Security for Texas CPA Firms  •  IRS WISP • FTC Safeguards • AICPA SOC 2 • SDVOSB

Texas CPA firms are now financial institutions under the FTC Safeguards Rule. Treat your firm like one.

The FTC Safeguards Rule expanded in June 2023 — tax preparers and accounting firms now face the same data security obligations as banks. Every PTIN holder must maintain a Written Information Security Plan. Most Texas firms don't have one that would survive an IRS audit. 2024–2025 saw a targeted ransomware wave against accounting firms during tax season.

Get your free $2,500 assessment →
FTC Safeguards deadline tracker ↗
IRS WISP Enforcement Is Active. IRS Publication 5708 requires every tax preparer with a PTIN to maintain a Written Information Security Plan. The IRS has identified WISP non-compliance as a top audit trigger for tax professionals. A template WISP downloaded from the internet will not survive a Safeguards Rule examination. CoreRecon delivers a firm-specific WISP with the operational security program behind it.
Threat Reality — CPA Firms & Tax Practices

Attackers schedule hits around your filing deadlines.

Ransomware groups maintain accounting sector targeting playbooks. They know your March 15 corporate and April 15 individual deadlines. They know you can't delay a client's filing while recovering from an attack. LockBit, BlackCat, and Play ransomware groups all publicly listed confirmed accounting firm victims in 2024–2025. Texas CPA firms are in the crosshairs — and most have no 24/7 monitoring.

Tax-Season Ransomware Targeting
The Filing Deadline Attack Pattern
Ransomware affiliates specifically time accounting firm attacks to coincide with March and October filing deadlines — the operational pressure of delivering returns under deadline makes firms more likely to pay immediately. The average ransom demand for accounting sector victims was $847,000 in 2024–2025. Daixin Team published data from a Texas regional accounting firm in Q1 2025. Average dwell time before detonation: 11 days.
Client PII & SSN Exfiltration
Double Extortion on Your Client Data
Modern ransomware groups exfiltrate before encrypting. An accounting firm's data is a uniquely high-value target: client SSNs, W-2s, Schedule K-1s, bank account numbers, business financial statements, and payroll records. Data published from one mid-size CPA firm typically includes PII for hundreds of businesses and thousands of individuals. The FTC Safeguards Rule mandates breach notification to affected clients and the FTC within 30 days.
Wire Fraud & BEC via Trust Accounts
Business Email Compromise Targeting Client Funds
Business Email Compromise attacks against CPA firms exploit the trusted role accountants play in client financial decisions. Attackers compromise firm email accounts and intercept wire instructions — particularly around M&A transactions, real estate closings, and payroll runs that accounting firms manage. The FBI IC3 reported over $2.9B in BEC losses in 2023 with professional services firms — including accounting — as the fastest-growing target sector.
Accounting Firm Compliance Landscape

Four mandates. One team to manage them all.

Texas CPA firms now operate under more data security mandates than most healthcare organizations — and with smaller IT staff. Here's every regulation in scope and how CoreRecon covers it.

Framework: IRS Pub 5708 — WISP
  Who's in scope: Every tax preparer with a PTIN; sole practitioners, CPA firms, enrolled agents
  Key requirements: Written WISP documenting data protection; named security coordinator; annual risk assessment; employee training; incident response procedure
  Penalty / consequence: IRS penalties; PTIN suspension or revocation; audit trigger
  CoreRecon coverage (Sentinel): Firm-specific WISP authoring, security coordinator designation support, annual risk assessment

Framework: FTC Safeguards Rule (16 CFR §314)
  Who's in scope: Tax preparers, CPA firms, and any financial institution (expanded June 2023)
  Key requirements: Qualified Individual designation; written risk assessment; MFA on all customer financial data systems; encryption at rest/in transit; written incident response plan; annual board reporting
  Penalty / consequence: FTC enforcement up to $50,120/violation; civil suits; mandatory corrective action
  CoreRecon coverage (Fortress): Full Safeguards Rule program — QI documentation, MFA deployment, encryption posture, IRP authoring, board reporting template

Framework: AICPA SOC 2 Trust Services
  Who's in scope: CPA firms with enterprise/institutional clients requiring vendor security assurance
  Key requirements: Security, Availability, and Confidentiality Trust Services Criteria; continuous monitoring; access controls; change management; vendor oversight
  Penalty / consequence: Loss of enterprise client engagements; contract termination; inability to bid on institutional audits
  CoreRecon coverage (Command): SOC 2 readiness program — continuous monitoring evidence, access control documentation, audit-ready evidence packages

Framework: Texas TSBPA Rule 501.74 + TX BC §521.053
  Who's in scope: All Texas-licensed CPAs and CPA firms
  Key requirements: Reasonable client data safeguards; prompt breach notification (60 days); license-level accountability for gross negligence in data protection
  Penalty / consequence: TSBPA disciplinary action; license suspension; breach notification to thousands of affected clients; state AG enforcement
  CoreRecon coverage (Fortress): Breach detection with 60-day notification workflow, client PII access monitoring, TSBPA incident documentation
See all Texas compliance deadlines including FTC Safeguards & IRS WISP →
Confirmed Accounting Sector Incidents

What actually happened. What would have stopped it.

Publicly disclosed accounting and tax firm breaches from 2024–2025. Attack vectors, client impact, and the specific detection capability that would have intervened before the damage.

Texas Regional CPA Firm — Q1 2025
Tax-Season Ransomware — Daixin Team
Attack Vector
Phishing email targeting a tax staff member with a fake IRS e-services notification. Credentials harvested via lookalike domain. Attacker accessed tax software with stored client data and established persistence using a legitimate remote access tool.
Impact
Client tax returns, SSNs, W-2s, and business financials for 340+ clients exfiltrated. Ransomware deployed February 28 — three weeks before corporate filing deadline. Firm paid partial ransom; Daixin still published a sample data set. FTC Safeguards breach notification required.
What would have changed it: Email threat detection and anomalous credential use alerting. The IRS lookalike domain was registered 4 days before the attack — threat intel would have flagged it. This is Sentinel-tier coverage.
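The two signals named above, a sender domain that imitates a trusted one and a domain registered days before the lure, can both be checked before a message reaches a tax staff member. The following is an added example written for this page, not CoreRecon's tooling: the protected-domain list, the brand tokens, the 30-day "newly registered" threshold, the hyphenated naming pattern and the registration dates are assumptions, and the messages are constructed. In production the domain age would come from a WHOIS/RDAP or threat-intel feed; here it is passed in with the message.

```python
"""Lookalike-domain and domain-age screening for inbound mail (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Domains staff legitimately receive mail from. Anything that merely
# resembles one of these is treated as a lookalike (assumed list).
PROTECTED_DOMAINS = {"irs.gov", "eftps.gov", "ssa.gov"}

# Tokens phishers build lookalikes from, mapped to the brand they imitate.
# "eservices" is included because the lure in the case study was a fake
# IRS e-Services notice (assumption about the naming pattern).
BRAND_TOKENS = {"irs": "irs.gov", "eservices": "irs.gov",
                "eftps": "eftps.gov", "ssa": "ssa.gov"}

NEW_DOMAIN_DAYS = 30   # assumption: registered within 30 days counts as "new"


@dataclass
class Message:
    sender: str                        # full From: address
    subject: str
    registered_on: Optional[date]      # sender domain's registration date, if known


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character swaps such as 1rs -> irs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete
                           cur[j - 1] + 1,              # insert
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower().rstrip(".")


def lookalike_of(domain: str) -> Optional[str]:
    """Return the protected domain this sender domain imitates, or None."""
    for good in PROTECTED_DOMAINS:
        if domain == good or domain.endswith("." + good):
            return None                  # the real domain or a subdomain of it
    labels = domain.split(".")
    if len(labels) < 2:
        return None
    registrable = labels[-2]             # assumption: single-label TLDs only
    # Lookalikes glue brand words together with hyphens: irs-eservices-gov.com
    for part in registrable.split("-"):
        for token, brand in BRAND_TOKENS.items():
            if edit_distance(part, token) <= 1:
                return brand
    return None


def triage(msg: Message, today: date) -> list:
    """Reasons to hold this message for review; an empty list means no finding."""
    reasons = []
    domain = sender_domain(msg.sender)
    target = lookalike_of(domain)
    if target:
        reasons.append(f"sender domain {domain} imitates {target}")
    if msg.registered_on is not None:
        age = (today - msg.registered_on).days
        if age <= NEW_DOMAIN_DAYS:
            reasons.append(f"sender domain registered {age} days ago")
    return reasons


def screen(messages, today: date) -> dict:
    """Map each flagged sender address to its list of reasons."""
    return {m.sender: r for m in messages if (r := triage(m, today))}


# Constructed sample mailbox; TODAY is the day the lure arrived.
TODAY = date(2025, 2, 24)
SAMPLE = [
    Message("noreply@irs-eservices-gov.com", "Action required: e-Services access",
            date(2025, 2, 20)),                                                 # lookalike, 4 days old
    Message("alerts@1rs-gov.com", "Your PTIN renewal", date(2025, 1, 30)),      # digit swap, 25 days old
    Message("noreply@irs.gov", "e-Services maintenance notice", None),          # the real domain
    Message("partner@client-firm-cpa.com", "Q1 estimates", date(2015, 6, 1)),   # ordinary client
]

if __name__ == "__main__":
    for sender, reasons in screen(SAMPLE, TODAY).items():
        print(sender, "->", "; ".join(reasons))
```

A hit on either check is enough to hold the message for a second look; a hit on both, as with the constructed e-Services lure, is the pattern the case study describes and is worth an immediate alert rather than a queue entry.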
Mid-Size Accounting Group — Q3 2024
BEC via Compromised Partner Email
Attack Vector
Partner's Microsoft 365 account compromised through credential stuffing — password reused from a prior data breach. Attacker monitored email for 6 weeks, then inserted fraudulent wire instructions into an active M&A transaction advisory thread.
Impact
$1.1M wire transfer to attacker-controlled account. Client sued the firm for negligence — case settled for undisclosed amount. Texas State Bar notified; malpractice carrier increased premiums 140%. The firm had no MFA on email and no anomalous login detection.
What would have changed it: MFA enforcement on all accounts plus anomalous login detection. The attacker logged in from a foreign IP at 2am — that's an automatic alert. This is Fortress-tier coverage.
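"Foreign IP at 2am" is an automatic alert only if something has first learned what normal looks like for that account. The following added example, written for this page and not CoreRecon's detection content, builds a per-user baseline of countries from successful sign-ins and then scores later logins against it, treating off-hours, a missing MFA claim and a preceding burst of failures (the credential-stuffing pattern above) as aggravating factors. The event format, the 06:00–21:00 business window, the three-login baseline and the 60-minute failure window are assumptions, and every log line is constructed.

```python
"""Baseline-and-deviation detection over Microsoft 365-style sign-in events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

BUSINESS_HOURS = (time(6, 0), time(21, 0))   # assumption: firm's local working window
BASELINE_MIN = 3                             # trusted logins before a user has a baseline
FAIL_WINDOW = timedelta(minutes=60)          # failures inside this window count as a burst

# Constructed events: "<local timestamp> <user> <country> <result> mfa=<yes|no>"
EVENTS = [
    # partner's normal pattern: US, daytime, no MFA (the firm in the case study had none)
    "2024-07-01T08:12:00 partner@firm.example US success mfa=no",
    "2024-07-02T07:55:00 partner@firm.example US success mfa=no",
    "2024-07-03T09:03:00 partner@firm.example US success mfa=no",
    "2024-07-05T08:40:00 partner@firm.example US success mfa=no",
    # staff member working late from a known location: noisy, not an alert by itself
    "2024-07-08T22:30:00 staff@firm.example US success mfa=yes",
    # credential-stuffing burst followed by a 2am foreign login on the partner account
    "2024-08-10T01:58:00 partner@firm.example RU failure mfa=no",
    "2024-08-10T02:01:00 partner@firm.example RU failure mfa=no",
    "2024-08-10T02:04:00 partner@firm.example RU failure mfa=no",
    "2024-08-10T02:07:00 partner@firm.example RU success mfa=no",
]


def parse(line: str) -> dict:
    ts, user, country, result, mfa = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "country": country,
            "ok": result == "success", "mfa": mfa == "mfa=yes"}


def off_hours(ts: datetime) -> bool:
    return not (BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1])


def detect(lines) -> list:
    """Return one alert per anomalous successful login, oldest first."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    countries = defaultdict(set)   # user -> countries seen in trusted logins
    trusted = defaultdict(int)     # user -> count of trusted logins
    failures = defaultdict(deque)  # user -> timestamps of recent failed attempts
    alerts = []
    for e in events:
        u = e["user"]
        if not e["ok"]:
            failures[u].append(e["ts"])
            continue
        while failures[u] and e["ts"] - failures[u][0] > FAIL_WINDOW:
            failures[u].popleft()
        reasons = []
        # Primary signal: a country this user has never succeeded from before.
        if trusted[u] >= BASELINE_MIN and e["country"] not in countries[u]:
            reasons.append(f"first login from {e['country']}")
            # Aggravating factors only count once the login is already anomalous;
            # on their own they would page the SOC for every late-working accountant.
            if off_hours(e["ts"]):
                reasons.append(f"off-hours {e['ts'].strftime('%H:%M')}")
            if not e["mfa"]:
                reasons.append("no MFA")
            if failures[u]:
                reasons.append(f"{len(failures[u])} failed attempts in prior 60 min")
            severity = ("medium", "high", "critical", "critical")[len(reasons) - 1]
            alerts.append({"user": u, "ts": e["ts"], "severity": severity, "reasons": reasons})
        else:
            # Only logins that raised nothing feed the baseline, so an attacker's
            # country is not quietly learned as "normal".
            countries[u].add(e["country"])
            trusted[u] += 1
        failures[u].clear()
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a["ts"], a["user"], a["severity"], "|", "; ".join(a["reasons"]))
```

Run against the constructed events, the four daytime US logins establish the partner's baseline, the late-night staff login is ignored because it comes from a known country, and the 02:07 RU login is raised as critical with all four reasons attached. With MFA enforced, the same stuffed password would have produced only the failure burst, which is itself worth a ticket.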
National Tax Prep Chain — 2024
Supply Chain — Tax Software Vendor Breach
Attack Vector
Third-party cloud-based tax preparation software vendor breached via API vulnerability. Attacker extracted stored client tax data across all firm accounts on the platform. Disclosed 14 weeks after initial breach — well outside any reasonable IRS WISP incident response timeline.
Impact
2.4 million client tax records compromised across hundreds of CPA firms. Individual firms received vendor notification 3 months after breach. FTC Safeguards Rule required firms to notify their clients regardless of where the breach occurred — firms with no IR plan scrambled.
What would have changed it: Vendor risk monitoring and a pre-written FTC Safeguards incident response plan. Firms with documented IR plans activated in under 24 hours. Unprepared firms took 3–6 weeks. This is Fortress-tier readiness.
Free Assessment Tool — 5 Minutes

Does Your Firm Have a WISP That Would Survive an IRS Audit?

Use the free security assessment to benchmark your firm's posture against IRS Publication 5708 and the FTC Safeguards Rule. Understand your exact gaps before the IRS does.

Get WISP Assessment →
Pricing for Texas CPA Firms & Accounting Practices

WISP-compliant SOC. Month-to-month. No enterprise contract.

CoreRecon's pricing for accounting firms covers the people and infrastructure that touch client financial data — partner workstations, staff endpoints, servers, and file storage systems. Month-to-month. No minimums. WISP documentation and FTC Safeguards compliance package included.

Tier: Sentinel
  Price / endpoint / month: $89
  What's included: 24/7 SOC monitoring, endpoint detection & response, IRS WISP authoring & maintenance, annual risk assessment, employee phishing simulation, email threat detection, attack surface management, monthly executive reports, IR Letter for cyber insurance
  Best for: Solo practitioners and small CPA firms (<10 staff); IRS WISP compliance; cyber insurance requirements; basic FTC Safeguards baseline

Tier: Fortress
  Price / endpoint / month: $109
  What's included: All Sentinel + full FTC Safeguards Rule program (QI documentation, written risk assessment, MFA enforcement, encryption posture, incident response plan, board reporting template), anomalous login detection, SIEM, vendor risk monitoring, TSBPA breach notification workflow
  Best for: Mid-size CPA firms (10–50 staff); full FTC Safeguards Rule compliance; enterprise client requirements; firms handling M&A or trust account transactions

Tier: Command
  Price / endpoint / month: $129
  What's included: All Fortress + AICPA SOC 2 readiness program (Trust Services Criteria mapping, continuous monitoring evidence collection, access control documentation, audit-ready evidence packages, SOC 2 auditor liaison support), annual tabletop exercises, pen testing
  Best for: Regional and national firms needing SOC 2 for institutional clients; audit & advisory practices with Fortune 500 clients; firms handling PE/M&A transactions requiring vendor security certification
* Accounting firm pricing covers partner and staff endpoints, servers, and file storage systems with client financial data. The free assessment maps your exact endpoint footprint and identifies which tier addresses your specific WISP and Safeguards obligations.
The CoreRecon Track Record

Texas clients. Real outcomes. Sectors that handle sensitive data.

6 active Texas clients
30-minute incident response SLA
$0 in ransom payments (monitored clients, 2025)
$0 cost to start (free assessment)

CoreRecon serves 6 Texas clients across municipalities, law firms, oil & gas, healthcare, and defense. SDVOSB-certified. AT&T vendor for State of Texas incident response. Zero ransomware payments among monitored clients in 2025. We don't publish logos without client permission — the track record speaks in outcomes.

Frequently Asked Questions

What CPA firm partners and managing principals ask us.

Active Breach? 24/7 Emergency Response
Firm under attack during tax season? We respond in 30 minutes.
No retainer required. AT&T TX state vendor. SDVOSB-certified. No voicemail.
Call (800) 955-2596, or submit the emergency intake form →
Free Security Assessment — $2,500 Value

Find out whether your firm's WISP would survive an IRS examination — before the IRS does.

Most CPA firms operate with a template WISP that hasn't been updated and a security posture that wouldn't meet FTC Safeguards Rule requirements. Our free assessment maps your current posture against IRS Publication 5708, the FTC Safeguards Rule, and TSBPA Rule 501.74 — and delivers a prioritized remediation plan. No credit card. No commitment.

Request your free assessment →

Delivered within 14 days  •  No credit card  •  WISP gap analysis included

Threat Intelligence — Q4 2026
2 Accounting Firms Hit. INC Ransom + SRG. WISP Non-Compliance Risk.
Q4 2026 Texas Cyber Threat Brief: accounting sector incident breakdown, SRG + INC Ransom targeting CPA firms, WISP compliance requirements, FTC Safeguards Rule exposure. Free PDF download.
Download Q4 Brief →
Free Interactive Tool
What Would a Ransomware Attack During Tax Season Actually Cost Your Firm?
Model client notification costs, FTC penalty exposure, ransom demand, recovery expenses, and malpractice risk. Takes 30 seconds.
Calculate My Risk →
Renewing Cyber Insurance This Year?
Check Your Carrier Readiness Before Your Broker Does
38 questions mirroring what Coalition, At-Bay, Travelers, Chubb, and Beazley actually underwrite. Know your gaps — and which CoreRecon tier closes them.
Check My Readiness →
2-Minute Diagnostic · Free
Not Sure Which Regulations Apply to You?
Answer 7 questions. Get a ranked map of every federal and Texas regulation your organization is subject to — with deadlines, penalties, and the CoreRecon tier that covers each one.
Run the 2-Minute Mapper →