CPA firm cybersecurity: AICPA, IRS 4557, and the WISP requirement
Your clients trust you with their most sensitive financial data. The IRS requires a WISP. The FTC Safeguards Rule applies to you. And clients are starting to ask about SOC 2. BlackSheep puts your entire cybersecurity compliance program in one place.
No credit card required · 14-day free trial · Cancel anytime
Built by a CISSP with 20 years in cybersecurity compliance. Former Director of Cybersecurity at a top 25 CPA firm. 100+ compliance programs built.
You already know the problem
The IRS requires a WISP. The FTC Safeguards Rule applies to your firm. Clients are asking about SOC 2. And your cybersecurity program is still a document someone drafted three years ago.
Without BlackSheep
- IRS WISP requirement with no system to manage it
- Client tax data and financial records with inconsistent protections
- SOC 2 questions from clients you can't answer confidently
- FTC Safeguards Rule compliance gaps nobody has mapped
- Cybersecurity policies last touched during the last peer review
With BlackSheep
- IRS WISP managed as a living document with all required elements tracked
- Client data protection mapped to AICPA, IRS, and FTC requirements
- SOC 2 readiness with mapped controls and evidence collection
- FTC Safeguards Rule compliance scored with gap analysis
- Policy templates, version control, and employee sign-offs in one place
Built for how CPA firms actually handle compliance
Every feature maps to what the IRS, AICPA, and FTC expect. Built by someone who ran cybersecurity at a top 25 CPA firm.
Compliance Dashboard
See your AICPA, IRS 4557, FTC Safeguards, and NIST CSF scores in one view. Know where your firm stands before anyone asks.
WISP Management
Your Written Information Security Plan as a living document. Every IRS-required element tracked, versioned, and ready for review.
Incident Response
When a breach happens, the clock starts. Log incidents, track notification timelines, and manage the full response with audit trails.
Vendor Risk Management
Track every vendor that touches client data. Due diligence, risk assessments, and contract management in one place.
SOC 2 Readiness
Map controls to Trust Service Criteria, collect evidence, and get audit-ready. When clients ask, you have answers.
Evidence Collection
All compliance evidence organized and exportable. Clean packages for peer reviews, client inquiries, or regulatory responses.
Every framework that applies to your firm
Mapped controls, tracked evidence, and live compliance scores for every regulation your CPA firm needs to follow.
AICPA Cybersecurity
Professional standards for CPA firms covering cybersecurity risk management and reporting.
- Cybersecurity risk management program
- SOC for Cybersecurity framework
- Client data protection standards
- Third-party risk management
- Incident response and reporting
IRS Publication 4557
The IRS data security plan requirement for all tax professionals. Your WISP starts here.
- Written Information Security Plan (WISP)
- Employee security awareness training
- Data theft and loss protection
- Incident response procedures
- Annual security plan review
NIST CSF 2.0
The framework that ties everything together for comprehensive cybersecurity.
- Govern — policies & roles
- Identify — asset management
- Protect — access control
- Detect — monitoring
- Respond & Recover
GLBA/FTC Safeguards Rule
CPA firms handling financial data are financial institutions under GLBA.
- Designated qualified individual
- Written risk assessment
- Access controls and MFA
- Encryption requirements
- Incident response plan
CIS 18 Controls
Prioritized security controls that strengthen your overall security posture.
- Asset inventory and control
- Secure configuration management
- Continuous vulnerability management
- Audit log management
- Incident response management
Everything your compliance program needs.
One platform, one price.
Our founder charged $30,000/year per firm to build these programs by hand. Now it's all in software.
Starter
Save $36,000+/year on compliance costs
The full platform. Every feature. Every framework. No gates. Whether you self-manage or work with a consultant, everything is in one place.
- All compliance frameworks
- Live compliance dashboard & scores
- Policy templates & sign-offs included
- Vendor risk management & oversight
- Risk assessment with gap analysis
- Access reviews & IT controls review
- Incident tracking with breach timers
- IR & BCP testing logs
- Security training & tracking
- Cyber insurance readiness
- Tasks, scheduling & annual reporting
- Unlimited users
- Email support
Professional
Hands-on services included
Everything in Starter, plus we do the hands-on work. Incident response testing, business continuity testing, audit support, and annual training included.
- Everything in Starter
- We lead your incident response testing
- We lead your business continuity testing
- We provide audit support
- We lead your annual security training
Enterprise
Your fractional compliance team
Everything in Professional, plus we're alongside you week to week. Still less than a single consulting engagement.
- Everything in Professional
- Biweekly calls to lead your compliance program
- We will personally guide you through the full implementation of your cybersecurity program
- The Maverick to your Goose
- We have your back
All plans include a 14-day free trial. No credit card required. Cancel anytime.
Ready for a review in 30 days or we extend your trial free until you are.
Frequently asked questions
What compliance frameworks does BlackSheep support for CPA firms?
BlackSheep supports AICPA cybersecurity standards, IRS Publication 4557 (WISP requirement), GLBA/FTC Safeguards Rule, NIST Cybersecurity Framework 2.0, and CIS 18 Critical Security Controls. SOC 2 readiness is also included.
What is the IRS WISP requirement and how does BlackSheep help?
The IRS requires all tax professionals to have a Written Information Security Plan (WISP) as outlined in Publication 4557. BlackSheep provides WISP templates, tracks all required elements, manages employee training records, and maintains the documentation the IRS expects to see.
Does BlackSheep help with SOC 2 readiness?
Yes. BlackSheep maps controls to SOC 2 Trust Service Criteria, tracks evidence, and maintains the documentation auditors need. While we are not a SOC 2 audit firm, we get you audit-ready so the process is smooth and less expensive.
How does the FTC Safeguards Rule apply to CPA firms?
CPA firms that handle financial data are considered financial institutions under GLBA and must comply with the FTC Safeguards Rule. This includes designating a qualified individual, conducting written risk assessments, implementing access controls and MFA, encrypting customer information, and maintaining an incident response plan. BlackSheep maps all of these requirements.
Can BlackSheep be used across multiple office locations?
Yes. BlackSheep supports unlimited users with role-based access controls. Your entire firm can participate regardless of office location, and you maintain a single, consistent compliance program across all offices.
Your compliance frameworks
AICPA
Professional standards for protecting client financial data
IRS Publication 4557
IRS requirements for safeguarding taxpayer data
NIST CSF 2.0
The gold standard cybersecurity framework for risk management
GLBA/FTC Safeguards Rule
FTC requirements for financial institutions handling customer data
CIS 18 Controls
Prioritized security controls for accounting firms
Your clients trust you with everything. Protect it.
Built by a former Director of Cybersecurity at a top 25 CPA firm. Now it's a platform starting at $249/month. 14-day free trial, 30-day money-back guarantee.