
The Impact of Cybersecurity Regulations on Accounting Firms


While we are biased given our line of work, cybersecurity is undoubtedly an urgent issue for businesses across all sectors. Given its reliance on both financial and personal information, the accounting industry is no exception. Accounting firms are increasingly targeted because of the volume of sensitive financial data they hold, and regulators respond by adding or tightening rules every year to ensure that these organizations take appropriate measures to protect client data, financial information, and operational integrity.

Let’s explore the impact of new cybersecurity regulations on accounting firms and review what was introduced in 2024 and what is expected to come in 2025. 

The Growing Need for Cybersecurity in Accounting Firms

Accounting firms store a treasure trove of confidential financial data, from tax filings and audit reports to client accounts and business strategies. This makes them an attractive target for attackers seeking to steal information, extort the firm, or disrupt operations. The consequences of a data breach can be catastrophic: financial loss, reputational damage, and legal penalties.

In recent years, regulatory bodies have ramped up their focus on cybersecurity, and firms are now required to meet specific standards to safeguard client data. As the nature and sophistication of cyber threats evolve, so too do the regulations intended to protect firms from these risks. Understanding which rules actually apply to your firm, and which do not, is critical to responsible accounting firm management, and that is where PK Tech comes in.

Cybersecurity Regulations Introduced in 2024

Several significant cybersecurity regulations took effect, or reached their first compliance deadlines, in 2024, changing how accounting firms operate and what they must document. Let’s highlight the most important ones:

The SEC’s Cybersecurity Disclosure Rules

In July 2023, the U.S. Securities and Exchange Commission (SEC) adopted cybersecurity disclosure rules for public companies. They apply to fiscal years ending on or after December 15, 2023, so 2024 was the first full year under them. A separate set of cybersecurity risk management rules for registered investment advisers and funds was proposed in February 2022 but had not been adopted as of this writing, so the requirements below come from the public-company rule, not the adviser proposal.

Public companies are now required to:

  • Disclose a cybersecurity incident on Form 8-K within four business days of determining that it is material (the clock starts at the materiality determination, not at discovery, which puts a premium on incident response procedures that record when an incident was detected, assessed and escalated).
  • Describe in the annual report how the company assesses, identifies and manages material cybersecurity risks, including risks from third-party service providers.
  • Describe the board’s oversight of cybersecurity risk and management’s role and expertise in assessing and managing it.

Accounting firms are affected in two ways. Firms that audit or advise public companies must understand what their clients now disclose and the controls and evidence behind those disclosures. And because public-company clients must report on their oversight of service providers, an accounting firm that handles a client’s data should expect questionnaires and contractual requirements flowing down from that rule. Even for firms with no public-company clients, the rule has become the reference point for what reasonable cybersecurity governance looks like.

The NYDFS Cybersecurity Regulation Update

The New York Department of Financial Services (NYDFS) is one of the leading state regulators for cybersecurity standards. Its second amendment to the Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500) was adopted in November 2023, with compliance deadlines phased in through 2024 and ending November 1, 2025. The regulation applies to entities licensed by DFS (banks, insurers and other financial services companies), not to accounting firms as such. Firms that hold a DFS license, or that act as third-party service providers to a covered entity, inherit its requirements through the covered entity’s vendor program.

Key provisions of the amended regulation include:

  • Multi-factor authentication (MFA) for any individual accessing the covered entity’s information systems, with the universal requirement taking effect November 1, 2025.
  • Encryption of nonpublic information both in transit over external networks and at rest; compensating controls are no longer accepted as a substitute for encryption in transit.
  • An annual certification of compliance (or a written acknowledgement of non-compliance with a remediation plan), signed by the CEO and the highest-ranking cybersecurity officer, filed by April 15 each year.
  • Notice to DFS within 72 hours of determining that a reportable cybersecurity incident occurred, and within 24 hours of any extortion payment.

For accounting firms that serve DFS-regulated clients, these updates mean tighter contractual demands, particularly around authentication and data security protocols, as covered entities push their own obligations down to their vendors.

Federal Data Protection Requirements (2024)

No comprehensive federal data protection act was enacted in 2024; the American Privacy Rights Act was introduced in April 2024 but did not advance. The federal obligations that do bind accounting firms come from the Gramm-Leach-Bliley Act as implemented by the FTC Safeguards Rule, which treats tax preparers and CPA firms that provide financial services as “financial institutions.” An amendment to that rule took effect on May 13, 2024, adding a breach notification duty on top of the program requirements that took effect in June 2023.

Under the Safeguards Rule, accounting firms are required to:

  • Maintain a written information security program, overseen by a designated qualified individual and based on a written risk assessment.
  • Implement specific controls, including MFA for anyone accessing customer information, encryption of customer information in transit and at rest, access controls, and a written incident response plan.
  • Oversee service providers that handle customer information and assess them periodically.
  • Notify the FTC as soon as possible, and no later than 30 days after discovery, of a breach of unencrypted customer information affecting 500 or more consumers, and notify affected clients as the applicable state breach notification laws require.

This is part of a broader trend toward data protection rules that put the onus on firms to demonstrate accountability and transparency.

What to Expect in 2025: Regulations on the Horizon

While 2024 brought several updates, the regulatory landscape for accounting firms is expected to tighten further in 2025. Several claims are circulating about what is coming; some are accurate and some are not, so here is what firms should actually plan for:

GDPR and U.S. Firms

The General Data Protection Regulation (GDPR), enacted by the European Union, is one of the strictest data protection laws globally, and it has applied to U.S. firms since 2018: under Article 3(2) it reaches any organization, wherever located, that offers goods or services to people in the EU or monitors their behaviour. No new legislation is needed in 2025 to make it apply to a U.S. accounting firm with EU-resident clients; such a firm is already in scope. What is expected in 2025 is continued enforcement, and a growing number of U.S. state privacy laws that borrow GDPR’s vocabulary and rights.

Obligations to be aware of include:

  • The right to erasure, which gives clients the ability to request that their data be deleted, subject to the retention periods that tax and audit law impose.
  • Data minimization, where firms collect and keep only the client information the engagement actually requires.
  • Data Protection Impact Assessments (DPIAs) for processing that is likely to result in a high risk to individuals.

Cyber Insurance Requirements (2025)

With increasing cyber threats, cyber insurance is becoming a critical aspect of financial risk management for businesses. There has been discussion of regulators requiring firms to carry cyber insurance as part of their governance framework, but no such mandate for accounting firms had been proposed by a federal or state regulator as of this writing. In practice the mandate comes from the insurers: underwriters now condition coverage on a minimum set of controls, and a firm that cannot attest to them is declined or priced out.

Expect carriers to:

  • Require evidence of baseline controls before binding coverage: MFA on email, remote access and privileged accounts; endpoint detection and response; and tested backups that an attacker with domain credentials cannot delete.
  • Ask for proof of security awareness training and incident response exercises at renewal.
  • Reduce or deny claims where the controls attested to in the application were not actually in place at the time of the incident.

Whether or not a regulator ever mandates coverage, the underwriting questionnaire is already a de facto control baseline for firms.

The NIST Cybersecurity Framework 2.0

The national framework that actually exists is NIST’s Cybersecurity Framework (CSF), whose version 2.0 was published in February 2024. It is voluntary: there is no scheduled rule that would make a national framework mandatory for all businesses in 2025. What is expected is that regulators, auditors and insurers keep using CSF 2.0, including its new Govern function, as the yardstick against which a firm’s program is judged, so aligning to it is the practical way to satisfy several overlapping requirements at once. CSF itself does not mandate penetration testing or third-party audits, but NYDFS Part 500 already requires covered entities to run annual penetration testing, and SOC 2 reports and insurer questionnaires increasingly ask for both.

The framework’s value is that it creates a common vocabulary across industries, so a firm can build its controls once and map them to each regulator’s and client’s requirements rather than rebuilding the program for every questionnaire.

Adapting to the Changing Regulatory Landscape

The increasing complexity of cybersecurity regulations means that accounting firms must continually evolve their security strategies and ensure compliance with both current and future rules. Here are some essential steps firms can take to stay ahead:

  • Invest in cybersecurity technology: Enforce multi-factor authentication on email, remote access and administrative accounts, encrypt client data at rest and in transit, and keep backups that are tested and isolated from production credentials.
  • Train employees: Ensure staff members are well-versed in cybersecurity best practices, phishing recognition, and the firm’s internal protocols.
  • Create a proactive incident response plan: Develop a clear and detailed response strategy that records when an incident is detected, assessed and escalated, since regulatory and insurer notification clocks start from those determinations.
  • Regularly audit vendor security: Ensure third-party partners adhere to the same rigorous cybersecurity standards, and keep the evidence, because your clients’ regulators will ask for it.

By staying informed and proactive, accounting firms can protect themselves, their clients, and their reputation while meeting constantly changing regulatory demands.

The Regulatory Future for Accounting Firms

Cybersecurity regulations have become an integral part of the accounting industry’s regulatory framework, and the changes introduced in 2024 highlight just how critical these measures are. With more updates expected in 2025, accounting firms must continue to adapt to safeguard sensitive client data and avoid the potentially devastating consequences of cyberattacks. 

Staying ahead of the curve with cybersecurity practices means investing in the support your firm needs. Working with a managed IT service provider helps keep you current on compliance standards. As an MSP, PK Tech is proud to offer 15 years of experience with a focus on accounting firms. We hold an AICPA SOC 2 Type II attestation, meaning an independent CPA firm audited our security and privacy controls over a period of time and reported that we met the criteria. Schedule a time to chat with our team.
