An independent cybersecurity review across the largest CPA firms in the United States — national CPA firms and accounting networks serving businesses and high-net-worth clients including Deloitte, PwC, and EY — reveals a surprisingly wide range of results. These organizations handle sensitive customer and financial data at national scale, yet several show the same email-authentication gaps found at much smaller regional institutions.
Using data from audit.emailmenow.com, we evaluated each firm’s primary domain across email, website, and network security — including SPF, DKIM, DMARC, MTA-STS/TLS, and security headers.
In this national audit, scores ranged from 84% to 39% — 5 of 17 (29%) scored below 60%.
Cybersecurity Scores of CPA Firms
Overall compliance scores from audit.emailmenow.com. Re-run any domain at the link to verify.
| Rank | CPA Firm | Domain | Overall Score | Performance Level |
|---|---|---|---|---|
| 1 | Plante Moran | plantemoran.com | 84% | Strong |
| 2 | Crowe | crowe.com | 80% | Strong |
| 3 | BDO | bdo.com | 73% | Strong |
| 4 | EY | ey.com | 71% | Strong |
| 5 | PwC | pwc.com | 70% | Strong |
| 5 | KPMG | kpmg.com | 70% | Strong |
| 5 | Marcum | marcumllp.com | 70% | Strong |
| 5 | CLA | claconnect.com | 70% | Strong |
| 9 | Armanino | armanino.com | 64% | Above Average |
| 10 | Deloitte | deloitte.com | 60% | Above Average |
| 10 | Baker Tilly | bakertilly.com | 60% | Above Average |
| 10 | CBIZ | cbiz.com | 60% | Above Average |
| 13 | Moss Adams | mossadams.com | 58% | Average |
| 14 | CohnReznick | cohnreznick.com | 54% | Below Average |
| 15 | Sikich | sikich.com | 49% | Weak |
| 16 | RSM | rsmus.com | 44% | Weak |
| 17 | Grant Thornton | grantthornton.com | 39% | Weak |
What the Results Reveal
- Scores range from 84% (Plante Moran) down to 39% (Grant Thornton) — Plante Moran (84%) and Crowe (80%) lead the national field.
- The Big Four cluster at 60–71%: EY (71%), PwC (70%), KPMG (70%), and Deloitte (60%) — none reach the 85%+ showcase tier.
- Grant Thornton (39%) and RSM (44%) score lowest among major national networks despite heavy SMB and middle-market client volume.
- Without an enforced DMARC policy, criminals can spoof a firm’s own domain to phish clients during tax season or redirect refund and ACH instructions.
Why This Matters for CPA Firms
CPA firms are bound by IRS Publication 4557, the FTC Safeguards Rule (for tax preparers), state board rules, and client contractual security requirements. Email authentication (SPF, DKIM, and an enforced DMARC policy) is the single highest-impact control against tax-season phishing, W-2 scams, and business email compromise targeting client refunds and wire transfers.
Check any firm’s posture at audit.emailmenow.com/?industry=cpa-firms.
See also — state audits
- Texas Accounting Firms
- California Accounting Firms
- Florida Accounting Firms
- Illinois Accounting Firms
- New York Accounting Firms
- Pennsylvania Accounting Firms
- Ohio Accounting Firms
- Georgia Accounting Firms
- Michigan Accounting Firms
Recommendations
- Enforce DMARC (p=reject), strict SPF (-all), and DKIM signing.
- Add MTA-STS and website security headers.
- Adopt verified call-back procedures for any change to payment or wiring instructions, and train customer-facing staff.
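As an added example (not the scanner's own code from audit.emailmenow.com), the Python below checks whether a domain's published SPF and DMARC records reach the enforced state recommended above and lists the gaps that remain; the domain names and TXT records are constructed samples, not real DNS data.

```python
import re

# Constructed sample DNS TXT records (not real data from any firm's DNS).
SAMPLE_RECORDS = {
    "strong.example": {"spf": "v=spf1 include:_spf.example.net -all",
                       "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example"},
    "softfail.example": {"spf": "v=spf1 include:_spf.example.net ~all",
                         "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@softfail.example"},
    "missing.example": {"spf": "v=spf1 a mx ~all", "dmarc": None},
}

def parse_dmarc(record):
    """Return DMARC tags as a dict, or None if the record is absent or not DMARC1."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # rua=mailto:... keeps its own '='
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all_qualifier(record):
    """Return the qualifier on the SPF 'all' mechanism ('-', '~', '?', '+') or None."""
    if not record or not record.strip().lower().startswith("v=spf1"):
        return None
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record, re.IGNORECASE)
    if not match:
        return None
    return match.group(1) or "+"  # a bare 'all' means '+all' (pass everything)

def assess(domain, records):
    """Summarise SPF/DMARC enforcement for one domain and list the remaining gaps."""
    findings = []
    qualifier = spf_all_qualifier(records.get("spf"))
    if qualifier is None:
        findings.append("SPF missing or has no 'all' mechanism")
    elif qualifier != "-":
        findings.append(f"SPF ends in '{qualifier}all' rather than '-all'")
    tags = parse_dmarc(records.get("dmarc"))
    policy = (tags or {}).get("p", "").lower()
    pct = int(tags["pct"]) if tags and tags.get("pct", "").isdigit() else 100
    if tags is None:
        findings.append("DMARC record missing")
    elif policy not in ("reject", "quarantine"):
        findings.append(f"DMARC policy p={policy or 'unset'} is not enforced")
    elif pct < 100:
        findings.append(f"DMARC pct={pct} leaves part of the mail stream unfiltered")
    return {"domain": domain, "spf_all": qualifier, "dmarc_policy": policy or None, "findings": findings}
```

To check a live domain, feed `assess` the TXT records returned for `example.com` and `_dmarc.example.com` by your resolver; DKIM cannot be judged from the root domain alone because it lives under per-selector names.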
Protect your organization. Run a free Instant Cybersecurity Audit at audit.emailmenow.com/?industry=cpa-firms.
Contact EmailMeNow IT Consulting for help with IRS Pub 4557-aligned email security hardening.
Source & methodology: Overall compliance scores from the free scan at audit.emailmenow.com — each domain checked for email authentication (SPF, DKIM, DMARC), transport security (MTA-STS/TLS), website security headers, and network security. Re-run any domain at the link to verify.