CRA EFILE Security for Canadian Accounting Firms: A 2026 Compliance and Hardening Guide
Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.
Key Takeaways
- The CRA can suspend or revoke an EFILE number when a firm fails to safeguard taxpayer data, and the Service Standards make the EFILE filer personally responsible for the IT controls behind the credential (CRA EFILE Service Standards, 2026).
- MFA, encryption at rest, and a six-year audit log are the three controls the CRA Help Desk reaches for first when reviewing a security incident on an EFILE account.
- For a 6-25 staff Canadian accounting firm, the realistic pre-tax-season hardening project is a 90-day plan with a CAD 4,500 to 9,000 one-time spend plus CAD 80 to 140 per user per month for the security baseline.
- PIPEDA, the CPA Code of Professional Conduct, and provincial privacy statutes overlap the CRA expectation by roughly 80 percent. One hardening pass clears multiple regulators if structured against the CRA-EFILE control map.
If your firm files even one T1 or T2 return through CRA EFILE, the credential behind that filing is a regulated asset. The CRA treats the EFILE number as a personal authorization granted to a named filer, with a broad right to suspend or revoke that is not appealable in the way a license suspension would be.
For Canadian CPAs the IT controls protecting the EFILE workflow are professional-practice infrastructure. They sit at the intersection of the CRA Service Standards, the CPA Code, and PIPEDA. See our AI for Canadian accounting firms flagship for the broader practice context.
The good news: roughly 80 percent of what the CRA expects on EFILE security overlaps with what PIPEDA and the CPA Code already require. The catch: the framework has to be CRA-specific. The agency’s definition of reasonable safeguards is more prescriptive on authentication, retention, and incident handling than the privacy statutes.
The CRA EFILE Service Standards: legal anchor + 2026 framing
According to the Canada Revenue Agency (2026), every EFILE participant agrees that the EFILE number and password are confidential and that the filer is responsible for safeguarding both the credentials and the taxpayer data behind them. The Service Standards bind the registered filer personally, which is why principals at 6-25 staff firms carry direct exposure when an EFILE workflow is breached.
The 2026 framing changes the operational tempo. The CRA accepts T1 EFILE submissions from February 24 through January 24 of the following year. A security control good enough on day one has to remain operational eleven months later, which is the practical reason quarterly attestation beats a once-a-year checklist.
EFILE access + revocation: when CRA pulls the plug
According to the CRA EFILE Help Desk (2026), the agency may suspend or cancel EFILE privileges where the filer fails the suitability screening, fails to safeguard credentials, or has reason to believe the EFILE number has been compromised. Suspension is administrative, with an internal appeal path. A mid-tax-season revocation is the closest equivalent to a professional-license freeze.
Three operational realities make revocation more likely than firms expect. The EFILE Help Desk will ask precise questions about MFA, password rotation, and last-known logon when a suspicious filing pattern is flagged. Suitability screening is renewed annually, and the agency may withhold renewal where prior-year incidents went unreported.
The agency also cross-references EFILE incidents with the broader compliance file, so a PIPEDA breach disclosure may surface in the EFILE review even if no taxpayer complaint was filed.
The IT controls CRA actually expects (MFA, encryption, audit logs)
According to the Canada Revenue Agency (2026), EFILE participants are expected to use reasonable technical safeguards proportional to the sensitivity of taxpayer data, with authentication, encryption, and record retention named as the three foundational categories.
Practitioner experience tightens that into a shortlist: MFA on every account touching the EFILE workflow, encryption at rest on every device holding taxpayer records, and an audit log retained for the six years that matches the CRA records-retention rule.
On Microsoft 365 Business Premium the three controls map cleanly to existing licensing. MFA runs through Entra ID Conditional Access. Encryption at rest comes from BitLocker on managed Windows endpoints plus the SharePoint and OneDrive defaults. The six-year audit log needs Purview Audit Standard plus a quarterly export to long-term archive. Incremental cost: CAD 12 to 20 per user per month.
Incident response is less prescriptive in writing than in practice. The Service Standards leave the notification window open, while the EFILE Help Desk operates as if same-business-day notification of a suspected credential compromise is the floor.
PIPEDA + CPA Code overlap with EFILE security
According to the Office of the Privacy Commissioner of Canada (2026), PIPEDA Principle 7 requires personal information to be protected by safeguards appropriate to its sensitivity, with mandatory breach reporting where a breach poses a real risk of significant harm. Taxpayer SIN, income, and dependent data cross that threshold.
The CPA Code Rule 208 (Confidentiality of Information) adds a parallel obligation. Provincial CPA bodies read this rule as extending to the IT systems holding client data. CPA Ontario’s AI and professional-accountability guidance frames the CPA as the accountable party for technology controls, vendor configuration, and staff training.
The practical implication: one hardening project against the CRA EFILE expectation satisfies PIPEDA Principle 7 for most of the in-scope data, CPA Rule 208, and provincial PIPAs in Alberta, BC, and Quebec. Quebec Law 25 adds a designated privacy officer and a 72-hour internal notification clock, but the underlying controls are the same. The CRA-anchored framework is the most useful starting point because it is the most prescriptive of the four.
The CRA-EFILE Decision Matrix
The matrix below maps the practitioner control shortlist against the CRA EFILE expectation, the CPA Code and PIPEDA overlap, and the typical M365 / CCH iFirm / CaseWare implementation path. This is the working document we use during a pre-tax-season engagement.
| Control | CRA EFILE expectation | CPA Code / PIPEDA overlap | M365 / CCH / CaseWare mapping |
|---|---|---|---|
| MFA on EFILE accounts | Required under reasonable safeguards; first Help Desk question on incidents | PIPEDA Principle 7; CPA Rule 208 | Entra ID Conditional Access; CCH iFirm SSO; CaseWare Cloud SSO |
| Encryption at rest on devices | Required for taxpayer records held on local device | PIPEDA Principle 7; Quebec Law 25 | BitLocker on managed endpoints; FileVault on Mac; SharePoint and OneDrive defaults |
| Audit log retention (6 years) | Records retention parallels CRA 6-year rule | CPA Rule 208 evidentiary trail | Purview Audit Standard plus quarterly export to cold archive |
| Termination access removal | EFILE filer responsible for access lifecycle | PIPEDA Principle 7; CPA Code confidentiality | Entra ID lifecycle workflow; CCH iFirm role audit; CaseWare user revocation runbook |
| Encrypted client portal for documents | Reasonable safeguard for in-transit taxpayer records | PIPEDA Principles 4 and 7 | CCH Portal; CaseWare Cloud; Microsoft 365 secure share with expiry |
| Phishing-resistant email | Common credential-loss vector flagged by EFILE Help Desk | CPA Rule 208 staff training | Defender for Office 365 P1; quarterly phishing simulation |
| Incident response runbook | Same-business-day notification expected on credential compromise | PIPEDA mandatory breach reporting | Documented runbook with named owner; tabletop once per year |
| Backup with offline copy | Records integrity safeguards inferred from Service Standards | CPA Rule 208 records continuity | Veeam or Datto with one immutable copy off the SaaS plane |
| EFILE password rotation policy | Filer responsibility per Service Standards | CPA Rule 208 | Rotation event at season start, on staff change, and on any incident |
Tax-season hardening: the 90-day pre-season checklist
The pre-season hardening project for a 6-25 staff firm runs 90 days from kickoff to season-ready. A checkpoint cadence at 30, 60, and 90 days keeps the work honest. The phases below assume Microsoft 365 Business Premium with CCH iFirm or CaseWare Cloud as the working environment.
- Days 0 to 30. Inventory and baseline. Enumerate every account with EFILE access. Document MFA status, password age, last logon. Run a Defender for Office 365 evaluation. Confirm BitLocker on every Windows endpoint. Pull a baseline export from Purview Audit. Output: signed inventory artifact and gap list.
- Days 31 to 60. Control rollout. Enforce MFA on every EFILE-adjacent account. Push BitLocker compliance via Intune. Configure SharePoint and OneDrive retention. Tune Defender phishing policies. Stand up the CCH Portal or CaseWare Cloud share path for client document exchange. Output: control changes signed off by the principal.
- Days 61 to 90. Runbook and rehearsal. Author the IR runbook with named owners for the EFILE Help Desk call, the OPC notification, and the CPA professional body notification. Run a tabletop. Rotate the EFILE password. Confirm the Purview Audit export-to-archive path. Output: tabletop minutes, runbook v1, and a season-ready attestation.
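The Days 0 to 30 inventory above asks for MFA status, password age and last logon on every EFILE-adjacent account. The script below is an added example, not code from the original guide or from Fusion Computing, that pulls those three fields from Microsoft Graph and emits the signed-inventory CSV and gap list the checklist calls for. It assumes the Microsoft Graph PowerShell SDK is installed, that the operator can consent to the scopes listed, and that the tenant carries Entra ID P1 (bundled with M365 Business Premium), which the `SignInActivity` property requires. The UPNs, thresholds and output path are constructed placeholders.

```powershell
# Added example (not from the original guide): Days 0-30 inventory of EFILE-adjacent
# accounts. Records MFA registration, password age and last interactive logon per
# account and writes the gap list. Assumes Microsoft.Graph SDK is installed and the
# tenant has Entra ID P1 (required for SignInActivity). UPNs below are placeholders.
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Reports

param(
    [string[]]$EfileAdjacentUpns = @('filer@example.ca', 'reception@example.ca'),  # placeholders
    [int]$MaxPasswordAgeDays = 365,   # rotation at season start is the floor in the matrix
    [int]$StaleLogonDays = 90,        # enabled but idle accounts are termination-cleanup candidates
    [string]$OutputCsv = ".\efile-account-inventory-$(Get-Date -Format 'yyyyMMdd').csv"
)

Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All' -NoWelcome

# Tenant-wide MFA registration report, keyed by lower-cased UPN for O(1) lookup.
$mfaByUpn = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All | ForEach-Object {
    $mfaByUpn[$_.UserPrincipalName.ToLowerInvariant()] = $_
}

$now  = Get-Date
$rows = foreach ($upn in $EfileAdjacentUpns) {
    $user = Get-MgUser -UserId $upn -Property @(
        'DisplayName', 'UserPrincipalName', 'AccountEnabled',
        'LastPasswordChangeDateTime', 'SignInActivity'
    )
    $reg       = $mfaByUpn[$upn.ToLowerInvariant()]
    $lastLogon = $user.SignInActivity.LastSignInDateTime
    $pwdAge    = if ($user.LastPasswordChangeDateTime) {
                     [int]($now - $user.LastPasswordChangeDateTime).TotalDays
                 } else { $null }

    # Gap list for this account; an empty list means baseline-clean.
    $gaps = [System.Collections.Generic.List[string]]::new()
    if (-not $reg -or -not $reg.IsMfaRegistered) { $gaps.Add('MFA not registered') }
    if ($null -eq $pwdAge -or $pwdAge -gt $MaxPasswordAgeDays) {
        $gaps.Add("password age > $MaxPasswordAgeDays days")
    }
    if ($user.AccountEnabled -and ($null -eq $lastLogon -or ($now - $lastLogon).TotalDays -gt $StaleLogonDays)) {
        $gaps.Add("enabled but no logon in $StaleLogonDays days")
    }

    [pscustomobject]@{
        User            = $user.UserPrincipalName
        DisplayName     = $user.DisplayName
        Enabled         = $user.AccountEnabled
        MfaRegistered   = [bool]($reg -and $reg.IsMfaRegistered)
        MfaMethods      = if ($reg) { $reg.MethodsRegistered -join ';' } else { '' }
        PasswordAgeDays = $pwdAge
        LastLogonUtc    = $lastLogon
        Gaps            = $gaps -join '; '
    }
}

$rows | Export-Csv -Path $OutputCsv -NoTypeInformation -Encoding UTF8
$rows | Format-Table User, MfaRegistered, PasswordAgeDays, LastLogonUtc, Gaps -AutoSize
Write-Host "Inventory written to $OutputCsv; $(@($rows | Where-Object Gaps).Count) account(s) with gaps."
```

The CSV is the artifact the principal signs at day 30; the `Gaps` column becomes the day 31 to 60 work list. Keep the exported file with the quarter's audit archive, since the EFILE Help Desk asks for exactly these three facts on an incident call.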
“Fusion took the security side of our firm off our plate. The MFA rollout closed a gap I knew we had but couldn’t prioritize during filing season, and the audit log retention proved its worth six months later when CRA called.”
Common EFILE security mistakes Canadian firms make
Four patterns recur across the engagements we run. They belong in the pre-season checklist as explicit don’t-do items.
- Don’t share the EFILE number across the firm. A shared credential breaks the accountability chain and is the fastest path to a suspension if the agency spots an irregular filing.
- Don’t store taxpayer documents in a personal OneDrive or Gmail. Personal cloud accounts sit outside the firm’s audit log and retention rule. The OPC reads informal personal data handling as inadequate safeguards.
- Don’t skip MFA on the EFILE-adjacent inbox. The mailbox that receives password resets, EFILE Help Desk replies, and CRA secure messages is the highest-value target. MFA on the EFILE Web Access screen alone leaves the recovery path open.
- Don’t let the audit log lapse below six years. Purview Audit Standard retains 180 days by default. Six-year retention requires the upgraded plan or a documented export-to-archive procedure.
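The last item above (and step 4 of the rollout) depends on a documented export-to-archive procedure. The script below is an added example, not the guide's or Fusion Computing's own tooling, of what that quarterly procedure can look like: it pages through the unified audit log one day at a time with `Search-UnifiedAuditLog`, writes one CSV per day, and records a SHA-256 manifest so the archive can later be shown to be unaltered. It assumes the ExchangeOnlineManagement module is installed, that the operator holds the Audit Logs role, and that `$ArchiveRoot` points at the firm's immutable archive location; the UNC path and quarter dates are placeholders.

```powershell
# Added example (not from the original guide): quarterly export of the unified audit
# log to a long-term archive so the trail outlives Purview Audit Standard's 180-day
# default. One file per day keeps each search under the 50,000-record session ceiling;
# a SHA-256 manifest gives the archive an integrity record. Archive path is a placeholder.
#Requires -Modules ExchangeOnlineManagement

param(
    [datetime]$QuarterStart = [datetime]'2026-01-01',
    [datetime]$QuarterEnd   = [datetime]'2026-04-01',      # exclusive
    [string]$ArchiveRoot    = '\\archive-placeholder\efile-audit'  # placeholder: immutable storage
)

$PageSize       = 5000    # largest page Search-UnifiedAuditLog allows per call
$SessionCeiling = 50000   # most records one ReturnLargeSet session will hand back

Connect-ExchangeOnline -ShowBanner:$false

$quarterLabel = '{0:yyyy}-Q{1}' -f $QuarterStart, [math]::Ceiling($QuarterStart.Month / 3)
$quarterDir   = Join-Path $ArchiveRoot $quarterLabel
New-Item -ItemType Directory -Path $quarterDir -Force | Out-Null

$manifest = [System.Collections.Generic.List[object]]::new()

for ($day = $QuarterStart; $day -lt $QuarterEnd; $day = $day.AddDays(1)) {
    # Session IDs must be unique per search; the GUID guarantees that on re-runs.
    $sessionId = 'efile-archive-{0:yyyyMMdd}-{1}' -f $day, [guid]::NewGuid()
    $records   = [System.Collections.Generic.List[object]]::new()

    # Page through the day (dates are interpreted as UTC) until the service returns nothing.
    do {
        $batch = Search-UnifiedAuditLog -StartDate $day -EndDate $day.AddDays(1) `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize $PageSize
        if ($batch) { $records.AddRange([object[]]$batch) }
    } while ($batch -and @($batch).Count -eq $PageSize)

    if ($records.Count -ge $SessionCeiling) {
        Write-Warning "$($day.ToString('yyyy-MM-dd')): hit the $SessionCeiling-record session ceiling; re-run this day in smaller windows."
    }

    $file = Join-Path $quarterDir ('audit-{0:yyyyMMdd}.csv' -f $day)
    if ($records.Count -gt 0) {
        # AuditData is the JSON payload; keep it intact rather than flattening it.
        $records | Select-Object CreationDate, RecordType, Operations, UserIds, AuditData |
            Export-Csv -Path $file -NoTypeInformation -Encoding UTF8
    } else {
        # Still produce a file so a quiet day is evidenced, not just missing.
        Set-Content -Path $file -Value 'CreationDate,RecordType,Operations,UserIds,AuditData' -Encoding UTF8
    }

    $manifest.Add([pscustomobject]@{
        Day     = $day.ToString('yyyy-MM-dd')
        Records = $records.Count
        File    = Split-Path $file -Leaf
        Sha256  = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    })
}

$manifestPath = Join-Path $quarterDir "manifest-$quarterLabel.csv"
$manifest | Export-Csv -Path $manifestPath -NoTypeInformation -Encoding UTF8
Write-Host "Archived $($manifest.Count) day(s) to $quarterDir; manifest at $manifestPath"
Disconnect-ExchangeOnline -Confirm:$false
```

Run it in the first week after each quarter closes, while the quarter is still inside the 180-day window, and keep the manifest alongside the written archive procedure so a reviewer can verify any day's file by recomputing its hash.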
The 8-step rollout
For firms starting from a typical M365 Business Premium baseline with no formal EFILE control documentation, the 8-step rollout below is the canonical sequence we use. Each step has a named owner and a single output artifact. The full project ships in 12 weeks; an accelerated 8-week path is possible for firms with one EFILE filer and fewer than 10 staff.
- Account inventory. List every EFILE number, every M365 account, every CCH or CaseWare seat. Owner: managing principal. Output: signed inventory CSV.
- MFA enforcement. Enable Entra ID Conditional Access with MFA required for every interactive sign-in on the firm’s tenant. Owner: IT lead. Output: compliance screenshot.
- Endpoint hardening. Enforce BitLocker on every managed Windows device; enable FileVault on Mac. Owner: IT lead. Output: Intune compliance report.
- Audit log baseline. Enable Purview Audit Standard; document the six-year retention path via quarterly export. Owner: IT lead. Output: written archive procedure.
- Client portal cutover. Route all client document exchange through CCH Portal or CaseWare Cloud; ban email attachments for return drafts. Owner: managing principal. Output: client-facing FAQ.
- Phishing baseline. Enable Defender for Office 365 P1; run a baseline phishing simulation. Owner: IT lead. Output: simulation result and remediation list.
- IR runbook. Author the incident response runbook with named owners and 24-hour escalation timing. Owner: managing principal plus IT lead. Output: signed runbook v1.
- Tabletop rehearsal. Run a 90-minute tabletop covering an EFILE credential compromise; document the lessons learned. Owner: managing principal. Output: meeting minutes.
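Step 2 above, and the M365 mapping paragraph earlier (MFA through Entra ID Conditional Access), both come down to one tenant-wide policy. The script below is an added example, not code from the original guide or from Fusion Computing, that creates that policy through Microsoft Graph. It is created in report-only mode first so the sign-in log shows who would have been challenged, then switched to enforced with `-Enforce` once that review is clean; break-glass accounts are excluded, as Microsoft's own guidance recommends, so a broken MFA method cannot lock the firm out of its tenant. It assumes the Microsoft Graph PowerShell SDK is installed, the operator holds a Conditional Access Administrator or Global Administrator role, and Security Defaults are already switched off (they must be before Conditional Access policies can be created). The break-glass object ID is a placeholder.

```powershell
# Added example (not from the original guide): create or update the tenant-wide
# "require MFA" Conditional Access policy from step 2 of the rollout. Starts in
# report-only mode; re-run with -Enforce once the sign-in report is clean.
# Assumes Microsoft.Graph SDK, a Conditional Access Administrator, and Security
# Defaults turned off. Break-glass object IDs below are placeholders.
#Requires -Modules Microsoft.Graph.Identity.SignIns

param(
    [string[]]$BreakGlassObjectIds = @('00000000-0000-0000-0000-000000000000'),  # placeholder GUID(s)
    [string]$PolicyName = 'EFILE baseline: require MFA for all users and apps',
    [switch]$Enforce
)

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

$desiredState = if ($Enforce) { 'enabled' } else { 'enabledForReportingButNotEnforced' }

$policyBody = @{
    displayName = $PolicyName
    state       = $desiredState
    conditions  = @{
        users = @{
            includeUsers = @('All')
            excludeUsers = $BreakGlassObjectIds   # emergency-access accounts only
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')               # browser, desktop, mobile and legacy clients alike
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

# Idempotent: update an existing policy of this name instead of creating a duplicate.
$existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$PolicyName'"
if ($existing) {
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $existing.Id -BodyParameter $policyBody
    $policy = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $existing.Id
} else {
    $policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody
}

# Evidence for the step's output artifact: policy ID, state, exclusions and the
# required control, suitable for the signed change record.
[pscustomobject]@{
    PolicyId = $policy.Id
    Name     = $policy.DisplayName
    State    = $policy.State
    Excluded = ($policy.Conditions.Users.ExcludeUsers -join ', ')
    Control  = ($policy.GrantControls.BuiltInControls -join ', ')
} | Format-List
```

The report-only pass is what makes the cutover safe during a filing season: the sign-in log shows which accounts and legacy clients would have failed before anyone is actually blocked, and the EFILE-adjacent mailbox (the recovery path from the mistakes list) is covered because the policy applies to all cloud apps, not just the EFILE Web Access screen.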
Managed end-to-end, this engagement runs CAD 4,500 to 9,000 one-time plus CAD 80 to 140 per user per month for the M365 security baseline. For a 12-staff firm that totals roughly CAD 12,000 to 15,500 in the first year. See our cybersecurity services hub for the broader engagement model.
Where this connects to the rest of your firm’s 2026 build
EFILE security is one slice of the regulator stack a Canadian accounting firm carries through 2026. The companion pieces inside this cluster cover the rest.
- For FINTRAC obligations under the trust and transfer rules: FINTRAC IT controls playbook.
- For the operational tempo of CPA tax-season cyber posture: tax-season cybersecurity guide.
- For hardening CCH iFirm and CaseWare specifically: CCH iFirm and CaseWare hardening guide.
- For the AI side of the build: Microsoft 365 Copilot oversharing risk sits adjacent to EFILE.
- For the wider context: the accounting industry hub.
FAQ
Can the CRA revoke an EFILE number for a cybersecurity incident alone?
Yes. The Service Standards give the agency authority to suspend or cancel EFILE privileges where the filer fails to safeguard credentials or where the agency has reason to believe the number has been compromised. No tax-fraud finding is required; an unsafeguarded credential is itself a Service Standard breach.
Is MFA required by name in the CRA EFILE Service Standards?
The Service Standards reference reasonable safeguards rather than naming MFA explicitly. The EFILE Help Desk treats MFA as the first technical question on a credential-compromise call. In practice, MFA on every account touching the EFILE workflow is the operational floor.
How long do I have to notify the CRA of an EFILE credential compromise?
The Service Standards leave the notification window open without an hours-based deadline. The EFILE Help Desk operates as if same-business-day notification is the floor. Firms that wait 48 hours find the review proceeds more slowly and the agency reaches more often for the suspension option.
Does PIPEDA breach reporting cover an EFILE incident?
Yes, where the breach poses a real risk of significant harm. Taxpayer SIN, income, and dependent data cross that threshold. The OPC report is separate from the EFILE Help Desk call. Expect to file both notifications in parallel after a confirmed compromise.
How long does a Canadian accounting firm have to keep an audit log for CRA purposes?
The CRA records-retention rule is six years from the end of the tax year, and the audit log evidencing access carries the same expectation. Purview Audit Standard retains 180 days by default; six-year coverage requires the upgraded plan or a documented quarterly export to archive.
Can multiple people in my firm share one EFILE number?
No. The Service Standards bind the EFILE number to the named registered filer personally. Sharing the credential breaks the accountability chain and is one of the fastest paths to a Service Standard breach finding. Each named filer should hold an individual EFILE number.
What does the CRA EFILE Help Desk ask first on an incident call?
Three opening questions recur: was MFA enforced on the EFILE-adjacent accounts, when was the EFILE password last rotated, and what is the timestamp of the last legitimate logon. Firms that answer in writing within an hour of the call materially improve their chances of staying active.
Do provincial CPA bodies expect anything beyond CRA EFILE rules on IT controls?
Provincial CPA bodies read CPA Code Rule 208 as extending to the IT systems holding client information. Provincial expectations overlap the CRA EFILE expectation by roughly 80 percent, with extra emphasis on staff training and on principal-level accountability for vendor selection.
Does encryption in OneDrive and SharePoint satisfy CRA expectations?
The M365 default encryption at rest in SharePoint and OneDrive satisfies the encryption-at-rest expectation for documents held in those services. It does not satisfy the endpoint encryption requirement for documents synced locally, which is why BitLocker on managed devices remains part of the standard control set.
What is the realistic cost for a 6-25 staff firm to harden EFILE security?
The pre-tax-season project runs CAD 4,500 to 9,000 one-time, plus CAD 80 to 140 per user per month for the ongoing baseline (M365 Business Premium, Defender for Office 365 P1, managed monitoring). For a 12-staff firm that totals roughly CAD 12,000 to 15,500 in the first year.
How does Quebec Law 25 change the picture for a CPA firm with Quebec clients?
Quebec Law 25 adds a designated privacy officer, a 72-hour internal notification clock, and tighter cross-border data transfer rules for Quebec-resident personal information. Underlying controls are the same as the CRA expectation. Designate the privacy officer in writing and document the cross-border transfer assessment for each cloud service.
Should we run a tabletop exercise even with fewer than 10 staff?
Yes. A 90-minute tabletop on an EFILE credential compromise surfaces gaps in the runbook that document review will not. Smaller firms can run a streamlined version with the managing principal, the IT lead, and a communications owner. Once-per-year cadence is the floor; quarterly is preferred.
Bottom line
CRA EFILE security in 2026 is professional-practice infrastructure for a Canadian accounting firm. The Service Standards make the EFILE filer personally responsible, the EFILE Help Desk asks specific operational questions on every incident call, and the overlap with PIPEDA and the CPA Code means one disciplined hardening pass clears multiple regulators at once.
The 90-day pre-season project and the 8-step rollout in this guide are the working sequence we use across the cluster. For the broader 2026 build picture, the AI for Canadian accounting firms flagship and the accounting industry hub are the canonical anchors.