Tax Season Cybersecurity: What Clients & Firms Need to Know!
Published on February 12, 2025
Tax season is here, and so are the cybercriminals. Learn how to keep financial data safe with our essential cybersecurity guide for accounting firms and clients!
Canadians were shocked by a recent investigation which revealed a surge in privacy breaches at the Canada Revenue Agency (CRA). Over 31,000 material privacy breaches occurred between March 2020 and December 2023 affecting at least 62,000 taxpayers. These breaches, including an incident where hackers compromised taxpayer accounts using credentials associated with H&R Block Canada, have resulted in millions of dollars in fraudulent refunds being paid out.
If the CRA, the very institution entrusted with our tax information, could be so vulnerable, it begs the question: what safeguards are in place at our local accounting firms and tax preparation services to protect our personal and financial information?
The fact is, tax season isn’t just a busy time for accounting firms — it’s become a prime opportunity for cybercriminals. Cyberattacks on accounting firms have surged by 300% since COVID-19, proving that no firm, big or small, is immune.
This guide will analyze the roles of both clients and firms in securing financial data by covering two critical perspectives:
- For Clients – What you should ask your accounting firm about cybersecurity.
- For Firms – Best practices to keep client data secure.
Essential Cybersecurity Questions to Ask Your Accountant
Clients trust accountants with some of their most sensitive data, yet many never ask about security measures. Here are key questions every client should ask before handing over their financial information:
1. How Do You Protect My Personal & Financial Information?
Why Ask? Your accountant has access to your Social Insurance Number, banking details, and tax records. Understanding how they store, protect, and restrict access to this data is crucial.
Red Flag: If they rely on email to exchange sensitive documents without encryption, your data could be exposed.
2. Do You Use Multi-Factor Authentication (MFA) for Secure Access?
Why Ask? MFA prevents hackers from accessing systems even if passwords are stolen.
Red Flag: If employees can access client accounts with only a password, the firm is at higher risk.
3. How Would You Respond to a Cyber Incident?
Why Ask? A secure firm should have an incident response plan and cyber liability insurance.
Red Flag: If the firm has no written policy for responding to cyber incidents, it may not be prepared for a breach.
4. Do You Use Secure Client Portals or Encrypted Email for Document Sharing?
Why Ask? A client portal is the safest way to submit tax forms and banking details.
Red Flag: If they rely on unencrypted email to send sensitive information, your data is at risk.
5. Have You Trained Your Staff on Cybersecurity Best Practices?
Why Ask? Employees are often the weakest link in security. Firms should provide regular cybersecurity training.
Red Flag: If staff haven’t had training in over a year, they may be vulnerable to phishing scams and social engineering attacks.
Pro Tip for Clients: If your accountant struggles to answer these questions, it may be time to look for a more security-conscious firm.
Best Practices for Accounting Firm Cybersecurity
The sensitive financial data accounting firms possess is highly prized by cybercriminals. Firms must take proactive steps to keep client PII (Personally Identifiable Information) safe both in transit and at rest. Just one data breach can ruin a hard-earned reputation and decimate client trust. Consider some of the basic controls every accounting firm or tax preparer should implement:
1. Multi-Factor Authentication (MFA) & Access Controls
- Require MFA on every account that can reach sensitive data: accounts holding financial records or personally identifiable information (PII), administrative and privileged accounts, and any account used to access critical systems.
- Use role-based access controls (RBAC) to limit employee access based on necessity.
- Ensure remote workers use secure VPNs (with MFA!) to access company systems.
2. Secure Communication & Document Sharing
- Use encrypted email or secure client portals instead of email attachments.
- Educate clients about phishing risks and secure document submission.
- Protect yourself against BEC (Business Email Compromise) by regularly auditing email forwarding rules for unauthorized changes (threat actors who gain access to a mailbox often add rules that redirect messages to accounts they control in order to steal sensitive data).
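As an added illustration of the forwarding-rule audit described above (example code written for this article, not a tool from any vendor), the script below runs over a constructed set of inbox rules shaped like an Exchange inbox-rule export and flags rules that forward or redirect mail outside the firm's own domains, and rules that also hide the forwarded message from the mailbox owner. The firm domain, mailboxes and addresses are assumed placeholder values.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed: the firm's own email domains; any other domain counts as external.
FIRM_DOMAINS = {"examplefirm.ca"}
# Folders often used to keep forwarded mail out of the mailbox owner's view.
HIDDEN_FOLDERS = {"rss subscriptions", "deleted items", "junk email", "archive"}

@dataclass
class InboxRule:
    """One mailbox rule, with fields modelled on an Exchange inbox-rule export."""
    mailbox: str
    name: str
    forward_to: list[str] = field(default_factory=list)
    redirect_to: list[str] = field(default_factory=list)
    delete_message: bool = False
    mark_as_read: bool = False
    move_to_folder: str = ""

def external_targets(addresses: list[str], firm_domains=FIRM_DOMAINS) -> list[str]:
    """Return the addresses whose domain is not one of the firm's own."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in firm_domains]

def audit_rule(rule: InboxRule, firm_domains=FIRM_DOMAINS) -> list[str]:
    """Findings for one rule; an empty list means nothing to review."""
    findings = []
    targets = rule.forward_to + rule.redirect_to
    ext = external_targets(targets, firm_domains)
    if ext:
        findings.append("forwards or redirects to external: " + ", ".join(ext))
    hides = (rule.delete_message or rule.mark_as_read
             or rule.move_to_folder.lower() in HIDDEN_FOLDERS)
    if targets and hides:
        findings.append("forwards and hides the message from the mailbox owner")
    return findings

def audit_rules(rules, firm_domains=FIRM_DOMAINS) -> dict:
    """Map (mailbox, rule name) -> findings for every rule that needs review."""
    report = {}
    for r in rules:
        findings = audit_rule(r, firm_domains)
        if findings:
            report[(r.mailbox, r.name)] = findings
    return report

# Constructed sample export (hypothetical mailboxes and addresses).
SAMPLE_RULES = [
    InboxRule("alice@examplefirm.ca", "Newsletters", move_to_folder="Newsletters"),
    InboxRule("bob@examplefirm.ca", "Copy to home", forward_to=["bob.home@example.com"]),
    InboxRule("carol@examplefirm.ca", "Cover for Dave", redirect_to=["dave@examplefirm.ca"]),
    InboxRule("dave@examplefirm.ca", ".", forward_to=["billing-dept@example.net"],
              mark_as_read=True, move_to_folder="RSS Subscriptions"),
]

if __name__ == "__main__":
    for (mailbox, name), findings in audit_rules(SAMPLE_RULES).items():
        print(f"{mailbox} rule '{name}': " + "; ".join(findings))
```

In practice the rule list would come from the mail platform's administrative export rather than the constructed sample; the check itself is the same.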
3. Strengthen Phishing & Ransomware Defenses
- Conduct regular cyber awareness training for employees.
- Enable email filtering and malware detection to block suspicious messages.
- Maintain offline encrypted backups to recover from ransomware attacks.
4. Maintain Regulatory Compliance (PIPEDA)
- Limit collection of personal information to that which is strictly necessary.
- Enforce policies limiting the use, disclosure and retention of personal information.
- Safeguard personal information through physical, organizational, and technological measures.
5. Invest in a Cybersecurity Partner
Even firms with internal IT teams may lack the expertise to combat evolving cyber threats. A third-party cybersecurity assessment can help:
- Identify security gaps before they become breaches.
- Ensure compliance with Canadian privacy regulations.
- Provide tailored cybersecurity training for accountants.
- Offer 24/7 monitoring to detect and stop cyberattacks in real time.
In the event of a suspected cyber security incident, having a qualified IT partner will enable you to swiftly identify, contain, and recover from an attack.
Pro Tip for Firms: Schedule a cybersecurity assessment now to identify and proactively close any gaps in your security.
Cybersecurity: A Must for Clients and Firms This Tax Season
The recent CRA breaches have made it crystal clear: cybersecurity is not optional — it's a necessity, especially with tax season upon us. We should all be on alert when it comes to the security of personal information.
- Clients must be selective when it comes to their accounting partners and be ready to ask the tough questions about how their data is being protected.
- Accounting firms must continuously strengthen their defenses, consult with qualified IT partners and prioritize cybersecurity investments to meet the growing threat.
Don't leave your firm or your clients vulnerable. Contact us today for a cybersecurity assessment and ensure your client data remains secure—during tax season and beyond. Stay secure. Stay compliant. Stay trusted.