An incident response plan (IRP) is a written, tested procedure for detecting, containing, eradicating, recovering from, and reporting a security event. The FTC Safeguards Rule requires a written IRP for every covered firm that maintains customer information on 5,000 or more consumers, and IRS Publication 5708 expects every PTIN holder to include an incident response section in their WISP regardless of size.
An incident response plan is the document that decides whether a security event becomes a routine cleanup or a disclosure-grade disaster. For tax preparers, CPAs, enrolled agents, and bookkeepers, the plan is not optional paperwork: it is a specific requirement of the FTC Safeguards Rule, a documented expectation of IRS Publication 5708, and the first artifact your cyber insurance carrier will demand after a claim. This template walks through every section that belongs in an IRP for a small or mid-sized tax and accounting firm, in plain English.
Why every PTIN holder needs an IRP in 2026
The federal regulators have all moved in the same direction. The FTC's amended Safeguards Rule at 16 CFR § 314.4(h) requires a written incident response plan for any covered financial institution that maintains information on 5,000 or more consumers. The IRS, through Publication 5708 and the annual PTIN renewal attestation, expects every paid preparer, regardless of size, to maintain a WISP that includes incident response procedures. State attorneys general can bring independent actions under state breach laws. And the major cyber insurance carriers (Travelers, Coalition, At-Bay, Chubb, Beazley, CNA) commonly ask about the IRP on the application and may deny or reduce a claim when the insured cannot show that one existed and was followed.
The cost of not having one is concrete. The IRS estimates the average tax-related identity-theft case costs the preparer 25–40 hours of unreimbursed remediation work per affected client. A 100-client breach without an IRP routinely consumes the entire next filing season. A 100-client breach with a tested IRP is usually contained inside a week.
The eight sections every IRP should contain
The structure below maps directly to the FTC Safeguards Rule, NIST SP 800-61r2, and the IRS Pub 5708 outline. Use the headings as-is; auditors and insurance underwriters look for them by name.
1. Purpose, scope, and governance
State the goal of the plan in two sentences. Identify which systems and data are in scope (customer information as defined by the GLBA Safeguards Rule, employee records, financial systems). Name the Qualified Individual responsible for invoking the plan and the governing body — partner group, owner, or board — that receives the post-incident report. See the GLBA Safeguards Rule guide for the customer-information definition.
2. The incident response team
List every internal role and the name of the person currently holding it. A minimum team for a small firm is: Incident Commander (usually the Qualified Individual), Technical Lead (internal IT or MSP), Communications Lead, and Legal/Compliance Lead. Each role has a backup. Include after-hours mobile numbers and personal email addresses, because the breach often takes down the firm's primary email tenant.
3. External contacts
The list of phone numbers you will need to dial in the first hour:
- Cyber insurance breach hotline (printed on the policy declarations page — call this first, before any forensic action, to preserve coverage)
- Outside counsel familiar with state breach-notification statutes
- Pre-vetted digital forensics and incident response (DFIR) firm
- IRS Stakeholder Liaison for your state
- FBI field office and IC3.gov for ransomware
- State attorney general consumer protection division
- FTC online breach-notification portal (for events affecting 500+ consumers)
- Microsoft 365, QuickBooks, Drake, UltraTax, Lacerte, ProSeries support escalation lines
- Banking partners for ACH and wire-fraud freezes
4. Classification and severity levels
Define three or four tiers so the team agrees on what "critical" means before the adrenaline starts. A workable model:
- SEV-1 — confirmed exfiltration of taxpayer data, ransomware on production systems, or wire fraud in progress. Invoke full IRP, call the carrier, call counsel.
- SEV-2 — credible phishing compromise of a user account with no confirmed data access. Force password reset, revoke sessions, investigate.
- SEV-3 — single suspicious login blocked by MFA, malware detected and quarantined by EDR. Document and monitor.
- SEV-4 — informational alerts, policy violations. Track in the WISP log.
5. The six phases (detection through review)
This is the operational heart of the plan. Each phase gets a short checklist:
Detection & analysis. Who is monitoring (EDR, M365 alerts, bank notifications, client phone calls)? What is the triage process? When is the IRP officially "invoked"? Record the time stamp — every downstream notification deadline runs from it.
Containment. Short-term containment (isolate the host, disable the account, revoke tokens and active sessions) versus long-term containment (block at the firewall, rotate all admin credentials). The IRP should pre-authorize the Technical Lead to disconnect any system from the network at any hour, without further approval.
Eradication. Remove the threat actor's persistence: scheduled tasks, OAuth grants, mailbox rules, new admin accounts, shadow MFA factors. This phase is where firms cut corners and reinfect themselves a week later.
Recovery. Restore from a verified-clean backup, monitor for re-entry, return systems to production in a documented order. Decide who signs off that recovery is complete.
Notification. Start the legal and regulatory clocks. State breach-notification deadlines range from "without unreasonable delay" to fixed windows, the shortest of which is 30 days from discovery (several states allow 45 or 60). The FTC Safeguards Rule's notification-event deadline for events affecting 500 or more consumers is as soon as possible and no later than 30 days after discovery, not after exfiltration is confirmed. The IRS Stakeholder Liaison should be contacted the same day for any event involving taxpayer data.
Post-incident review. Within 30 days of closure, hold a one-hour debrief. Document what worked, what failed, what changed in the WISP. File the report with the governing body. This is the artifact the next FTC examiner or insurance underwriter will ask to see.
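The eradication phase above is the one that benefits from a worked check, because the persistence items it lists (mailbox rules, OAuth grants, new admin accounts, shadow MFA factors) are easy to overlook in a tenant's admin portals. The following is an added example written for this guide, not WISPWolf's tooling or anything from Microsoft. It assumes the Technical Lead has already exported the compromised tenant's inbox rules, OAuth consent grants, directory-role assignments and MFA registrations to JSON (for instance with the Microsoft Graph PowerShell SDK); the field names below are an assumption that only loosely mirrors Graph's shape, the firm's domain is made up, and the 30-day review window before IRP invocation is an assumption, since persistence is usually planted before detection. The sample export is constructed.

```python
"""Persistence triage over an M365 tenant export (eradication phase).

Added example for this guide, not WISPWolf's or Microsoft's code. Assumptions:
the export format below (field names loosely mirror Microsoft Graph but are
illustrative), the firm's mail domain, and a 30-day review window before the
IRP was invoked, because persistence is usually planted before detection.
"""
from datetime import datetime, timedelta, timezone

FIRM_DOMAIN = "examplecpa.com"                                      # assumption
INCIDENT_START = datetime(2026, 3, 2, 14, 5, tzinfo=timezone.utc)   # IRP invoked
REVIEW_WINDOW = timedelta(days=30)                                  # assumption

# OAuth scopes that give an app standing access to mail, files or the directory.
SENSITIVE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "offline_access",
                    "Files.Read.All", "Files.ReadWrite.All", "Directory.ReadWrite.All"}

# Constructed sample export: one legitimate baseline item and one attacker item
# in each category, as seen a day after the account compromise.
EXPORT = {
    "inbox_rules": [
        {"user": "jane@examplecpa.com", "name": "Archive", "forwardTo": [],
         "deleteMessage": False},
        {"user": "jane@examplecpa.com", "name": ".", "forwardTo": ["drop@mail-relay.example"],
         "deleteMessage": True},
    ],
    "oauth_grants": [
        {"app": "Microsoft Teams", "verifiedPublisher": True,
         "scopes": ["User.Read"], "consentedAt": "2025-11-10T09:00:00Z"},
        {"app": "PDF Mail Sync", "verifiedPublisher": False,
         "scopes": ["Mail.ReadWrite", "offline_access", "Files.Read.All"],
         "consentedAt": "2026-03-03T02:41:00Z"},
    ],
    "role_assignments": [
        {"role": "Global Administrator", "member": "admin@examplecpa.com",
         "assignedAt": "2023-01-15T12:00:00Z"},
        {"role": "Global Administrator", "member": "svc-backup@examplecpa.com",
         "assignedAt": "2026-03-03T02:50:00Z"},
    ],
    "mfa_methods": [
        {"user": "jane@examplecpa.com", "type": "microsoftAuthenticator",
         "registeredAt": "2024-06-01T08:00:00Z"},
        {"user": "jane@examplecpa.com", "type": "phone",
         "registeredAt": "2026-03-03T02:44:00Z"},
    ],
}


def _ts(s: str) -> datetime:
    """Parse the export's ISO-8601 UTC timestamps (trailing 'Z')."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def triage(export: dict, incident_start: datetime = INCIDENT_START,
           firm_domain: str = FIRM_DOMAIN, window: timedelta = REVIEW_WINDOW) -> list:
    """Return (category, subject, reason) tuples the Technical Lead must remove."""
    since = incident_start - window
    findings = []

    def external(addr: str) -> bool:
        return not addr.lower().endswith("@" + firm_domain.lower())

    for r in export["inbox_rules"]:
        ext = [a for a in r["forwardTo"] if external(a)]
        junk_name = not any(c.isalnum() for c in r["name"])  # ".", ",", " " are classic
        if ext or (r["forwardTo"] and r["deleteMessage"]) or junk_name:
            findings.append(("inbox_rule", r["user"],
                             f"rule {r['name']!r}: external={ext} delete={r['deleteMessage']}"))

    for g in export["oauth_grants"]:
        hot = sorted(set(g["scopes"]) & SENSITIVE_SCOPES)
        recent = _ts(g["consentedAt"]) >= since
        if hot and (recent or not g["verifiedPublisher"]):
            findings.append(("oauth_grant", g["app"],
                             f"scopes={hot} recent={recent} verified={g['verifiedPublisher']}"))

    for a in export["role_assignments"]:
        if _ts(a["assignedAt"]) >= since:
            findings.append(("role_assignment", a["member"],
                             f"{a['role']} granted inside review window"))

    for m in export["mfa_methods"]:
        if _ts(m["registeredAt"]) >= since:
            findings.append(("mfa_method", m["user"],
                             f"{m['type']} registered inside review window"))
    return findings


if __name__ == "__main__":
    for category, subject, why in triage(EXPORT):
        print(f"{category:16} {subject:28} {why}")
```

Run against the constructed export, the script flags the "." forwarding rule, the unverified "PDF Mail Sync" grant with mail and file scopes, the Global Administrator role added to the service account, and the phone MFA factor registered during the incident, while leaving the four baseline items alone. Every finding is something to delete or revoke before recovery starts; the review window is deliberately wide because the first clue is rarely the first compromise.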
6. Communication templates
Pre-write the worst messages so a panicked owner is not drafting them at 11 p.m. Include drafts for: client notification letter, staff internal email, IRS Stakeholder Liaison email, state AG notice, FTC portal narrative, and a public statement for the firm's website if needed. Outside counsel reviews these once and approves them as templates.
7. Evidence preservation
Do not wipe and reimage in the first hour. The forensics firm and the insurance carrier both need the original disk image, memory capture, and log files. Hash each item at the moment of collection and record the hash on the chain-of-custody form, so anyone can later prove the evidence was not altered in transit. The IRP names a single location (encrypted external drive, or a dedicated S3 bucket with object lock) where evidence is staged and lists the chain-of-custody form to use.
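To make the evidence-preservation step concrete, here is an added example (written for this guide, not WISPWolf's tooling) of the two records a DFIR firm and a carrier will ask for: a hash manifest of everything in the staging location, and a hash-chained custody log in which every event covers the one before it. It assumes evidence is staged in one directory and that the manifest digest is the value copied onto the paper chain-of-custody form; the evidence files, custodian names and timestamps in demo() are constructed.

```python
"""Evidence manifest and hash-chained chain-of-custody log (evidence preservation).

Added example for this guide, not WISPWolf's tooling. Assumptions: all evidence
is staged in one directory (the IRP's single staging location) and the manifest
digest is the value copied onto the paper chain-of-custody form.
"""
import hashlib
import json
import os
import tempfile

GENESIS = "0" * 64  # 'previous hash' for the first custody event


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so a multi-GB disk image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _canonical(obj) -> bytes:
    """Stable JSON encoding so identical content always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(evidence_dir: str, custodian: str, collected_at: str) -> dict:
    """Hash every staged file and seal the listing with a manifest digest."""
    entries = []
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if os.path.isfile(path):
            entries.append({"file": name, "bytes": os.path.getsize(path),
                            "sha256": sha256_file(path)})
    manifest = {"custodian": custodian, "collected_at": collected_at, "entries": entries}
    manifest["manifest_sha256"] = sha256_bytes(_canonical(manifest))
    return manifest


def verify_manifest(manifest: dict, evidence_dir: str) -> list:
    """Return a list of problems; an empty list means the evidence is intact."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    problems = []
    if sha256_bytes(_canonical(body)) != manifest["manifest_sha256"]:
        problems.append("manifest body altered")
    for e in manifest["entries"]:
        path = os.path.join(evidence_dir, e["file"])
        if not os.path.isfile(path):
            problems.append(f"{e['file']}: missing")
        elif sha256_file(path) != e["sha256"]:
            problems.append(f"{e['file']}: hash mismatch")
    return problems


def append_custody_event(log: list, action: str, actor: str, at: str) -> dict:
    """Each event hashes the previous one, so a retroactive edit breaks the chain."""
    prev = log[-1]["event_sha256"] if log else GENESIS
    event = {"action": action, "actor": actor, "at": at, "prev": prev}
    event["event_sha256"] = sha256_bytes(_canonical(event))
    log.append(event)
    return event


def verify_custody_log(log: list) -> int:
    """Return -1 if the chain is intact, else the index of the first broken event."""
    prev = GENESIS
    for i, ev in enumerate(log):
        body = {k: v for k, v in ev.items() if k != "event_sha256"}
        if ev["prev"] != prev or sha256_bytes(_canonical(body)) != ev["event_sha256"]:
            return i
        prev = ev["event_sha256"]
    return -1


def demo() -> dict:
    """Constructed walk-through: stage evidence, seal it, then detect tampering."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-ins for a memory capture and an exported audit log.
        with open(os.path.join(d, "ws-07-memory.raw"), "wb") as f:
            f.write(b"\x00" * 4096)
        with open(os.path.join(d, "m365-unified-audit.json"), "w") as f:
            f.write('[{"Operation": "New-InboxRule"}]')
        manifest = build_manifest(d, "Technical Lead", "2026-03-02T15:10:00+00:00")
        clean = verify_manifest(manifest, d)
        with open(os.path.join(d, "m365-unified-audit.json"), "a") as f:
            f.write("\n")                        # someone 'tidies' the log file
        tampered = verify_manifest(manifest, d)
        altered = dict(manifest)
        altered["custodian"] = "Unknown"         # edited listing, digest no longer matches
        altered_problems = verify_manifest(altered, d)
    log = []
    append_custody_event(log, f"collected; manifest {manifest['manifest_sha256']}",
                         "Technical Lead", "2026-03-02T15:12:00+00:00")
    append_custody_event(log, "handed to DFIR firm", "Technical Lead",
                         "2026-03-02T18:40:00+00:00")
    intact = verify_custody_log(log)
    log[0]["actor"] = "Intern"                   # retroactive edit to event 0
    broken = verify_custody_log(log)
    return {"files": len(manifest["entries"]), "clean": clean, "tampered": tampered,
            "altered": altered_problems, "intact": intact, "broken": broken}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest digest is the one value worth writing by hand on the paper form: with it, the forensics firm can re-run verify_manifest on whatever arrives and prove the files match what the Technical Lead sealed. The custody log's per-event hash chain gives the same property to the handover history, which is what a carrier's coverage counsel will look at when asking who touched the evidence and when.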
8. Testing and maintenance
Schedule the annual tabletop exercise on the calendar with a fixed date (most firms run it in August, after extension deadlines and before PTIN renewal). Document who attended, what scenario was run, what the plan got wrong, and what was revised. The annual WISP review checklist includes the IRP test as a required item.
How the IRP fits inside the WISP
The IRP is usually a stand-alone document that lives as an appendix to the Written Information Security Plan. The WISP references it by name; the IRP back-references the WISP for definitions and the Qualified Individual designation. Together they answer the two questions an FTC examiner will ask first: What was your program? and What did you do when something went wrong? The written information security plan template shows how the two documents nest together.
The IRS-specific notification track
Tax preparers have a notification track that does not exist for other financial institutions. When a preparer suspects client data has been compromised, the IRS asks for the following within 24 hours:
- Email to the IRS Stakeholder Liaison covering your state (names and contacts are on the IRS website).
- A separate report to the state tax agency in every state where affected clients filed.
- A report to the FBI through IC3.gov for any ransomware or business email compromise.
- Notification to your e-file software provider so they can flag affected EFINs.
The IRS uses these reports to place an identity-theft marker on affected SSNs before fraudulent returns are filed. Preparers who notify quickly often prevent the second wave of damage. Preparers who wait usually face it. See the data breach response checklist for tax preparers for the hour-by-hour playbook.
Common IRP mistakes
Three patterns show up in nearly every weak IRP we review:
Generic template language. A plan that talks about "the organization" without naming people, systems, or vendors is not actionable at 2 a.m. Replace every generic noun with a specific person, phone number, or system.
No pre-authorized containment. If the Technical Lead has to wake the managing partner to get permission to disconnect a workstation, the threat actor has another two hours. The IRP must pre-authorize specific actions.
No testing. An untested plan reads well and fails immediately. The annual tabletop is what surfaces the gaps — wrong phone numbers, decommissioned systems still listed, the carrier hotline that was never saved to anyone's phone.
Bottom line
An incident response plan is the difference between a contained event and a career-altering one. The template above gives you the structure regulators, examiners, and carriers expect. Pair it with a current written risk assessment and a tested WISP, and your firm will be in the top quartile of tax-and-accounting practices for incident readiness.
See how your firm scores on incident readiness
The free WISPWolf quiz scores your firm against the FTC Safeguards Rule and IRS Pub 5708 in 15 questions — including whether you have a tested incident response plan.
Sources & References
Primary regulatory and standards sources used throughout WISPWolf's compliance guidance.
- IRS Publication 5708 — Creating a Written Information Security Plan
- IRS Publication 4557 — Safeguarding Taxpayer Data
- FTC Safeguards Rule (16 CFR Part 314)
- Gramm-Leach-Bliley Act (GLBA) Safeguards
- IRS Tax Security — Protect Your Clients, Protect Yourself
- NIST Cybersecurity Framework
- Microsoft Security Documentation