
Cyber Security for Accountants: What the TPB Code Now Requires You to Have in Place

The Tax Practitioners Board Code of Conduct has explicit cyber security expectations. Most practitioners don't know exactly what's required — or what evidence they'd need to show if a client's data was ever compromised.

If you're a registered tax agent, Business Activity Statement (BAS) agent, or tax (financial) adviser, the Tax Practitioners Board (TPB) holds you to specific standards around how you protect client information. These aren't vague suggestions — they're obligations under the Tax Agent Services Act 2009 and the TPB Code of Professional Conduct, and breaching them can result in suspension or deregistration.

The problem is that most accounting and bookkeeping practices don't know exactly what those obligations require in practice. They know cyber security is "important," but they haven't translated that into specific controls — and they've never thought about what evidence they'd need to show the TPB (or a client pursuing a claim) if something went wrong.

This article cuts through the vague language and tells you what's actually expected, what the highest-risk areas are for accounting practices specifically, and what "reasonable steps" looks like in practice.

What the TPB Code Actually Says

The TPB Code of Professional Conduct requires registered practitioners to act with honesty and integrity, and to take reasonable steps to protect confidential client information. Specifically, Code Item 1 requires that you act honestly and with integrity. Code Item 6 requires that you not disclose any information relating to a client's affairs to a third party without legal justification — this is the primary confidentiality obligation. Together, these provisions are interpreted by the TPB as encompassing a duty to take reasonable steps to protect client information from unauthorised access.

The TPB has published specific cyber security guidance for tax practitioners, making clear that practitioners are expected to have appropriate measures in place to prevent unauthorised access to client data. This guidance has been developed in the context of a significant and well-documented increase in ATO portal fraud and tax identity theft cases — many of which have originated from compromised practitioner credentials.

Key point: The TPB doesn't prescribe exactly which technical controls you must have. Instead it applies a "reasonable steps" standard — meaning your controls are assessed in the context of your practice size, the sensitivity of data you hold, and what a reasonable practitioner in your position would have done.

This is both good news and bad news. Good news: you're not required to implement enterprise-grade security. Bad news: "reasonable steps" is assessed after the fact, which means you only find out if you've done enough when something goes wrong.

Why Accounting Practices Are a Primary Target

Accounting and bookkeeping practices hold an extraordinary concentration of sensitive data. Client tax file numbers (TFNs), Australian Business Numbers (ABNs), bank account details, BAS data, payroll information, superannuation account numbers, and ATO login credentials — all in one place. For a cybercriminal, a compromised accounting practice is far more valuable than a compromised individual.

The most common attack vectors targeting Australian accounting practices are:

  • ATO Online Services for Agents credential theft: Attackers use phishing emails, password spraying, or credential stuffing to gain access to practitioner portal credentials. Once in, they redirect client tax refunds, lodge fraudulent returns, or access client data.
  • Practice management software compromise: Tools like Xero, MYOB, QuickBooks, and Handisoft hold complete client financial records. Weak passwords or shared credentials make these high-value targets.
  • Business email compromise (BEC): Attackers compromise a practice email account and use it to redirect electronic funds transfer (EFT) payments — either from clients expecting to pay you, or from you paying on behalf of clients.
  • Ransomware: Practice files encrypted and held to ransom. Without backups, recovery means either paying the ransom or rebuilding from scratch — often losing years of client records in the process.

What "Reasonable Steps" Looks Like in Practice

Based on TPB guidance, ATO recommendations, and what's been accepted in regulatory proceedings, here are the controls that define a reasonable standard for an accounting or bookkeeping practice:

Multi-Factor Authentication on Everything

This is the single most important control — and the one the ATO has made explicit as a requirement for accessing Online Services for Agents. Multi-factor authentication (MFA) means that even if your password is stolen, attackers can't log in without a second factor (typically a code on your phone). Every portal access — ATO, Xero, MYOB, email, cloud storage — should have MFA enabled. This is no longer optional, and a regulator or court would find it very difficult to accept that a practice not using MFA had taken "reasonable steps."

Separate Credentials for Each System

Reusing the same password across multiple systems means a single breach can cascade into a total compromise. Every system should have a unique, strong password. In practice this means using a password manager — remembering dozens of unique passwords is not realistic without one. LastPass, 1Password, and Bitwarden are all acceptable options at minimal cost.

Staff Access Controlled on a Need-to-Know Basis

Not every staff member needs access to every client file or every system. Excessive access privileges mean that if any staff account is compromised — through phishing, a personal device breach, or a disgruntled employee — the blast radius is the entire practice. Access should be provisioned by role, and removed promptly when staff leave.

Regular, Tested Backups

Backups are your recovery mechanism for ransomware, hardware failure, and accidental deletion. The important word is "tested" — a backup you've never restored from is an untested assumption. Backups should be stored separately from your main systems (so ransomware can't encrypt them too) and tested by actually restoring a file at least quarterly.

Software Kept Up to Date

Outdated software contains known vulnerabilities that attackers actively exploit. This applies to your operating system, practice management software, browser, and any plugins. Automatic updates should be enabled wherever possible, and you should periodically confirm that devices are actually current — automatic update failures are common and silent.

A Basic Incident Response Plan

If client data is compromised, what do you do? Who do you call? The TPB expects practitioners to have thought about this in advance. Your plan doesn't need to be a 50-page document — it needs to cover: who to contact internally, how to contain the breach, when and how to notify clients, and how to report to the ATO and the Office of the Australian Information Commissioner (OAIC) if required.

Notifiable Data Breach obligations: Under the Privacy Act, if a data breach is likely to result in serious harm to any individual, you're required to notify both the OAIC and affected individuals as soon as practicable. Failing to notify when required compounds the original breach and attracts additional penalties. Most accounting practices are caught by the Privacy Act if they have an annual turnover above $3 million or handle tax file numbers — the latter applies to virtually every practice.

What the TPB Can Do If You Fall Short

The TPB has a range of sanctions available for Code breaches. These include formal cautions, additional conditions on your registration, suspension, and deregistration. In cases involving client data loss, the TPB has also referred matters to the OAIC and, in serious cases, to law enforcement.

Beyond TPB sanctions, practices face civil liability to affected clients. If a client suffers financial loss because their TFN was used fraudulently following a breach of your practice, they may have grounds for a negligence claim. Your professional indemnity insurance may provide cover — but insurers are increasingly scrutinising whether basic security controls were in place at the time of the breach, and coverage can be denied if reasonable steps weren't taken.

What Evidence Do You Actually Need?

If the TPB investigates your practice following a breach, or if a client makes a complaint, the question isn't just "did you have controls in place?" — it's "can you demonstrate that you had controls in place?" Evidence that matters includes:

  • Documentation of your security practices (even a simple one-page policy)
  • Records showing MFA was enabled on key systems
  • Evidence that staff received security awareness training
  • Backup logs or restoration test records
  • Your incident response plan, even if basic
  • A security assessment showing you'd reviewed your posture

The last point is often overlooked. A documented assessment — showing that you systematically reviewed your security, identified gaps, and took steps to address them — is strong evidence of due diligence. It shows the TPB or a court that you didn't just assume things were fine; you actively checked.

The Practical Starting Point

For most small accounting and bookkeeping practices, the most important immediate steps are: enable MFA on the ATO portal and your practice management software, set up a password manager, review who has access to what, and make sure backups are running and tested. These four actions alone substantially reduce your risk profile and provide a defensible foundation.

From there, a structured assessment will tell you where the remaining gaps are — including the ones specific to your practice that a generic checklist won't surface.

Know Where Your Practice Stands

Our Accounting Practice Health Check covers the specific controls the TPB expects, including ATO portal security, practice management software, client data handling, and staff access. You'll get a scored assessment with prioritised recommendations you can act on immediately — and a report you can keep as evidence of due diligence.

