted source, such as a client, the IRS, or a software vendor. These emails, texts, or calls aim to trick you into clicking a malicious link, downloading malware, or sharing sensitive credentials. Tax season brings a sharp increase in phishing attempts targeting practitioners.
  • AI-powered threats: Attackers are now using artificial intelligence to craft highly convincing phishing emails, generate deepfake audio or video impersonating clients or colleagues, and create synthetic identities for fraud. These AI-generated attacks are harder to detect because they lack the spelling errors and awkward phrasing that once made phishing obvious.
  • Business Email Compromise (BEC): In a BEC attack, a cybercriminal gains access to or impersonates a legitimate business email account to redirect payments, request wire transfers, or extract sensitive data. BEC attacks specifically target firms that handle financial transactions and are among the costliest forms of cybercrime.
  • Ransomware: Attackers encrypt your files and systems, making them inaccessible until you pay a ransom. During a ransomware attack, your entire practice can grind to a halt, leaving you unable to access client records, file returns, or meet deadlines.
  • Malware: This broad category includes viruses, spyware, trojans, and other malicious software designed to access, damage, or steal your data. Malware can enter your systems through email attachments, compromised websites, or infected USB drives.
  • Data breaches: Information is stolen or accessed without authorization. Breaches can result from external attacks, but they also happen through employee mistakes, misconfigured systems, or lost devices. Even a single exposed record can trigger regulatory consequences.
  • Vendor and third-party risks: Your practice likely relies on multiple software platforms, cloud services, and technology vendors. A security vulnerability in any of these third-party systems can expose your data, even if your own defenses are strong.

Why cybersecurity matters for your practice

Strong cybersecurity isn't just a technical concern; it's a business imperative. The consequences of a breach extend well beyond the immediate cost of remediation, touching every part of your practice from client relationships to regulatory standing.

Trust and reputation. Your clients share their most sensitive financial information with you. A data breach can permanently damage the trust you've spent years building. In a competitive market, the perception that your practice takes security seriously can be a meaningful differentiator when winning new clients.

Regulatory compliance. US accounting and bookkeeping practices are classified as financial institutions under the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule. These regulations require you to develop and maintain a Written Information Security Plan (WISP), designate a qualified individual to oversee your security program, and conduct regular risk assessments. IRS Publication 4557 reinforces these requirements specifically for tax professionals, mandating a WISP and full implementation of the Security Six controls regardless of firm size.

Breach notification requirements. Under the FTC's updated Safeguards Rule, which took effect in May 2024, financial institutions must notify the FTC within 30 days of discovering a breach involving the unencrypted information of 500 or more consumers. Depending on your state, additional notification requirements may apply. These timelines create real urgency around having a tested incident response plan.

Business continuity. A major cyber attack can shut down your operations for days or weeks. During tax season or other peak periods, even a brief disruption can mean missed deadlines, lost revenue, and frustrated clients. Strong cybersecurity practices help keep your operations running smoothly.

Legal liability. Depending on the nature and severity of a breach, your practice could face lawsuits, regulatory fines, or professional liability claims. Having documented security policies and procedures in place demonstrates due diligence and can reduce your exposure.

Cybersecurity best practices for accountants and bookkeepers

Protecting your practice requires a layered approach. No single tool or policy can cover every threat, but combining these best practices creates a strong security posture that evolves with the risk landscape.

Password management and multi-factor authentication

Use a password manager to generate and store strong, unique passwords for every platform and device. Reusing passwords across accounts is one of the most common vulnerabilities in any practice. Set a schedule to rotate credentials regularly, and never share passwords through email or messaging apps.

Multi-factor authentication (MFA) should be enabled on every system that supports it, especially those containing client data. IRS Publication 4557 and the updated Publication 5708 make clear that MFA is required for all users accessing systems with customer information, whether they're in the office or working remotely. Even if an attacker obtains a password, MFA adds a critical second barrier.

Access management

Apply the principle of least privilege across your practice: give each team member access only to the data and systems they need to do their job. Role-based access controls reduce the number of people who can reach sensitive information, which limits the potential impact of a compromised account.

Review access permissions regularly, especially when team members change roles or leave the practice. With Xero, you can customize user roles and permissions for every person with access, keeping tight control over who sees what.

Secure client communication

Email remains a primary attack vector for accounting practices. Whenever possible, use secure client portals or encrypted file-sharing platforms to exchange sensitive documents rather than standard email. If you must send sensitive information by email, use end-to-end encryption.

Establish clear communication protocols with your clients. Let them know how your practice will and won't contact them, so they can recognize suspicious messages. This is especially important during tax season when phishing attempts spike.

Data encryption

Encrypt sensitive data both at rest and in transit. Encryption at rest protects files stored on your servers, devices, and cloud platforms. Encryption in transit protects data as it moves between systems, for example when you send files to a client or sync data with your accounting software.

Full-disk encryption on all practice laptops and devices is a baseline requirement. If a device is lost or stolen, encryption ensures the data on it remains unreadable without the proper credentials.

Software updates and firewalls

Software developers regularly release updates that patch security vulnerabilities. Delaying these updates leaves your systems exposed to known threats. Enable automatic updates where possible, and establish a process for applying patches promptly on systems that require manual intervention.

If your practice has an internal network, configure a firewall to monitor incoming and outgoing traffic and block suspicious activity. Pair your firewall with anti-virus and anti-malware software, and keep those tools updated as well.

Vendor risk management

Every third-party tool and service your practice uses introduces potential risk. Before onboarding a new vendor, evaluate their security practices, data handling policies, and compliance certifications. Look for vendors that undergo independent security audits and can demonstrate SOC 2 compliance or equivalent standards.

Maintain an inventory of all vendors with access to your data, and review their security posture periodically. If a vendor experiences a breach, you need to know quickly and understand what data may be affected.

Employee training

Your team is both your first line of defense and your biggest potential vulnerability. Regular cybersecurity training should cover recognizing phishing attempts, safe browsing habits, proper data handling, and incident reporting procedures. Don't limit training to an annual session; deliver targeted updates when new threats emerge.

Run simulated phishing exercises to test your team's awareness and identify areas for improvement. The Cybersecurity and Infrastructure Security Agency (CISA) offers free cybersecurity training resources that can supplement your internal program.

Using secure software

The platforms you use to run your practice directly affect your security posture. Choose software with built-in security features like encryption, MFA, user permissions, and audit logging. Cloud-based platforms that maintain their own security infrastructure can reduce the burden on your practice compared to managing on-premises servers.

Xero uses encryption to protect data, provides granular user management and permissions, and supports multi-factor authentication to help keep your practice and client information safe. You can learn more about how your data is protected on the Xero security page.

How to create a cybersecurity plan for your practice

A cybersecurity plan gives your practice a structured framework for preventing, detecting, and responding to threats. Whether you're formalizing existing practices or starting from scratch, these steps will help you build a plan that meets regulatory requirements and protects your clients.

1. Identify assets and risks

Start by cataloging the data and systems your practice relies on: client records, tax returns, financial statements, payroll data, proprietary software, and hardware. For each asset, identify the threats it faces and the potential impact of a compromise.

Conduct a formal risk assessment to evaluate vulnerabilities in your current setup. This includes reviewing software versions, password practices, network configurations, and physical security. The FTC Safeguards Rule requires periodic risk assessments, so document your findings and the steps you take to address them.

2. Develop your WISP

A Written Information Security Plan (WISP) is a regulatory requirement under both the FTC Safeguards Rule and IRS Publication 4557. Your WISP should document your data protection policies, procedures, and safeguards in detail. It needs to designate a qualified individual responsible for overseeing your security program.

Include sections covering data classification, access controls, encryption standards, incident response procedures, breach notification protocols, and employee training requirements. The IRS provides guidance through Publication 4557 to help tax professionals build a compliant WISP, regardless of firm size.

3. Implement access controls

Set up role-based access controls so that sensitive data can only be reached by authorized personnel who need it for their work. Enforce strong, unique passwords and require MFA on all accounts that access client information.

Review and update access permissions whenever team members join, change roles, or leave your practice. Promptly revoke access for departing employees to eliminate a common and preventable risk.

4. Secure your network and physical environment

Deploy firewalls, intrusion detection systems, and encryption protocols to protect your network infrastructure. Segment your network to isolate sensitive data from less critical systems. Keep all software patched and up to date.

Don't overlook physical security. Secure servers, workstations, and storage devices with locks or restricted access. If your team works remotely, require the use of VPNs and encrypted connections, and prohibit the use of public wi-fi for accessing practice systems.

5. Establish backup and recovery

Set up automated, regular backups of all critical data and systems. Store backups in a separate, secure location, whether that's an offsite facility or a cloud-based service, so they're protected from the same threats that could affect your primary systems.

Test your recovery process periodically to confirm you can restore data and resume operations within an acceptable timeframe. Under the Gramm-Leach-Bliley Act, financial institutions are required to maintain data integrity, making reliable backups a compliance requirement as well as a business continuity measure.

6. Train your team

Build cybersecurity training into your practice's regular schedule. Cover the threats most relevant to accounting professionals, including phishing, BEC, ransomware, and social engineering. Make sure every team member knows how to report a suspected incident.

Go beyond awareness by running practical exercises like simulated phishing tests. Document all training activities as part of your WISP, since both the FTC Safeguards Rule and IRS Publication 4557 expect ongoing security education for staff.

7. Perform regular audits and stay informed

Schedule annual cybersecurity audits at a minimum, and consider more frequent reviews given how quickly threats evolve. The FTC Safeguards Rule requires periodic risk assessments, so build this into your compliance calendar.

Bring in a third-party expert for independent assessments and penetration testing. Stay current with emerging threats by following resources from CISA, the IRS, and industry groups. Regularly update your WISP, policies, and procedures to reflect new risks and changes in your technology environment.

Strengthen your practice's security with Xero

Building a secure, modern practice takes the right combination of policies, training, and technology. Choosing platforms that prioritize security helps reduce risk while giving you the tools to serve clients confidently.

Xero provides built-in security features including data encryption, multi-factor authentication, and granular user permissions, so you can focus on growing your practice and advising clients. Join the partner program to access free practice-use software, dedicated support, and tools designed to help accounting and bookkeeping professionals build stronger practices.

FAQs on cybersecurity for accountants and bookkeepers

Here are some frequently asked questions about cybersecurity requirements and best practices for accounting and bookkeeping professionals.

Do I need to comply with the FTC Safeguards Rule?

Yes. The Gramm-Leach-Bliley Act defines "financial institutions" broadly enough to include accounting and bookkeeping practices. The FTC Safeguards Rule requires you to maintain a WISP, designate a qualified individual to manage your security program, and conduct regular risk assessments. As of May 2024, you must also notify the FTC within 30 days if a breach affects the unencrypted information of 500 or more consumers.

What is IRS Publication 4557 and how does it relate to the FTC Safeguards Rule?

IRS Publication 4557 is the IRS's security guidance specifically for tax professionals. It requires all tax preparers to create and maintain a WISP and implement the Security Six controls, regardless of firm size. Publication 4557 complements the FTC Safeguards Rule; both frameworks require a WISP, but Publication 4557 adds IRS-specific expectations around protecting taxpayer data and reporting data theft to the appropriate IRS stakeholder liaison.

How can I tell if an email or message is a phishing attempt?

Watch for urgent requests for sensitive information, slight misspellings in email addresses or domains, generic greetings instead of personalized messages, and unexpected attachments or links. AI-generated phishing is making these emails harder to spot, so verify any unusual request through a separate, trusted communication channel before acting on it. As a general rule, the IRS will not initiate contact via email.

How are AI-powered threats changing cybersecurity for accountants?

AI is enabling attackers to produce highly convincing phishing emails, generate deepfake audio and video that impersonates clients or colleagues, and create synthetic identities for fraud. These attacks are more personalized and harder to detect than traditional threats. Defending against them requires stronger verification procedures, ongoing team training focused on AI-specific scenarios, and layered security controls that don't rely solely on human judgment.

Do smaller accounting firms need cybersecurity plans too?

Yes, there's no minimum size threshold. IRS Publication 4557 applies to all tax preparers, including solo practitioners. The FTC Safeguards Rule similarly applies regardless of firm size. Smaller firms are often targeted precisely because attackers assume they have weaker defenses. A scaled-down cybersecurity plan that covers the fundamentals, including a WISP, MFA, access controls, and employee training, is both a legal requirement and a practical necessity.

Disclaimer

Xero does not provide accounting, tax, business or legal advice. This guide has been provided for information purposes only. You should consult your own professional advisors for advice directly relating to your business or before taking action in relation to any of the content provided.

Get one month free

Sign up to any Xero plan, and we will give you the first month free.