If you prepare even one tax return for a client, federal law requires you to have a Written Information Security Plan — and that plan must include encryption for client data transmitted over networks. A VPN is one of the most direct and practical ways to satisfy that requirement.
This isn't a gray area. The IRS, in its July 2025 Security Summit reminder, stated explicitly that all tax professionals are "required by law" to protect client data under the Gramm-Leach-Bliley Act (GLBA) — and that WISP compliance is mandatory for every firm, regardless of size, as a condition of PTIN renewal (IRS Security Summit, July 2025).
As of 2026, IRS Form W-12 (PTIN application and renewal) includes Line 11, which requires applicants to affirmatively certify they have a compliant WISP. Falsely checking that box constitutes perjury. Yet 80% of tax firms are still not fully compliant with WISP mandates (WISP Weekly, 2025).
Why Accountants and CPAs Are Prime Targets
Accounting firms hold some of the most valuable personally identifiable information available: Social Security numbers, income records, business financials, bank account information, and years of tax history. This data is worth far more to cybercriminals than a credit card number — it enables comprehensive identity theft, fraudulent tax filings, and business account takeover.
The risk is quantified. L Squared Insurance Agency estimates that accounting firms face a 30–60% probability of a significant cyber event in 2025 (L Squared Insurance, 2025). The average cost of a data breach for financial services firms reached $6.08 million in 2025 — among the highest of any industry (IBM Cost of a Data Breach 2025). Over 80% of breaches in accounting involve human error, typically phishing attacks targeting employee credentials.
Ransomware groups specifically target accounting firms during tax season — Q1 and Q4 — when firms are under deadline pressure and less likely to notice anomalous system behavior. Cyber insurers are increasingly refusing to pay claims where firms failed to maintain a current WISP or conduct annual risk assessments.
WISP-Compliant Encryption for Your CPA Practice
CyberFence encrypts all client data in transit with AES-256-GCM encryption — directly satisfying the IRS and FTC Safeguards Rule encryption requirements. US-operated. Zero logs.
What the WISP Requires — And Where a VPN Fits
IRS Publication 5708 and the FTC Safeguards Rule (16 C.F.R. Part 314) enumerate nine required components of a compliant information security program. Two of them directly implicate VPN use:
Encryption of Data in Transit
The FTC Safeguards Rule explicitly requires covered entities — which includes all tax preparers and CPA firms under GLBA — to encrypt client information during transmission over external networks. When you access a cloud-based accounting platform, submit an e-file, log into a client portal, or check email with client attachments from a coffee shop, hotel, or home network, that data is traveling over an external network.
A VPN encrypts all traffic between your device and the VPN server using AES-256-GCM encryption, so the local network and the ISP see only ciphertext. That satisfies this requirement regardless of what network you're on. Without a VPN, any unencrypted transmission over a public or unsecured network is a direct WISP compliance violation.
Remote Access Security Controls
The 2026 WISP updates — effective for the current filing season — eliminated what was previously called the "in-office exception." All users accessing systems containing client data must use multi-factor authentication, regardless of whether they're connecting from inside or outside the office (Bellator Cyber, 2025). MFA is required; so is encryption of the connection itself.
For remote access to any system containing client data — your accounting software, practice management system, tax preparation platform, or document management system — the connection must be encrypted. A VPN satisfies this control for all remote access scenarios, from a home office to a client site to a travel situation.
The IRS "Security Six" — Where a VPN Appears
IRS Publication 4557 outlines what it calls the "Security Six" — the baseline cybersecurity controls every tax professional should implement. The six are:
1. Anti-virus software
2. Properly configured firewalls
3. Two-factor authentication on every high-value system
4. Encryption of stored and transmitted data
5. Secure backups
6. Secure communication channels: encrypted email and client portals
Items 4 and 6 are directly addressed by a VPN. When you connect through CyberFence, all communications — email, client portals, cloud software, e-file submissions — travel through an encrypted tunnel. The ISP, coffee shop WiFi router, and anyone on the same network see only encrypted traffic. They cannot read or intercept client data in transit.
The Compliance and Enforcement Reality in 2026
The IRS and FTC are no longer treating WISP compliance as a good-faith recommendation. Enforcement consequences in 2026 include:
- Fines starting at $100,000 per incident for GLBA Safeguards Rule violations
- PTIN suspension or revocation — effectively ending your ability to prepare tax returns
- FTC enforcement actions for firms that experience a breach without a compliant WISP
- Breach notification obligations — firms must notify the FTC within 30 days of incidents affecting 500 or more clients
- Client lawsuits — class-action exposure for firms that mishandled client SSNs and financial data
Cyber insurers have aligned with these requirements. Policies increasingly include exclusions for claims where the firm failed to implement documented controls — specifically WISP, MFA, and encryption. A firm that suffers a ransomware attack without these controls in place may find their insurance claim denied, leaving them fully exposed to recovery costs averaging $4.4–6.0 million for financial services breaches.
What "Encryption in Transit" Means in Practice for a CPA
Here are the specific scenarios where unencrypted transmission of client data creates WISP violations — and where a VPN closes the gap:
- Working from home — Home routers are frequently misconfigured, use outdated firmware, and lack enterprise security controls. A VPN encrypts all traffic from your home device before it reaches your router.
- Client site visits — Accessing your practice management system or e-filing platform from a client's office means using their network, which you don't control. A VPN encrypts the session before it crosses that network.
- Hotels and airports during travel — Tax season frequently involves travel for partner meetings, conferences, and client engagements. Public WiFi at hotels and airports is the most common network-level attack surface. A VPN is non-negotiable in these environments.
- Staff working remotely — If any staff member handles client files from a remote location, their connection must be encrypted. A Teams plan provides VPN protection across your entire staff under one administrative account.
- Email on mobile devices — Accessing client emails with attached tax documents on a smartphone over a cellular or public WiFi connection transmits client data over an external network. A VPN running on the mobile device encrypts this.
CyberFence for CPA Practices and Accounting Firms
CyberFence is a US-operated VPN and cybersecurity platform built by Perez Technology Group in Orlando, Florida. For accounting professionals, the relevant specifications are:
- AES-256-GCM encryption — satisfies the FTC Safeguards Rule and IRS WISP encryption-in-transit requirements
- Zero-log policy — no connection logs, no activity logs, no DNS query records; client session data is not stored
- All 5 platforms covered — iOS, Android, macOS, Windows, and Web App; every device your staff uses for client work is protected under one subscription
- Web Shield DNS filtering — blocks phishing sites, malware distribution domains, and ransomware command-and-control servers at the DNS level; specifically addresses the phishing threat responsible for 80%+ of accounting firm breaches
- US-operated infrastructure — data routing stays within US-operated infrastructure, consistent with GLBA data handling expectations for US financial institutions
- Teams plans with compliance documentation — for multi-person practices, Teams plans include compliance documentation that can be referenced in your WISP to document technical control implementation
- Breach Monitor — monitors staff email addresses against 15 billion+ breach records; alerts when credentials appear in a data breach before they're used in an account takeover attack
How to Document VPN Use in Your WISP
Your WISP must document the technical controls you have in place. When using CyberFence as your encryption-in-transit control, the relevant WISP language would reference:
- The use of a commercial VPN service (CyberFence, operated by Perez Technology Group) for encrypting all data in transit over external networks
- Encryption standard: AES-256-GCM
- Scope: all devices used by staff to access systems containing client data
- Applicability: required when accessing client data from any non-office location, and recommended as a standard practice for all connections
This documentation, combined with MFA implementation and the other WISP components required by IRS Publication 5708, creates a defensible compliance posture under both the IRS and FTC Safeguards Rule frameworks.
Protect Your Practice and Your Clients
CyberFence provides the encryption-in-transit control your WISP requires — on every device your staff uses, on every network. Individual plans from $7.35/mo. Teams plans for multi-person practices.