Here’s Why Tax Preparers Need MFA

Multi-factor authentication (MFA) has moved from a recommended best practice to a core requirement for cybersecurity for CPA firms. As cybercriminals increasingly target tax preparers and accounting professionals, MFA has become one of the most effective defenses against data breaches, identity theft, and regulatory penalties.

For CPA firms today, MFA is no longer just about technology—it’s about compliance, business continuity, and protecting client trust in an environment where cybersecurity for CPAs is under constant pressure.

Federal Compliance Is Now Mandatory Under the FTC Safeguards Rule

As of June 2023, the FTC Safeguards Rule, enforced under the Gramm-Leach-Bliley Act (GLBA), requires all tax professionals and accounting firms to implement multi-factor authentication for anyone accessing systems that contain taxpayer data.

This mandate applies to all firms, regardless of size. Solo practitioners, small CPA firms, and large accounting practices are held to the same standard. Tax professionals must also acknowledge their data security responsibilities when renewing their Preparer Tax Identification Number (PTIN) using IRS Form W-12.

The consequences of non-compliance are severe:

  • Civil penalties of up to $53,088 per violation (as of 2025)
  • Injunctive relief, which may require firms to overhaul security controls under FTC supervision
  • Mandatory third-party security assessments and ongoing compliance reporting
  • FTC investigations and enforcement actions
  • Potential criminal penalties, including up to five years of imprisonment for serious or willful violations

CPA firm cybersecurity requirements also include maintaining a Written Information Security Plan (WISP). This plan must document MFA implementation, designate a qualified security coordinator, and outline procedures for reporting security incidents affecting 500 or more individuals to the FTC within 30 days.

The Growing Cybersecurity Crisis for Accounting Firms

The threat landscape for cybersecurity for accounting firms has reached critical levels. In the first half of 2025 alone, nearly 300 reported data breaches affected as many as 250,000 clients. Cyberattacks against accounting firms have increased by 300%, with tax season serving as the most active attack window.

The financial impact is devastating. The average U.S. data breach now costs $10.22 million per incident. For CPA firms, the damage often includes:

  • Ransomware demands exceeding $300,000 per office
  • Multi-location firms losing hundreds of thousands of dollars
  • Smaller firms paying tens of thousands to recover from a single phishing email

Identity theft continues to rise as well. In 2024, the FTC recorded over 1.1 million identity theft reports, with total fraud losses exceeding $12.5 billion. Employment and tax-related identity theft generated nearly 90,000 complaints, and victims often wait up to two years to receive their legitimate tax refunds.

Why CPA Firms Are Prime Targets for Cybercriminals

CPA firms represent an exceptionally lucrative target. A single tax preparer managing 500 returns holds access to 500 complete identity profiles, including Social Security numbers, banking details, income records, and refund information.

This data enables criminals to:

  • File fraudulent tax returns
  • Redirect refunds
  • Commit long-term identity theft

Attackers also target Electronic Filing Identification Numbers (EFINs), PTINs, and Centralized Authorization File (CAF) numbers, allowing them to submit fraudulent filings that appear legitimate within IRS systems.

Tax season compounds these risks. High-pressure deadlines, increased data volume, remote work, and temporary staff all create conditions that cybercriminals actively exploit. This is why cybersecurity for CPA firms requires stronger protections during peak seasons—not fewer.

The Evolving Cyber Threats Facing CPAs

Modern attacks against accounting firms are increasingly sophisticated:

  • Phishing attacks now average $4.4 million per incident (as of 2025)
  • Business email compromise (BEC) attacks often exceed $90,000 per event
  • AI-generated phishing emails have increased by more than 1,200%

Tax professionals frequently receive malware disguised as IRS notices, tax software updates, or payroll requests. QR-code phishing and phishing-as-a-service platforms now allow even low-skilled attackers to launch advanced campaigns.

In most CPA firm cybersecurity incidents, the breach begins with compromised login credentials—even when strong passwords are in place.

How Multi-Factor Authentication Protects CPA Firms

Multi-factor authentication stops these attacks by requiring multiple forms of verification before granting access:

  1. Something the user knows (password)
  2. Something the user has (authenticator app or security key)
  3. Something the user is (biometric authentication)

MFA blocks 99% of account compromise attempts and 99.9% of automated authentication attacks, even when passwords are stolen through phishing or data breaches.

For cybersecurity for CPAs, MFA directly neutralizes:

  • Phishing attacks
  • Credential stuffing from breached passwords
  • Brute-force login attempts
  • Business email compromise
  • Ransomware entry points

Choosing the Right MFA for CPA Firm Cybersecurity

Not all MFA solutions provide the same level of protection.

Highest security (phishing-resistant):

  • Hardware security keys (FIDO2 / YubiKey)
  • Biometric authentication

Strong protection with usability:

Lower security (use only if necessary):

  • SMS-based MFA, which remains vulnerable to SIM-swapping attacks

Advanced firms may also deploy adaptive MFA, which adjusts authentication requirements based on device, location, time, and behavior.

Implementing MFA Across Accounting Firm Systems

Under the FTC Safeguards Rule, MFA must be implemented across all systems accessing taxpayer data, including:

  • Tax preparation software
  • Email platforms
  • Cloud storage and document sharing tools
  • VPNs and remote access systems
  • Client portals
  • Firm computers and laptops

Most professional tax software already supports MFA. CPA firms should also ensure MFA is enabled for email—the most common entry point for attacks.

This is where IT services for accounting firms and managed IT services for accounting firms play a critical role. A qualified IT partner ensures MFA is configured correctly, monitored consistently, and supported when issues arise.

MFA as Part of a Broader Cybersecurity Strategy

While MFA is essential, effective cybersecurity for accounting firms requires a layered approach:

  • Encryption for data at rest and in transit
  • Role-based access controls
  • Ongoing employee security training
  • Business-grade firewalls and endpoint protection
  • Secure, encrypted backups
  • Continuous monitoring and incident response

Reliable IT support for accounting firms ensures these controls work together—especially during tax season when downtime and security failures are most costly.

The Business Case Beyond Compliance

Firms that prioritize CPA firm cybersecurity are better positioned to recover from incidents and maintain client trust. Firms without MFA and proper IT protections often face prolonged shutdowns, regulatory scrutiny, lawsuits, and lasting reputational damage.

The average breach takes 8 months to fully identify and contain. During that time, firms face operational disruption, staff burnout, and client uncertainty. For affected taxpayers, the consequences can last years.

Taking Action Now

Multi-factor authentication is the single most effective cybersecurity control CPA firms can implement today. It is affordable, widely available, and often already built into existing systems.

By enabling MFA and working with trusted providers of managed IT services for accounting firms, tax professionals can protect client data, meet FTC Safeguards Rule requirements, and strengthen their firm’s long-term security posture.

In today’s threat environment, cybersecurity for CPAs is no longer optional. MFA is the foundation of a secure, compliant, and resilient accounting practice.

Elena Moore