If you prepare tax returns professionally, cybersecurity is no longer optional — it is a federal requirement. The IRS Security Six framework, outlined in IRS Publication 4557, establishes mandatory cybersecurity controls for every tax professional with a Preparer Tax Identification Number. A VPN is one of the six required safeguards. With 83% of tax professionals now working remotely at least part-time, the way you connect to client data matters as much as the data itself.
The average data breach costs a tax practice $4.88 million, according to IBM's 2025 Cost of a Data Breach Report. PTIN suspension — the IRS's enforcement tool for non-compliant preparers — can halt your ability to file returns entirely. Here is what accountants and CPAs need to know about VPNs, the IRS Security Six, and how to document your compliance properly.
What the IRS Security Six Requires
IRS Publication 4557 and the FTC Safeguards Rule require all tax preparers to implement six core cybersecurity controls. A VPN addresses the encryption and secure remote access requirements that sit at the center of that framework:
- Security Plan. A Written Information Security Plan (WISP) documenting your VPN policies and how you protect nonpublic personal information (NPPI)
- User Authentication. Multi-factor authentication for all connections to systems containing client data
- Access Controls. Restrictions limiting what data can be accessed and by whom
- Encryption. AES-256 encryption for client data in transit — this is where a VPN is directly required
- Data Disposal. Secure deletion protocols for records containing NPPI
- Monitoring. Logging of connections and access attempts to client systems
The FTC Safeguards Rule is equally explicit: financial institutions and tax preparers must encrypt all data in transit when accessing client information remotely. If you are working from a home office, a coffee shop, a client's location, or anywhere outside a secured network, every connection to tax software, client portals, or your practice management system needs to be encrypted.
Meet IRS Security Six encryption requirements
CyberFence encrypts every connection with AES-256-GCM — the standard required by the IRS Security Six framework. US-operated, zero logs, works on all 5 platforms. Document it in your WISP and you have a clear compliance record.
Why Accountants Are High-Value Targets
Tax professionals aggregate more sensitive financial data per client than virtually any other professional category. A single client file contains Social Security numbers, bank account details, investment account information, employer identification numbers, and complete financial history. During tax season, a single preparer may handle hundreds of such files simultaneously.
Attackers know this. According to Verizon's 2025 Data Breach Investigations Report, over 80% of hacking-related breaches involve compromised or weak credentials — and remote access is the primary attack vector. When a CPA connects to their practice management software from a home network or hotel WiFi without a VPN, those credentials travel across an unprotected connection that can be captured with widely available tools.
The IRS has seen this pattern repeatedly. High-profile attacks on tax firms in 2024 and 2025 led to intensified enforcement of PTIN security requirements. Preparers who cannot demonstrate compliant security controls during an IRS audit face PTIN suspension — and once your PTIN is suspended, you cannot legally prepare tax returns for compensation.
What Constitutes a Compliant VPN for Tax Professionals
Not every VPN meets IRS Security Six requirements. The framework's specific demands narrow the field considerably:
AES-256 encryption. The IRS specifies AES-256 as the minimum encryption standard. Older or weaker encryption protocols do not satisfy the requirement regardless of other features. CyberFence uses AES-256-GCM — the current gold standard for symmetric encryption.
US-operated infrastructure. When you connect through a VPN, your encrypted traffic passes through that provider's servers. For tax professionals handling US taxpayer data, a VPN operated under US law, subject to US jurisdiction, provides clearer legal accountability than foreign-operated services. This also simplifies your WISP documentation — you can identify the provider's jurisdiction unambiguously.
Zero-logs policy covering client data. Your VPN provider should not retain records of which tax software platforms you accessed, your connection timestamps linked to client sessions, or any other data that could reconstruct your professional activity. A provider that logs this information has effectively created a record of your client interactions under their ownership — a significant confidentiality problem for a CPA practice.
Coverage across all practice devices. Modern CPA practices involve laptops for office work, tablets for client meetings, and smartphones for remote access. A VPN that covers all five platforms — iOS, iPadOS, Android, Mac, and Windows — under a single subscription ensures no device creates a gap in your encryption coverage.
Documentable for your WISP. The IRS requires your Written Information Security Plan to document the specific security controls you have implemented. A VPN that provides clear, accessible documentation of its encryption standard, logging policy, and operational jurisdiction gives you what you need to write accurate WISP language and defend it in an audit.
The Four Scenarios Where a VPN Is Non-Negotiable
Working From Home on a Shared Network
Home networks carry risk that office networks do not. Other household members, IoT devices, and routers that have not been updated in years all create potential vulnerabilities on the same network segment as your work device. A VPN creates an encrypted tunnel from your device directly to the internet, bypassing the risk of other devices on the home network and preventing ISP-level visibility into your professional connections.
Accessing Tax Software From a Client's Office
When you visit a client's location and connect to their WiFi to access your practice management software, you are on a network you do not control and cannot audit. The same applies to conference rooms at financial institutions, co-working spaces, and hotel business centers during tax season travel. A VPN running on your device protects your credentials and client data regardless of the network you are on.
Using Cloud-Based Tax Software
The major tax preparation platforms — Lacerte, Drake, ProConnect, UltraTax — all have cloud or remote access components. Every connection to these platforms over an unencrypted connection is a potential credential capture point. A VPN encrypts the connection from your device to the platform, protecting your login credentials and the client data you access during each session.
Transmitting Returns and Documents
Email and document portals used to transmit completed returns, engagement letters, and supporting documents all benefit from encrypted connection protection. Even when the document platform itself uses HTTPS, a VPN provides an additional layer of encryption at the network level and prevents network-level observers from identifying which platforms you are accessing and when.
Documenting VPN Use in Your WISP
The IRS requires your Written Information Security Plan to specifically address how you protect data in transit. A compliant WISP section covering your VPN should include:
- The name of your VPN provider and the encryption standard used (e.g., CyberFence, AES-256-GCM encryption)
- A statement that the provider operates under US law with a verified zero-logs policy
- Which devices are covered and the requirement that the VPN is active whenever accessing client data remotely
- The policy for what happens if the VPN connection drops (stop work, reconnect, then resume)
- Who is responsible for ensuring VPN software is current across all practice devices
This documentation does not need to be complex. A one-page addition to your existing WISP that addresses these five points creates a defensible record. What IRS auditors look for is evidence that you have thought through the control and implemented it intentionally — not that you have deployed enterprise-grade infrastructure.
For more context on evaluating VPN providers for compliance use, see our guide on how to verify a VPN's no-logs policy and our post on VPN compliance for financial advisors under SEC Regulation S-P.
The Bottom Line for CPA Practices
The IRS Security Six is not guidance — it is a compliance requirement tied to your PTIN eligibility. The FTC Safeguards Rule is not voluntary — it applies to every tax preparer handling nonpublic personal information. A VPN with AES-256 encryption is a specific, documentable control that directly addresses the encryption requirement in both frameworks.
At $7.99 per month or $88.21 per year, CyberFence costs less than an hour of your billing rate. The alternative — a data breach averaging $4.88 million in costs, or a PTIN suspension that halts your practice — is not a risk worth carrying when the compliance solution is this accessible.
IRS-compliant encryption for your practice
CyberFence gives CPAs and tax professionals AES-256-GCM encryption, a verified zero-logs policy, and US-operated infrastructure — everything you need to meet IRS Security Six and FTC Safeguards Rule requirements. One subscription covers all 5 platforms.