Your Clients Trust You: Cybersecurity Protects That Trust

Written by Justin Colantonio | May 7, 2025
CPAs build their reputation on trust, and trust is earned by how well you protect the information given to you. 

CPAs build their reputation on trust. Because of that trust, clients hand over their most sensitive information – tax records, payroll files, Social Security numbers, business financials – without hesitation. But in today’s connected world, trust is no longer simply earned through accuracy and prudent advice. It’s earned by how well you protect the information given to you.

While you may not think of yourself as a target, cybercriminals do. In fact, CPA firms are squarely in their sights.

Cybercrime Is All about Opportunity

The image of bold hackers going after Fortune 500 companies still dominates the news, but behind the headlines the real story has changed. Slipups – at all sizes of accounting firms – open the door to online predators and risk destroying the trust you’ve built:

  • 56% of breaches are caused by negligence, most often by untrained staff or poor security practices.
  • 82% of cyberattacks now happen in cloud environments – exactly where CPA firms work every day.
  • Credential theft has nearly doubled. Once attackers are inside a system they often move around undetected for months.

Here’s what the above means: Your clients’ most personal data could be silently compromised without a single alarm going off.

I present these facts not to scare you, but in the hope that you recognize that today's CPA firms are the gatekeepers of financial identity, a role that carries more responsibility than ever.

IT Support Isn’t the Same as Cybersecurity

Having a trusted IT provider is important. It should not be, however, the end of your protection plan. Cybersecurity today requires a different level of specialization. Ask yourself:

  • Is your team trained to spot phishing and social engineering?
  • Do you have multifactor authentication enabled across all tools?
  • Are you using password managers and modern endpoint protection?
  • Do you know exactly what your cyber insurance policy requires, and are you meeting those requirements?

If the answer to any of these is “not yet,” the good news is there is still time to act.

Your Risk Is Your Client’s Risk

If your clients are subject to Health Insurance Portability and Accountability Act (HIPAA) protections, SOC 2 compliance, the FTC Safeguards Rule, or Cybersecurity Maturity Model Certification (CMMC) compliance, and you store or transmit their data, you are now part of their risk equation.

More and more businesses are auditing their vendors – especially financial service providers – for cybersecurity readiness. In some cases, being underprepared could cost you the client – not because of anything you did wrong, but because of what you didn’t do right.

The Real Cost of Inaction

Beyond the devastating breach costs and operational downtime, the hidden (and terrifying) cost is reputational erosion. Could your practice withstand the following:

  • Clients questioning your reliability.
  • Referral sources hesitating to recommend you.
  • Time and attention pulled away from your core work.
  • Professional embarrassment in your local or industry network.

If something does go wrong with securing your client data, perhaps the worst part is knowing that most of these outcomes were preventable.

A Modern Cybersecurity Baseline for CPA Firms

You don’t need to overhaul your firm overnight. But here’s what every CPA firm should have in place today:

  • Multifactor Authentication (MFA) – Especially on portals, cloud apps, and email.
  • Endpoint Detection and Response (EDR) – Replaces outdated antivirus.
  • 3-2-1 Backup Strategy – 3 copies of data, 2 formats, 1 offsite and immutable.
  • Employee Awareness Training – Human error is the No. 1 risk factor.
  • Cyber Insurance Policy Review – Ensure you meet new application requirements before filing a claim.

These are no longer “nice-to-haves.” They are the modern foundation of professional protection.
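The 3-2-1 backup item in the baseline above is the one control whose requirements can be checked mechanically: three copies, two storage formats, one copy both offsite and immutable. The script below is an added example, not code from the article or from Total Technology Resources; it audits a constructed backup inventory against those three rules and lists what is missing. The copy labels, media names and the BackupCopy structure are assumptions made for the illustration.

```python
"""Added example (not from the original article): check a backup inventory
against the 3-2-1 rule described in the baseline list: at least 3 copies
of the data, on at least 2 different storage formats, with at least 1 copy
that is both offsite and immutable. The inventory is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str        # hypothetical label for this copy (the live data counts as one)
    medium: str      # storage format, e.g. "local-disk", "nas", "cloud-object"
    offsite: bool    # held away from the primary office
    immutable: bool  # cannot be altered or deleted before its retention period ends


def check_3_2_1(copies):
    """Evaluate each 3-2-1 requirement and an overall 'ok' flag."""
    media = {c.medium for c in copies}
    # A copy that is offsite but still deletable by a compromised admin account
    # does not satisfy the "immutable" half of the rule, so both flags are required.
    offsite_immutable = [c for c in copies if c.offsite and c.immutable]
    result = {
        "three_copies": len(copies) >= 3,
        "two_media": len(media) >= 2,
        "one_offsite_immutable": len(offsite_immutable) >= 1,
    }
    result["ok"] = all(result.values())
    return result


def gaps(copies):
    """Return a remediation checklist: one plain-language line per unmet rule."""
    r = check_3_2_1(copies)
    messages = []
    if not r["three_copies"]:
        messages.append(f"only {len(copies)} copies (need 3)")
    if not r["two_media"]:
        messages.append("all copies on one storage format (need 2)")
    if not r["one_offsite_immutable"]:
        messages.append("no copy that is both offsite and immutable")
    return messages


# Constructed inventories for illustration.
# WEAK: live data plus a NAS sync in the same office, nothing offsite or locked.
WEAK = [
    BackupCopy("primary", "local-disk", offsite=False, immutable=False),
    BackupCopy("nas-sync", "nas", offsite=False, immutable=False),
]
# GOOD: the same two plus an offsite, retention-locked cloud copy.
GOOD = [
    BackupCopy("primary", "local-disk", offsite=False, immutable=False),
    BackupCopy("nas-sync", "nas", offsite=False, immutable=False),
    BackupCopy("cloud-locked", "cloud-object", offsite=True, immutable=True),
]

if __name__ == "__main__":
    for label, inventory in (("WEAK", WEAK), ("GOOD", GOOD)):
        print(label, check_3_2_1(inventory), gaps(inventory))
```

The WEAK inventory passes the "two formats" test but fails the other two, which is the common shape at small firms: copies exist, but every one of them sits on the same network and can be wiped by the same ransomware or the same stolen credential. Adding one offsite copy that cannot be deleted within its retention window is what closes both gaps.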

Justin Colantonio is the managing partner of Total Technology Resources, a Philadelphia-based managed security service provider (MSSP) that helps CPA firms protect client data and comply with cyber insurance and Federal Trade Commission mandates. Colantonio has a background in accounting and knows firsthand the stakes CPAs face today.


Statements of fact and opinion are the authors’ responsibility alone and do not imply an opinion on the part of the PICPA's officers or members. The information contained herein does not constitute accounting, legal, or professional advice. For actionable advice, you must engage or consult with a qualified professional.