IRS Pub 4557 + FTC Safeguards-aligned cybersecurity for the firm, not the brochure.
Managed cybersecurity built for the way a CPA firm actually runs — Lacerte or Drake on a local server, CCH Axcess or UltraTax in the cloud, Microsoft 365 or Google Workspace for the office, refund deposits and client wires moving through the firm at peak season. Huntress MDR, ITDR, and Security Awareness Training operated end-to-end by Obsidian Ridge, with the WISP + FTC Safeguards Rule evidence package your IRS Stakeholder Liaison and cyber-insurance carrier expect to see.
We operate Huntress MDR, ITDR, and Security Awareness Training for your firm end-to-end. The 24/7 Huntress SOC watches every endpoint and your Microsoft 365 or Google Workspace tenant for the attack patterns documented across the accounting vertical — ransomware against the tax software server during tax season, refund-redirect BEC, and wire-fraud aimed at client trust funds.
Obsidian Ridge adds the practitioner side: an IRS Pub 4557 + FTC Safeguards Rule § 314.4-aligned Written Information Security Plan, the AICPA SSTS § 1.3 documentation, the IRS Stakeholder Liaison-ready incident response runbook, cyber-insurance readiness, and the quarterly managing-partner briefing.
Pricing starts at $15 per agent per month for Foundation (endpoint only). Most firms land at Protected, $32 per user per month, which adds identity threat detection and the awareness program — the controls that actually move cyber insurance premiums and stop the BEC pattern that costs accounting firms six figures. Complete (from $55 per user per month) adds Managed SIEM and the full compliance evidence program.
What's included
Everything we operate for a CPA firm
Huntress MDR on every endpoint and tax software server
Preparer laptops, partner workstations, the Lacerte / Drake / CCH Axcess / UltraTax server, the firm's M365 / Workspace box. 24/7 Huntress SOC watching for ransomware canaries, credential theft, and the lateral-movement patterns documented in accounting-vertical attacks.
Huntress Managed ITDR on Microsoft 365 / Google Workspace
Catches the adversary-in-the-middle phishing kits (EvilProxy, Tycoon) that bypass MFA, the inbox rules used to hide refund-redirect and wire-fraud activity, and the OAuth-consent attacks against firm tenants.
Managed Security Awareness Training
Tax-season-tuned phishing simulations: IRS notice impersonation, EFIN suspension threats, ADP/Gusto payroll lookalikes, refund-redirect themes for preparers and seasonal contractors.
WISP + FTC Safeguards Rule evidence package
The Written Information Security Plan that IRS Pub 4557 + Pub 5708 require, the FTC Safeguards Rule § 314.4 documented program, the AICPA SSTS § 1.3-aligned procedures, and the audit-control logs the IRS Stakeholder Liaison wants to see.
Tax software hardening
Account hygiene for Lacerte, Drake Tax, CCH Axcess, UltraTax CS, ATX, ProConnect. MFA on every admin, audit-log review cadence, integration-token inventory, BYOD App Protection Policies, seasonal-contractor account lifecycle.
Incident response coordination
If something happens, we coordinate forensics, IRS Stakeholder Liaison notification within 24 hours, FTC notification for breaches affecting 500+ consumers, state AG filings, the cyber-insurance claim, and client-facing communication. The Qualified Individual remains the decision-maker; we operate every step.
The threat model
What actually goes wrong in accounting firms in 2026
The accounting vertical has moved up the target list as ransomware operators learned the leverage tax-season deadlines create. Three patterns account for the majority of the losses we see.
1. Tax-season tax-software ransomware
The attacker phishes a preparer or seasonal contractor, lands a loader, moves laterally to the tax software server (Lacerte, Drake, CCH Axcess on-prem), exfiltrates client return data, and encrypts everything over a weekend in March. Monday morning the firm cannot prepare, file, or bill. Recovery time without preparation: 5 to 21 days — and April 15 doesn't move.
2. Refund-redirect and wire-fraud BEC
The attacker phishes a preparer's Microsoft 365 credentials through an adversary-in-the-middle kit, captures the session token (MFA is already satisfied), sets an inbox rule that hides refund and wire emails, and reroutes a client's estimated-tax payment or refund deposit to a foreign account. Average loss per incident: $50,000 to $500,000+.
3. WISP and FTC Safeguards failure via unhardened defaults
Shared preparer accounts, no MFA on the tax software admin, seasonal contractors with credentials still active in June, vendor master-data with no breach-notification clauses, a 2019 WISP nobody updated. The kind of pattern that turns an IRS Stakeholder Liaison call into a PTIN review.
Accounting field notes
The six pieces every managing partner should read
Practitioner-written long reads. No marketing copy, no acronym soup. Each one written for a managing partner or firm administrator, not a CISO.
Account hygiene, MFA on the tax software itself, seasonal-contractor lifecycle, audit-log review, e-signature integration tokens, and the on-prem server hardening checklist.
The 2026 underwriting questionnaire, the social-engineering rider that matters for tax-season wires, and the operational sequence that passes the application.
Firms with seasonal-contractor surges that need a defensible identity lifecycle
Multi-office CPA groups consolidating after acquisitions or partner additions
Managing partners who want CISSP-led security expertise without staffing it internally
And who it is not for
Firms with no email, no tax software, and no cloud anything (rare in 2026)
Firms already operating an in-house 24/7 SOC with senior identity-security expertise
Firms looking for a one-time WISP template PDF with no ongoing service
How we start
From first call to operating program
1. Discovery call (30 minutes)
Tell us how the firm runs. Tax software, partner count, seasonal staffing model, current IT firm, cyber-insurance renewal date, any recent incidents, and what is driving the conversation. We tell you which tier fits and where the real risks are.
2. Scoped proposal (within 3 business days)
Endpoint and user counts, tier recommendation, the implementation schedule, and the WISP + FTC Safeguards deliverables. Fixed monthly pricing. Month-to-month or annual. No vendor markup games.
3. Deployment (5–10 business days)
Huntress MDR agent on every endpoint and tax software server. Huntress Managed ITDR connected to your Microsoft 365 or Google Workspace tenant. Awareness program launched with a phishing simulation calibrated to your firm's practice areas. Written engagement agreement covering FTC § 314.4(f) vendor oversight signed before any access.
4. 24/7 operation + 90-day check-in
The Huntress SOC is watching from day one. Obsidian Ridge handles escalations, quarterly managing-partner briefings, the WISP maintenance, the FTC Safeguards Qualified Individual annual report support, the cyber-insurance renewal package, and the tabletop exercise every firm should be running annually.
Questions managing partners ask
Frequently asked questions
Are you an IRS-authorized e-file provider or PTIN holder yourself?
No, and we don't claim to be. We deliver the technical safeguards that IRS Publication 4557, the FTC Safeguards Rule, and AICPA SSTS § 1.3 require — audit controls, encryption, MFA, identity threat detection, integrity monitoring — and we package the evidence the IRS Stakeholder Liaison and FTC investigators expect to see. We are not your Qualified Individual (FTC § 314.4(a) — that role lives with a designated firm partner) and we are not your tax practice's professional-standards interpreter.
Do you replace our IT company?
No. We are a managed cybersecurity firm, not an MSP. Your IT firm continues to handle help-desk, Wi-Fi, hardware procurement, and tax software upgrades. We handle 24/7 monitoring, identity threat detection, security awareness training, incident response coordination, and the WISP + FTC Safeguards Rule evidence package. The two functions belong with different specialists.
What does this cost for a 4-preparer CPA firm?
Foundation starts at $15 per agent per month — that covers every workstation, the tax software server, and partner laptops with 24/7 monitoring. Protected at $32 per user per month adds Huntress Managed ITDR on the M365 or Google Workspace tenant and the awareness training program. That is the tier most firms land on once they understand how identity-layer attacks bypass MFA. Complete at $55 per user per month adds Managed SIEM and the formal compliance evidence program for firms with an upcoming insurance renewal or a state AG question.
We use Lacerte / Drake on a local server. Can you protect it?
Yes. Huntress MDR runs on Windows Server. We deploy the agent on the tax software server, every preparer workstation, every staff laptop, and the front-desk machine. The tax software server is usually the highest-value endpoint in the firm and the one most MSPs overlook on EDR coverage — we treat it as the priority.
What if we use CCH Axcess or UltraTax — cloud platforms?
Cloud tax software shifts the server burden to the vendor and the threat model toward account compromise. That is where Huntress Managed ITDR matters most: monitoring sign-in anomalies, mailbox rules, OAuth consent, and token-replay attacks on your M365 or Workspace tenant — the front door to the cloud tax software. Endpoint coverage is still important because preparers' laptops still get phished, so the Protected tier is the standard starting point for cloud-tax-software firms.
How long does deployment take?
Endpoint agent rollout typically completes within 5 business days of contract signing. Identity threat detection on Microsoft 365 or Google Workspace activates within 24–48 hours of tenant connection. The awareness training program launches within the first two weeks. The WISP outline and incident response plan are drafted in the first 30 days and reviewed with the Qualified Individual before finalization.
What about seasonal contractors during tax season?
Seasonal contractors are the highest-risk identity surface in any accounting firm — provisioned in February, used for 10 weeks, often skipping training. We deploy SAT modules and MFA enrollment as part of onboarding, document the deprovisioning date (April 16, no exceptions), and ensure their tax software access ends at the same time as their M365 access. The contractor lifecycle is a documented part of the WISP we help maintain.
Do you help with cyber insurance renewals?
Yes. Our Cyber Insurance Readiness sprint maps the carrier questionnaire to the actual controls you have or need, packages the evidence the underwriter wants to see, and tells you honestly which gaps are worth closing before renewal. Most firms we work with move from 'declined or surcharged' to 'standard rating' inside one renewal cycle.
What happens if we have a breach during your service?
You get an incident-response practitioner on the phone, not a ticket-queue auto-responder. We coordinate forensics, walk through the IRS Stakeholder Liaison notification (within 24 hours), the FTC 30-day notification for breaches affecting 500+ consumers, the state breach-notification clocks, the cyber-insurance claim, and the client-facing communication. The firm's Qualified Individual remains the decision-maker for legal and client disclosures; we operate every technical and process step.
Two ways to start
Free triage call, or the full accounting briefing.
The 20-minute triage is the fastest way to find out whether this program fits your firm. The 30-minute accounting briefing goes deeper — tax software, partner count, seasonal staffing, insurance renewal, the threat model, and what your first 90 days would look like. Both are free, both are no-obligation, and we tell you when you don't need us.