CPA Firm Cold Outreach Kit

Solanasis — “WISP Compliance & Safeguards Readiness” Positioning

Version: 1.0
Date: March 14, 2026
Owner: Dmitri Sunshine
Purpose: Crack the cold outreach problem for CPA firms. CPAs have IMMEDIATE, MANDATORY compliance obligations that most haven’t fully addressed. This is the most compliance-driven vertical — the regulatory hooks are real, documented, and enforceable.
Companion docs: LinkedIn Cold Outreach Playbook, Master GTM Sprint, ORB Pack v2, Broker Kit v1, Attorney Kit v1
Key insight from research: Unlike attorneys (where the obligation is ethical/professional) and brokers (where it’s business-driven), CPAs face STATUTORY requirements with SPECIFIC PENALTIES. The IRS WISP requirement and FTC Safeguards Rule are not optional. Penalties are up to $100,000/violation for FTC infractions. Most small-to-mid CPA firms have either a checkbox WISP that wouldn’t survive scrutiny, or nothing at all.


⚠️ CRITICAL FINDINGS THAT CHANGE THE GAME

Why CPA Firms Are the Most Compliance-Exposed Vertical

  1. IRS WISP Requirement (Written Information Security Plan) — IRS Publication 4557 and Publication 5708 make WISP mandatory for ALL tax preparers. Not optional. Not “recommended.” Mandatory. The IRS can revoke your PTIN (Preparer Tax Identification Number) for non-compliance.
  2. FTC Safeguards Rule (16 CFR Part 314) — Requires “financial institutions” (which includes tax preparers and accounting firms) to develop, implement, and maintain a comprehensive information security program. Penalties up to $100,000 per violation.
  3. AICPA Professional Standards — AICPA Code of Professional Conduct requires confidentiality of client information. SOC 2 engagements are increasingly expected even for small firms.
  4. State Board of Accountancy — Colorado State Board can take disciplinary action for failure to protect client data.
  5. Tax season data = highest-value target — Tax returns contain SSNs, income data, employer information, bank account numbers, addresses — literally everything needed for identity theft, tax fraud, and financial fraud.
  6. IRS reported 294,138 identity theft tax returns in 2023 (GAO Report GAO-24-105291). Many of these originated from compromised tax preparer systems.

⚠️ WHAT’S VERIFIED vs. WHAT’S NOT

Claim | Status | Source
IRS WISP is mandatory for tax preparers | ✅ VERIFIED | IRS Pub 4557, Pub 5708
FTC Safeguards Rule applies to CPA firms | ✅ VERIFIED | 16 CFR Part 314, FTC enforcement actions
FTC penalties up to $100K/violation | ✅ VERIFIED | FTC Act Section 5, published enforcement
PTIN can be revoked for non-compliance | ✅ VERIFIED | IRS Circular 230, Pub 4557
294,138 identity theft returns in 2023 | ✅ VERIFIED | GAO-24-105291
Most small CPA firms have inadequate WISPs | ⚠️ ANECDOTAL | Industry consensus, not hard statistic

The Language Shift — Sound Like You Belong

DON’T Say | DO Say | Why
“Cybersecurity assessment” | “WISP validation and Safeguards review” | Maps to their actual compliance obligation
“We check your security” | “We verify your WISP meets IRS and FTC requirements” | Specific regulatory framing
“Vulnerabilities” | “Safeguards gaps” | FTC Safeguards Rule language
“Incident response plan” | “Breach response procedures (per FTC 314.4(h))” | Direct regulatory citation
“IT security” | “Information security program” | The exact phrase from FTC Safeguards Rule
“We’re a cybersecurity company” | “We help accounting firms meet their information security obligations” | Positions as compliance support, not tech vendor
“You need to fix this” | “Your WISP needs to be a living document, not a checkbox” | Collaborative, not confrontational

The Timing Advantage: Post Tax Season

  • April 16 - June 30 is THE window: Firms have just finished tax season, are breathing, and are doing annual planning
  • This is when they think about “all that stuff we said we’d do after tax season”
  • Malpractice/E&O insurance renewals often fall Q2-Q3 for CPA firms
  • FTC enforcement is increasing — recent actions against tax preparers specifically
  • IRS “Taxes-Security-Together” campaign keeps putting pressure on preparers

OUTREACH STRATEGY

Target Profile

  • Firm size: 3-25 CPAs (solo practitioners rarely have budget; national firms have internal compliance)
  • Practice focus: Tax preparation, wealth management accounting, estate/trust accounting, small business accounting
  • Location: Colorado (start local, expand regionally)
  • Decision maker: Managing partner, firm administrator, or compliance partner
  • Key signals: Offers tax preparation, has 3+ CPAs listed on website, no CISO or IT director listed, handles individual and/or estate tax returns

Where to Find Them

  1. Colorado Society of CPAs (COCPA) — cocpa.org member directory
  2. AICPA — aicpa.org find-a-cpa
  3. LinkedIn Search: “CPA” + “managing partner” + “Colorado” or “Denver” or “Boulder”
  4. Google: “CPA firm Boulder CO” / “tax preparation Denver CO”
  5. IRS Tax Pro Directory — irs.gov/tax-professionals
  6. Colorado State Board of Accountancy — active license lookup
  7. COCPA chapter events and CPE events — attend as a resource

EMAIL OUTREACH SEQUENCE

Important: Per Solanasis Operating Keys, DEFAULT to email for outreach. LinkedIn messages get lost in spam.

Email 1: The Compliance Obligation Angle (Day 1)

Subject: Quick question about your firm’s WISP — [Firm Name]

Body:

Hi [First Name],

I’ve been reaching out to CPA firms in Colorado about something that keeps coming up in our work: the gap between having a Written Information Security Plan (WISP) on file and actually having one that would hold up under IRS or FTC scrutiny.

IRS Publication 4557 requires every tax preparer to maintain a WISP. The FTC Safeguards Rule (16 CFR 314) goes further — it requires a comprehensive information security program with specific technical and administrative controls. Penalties under the FTC Act can reach $100,000 per violation.

Most small-to-mid firms we talk to have one of two situations: a WISP that was created from a template and never updated, or no formal program at all. Both create exposure.

We do a focused 10-day Safeguards review — not an audit, not a sales pitch — just a clear-eyed look at where your firm stands against what the IRS and FTC actually require. The deliverable is a documented report you can use for compliance evidence, insurance renewals, or internal planning.

Would a 15-minute conversation be useful?

Best,
Dmitri Sunshine
Solanasis | Information Security for Professional Services
hi@solanasis.com | 303-900-8969


Email 2: The FTC Enforcement Angle (Day 4)

Subject: Re: Quick question about your firm’s WISP — [Firm Name]

Body:

Hi [First Name],

Following up from earlier this week. One data point that’s been getting attention in our conversations with CPA firms:

The FTC has been actively enforcing the Safeguards Rule against tax preparers specifically. The rule requires that firms not just HAVE a security program, but maintain it as a “living document” with regular risk assessments, access controls, encryption, and breach response procedures (see 16 CFR 314.4).

The risk isn’t just the fine. It’s the combination: FTC enforcement + IRS compliance questions + state board exposure + malpractice insurance gaps. If client data is compromised and your firm can’t demonstrate a reasonable security program was in place, the liability exposure compounds quickly.

Our 10-day review is specifically structured to produce the documentation that addresses all four of those exposure points simultaneously.

Worth a quick call to see if the timing makes sense for [Firm Name]?

Dmitri


Email 3: The Practical Reality Angle (Day 8)

Subject: The WISP gap we keep seeing at CPA firms

Body:

Hi [First Name],

Last note from me — I wanted to share the pattern we see consistently with accounting firms:

The biggest risk isn’t a sophisticated cyberattack. It’s the basics: a staff member’s email gets compromised during tax season, or a backup hasn’t been tested and fails when it matters, or there’s no documented procedure for what to do if client tax returns are exposed.

The IRS reported 294,138 identity theft tax returns in 2023 alone. Many originated from compromised preparer systems — not from the taxpayers themselves.

What we do is straightforward: a 10-day review that checks your actual security controls against what the IRS and FTC require, tests your backup recovery, and gives you a prioritized action plan. Tight scope, minimal disruption to your team — especially important if you’re coming out of tax season.

If this isn’t the right time, I completely understand. But I’d love to be a resource whenever the timing is right.

Best,
Dmitri Sunshine
Solanasis | hi@solanasis.com | 303-900-8969


Email 4: The Breakup Email (Day 14)

Subject: Closing the loop — [Firm Name]

Body:

Hi [First Name],

I’ve reached out a few times and haven’t heard back, so I’ll assume the timing isn’t right. Completely understand — post-tax-season is a mix of recovery and catching up on everything that got deferred.

I’ll leave you with this: the FTC Safeguards Rule compliance landscape is tightening, not loosening. Firms that can demonstrate a documented, validated security program are in a much stronger position — for client confidence, insurance renewals, and regulatory inquiries.

If information security ever moves up the priority list at [Firm Name], I’m always happy to have a no-pressure conversation.

Wishing your firm continued success.

Dmitri Sunshine
Solanasis | hi@solanasis.com | 303-900-8969 | solanasis.com


LINKEDIN OUTREACH (Secondary Channel)

Note: Use LinkedIn primarily for connection building and visibility. Prefer email for actual conversations.

Connection Request (300 char limit)

Version 1 — Compliance-focused: Hi [Name], I help CPA firms with WISP validation and FTC Safeguards compliance. Would love to connect — I see a lot of alignment in the firms we support.

Version 2 — Soft: Hi [Name], I’m building relationships with accounting professionals in Colorado. Your firm’s work looks impressive. Would love to connect and stay in touch.

Version 3 — Post-tax-season: Hi [Name], hope tax season treated you well. I work with CPA firms on information security compliance. Would love to connect as a resource.

Follow-up DM (after acceptance)

Thanks for connecting, [Name]. I don’t want to be the person who pitches immediately, so I’ll keep it brief — I help CPA firms make sure their WISP and security controls actually meet IRS and FTC requirements. If that’s ever on the radar for [Firm Name], I’d welcome a conversation. No rush at all.


PHONE SCRIPT

Opening (for warm call after email)

“Hi [First Name], this is Dmitri from Solanasis. I sent you a note about WISP compliance for CPA firms. I know you’re busy, especially coming out of tax season — do you have about 90 seconds?”

If yes:

“Great. The short version is: we help CPA firms make sure their Written Information Security Plan and overall security posture actually meets what the IRS and FTC require — not just the checkbox version, but a validated program that holds up to scrutiny.

We do a focused 10-day review that checks your actual controls against the requirements, tests your backup recovery, and gives you a prioritized roadmap. The deliverable is documentation you can use for compliance evidence, insurance renewals, and internal planning.

Most firms we talk to know they should have addressed this but haven’t gotten to it yet. Would it be worth a 15-minute call to see if it’s relevant for [Firm Name]?”

Handling Objections

“We already have a WISP.” “That’s great — you’re ahead of most firms. The question we help answer is whether that WISP reflects your current environment. Most WISPs we review were created from a template 2-3 years ago and haven’t been updated to reflect changes in staff, systems, or the FTC’s specific technical requirements under 314.4. We essentially stress-test it.”

“We have an IT company that handles this.” “Perfect — most IT companies do a great job keeping systems running. What we focus on is the compliance documentation side: making sure your WISP is current, your controls map to FTC and IRS requirements, and you have evidence that would hold up if the FTC or a malpractice carrier asked questions. Think of it as the bridge between IT operations and regulatory compliance.”

“We’re too small for this to matter.” “Actually, the FTC Safeguards Rule applies to every firm that handles financial information — there’s no size exemption. And smaller firms are often more exposed because they don’t have dedicated compliance staff. The IRS’s ‘Taxes-Security-Together’ initiative specifically targets preparer security because that’s where tax identity theft originates.”

“How much does this cost?” “Our 10-day review starts at $5,000 for smaller firms. It includes a complete assessment, a real backup restore test, a maturity scorecard, and a 90-day action plan. The deliverables are designed to serve double duty — they address compliance documentation AND give you a practical roadmap.”

“We’re still recovering from tax season.” “Totally understand. Actually, the post-season window is ideal timing — your team has bandwidth, and you can address this before malpractice insurance renewal season. Most firms find the 10-day engagement fits naturally into the May-June planning cycle.”


COLORADO CPA TARGET LIST

Where to Build Your List

  1. COCPA (Colorado Society of CPAs): cocpa.org — member directory, chapter listings
  2. Colorado State Board of Accountancy: dora.colorado.gov — active CPA license lookup
  3. AICPA Find a CPA: aicpa.org
  4. LinkedIn Sales Navigator: “CPA” + “Managing Partner” + Colorado
  5. Google Maps: “CPA firm” + Boulder/Denver/Fort Collins/Colorado Springs
  6. IRS Tax Professional Directory: irs.gov
  7. COCPA CPE Events: Attend continuing education events as a resource/networking

Target Firm Characteristics

  • 3-25 CPAs
  • Offers tax preparation services (triggers WISP and Safeguards obligations)
  • No listed CISO, IT director, or compliance officer (meaning gaps are likely)
  • Handles individual, estate, or trust tax returns (high-sensitivity data)
  • Bonus: firm mentions “protecting client information” on website
  • Bonus: firm handles estate/trust accounting (overlap with attorney referral network)

FOLLOW-UP CADENCE

Day | Action | Channel
1 | Email 1 (Compliance Obligation) | Email
1 | LinkedIn connection request | LinkedIn
4 | Email 2 (FTC Enforcement) | Email
5 | If connected on LinkedIn, send follow-up DM | LinkedIn
8 | Email 3 (Practical Reality) | Email
14 | Email 4 (Breakup) | Email
30 | Soft touch: share relevant article about CPA firm data breach or FTC action | Email or LinkedIn
60 | Re-engage: “Has WISP compliance moved up the priority list?” | Email

CPA-SPECIFIC ONE-PAGER CONTENT SPEC

Build a PDF one-pager (similar to broker and attorney one-pagers) tuned for CPAs.

Sections

  1. Header: Solanasis logo + contact info + “WISP Compliance & Safeguards Readiness for CPA Firms”
  2. The Obligation: IRS WISP (Pub 4557/5708) + FTC Safeguards Rule (16 CFR 314) — brief, specific
  3. The Exposure: $100K/violation FTC penalty, PTIN revocation risk, malpractice gaps, 294K identity theft returns
  4. What We Do: 10-Day Safeguards Review (mapped to FTC 314.4 requirements)
  5. What You Get: WISP Validation Report, Risk Register, 90-Day Action Plan, Maturity Scorecard, Restore Verification
  6. How It Works: 5-step visual
  7. About Solanasis + CTA

METRICS & TARGETS

Weekly Targets (First 4 Weeks)

Metric | Target | Notes
Research firms | 10/week | Personalize every message — mention specific practice areas
Emails sent | 10/week | Email 1 to new contacts
LinkedIn connections sent | 10/week | Parallel to email
Follow-up emails sent | 20/week | Emails 2-4 in sequence
Responses received | 3-4/week | CPAs may respond at a higher rate due to compliance urgency
Conversations booked | 1-2/week | Compliance angle drives stronger response

Realistic Timeline

  • Weeks 1-2: Building list, sending first emails, getting initial data
  • Weeks 3-4: First responses, first conversations (post-tax-season window opens)
  • Weeks 5-8: First serious conversations, potential proposal stage
  • Weeks 8-12: First engagement close (60-90 day sales cycle)
  • The CPA vertical may convert fastest because the compliance obligation is the most concrete and immediate

VOICE REMINDERS FOR ALL CPA OUTREACH

  1. Lead with compliance, not fear — “The IRS requires this” is a fact. “You’re going to get fined” is threatening.
  2. Respect their expertise — CPAs understand compliance frameworks. Don’t talk down to them. Reference specific regulations by name and citation.
  3. Position as compliance support, not IT — You’re helping them with their regulatory obligations, not trying to replace their IT provider.
  4. Acknowledge tax season reality — Never contact CPA firms January 15 - April 15. Just don’t.
  5. Use accounting-adjacent language — “Documentation,” “attestation,” “risk assessment,” “controls” — these are terms CPAs use daily.
  6. Don’t oversell scope — A WISP validation is not a SOC 2 audit. Be clear about what you are and aren’t delivering.
  7. Cross-referral opportunity — CPAs who handle estate/trust accounting may refer you to their estate attorney connections, and vice versa. Mention this.

CROSS-REFERRAL PLAY: CPA → ATTORNEY → BROKER

This is the real strategic play. CPAs who trust you can introduce you to:

  • Estate attorneys they work with on trust and estate matters
  • Financial advisors/RIAs they co-advise clients with
  • Cyber insurance brokers who insure their clients

One successful CPA engagement can unlock an entire local professional services network. Keep this in mind as you build relationships — the CPA is often the hub of the trusted advisor circle.