Veteran-Owned. Built by engineers who've actually done the work.
Solution · CPA and Accounting

FTC-ready. Tax-season-ready. Year-round.

FTC Safeguards Rule compliance, IRS Publication 4557 alignment, and detection tuned for the threats that target accounting practices: tax-season phishing, W-2 fraud, and client 1040 theft.

The FTC Safeguards Rule now requires breach notification within 30 days of any event affecting 500+ consumers. Effective May 13, 2024.

16 CFR Part 314, FTC Safeguards Rule Amendment

What CPA Practices Face

Accounting firms hold complete financial profiles for hundreds or thousands of clients. The threat profile is concentrated and seasonal.

Seasonal
Tax-Season Phishing
Attack volume spikes dramatically from January through April, with tax-themed phishing targeting both your staff and your clients. Detection needs to keep pace.
Wire Fraud
W-2 Fraud Schemes
Spoofed executive emails requesting bulk W-2 exports for 'audit' purposes. Payroll teams remain a primary target.
Identity
Client 1040 Theft
Attackers harvest client tax returns to file fraudulent refund claims with the IRS. Your clients become victims; your practice gets the inquiry.
Credentials
Tax Software Account Compromise
Lacerte, ProConnect, Drake, and other tax software accounts are high-value targets. We monitor for credential compromise and unusual access patterns.
Regulatory
IRS Publication 4557 Compliance
Required written information security plan (WISP), data security framework, and incident response plan. We provide the documentation.
FTC
Safeguards Rule Notification
30-day breach notification clock for events affecting 500+ consumers. Public reporting database. We manage the timeline.
Compliance Frameworks

Accounting practices operate under federal regulation through the FTC Safeguards Rule and IRS guidance. Carbynix Fortress includes the documentation and incident response support required by both.

FTC Safeguards Rule
16 CFR Part 314, applies to non-banking financial institutions including CPAs
IRS Publication 4557
Safeguarding Taxpayer Data, mandatory WISP
IRS Publication 5293
Data Security Resource Guide for Tax Professionals
State Tax Practitioner Rules
Many states have additional CPA cybersecurity rules
AICPA SOC 2
Increasingly required by client diligence
Client-Specific Frameworks
Healthcare clients require BAAs, financial clients require additional controls
Why CPA Practices Choose Carbynix

Accounting practices are explicitly named under the FTC Safeguards Rule. We've built coverage specifically for that obligation.

WISP Documentation Included
FTC Safeguards Rule requires a written information security plan. Fortress includes the WISP template, customization, and continuous evidence collection.
Tax Season Surge Coverage
Detection thresholds adjust for January through April when phishing attempts surge. We don't get overwhelmed when attackers expect you to be.
Tax Software Integration
Detection content includes monitoring for unusual access to common tax preparation software platforms and IRS e-services accounts.
FTC Notification Support
When the 30-day FTC notification clock starts, we manage the timeline, draft the filing, and coordinate with your counsel.
Recommended Tier
Guardian Baseline
$15/endpoint/month

Solo CPAs and small practices (under 25 endpoints) typically start with Guardian for monitoring and detection coverage.

  • 24/7/365 detection and response
  • Tax-season-tuned detection content
  • Endpoint, cloud, and identity monitoring
  • Add Aegis WISP package separately if needed
Common Questions
We're a 5-person CPA practice. Is Carbynix overkill?
No. The FTC Safeguards Rule applies regardless of practice size. The 25-endpoint minimum on Guardian fits most small practices, and the $500 per month floor is comparable to other compliance line items.
Do you support practices that don't take payments (return preparation only)?
Yes. The FTC Safeguards Rule applies to any 'financial institution' including tax preparers regardless of whether they process payments. Coverage is the same.
What about IRS PTIN data security questions?
Our compliance package includes the documentation needed to answer IRS PTIN renewal data security questions accurately. Your written information security plan is the central document.
Can you help with state-specific CPA cybersecurity rules?
Yes. State CPA boards increasingly publish their own cybersecurity expectations. Our compliance documentation is updated to reflect state-specific requirements during onboarding.

Stay ahead of the FTC clock.

Schedule a consultation. We'll review your practice's FTC Safeguards Rule posture, scope appropriate coverage, and confirm whether Guardian or Fortress is the right fit.