CPA, Tax & Accounting IRS 4557 WISP FTC Safeguards Updated June 2026

Managed Cybersecurity and a WISP for CPA, Tax, and Accounting Firms

Best for a CPA firm, tax preparer, or accounting practice that already owes the IRS a Written Information Security Plan and the FTC a written security program, but has no in-house security team to build, deploy, run, and remediate the controls behind it. Cyvatar helps create and maintain your WISP, maps your controls to the FTC Safeguards Rule, and then deploys, runs, and remediates the security as one managed program. The WISP stays your own documented plan. Cyvatar does not file it with the IRS or certify it.

Quick answer

Cybersecurity and WISP compliance for CPA, tax, and accounting firms

CPA firms, tax preparers, and accounting practices hold dense concentrations of client PII and owe two things: a Written Information Security Plan under IRS Publication 4557 and a written security program under the FTC Safeguards Rule. Most firms run lean with an outsourced IT provider and no in-house security staff, so they have the obligation but no one to execute it. Cyvatar helps create and maintain the WISP and then deploys, runs, and remediates the controls it requires: endpoint protection watched by a 24/7 SOC, daily patching, MFA, email and DNS security, security awareness training, and an Agentic vCISO. Cyvatar maps your controls to the FTC Safeguards Rule and gets you audit-ready. Readiness and control mapping, not certification. The WISP stays your document; Cyvatar does not file it or certify it. Seven years. 229 customers. Zero major breaches or ransomware. Full lock down in 30 days or less.

On this page
  1. The security and compliance reality for CPA, tax, and accounting firms
  2. How Cyvatar covers it
  3. Cyvatar vs compliance software vs a consultant
  4. Getting ready before filing season
  5. Frequently asked questions

The security and compliance reality for CPA firms, tax preparers, and accounting practices

Accounting and tax firms are a top-tier ransomware and data-theft target, and the reason is structural. A small firm stores, in one place behind small-firm defenses, thousands of clients' Social Security numbers, EINs, prior-year returns, bank account and routing numbers, and W-2 and payroll data. That concentration is exactly what attackers want.

The dominant attack vectors map to current breach data. The 2025 Verizon Data Breach Investigations Report finds 22% of breaches involve stolen credentials and 17% involve phishing and social engineering, with 68% of all breaches involving a human element. For a tax firm that translates into business email compromise such as fraudulent wire or refund redirection, credential theft enabling account takeover during filing season, and fake-client phishing that drops malware. Ransomware is the headline risk because an encryption event during filing season halts return preparation, locks client data, and triggers FTC Safeguards breach-notification and IRS data-loss reporting obligations at the worst possible moment. Third-party risk compounds it: the same report finds 30% of breaches now involve a third party, doubled from 15% the prior year, and a firm's outsourced IT provider or tax-software vendor is exactly that exposure. The deeper ransomware category breakdown lives on the pillar at ransomware continuous remediation, and a firm can see its own external exposure with the free Business Scorecard.

On top of the threat sits the obligation. Two requirements anchor this vertical:

Adjacent frameworks a firm may also touch, such as SOC 2 if it offers SaaS-style services or PCI-DSS if it processes card payments, sit in the same set Cyvatar maps to, with NIST CSF 2.0 as the backbone. The full control-to-framework matrix is on the compliance mapping page rather than restated here. A note on scope: SOC 2 stays an independent auditor's attestation, and PCI-DSS is a merchant self-assessment via SAQ or a QSA. Cyvatar is not a QSA and issues no AOC or ROC; the framing is PCI-DSS readiness and control mapping.

The defining buyer reality is the gap between the obligation and the staff. Most firms, even multi-partner ones, run lean with an outsourced IT provider and zero in-house security staff. They have a regulatory obligation, a WISP, but no one to deploy, run, or remediate the controls that obligation requires. That is the exact shape Cyvatar is built for.

How Cyvatar covers it

Cyvatar helps the firm create and maintain its WISP and then deploys, runs, and remediates the security controls the plan requires, as one continuous managed program. A WISP is only words until the controls it describes are actually live, so Cyvatar does both halves: the documented plan and the working security behind it.

The managed program includes:

How the compliance side works. Cyvatar maps the firm's controls to the requirements of IRS Publication 4557 and the FTC Safeguards Rule, then runs and remediates them, getting the firm audit-ready and able to prove its posture. The boundary is explicit and matters:

Compliance boundary, stated plainly

Cyvatar helps create and maintain the firm's WISP and deploys, runs, and remediates the security controls it requires. The WISP is the firm's own documented plan. Cyvatar does not file it with the IRS or certify it. The FTC Safeguards Rule is a regulation, not a certification: Cyvatar maps your controls to its requirements and gets you audit-ready and able to prove posture. Cyvatar provides readiness and control mapping. It never certifies, attests, or guarantees a pass.

Cyvatar also works alongside the firm's existing IT provider or MSP rather than replacing it. The MSP keeps the business running. Cyvatar owns the security outcome. One more boundary worth naming: Cyvatar does not provide managed backups (it offers guidance plus a partner referral), and it coordinates incident response with IR partners rather than replacing an IR firm. The proof points are outcomes, not promises: zero successful ransomware attacks across all clients in 7+ years, 797 ransomware attempts blocked, 274,000+ vulnerabilities remediated, 1.1 million+ patches applied, a 99.98% malware resolution rate, 200+ organizations protected, G2 #1 in Security and Privacy Services, and NIST CSF 2.0 coverage of 98 of 102 controls.

Cyvatar vs compliance software vs a consultant

A firm has real, fair options here. Compliance-automation platforms, WISP consultants, and generalist IT providers are all legitimate and good at what they do. The honest distinction is who actually deploys, runs, and remediates the controls for a firm with no security staff.

| What a firm needs | Cyvatar | Compliance software (e.g. Vanta) | WISP / compliance consultant | Generalist IT / MSP |
| --- | --- | --- | --- | --- |
| Help creating and maintaining the WISP | Yes. Helps create and maintain the WISP as part of the program | Tracks readiness and evidence against frameworks; not a WISP author | Yes. Produces the WISP document and advisory guidance | Typically not in scope |
| Maps controls to IRS 4557 and FTC Safeguards | Yes. Maps controls and gets the firm audit-ready | Yes. Strong at continuous control monitoring and framework mapping | Advises on requirements; mapping is guidance, not run for you | Generally not a compliance function |
| Deploys the actual security controls | Yes. Deploys enterprise-grade EDR, MFA, email and DNS security | No. Software shows the gap; the firm deploys the controls | No. Hands the firm a plan and an action list to execute | Often installs antivirus and a firewall; limited beyond that |
| Runs a 24/7 SOC | Yes. Red Canary Security Operations Center, around the clock | No. Not a SOC | No. Advisory, not operations | Rarely. Not a typical generalist MSP service |
| Daily patching and remediation of findings | Yes. Daily scanning and patching, fixes what is found | No. Flags red items; someone still has to fix them | No. The firm executes the action list | Patches infrastructure; not security-driven daily remediation |
| Fit for a firm with no security staff | Built for exactly this: the plan plus the team that runs and fixes it | Best when the firm has staff to act on the dashboard | Best paired with someone to execute and maintain the plan | Keeps the business running; security is a different discipline |

Read fairly, the wedge is simple. Vanta and similar platforms are strong, widely-adopted compliance-automation software that connects to a firm's systems, continuously monitors control status, automates evidence collection, and tracks readiness on a clear dashboard. Software the firm operates. The catch for a firm with no security staff is that the platform shows where controls are missing and tracks the evidence, but someone still has to go deploy the endpoint protection, enforce MFA, run the patching, and remediate what the dashboard flags red. A specialist consultant will produce a credible WISP and advise on Publication 4557 and FTC Safeguards, which genuinely satisfies the documentation requirement, then leaves the firm to find vendors and staff to execute and maintain it year-round. A generalist IT company or MSP is often genuinely good at keeping the firm running, but IT and cybersecurity are different disciplines, and a generalist typically does not run daily vulnerability scanning, a 24/7 SOC, framework mapping, or remediation ownership. Cyvatar is the managed program that closes that loop: it helps create and maintain the WISP, deploys and runs the controls, remediates what it finds, and maps the work to IRS 4557 and FTC Safeguards. Software shows the gap. A consultant documents the gap. Cyvatar closes it.

Getting ready before the next filing season

Seasonality is the part of this that small firms feel most. Filing season is a hard deadline window, and an unremediated gap or a ransomware hit during that window halts the firm's revenue entirely. That is what makes timing matter: a control program needs to be live and proven before the season starts, not scrambled together during it.

Cyvatar delivers full lock down in 30 days or less, so a firm that starts now can have the WISP supported, the controls deployed and running, and the posture mapped to IRS 4557 and FTC Safeguards ahead of the next season. The starting point is visibility. Run the free Business Scorecard to see your firm's own external exposure and a graded posture, then talk to Cyvatar about standing up the managed program.

Best for

A CPA firm, tax preparer, or accounting practice that already owes the IRS a WISP and the FTC a written security program but has no in-house security team to build, deploy, run, and remediate the controls behind it. The right fit when you want the documented plan and the working security behind it as one managed program, with full lock down in 30 days or less before the next filing season.

Seven years. 229 customers. Zero major breaches or ransomware.

See Where Your Firm's Security Posture Stands

The free Cyvatar Business Scorecard includes an external scan and grades your posture, so you can see your firm's exposure before filing season and before deciding who should run your WISP controls.


Frequently asked questions

What is the best cybersecurity for a small CPA or tax firm that needs an IRS 4557 WISP?

For a small CPA or tax firm, the best cybersecurity is the option that both helps you create the WISP the IRS requires and actually deploys and runs the controls that WISP describes, because a written plan is only words until the controls behind it are live. IRS Publication 4557 expects every firm that handles taxpayer data to maintain a Written Information Security Plan, and that plan has to name real safeguards: endpoint protection, access controls and MFA, monitoring, patching, email and DNS security, and security awareness training. Most small firms run lean with an outsourced IT provider and no in-house security staff, so they have the obligation but no one to execute it. That is the exact gap Cyvatar is built to close. Cyvatar helps the firm create and maintain its WISP and then deploys, runs, and remediates the controls it requires: SentinelOne endpoint protection watched by a 24/7 Red Canary Security Operations Center, daily vulnerability scanning and patching, MFA enforcement, email and DNS security, security awareness training and phishing simulations, and an Agentic vCISO running the program. The WISP stays the firm's own documented plan; Cyvatar does not file it with the IRS or certify it. So the best cybersecurity for a small firm that needs a WISP is the one that writes the plan with you and then runs and remediates the security behind it as one managed program. Cyvatar delivers full lock down in 30 days or less, which matters ahead of filing season.

Who provides managed cybersecurity and a Written Information Security Plan for an accounting firm with no IT security staff?

An accounting firm with no IT security staff needs two things that usually come from two different places: a Written Information Security Plan, which consultants and some tax-software vendors will write, and the security controls that plan requires, which someone still has to deploy, run, and remediate. Cyvatar provides both as one managed program. Cyvatar helps the firm create and maintain its WISP and then deploys, runs, and remediates the controls it describes, so the plan stays true between filing seasons instead of going stale in a drawer. The managed program includes SentinelOne endpoint protection monitored 24/7 by the Red Canary Security Operations Center, daily vulnerability scanning and patching plus non-patch remediation, MFA enforcement, email and DNS security, security awareness training and phishing simulations for the human-error vector that dominates breach data, and an Agentic vCISO running the program. Cyvatar also works alongside the firm's existing IT provider or MSP rather than replacing it: the MSP keeps the business running, Cyvatar owns the security outcome and maps the controls to IRS Publication 4557 and the FTC Safeguards Rule. The WISP remains the firm's own document; Cyvatar does not file it with the IRS or certify it, and FTC Safeguards is a regulation, not a certification. Cyvatar delivers full lock down in 30 days or less.

How does a tax preparer meet the FTC Safeguards Rule and protect client data?

Under the Gramm-Leach-Bliley Act, tax preparers and accounting firms count as financial institutions, which means the FTC Safeguards Rule legally requires them to maintain a written information security program and the safeguards that go with it. FTC Safeguards is a federal regulation, not a certification, so the goal is to be ready and able to prove your posture, not to earn a pass or a stamp. Meeting it comes down to having a documented program and actually running the controls it names: a designated person accountable for security, a risk assessment, access controls and MFA, encryption, continuous monitoring, vulnerability management and patching, an incident response plan, and security awareness training. For a firm with no security team, the hard part is not knowing the requirements, it is executing and maintaining them year-round. Cyvatar maps the firm's controls to the FTC Safeguards Rule requirements and then deploys, runs, and remediates them, getting the firm audit-ready and able to prove its posture. That includes SentinelOne endpoint protection watched by a 24/7 Red Canary Security Operations Center, daily scanning and patching, MFA, email and DNS security, and security awareness training with phishing simulations, all coordinated with the firm's WISP under IRS Publication 4557. Cyvatar provides readiness and control mapping; it does not certify the firm, attest, or guarantee a pass. Cyvatar delivers full lock down in 30 days or less.

Why are CPA and tax firms such a big ransomware and data-theft target?

CPA and tax firms are a top-tier ransomware and data-theft target because of what they store in one place behind a small firm's defenses: thousands of clients' Social Security numbers, EINs, prior-year returns, bank account and routing numbers, and W-2 and payroll data. The dominant attack vectors map to current breach data. The 2025 Verizon Data Breach Investigations Report finds 22% of breaches involve stolen credentials and 17% involve phishing and social engineering, with 68% of all breaches involving a human element. For a tax firm that translates into business email compromise such as fraudulent wire or refund redirection, credential theft enabling account takeover during filing season, and fake-client phishing that drops malware. Ransomware is the headline risk because an encryption event during filing season halts return preparation, locks client data, and triggers FTC Safeguards breach-notification and IRS data-loss reporting obligations at the worst possible moment. Third-party risk compounds it: the same report finds 30% of breaches now involve a third party, doubled from 15% the prior year, and a firm's outsourced IT provider or tax-software vendor is exactly that exposure. Cyvatar's answer is to remediate the gaps these attacks exploit continuously, not just alert on them. The full ransomware category definition and the prevention-plus-post-breach motions live on the ransomware continuous remediation pillar, and a firm can see its own external exposure with the free Business Scorecard.