ato logo
Search Suggestion:

Tax Profession Cyber Security Working Group key messages 27 February 2025

Key topics discussed at the Tax Profession Cyber Security Working Group meeting 27 February 2025.

Published 28 March 2025

Australian Taxation Office and Tax Practitioners Board

The current focus areas of work and previous actions stemming from the working group was discussed.

The Australian Taxation Office (ATO) issued advice to tax professionals on steps recommended, to keep secure prior to the end-of-year closedown period. It was well received and shared in media.

In response to the increasing prevalence of impersonation scams, work is continuing. The ATO has made it publicly clear how they will and will not interact with taxpayers with information available to verify or report a scam.

We are working with the Australian Government Digital ID System to ensure that online services provide protection and security to users.

Identity fraud is another area of focus, with the concept of ‘know your client’ particularly relevant for tax professionals.

The Tax Practitioners Board is taking steps to manage identity fraud and strengthen security with the introduction of digital ID for access to their systems.

The group discussed the need to consider the risks of using artificial intelligence (AI) services, specifically, awareness of the data input into these services.

Member comments

It can be difficult for tax professionals to stay updated with the influx of AI products and services on offer. We need to carefully consider the AI provider and service and have internal policies on AI use in place that can help.

External member updates

External members of the group shared views on relevant emerging issues, behaviours, threats or concerns regarding cyber security in the tax profession.

We discussed the awareness campaign for myID and its relation to strong identity strength. It was noted that this phase of the campaign is to raise awareness of the recent name change, and we will explore messaging regarding levels of identity strength in the future.

Concerns were that managing cyber security is an additional burden for tax professionals, particularly those in smaller practices. We discussed options for addressing this, including targeted advice and guidance about cyber security for tax and BAS agents. This could focus on ‘getting the basics right’ as a starting point.

Data security and protection deep dive

Key areas of focus had been identified and prioritised in previous meetings that will now be considered in a series of deep dive discussions. The first deep dive discussion is on the topic of data security and protection.

A starting place for considering data security and protection is an awareness of the data held, and how long it has been retained.

Understanding the data management policies of any business management, accountancy software is important. Tax professionals can check with their software provider about what data is held, data retention periods, backup processes and how to extract data.

Members suggested that clients expect that data will be retained for significant periods. We highlighted that holding data for too long may also be problematic as it increases exposure should a data breach occur.

Members shared suggestions and tips for approaching data security and protection, such as nominating specific data purge periods, noting data retention periods in letters of engagement, and understanding their software.

To support tax professionals in relation to data security and protection, we will explore education and promotion of these tips and will consider appropriate communications channels to engage agents on cyber security.

QC104030