CPA FIRM CYBERSECURITY & COMPLIANCE TRAINING

The regulatory ground beneath accounting firms shifted twice in eighteen months. On June 9, 2023, the FTC Safeguards Rule transitioned from a "reasonable measures" standard to a prescriptive checklist of nine specific technical controls applicable to every tax preparer who handles consumer financial data. Then on May 13, 2024, the FTC adopted a breach-notification amendment that requires non-banking financial institutions, including tax preparation firms, to notify the Federal Trade Commission within 30 days of discovering a security event involving the unencrypted information of 500 or more consumers.

At the same time, IRS enforcement around Publication 4557 and the written information security plan obligation rooted in the Gramm-Leach-Bliley Act has intensified every year since 2022. Stakeholder Liaison field interviews now routinely ask preparers to produce their WISP on demand, and the IRS Security Summit has issued repeated reminders that operating without a WISP is no longer a defensible posture. Firms that ignore this guidance are not just exposing client data, they are creating an unfavorable record that examiners can cite during PTIN renewal, EFIN review, or any audit triggered by a complaint.

The threat landscape has not waited for the rules to settle. Refund-redirect fraud, EFIN takeover, business-email compromise targeting wire instructions, W-2 phishing campaigns, and ransomware against tax-prep workstations spike every January through April. The 2026 filing season is shaping up to look the same. This course gives your firm a structured, current, practical path to meet the law and survive the season.

What changed on May 13, 2024

The breach-notification amendment to 16 CFR Part 314 added a new Section 314.5 requiring covered financial institutions to notify the FTC as soon as possible, and no later than 30 days after discovery, of a notification event affecting 500 or more consumers' unencrypted customer information. Notification is filed through the FTC's electronic notification portal and is published on a public list within the FTC's website. For a small CPA firm, that means a single laptop loss or ransomware event with the right number of records crosses you onto a public federal breach list. The course module on breach response walks you through exactly what to do in the first 72 hours so you do not miss the clock.

What changed with IRS Publication 5708

IRS Publication 5708, the WISP template the IRS released for tax professionals, is now the practical baseline that every preparer is expected to know. The course walks through the template section by section so your firm's WISP is firm-specific, defensible, and tied directly to the controls you are actually running. A generic template downloaded and saved unsigned in a shared drive is not a WISP. We show you how to make it real.

The Resource Pack is what makes the curriculum actionable. Module 2 walks you through authoring a WISP from IRS Pub 5708; the Resource Pack ships the working template. Module 6 covers breach response; the Resource Pack ships the 30-day notification matrix. The four documents below ship with every seat:

• WISP Template (IRS Pub 5708-aligned). 8-10 pages of fill-in placeholders for firm name, qualified individual, signing partner, scope of customer information, technical safeguards, vendor list, training schedule, and incident response language. Customize once and you have a defensible WISP that maps to the controls you actually run.
• Qualified Individual Designation Memo. One-page formal memo per 16 CFR § 314.4(a) that documents the appointment of your qualified individual, scope of authority, reporting cadence, and signature line for the partner or governing body. The exact language examiners look for.
• Vendor / SOC 2 Review Tracker. Printable inventory of every vendor with access to customer information, last SOC 2 review date, contract renewal date, and a column for the qualified individual's annual sign-off. Closes the § 314.4(f) service-provider oversight requirement.
• Breach Notification 30-Day Matrix. Federal and state notification clocks on one page — FTC 30-day rule, IRS Stakeholder Liaison contact, North Carolina, California, New York, Massachusetts, Texas, and a research-framework column for any state not covered. The first document a partner reaches for at 6 AM on April 14.

Templates are delivered in editable formats. Lifetime updates: when the FTC, IRS, or AICPA shifts the rules, your Resource Pack updates with the course at no additional charge.

The major continuing-education providers each have a place in a CPA firm's training stack. AICPA on-demand, Surgent CPE, and Becker each offer broad NASBA-registered libraries that satisfy traditional CPE-hour requirements across tax, audit, accounting, and ethics. They are designed for breadth and credit, not for hands-on cybersecurity execution at the firm level.

This course is different on three points. First, it is practitioner-led by a security firm that runs incident response on tax practices, not by a general continuing-education vendor. The Module 5 fraud playbook is built from real engagements, not from secondary research. Second, the content is current to 2026 and includes the May 13, 2024 FTC breach amendment, the most recent IRS Security Summit guidance, and the latest IRS Stakeholder Liaison expectations on WISP examination. Third, it includes an actual WISP authoring walkthrough using IRS Publication 5708 as the working template, which is something the broad CPE catalogs do not currently offer at this depth.

A practical recommendation: keep your AICPA, Surgent, or Becker subscription for traditional CPE breadth. Add this course as your firm's hands-on cybersecurity and compliance operations layer. The two stacks are complements, not substitutes.

What this course does not claim

• This course is not currently NASBA-registered. We are explicit about that throughout the curriculum.
• This course does not issue traditional CPE credit. It produces a certificate of completion structured for CPE-equivalent self-study contact hours.
• This course does not provide legal advice. It provides cybersecurity and compliance operations guidance. For legal interpretation of the FTC Safeguards Rule, IRS Pub 4557, or state breach notification statutes, engage qualified counsel.

Petronella Technology Group is a Raleigh, North Carolina-based cybersecurity, compliance, and AI automation firm that has served accounting firms, financial advisors, healthcare practices, and DoD supply-chain manufacturers since 2003. The firm holds a BBB A+ rating, is a CMMC Registered Practitioner Organization, and has delivered hundreds of WISP authorings, FTC Safeguards Rule readiness projects, breach response engagements, and security awareness programs to small and mid-sized professional service firms.

The course is led by Craig Petronella, founder of PTG, who carries the CMMC Registered Practitioner (CMMC-RP) designation, the Cisco Certified Network Associate (CCNA), the Certified Wireless Network Expert (CWNE), and the Digital Forensic Examiner (DFE) credential. Craig is the author of multiple Amazon-published books on cybersecurity for small business, the host of the PTG cybersecurity podcast, and a frequent speaker at industry events on tax-season fraud, ransomware response, and the FTC Safeguards Rule.

Beyond Craig, the PTG team includes additional CMMC Registered Practitioners and brings the operational depth of an actively delivering security firm. The course content is the curriculum we use internally to train our own analysts before they are assigned to tax-firm engagements.

The firm operates a portfolio of related compliance services including cybersecurity audit and assessment, virtual CISO engagements for firms that need an outsourced qualified individual under the FTC Safeguards Rule, and HIPAA compliance services for firms that handle protected health information through their healthcare clients.