An independent cybersecurity review across many of New York’s largest accounting firms reveals a wide range of results. Firms that prepare returns hold extremely sensitive taxpayer data, yet many show significant gaps in basic email authentication.
Using data from audit.emailmenow.com, we evaluated each firm’s domain across SPF, DKIM, DMARC, transport security (MTA-STS/TLS), and website security headers.
Cybersecurity Scores of Major New York Accounting Firms
Overall compliance scores from audit.emailmenow.com. Re-run any domain at the link to verify.
| Rank | Firm | Domain | Overall Score | Performance Level |
|---|---|---|---|---|
| 1 | Marcum | marcumllp.com | 70% | Strong |
| 2 | Citrin Cooperman | citrincooperman.com | 64% | Good |
| 3 | Janover | janoverllc.com | 54% | Average |
| 3 | Grassi & Co. | grassicpas.com | 54% | Average |
| 5 | PKF O’Connor Davies | pkfod.com | 50% | Below Average |
| 6 | Prager Metis | pragermetis.com | 48% | Below Average |
| 7 | EisnerAmper | eisneramper.com | 44% | Weak |
| 8 | Anchin | anchin.com | 38% | Weakest |
| 9 | Withum (Withum Smith+Brown) | withum.com | 34% | Weakest |
| 10 | Mazars USA | mazars.us | 30% | Weakest |
What the Results Reveal
- Scores range from 70% (Marcum) down to 30% — only Marcum reaches a strong posture, and over half the field sits below 50%.
- Several large national-scale firms score in the 30s, showing enforced DMARC, strict SPF, and transport protections are widely missing.
- Weak email authentication fuels the tax-season phishing and client-payment fraud that increasingly target CPA firms.
Why This Matters for Accounting Firms
The IRS (Publication 4557) requires every tax professional to maintain a written information security plan (WISP) to keep a PTIN, and the FTC Safeguards Rule backs it with civil penalties. Tax season is also peak phishing season for tax pros.
Check any firm’s posture at audit.emailmenow.com/?industry=cpa-firms.
See also — national audit
- Major U.S. CPA Firms (national)
- Major U.S. Tax Preparers (national)
- National Payroll Providers (national)
Recommendations
- Enforce DMARC (
p=reject), strict SPF (-all), and DKIM signing. - Add MTA-STS and website security headers.
- Document your WISP and run recurring security awareness training before filing season.
Protect your firm and your clients. Run a free Instant Cybersecurity Audit at audit.emailmenow.com/?industry=cpa-firms.
Contact EmailMeNow IT Consulting for help with your IRS-ready written security plan and email hardening.
Source & methodology: Overall compliance scores from the free scan at audit.emailmenow.com — each domain checked for email authentication (SPF, DKIM, DMARC), transport security (MTA-STS/TLS), website security headers, and network security. Re-run any domain at the link to verify.