Does the FTC Safeguards Rule apply to accountants and enrolled agents?

Yes. Under the Gramm-Leach-Bliley Act, tax preparers and accounting firms are classified as financial institutions — the same category as banks and investment firms — and are subject to the FTC Safeguards Rule. The rule requires a written security program, vendor oversight, employee training, and incident-response planning. Penalties under the amended rule can reach tens of thousands of dollars per violation, per day.

What is IRC Section 7216 and how does it affect tax preparers using AI?

Section 7216 of the Internal Revenue Code makes the knowing or reckless unauthorized disclosure or use of taxpayer information a federal crime, with potential fines and imprisonment. Pasting a client return into a personal, unmonitored AI tool can constitute exactly that kind of unauthorized disclosure — under the firm's PTIN. A protected AI environment with logging and governance keeps the productivity gain while removing the exposure.

What is Form W-12 Line 11?

Form W-12 Line 11 is the data-security attestation on the IRS Preparer Tax Identification Number (PTIN) application and renewal form. Since 2024, every PTIN holder must check this box certifying — under penalty of perjury — that they have implemented a Written Information Security Plan compliant with IRS Publication 4557 and the FTC Safeguards Rule. Approximately 810,000 tax preparers sign this attestation every year.

What happens to taxpayer data when a seasonal tax preparer leaves the firm?

Without a documented offboarding process, departures usually leave no record of what data each preparer could access or what they retained. A structured offboarding shield revokes access, documents data custody, and produces a timestamped record of access scope and return — supporting the firm's WISP and IRS Publication 4557 obligations.

Will cyber insurance pay out if a CPA firm has no documented WISP?

Most cyber insurance policies now require a documented WISP and specific security controls as a condition of coverage. After a breach, the carrier typically audits the firm's security program before paying claims. If the insured cannot produce evidence the controls were actually in place, claims can be reduced or denied even with all premiums paid. Building the evidence file before a breach — not after — is the difference between coverage and a denied claim.

How fast can MOSTRO 1040 be deployed for a CPA or accounting firm?

Standard deployment is a four-week timeline: Week 1 is a full environment audit, Week 2 is configuration and staff onboarding, Week 3 is penetration testing and evidence-file generation, Week 4 begins 24/7 monitoring. Staff are typically onboarded with their own secured infrastructure within days of signing.

The Apex Cybersecurity OS for Tax & Accounting Firms

YOU HOLD THE DATA.WE HOLD THE LINE.

Q: Do tax preparers really need a Written Information Security Plan (WISP)?

Yes. Since 2024, IRS Form W-12 Line 11 requires every PTIN holder to certify under penalty of perjury that they maintain a Written Information Security Plan. There is no minimum-client threshold: a preparer filing 11 returns has the same obligation as a firm filing 10,000. IRS Publication 4557 defines the requirement; Publication 5708 provides the template.

MOSTRO 1040 is the cybersecurity, WISP-evidence, and protected-AI operating system for CPA firms, accounting practices, and enrolled agents who hold the most concentrated financial data in America — and quietly carry all of the liability.

Book Your Discovery Call → Is Your WISP Real?

30 MINUTES. NO FLUFF. A BRUTALLY HONEST ASSESSMENT OF YOUR EXPOSURE.

MOSTRO 1040® · COMPLIANCE FEED LIVE

▣WISP · IRS Pub 4557 / 5708DOCUMENTED

⬡Security Six Controls6 / 6 ENFORCED

◈Protected AI GuardrailMONITORING

⊞EFIN / PTIN WatchSECURED

◷Evidence File · Last SignedTODAY 09:14

SCENARIO-BASED MODELING ONLY. NO TAXPAYER NPI IS EVER UPLOADED TO ANY PUBLIC AI MODEL. DESIGNED TO SUPPORT FTC SAFEGUARDS & IRC §7216 DOCUMENTATION.

TRUSTED INSIDE FLORIDA'S REGULATED FINANCIAL ECOSYSTEM · TAMPA-BASED · FOUNDER-LED

KEISER UNIVERSITYCybersecurity Advisory Board TAMPA BAYChamber of Commerce HISPANICChamber of Commerce BNIBusiness Network Int'l

Pillar 01 · Protected AI Platform

YOUR STAFF GET THE WORLD'S BEST AI. YOUR FIRM STAYS PROTECTED.

Your preparers and bookkeepers get access to the most powerful AI models on earth — running inside a secure, monitored, compliant environment built for tax professionals. More returns per preparer. Cleaner workpapers. And not one client SSN pasted into a personal ChatGPT tab.

ANTHROPIC CLAUDEOPENAI GPT-5GOOGLE GEMINIGROKMETA LLAMAAMAZON NOVA

Scenario-based AI tooling only. No taxpayer non-public personal information is uploaded to any public AI model. MOSTRO 1040 supports IRC §7216 and IRS Publication 4557 documentation but does not provide legal advice or guarantee any outcome. Consult qualified counsel for your obligations.

75+

SECURED AI MODELS · 15+ AGENTS · ONE COMPLIANT ENVIRONMENT

Before you scroll any further

HOW MANY OF THESE ARE TRUE IN YOUR FIRM RIGHT NOW?

01 / THE SIGNATURE

You certified on Form W-12, Line 11 — under penalty of perjury — that you maintain a Written Information Security Plan. If a Stakeholder Liaison asked to see it Monday morning, could you produce it? Or did you check a box and pray?

★ 810,000+ PREPARERS SIGN THIS BOX. MOST HAVE NOTHING BEHIND IT.

02 / THE LEAK

How many of your preparers have a personal ChatGPT tab open right now with a client's W-2, SSN, or full 1040 pasted into it? IRC §7216 makes unauthorized disclosure a federal crime. Whose PTIN is on the line — theirs, or yours?

03 / THE GHOSTS

Your seasonal preparers touched taxpayer data on personal laptops, personal email, and personal phones — and three of them are gone now. Could you prove what they accessed and what they walked out with?

04 / THE MASTER KEY

Your EFIN is the master key to every return you file. If it's compromised, the IRS can shut you down mid-season. Is it protected with MFA and active monitoring — or a password you set in 2019?

05 / THE LAWSUIT

When a client's refund gets intercepted or their identity gets cloned, the lawsuit and the board complaint don't land on the hacker. They land on the firm that held the data. Do your controls hold up under discovery?

06 / THE DENIED CLAIM

Your cyber insurance almost certainly requires a documented WISP. After a breach, the carrier audits your security before they pay. No WISP, no payout — even though you paid every premium on time. Have you read that clause?

IF THREE OR MORE OF THESE LANDED — WE SHOULD TALK.

Book Your Strategy Call →

Your firm — before and after MOSTRO 1040

YOUR STAFF STOP IMPROVISING SECURITY. YOU START SLEEPING.

WITHOUT MOSTRO 1040

✕Staff using personal ChatGPT with taxpayer NPI

✕A WISP that's a downloaded PDF nobody implemented

✕Taxpayer data on unmanaged personal devices

✕Form W-12 attestation you can't actually prove

✕Seasonal staff depart with no data-custody trail

✕EFIN / PTIN unmonitored and exposed

✕No incident-response plan when the IRS calls

✕Nothing to hand the cyber carrier after a breach

WITH MOSTRO 1040

✓Protected AI platform — monitored, logged, documented

✓A living WISP, maintained to Pub 4557 / 5708

✓Endpoint security on every device, every connection

✓Timestamped evidence file — your attestation is provable

✓Offboarding Shield — clean, documented departures

✓EFIN / PTIN watch with MFA and 24/7 alerts

✓Written IRP — tested and filed before anyone knocks

✓An audit-ready file the carrier can't wave away

The Ecosystem

FIVE PILLARS. ONE ECOSYSTEM. ZERO COMPETITORS OFFERING ALL FIVE.

Protected AI Platform

Your staff are using AI right now with your clients' data. You have no visibility, no logging, and you carry all the §7216 liability. We give them the best models — inside a compliant cage.

LEARN MORE →

Automation + Practice Integration

Secure client-document intake, AI communication, and automated reminders — wired into the tools you already run: UltraTax, Lacerte, Drake, ProConnect, and QuickBooks.

LEARN MORE →

Enterprise Cybersecurity

The IRS Security Six, fully implemented — MFA, EDR, encryption, VPN, backups, and a real firewall — on every device, including your remote and seasonal workforce.

LEARN MORE →

WISP & Cyber-Liability Defense

A living, Pub 4557 / 5708-aligned WISP, maintained and timestamped — plus an audit-ready evidence file. So your W-12 attestation isn't a prayer. It's a fact you can prove.

LEARN MORE →

Elite Talent Magnet

The profession is short hundreds of thousands of accountants. Give every staffer modern AI tooling and a firm that runs like 2026, not 1996. The good ones choose you — and stay.

LEARN MORE →

The Offboarding Shield

Every staff departure — documented, clean, and defensible.

SEE THE SHIELD →

The Differentiator

THE CONVERSATION NO ONE IN THIS PROFESSION IS HAVING.

Every year, 810,000+ preparers sign Form W-12 and swear — under penalty of perjury — that they protect taxpayer data. Most then go back to a duct-taped tech stack, personal devices, and a WISP template they downloaded once and never implemented. That gap is a federal liability sitting under your own signature. We close it — and we make it provable.

✓A real WISP — built, implemented, and kept current to IRS Pub 4557 & 5708

✓A timestamped evidence file showing what was implemented, reviewed & maintained

✓Staff security-training records — dated and signed for the Pub 4557 requirement

✓Clean, documented offboarding when seasonal preparers leave

✓The file your cyber carrier demands — ready before the breach, not after

✓Your Form W-12 attestation, finally turned from a hope into a fact

The Math

THE MATH MOST FIRMS NEVER RUN.

A 15-person tax & accounting firm runs the full MOSTRO 1040 ecosystem — all five pillars — for a fraction of what one mid-level hire costs. Here's the alternative most owners never price out.

BUILD IT IN-HOUSE

1 IT / Security lead — $90K–$135K + benefits
1 Compliance / WISP officer — $75K–$110K + benefits
1 AI / Automation specialist — $85K–$125K + benefits
Tools, EDR, monitoring, licenses — $35K–$70K / yr
Coverage: 9–5, M–F. Vacations. Sick days. Turnover.

ALL-IN: $320K–$510K / YR

DEPLOY MOSTRO 1040

All five pillars — the full ecosystem
24/7 elite SOC monitoring that never sleeps
Protected AI — 75+ models for every staffer
Living WISP + audit-ready evidence file
24 / 7 / 365. No vacation. No turnover. No drama.

ALL-IN: A FRACTION OF ONE HIRE

810K+

preparers signing the W-12 attestation

minimum-client threshold — 11 returns = same rules as 10,000

24/7

SOC & NOC coverage on your environment

"One compliance hire's salary buys you a person who works 40 hours a week. The same money — invested in MOSTRO 1040 — buys you an entire enterprise-grade security team that's awake at 3 a.m. on April 14th, when you're not."

See Your Firm's Number →

The force behind MOSTRO 1040

YOU'RE NOT HIRING A VENDOR. YOU'RE DEPLOYING A TEAM.

Sign with MOSTRO 1040 and you get an entire command structure working for your practice — security engineers, compliance specialists, AI architects, and a 24/7 SOC watching your environment around the clock.

Compliance Command

Your dedicated team builds your WISP to IRS Pub 4557 / 5708, maintains your evidence file, and keeps your documentation audit-ready — so your attestation is always defensible.

Cybersecurity Operations

Enterprise-grade SOC and NOC teams monitor your environment 24/7. Threats are neutralized before your staff ever know they existed — including during peak filing season.

AI & Automation Engineers

Your protected-AI environment and workflow automation are built, governed, and upgraded by engineers who specialize in tax and accounting practice operations.

Deployment & Onboarding

A dedicated team gets every preparer, bookkeeper, and seasonal hire onboarded with their own secured infrastructure. No disruption. No IT tickets. No drama.

Founder · MOSTRO Cybersecurity

A 25-YEAR OPERATOR. THREE REGULATED INDUSTRIES. ONE INEVITABLE CONCLUSION.

Dennis Patino spent 14 years building marketing engines for regulated industries — including financial services — before founding MOSTRO Cybersecurity. He watched, from inside the room, as professionals who hold the most sensitive data in America started pasting it into personal AI tools. As firms ran on duct-taped tech stacks. As people walked out with client data nobody could prove they took.

MOSTRO 1040 is what he built when he realized the firm that survives the next decade isn't the one with the lowest fees — it's the one that can prove, on demand, that it protected what its clients trusted it with.

KEISER UNIVERSITY CYBERSECURITY ADVISORY BOARD · TAMPA BAY CHAMBER · HISPANIC CHAMBER · BNI · TAMPA, FL · HABLAMOS ESPAÑOL

DENNIS PATINO
FOUNDER · CEO
MOSTRO CYBERSECURITY

↳ Drop Dennis-1.webp here

No IT headaches. No training burden. Just proof — from day one.

NO DISRUPTION. NO LEARNING CURVE.

WEEK 1 · WE AUDIT

You Do Nothing

We scan your full environment — devices, domains, email, EFIN access, vendor connections. You get a risk report and a remediation blueprint.

WEEK 2 · WE DEPLOY

Staff Get Access

We configure and install everything. Your team gets one onboarding email and access to certification modules built for tax professionals.

WEEK 3 · WE TEST

You See Your Report

A full Level-1 penetration test and compliance verification. You receive a clean, audit-ready evidence file. Your dashboard goes live.

WEEK 4 · PROTECTED

We Monitor Forever

24/7 SOC monitoring, automated alerts, and quarterly reviews. Your dashboard shows who's certified, who's overdue, and where you stand — any time anyone asks.

🎓

The MOSTRO Firm Security Certification

Every staff member who completes certification generates a timestamped training record. Your dashboard shows completion across your whole team — so when the IRS, your state board, or a plaintiff's attorney asks what security training your people received, you have the evidence file to prove it. That's the IRS Publication 4557 employee-training requirement, handled.

MOSTRO 1040 handles deployment, configuration, monitoring infrastructure, and compliance documentation support. FTC Safeguards, IRS Pub 4557, and IRC §7216 compliance remain the responsibility of the firm. Consult qualified legal counsel for your specific obligations.

Common Questions

FREQUENTLY ASKED QUESTIONS

Do I really need a WISP — or is that just for big firms? +

Yes, you need one. Since 2024, IRS Form W-12 (Line 11) requires every PTIN holder to certify — under penalty of perjury — that they maintain a Written Information Security Plan. There is no minimum-client threshold: a preparer filing 11 returns has the same obligation as a firm filing 10,000. IRS Publication 4557 defines the requirement; Publication 5708 provides the template. A downloaded PDF you never implemented is not a WISP — and that's exactly the gap we close.

Does the FTC Safeguards Rule apply to accountants and EAs? +

Yes. Under the Gramm-Leach-Bliley Act, tax preparers and accounting firms are classified as "financial institutions" — the same category as banks and investment firms. That means you're subject to the FTC Safeguards Rule, which requires a written security program, vendor oversight, employee training, and incident-response planning. Penalties under the amended rule can reach tens of thousands of dollars per violation, per day. (Figures are based on publicly available FTC guidance and are subject to change.)

What is IRC §7216 and why should I care? +

Section 7216 of the Internal Revenue Code makes the knowing or reckless unauthorized disclosure or use of taxpayer information a federal crime, with potential fines and imprisonment. Every time a staffer pastes a client's return into a personal, unmonitored AI tool, you're risking exactly that kind of disclosure — under your firm's PTIN. Our Protected AI platform gives staff powerful AI inside a logged, governed environment so the productivity stays and the exposure goes.

What happens to taxpayer data when a seasonal preparer leaves? +

Without a system, usually nothing documented — which is the problem. The Offboarding Shield handles every departure cleanly: access is revoked, data custody is documented, and you keep a timestamped record of what each person could access and what was returned. So if a question ever comes up months later, you have an answer instead of a guess.

What about my EFIN and PTIN if I get breached? +

Your EFIN is the master key to everything you e-file, and a compromise can lead the IRS to suspend it — mid-season, when it hurts most. We put MFA and active monitoring around your EFIN, PTIN, and IRS accounts, and maintain the documentation you'd need to respond fast if something looks wrong.

Will my cyber insurance even pay out without this? +

Read your policy. Most carriers now require a documented WISP and specific controls as a condition of coverage — and after a breach, they audit your security program before paying. If you can't produce evidence the controls were actually in place, claims can be reduced or denied even though you paid every premium. MOSTRO 1040 builds the evidence file before the breach, not after.

What does MOSTRO 1040 cost, and how fast can it deploy? +

Pricing is per firm with unlimited users, and it scales down per-person as your team grows — far below the cost of hiring the same capability in-house. Deployment runs on a four-week timeline, and your staff are onboarded with their own secured infrastructure quickly after signing. Book a discovery call for your firm's specific number.

You've built something worth protecting

PROVE IT BEFORESOMEONE PROVES YOU DIDN'T.

30 minutes. No fluff. A brutally honest assessment of where your firm stands — and exactly what it would take to make your attestation true.

Book Your Discovery Call →

DENNIS PATINO, CEO · MOSTRO CYBERSECURITY · 813-790-7575