In today's highly connected world, CPA firms are prime
targets for cyberattacks and regulatory scrutiny. The federal regulation known
as the FTC Safeguards Rule (under the Gramm‑Leach‑Bliley Act) mandates
that "financial institutions," which the Federal Trade Commission (FTC) now
clarifies includes many accounting and tax-preparation firms, must develop,
implement, and maintain a robust information-security program.
If you're leading a CPA firm, getting compliant isn't just
about checking a box; it's about protecting your clients' highly sensitive
financial data, preserving your professional reputation, and avoiding
regulatory penalties.
In this blog post, we'll clarify why the Safeguards Rule
applies to CPA firms, walk through its key requirements, and provide
practical steps to ensure your firm's cybersecurity posture meets
expectations.
Why the Safeguards Rule Applies to CPA Firms
At first glance, the Safeguards Rule appears to apply only to banks,
credit unions, and large financial institutions. However, under 16 CFR § 314,
the term "financial institution" is defined more broadly to include service
providers that engage in "activities that are financial in nature or incidental
to such financial activities."
Specifically for CPA firms:
- If your firm prepares tax returns, conducts audit/assurance services, or otherwise handles non-public personal information (NPPI) of clients or customers, you likely fall under the Safeguards Rule.
- The 2021-2023 amendments to the Rule clarified that many tax preparers and small accounting firms are indeed covered.
- Not complying puts you at risk of regulatory action, fines, reputational damage, and loss of client trust.
In short: if your firm handles sensitive financial- or
tax-related data for clients, especially non-public personal information, you
should assume you're covered and plan accordingly.
What the Safeguards Rule Requires: The Nine Core Elements
According to the FTC's guidance and commentary for
accounting firms, your information security program must include a set of administrative,
technical, and physical safeguards.
Here are the nine key elements your firm should have in place
(especially under the updated Rule, in effect as of June 9, 2023).
- Qualified Individual — Designate someone (employee or external) who oversees the program, has appropriate skills and experience, and reports to senior leadership.
- Risk Assessment & Inventory — Identify what client information you collect, store, and send; map where it resides; identify threats and vulnerabilities; update periodically.
- Safeguards Design & Implementation — Develop policies and controls for access controls, encryption, authentication, secure disposal, change management, and vendor/service-provider oversight.
- Monitor & Test the Program — Regular monitoring, log review, vulnerability assessments, penetration testing, or equivalent to ensure safeguards are working.
- Training & Awareness — Employees and service providers must be trained on security policies, potential threats (such as phishing and social engineering), and data handling.
- Service Provider Oversight — Your firm remains accountable even if you outsource IT or cloud services. You must select, contract with, and monitor providers for adequate safeguards.
- Information-Security Program Maintenance ("Keep Current") — The landscape changes; your plan must be updated as your business changes or new threats emerge.
- Incident Response Plan — Have a documented plan for how the firm will respond to a security event: roles/responsibilities, communications, recovery measures, and post-event review.
- Senior Management Reporting — The Qualified Individual must report to firm leadership (e.g., partners, board) at least annually on the program's status.
Also worth noting: there is a limited "threshold" exception for firms that
maintain client information on fewer than 5,000 consumers, but it is narrow
and does not relieve the firm of all obligations. Many small firms exceed that
threshold once all client records are counted.
Practical Steps to Get and Stay Compliant
If you run or support a CPA firm in North Carolina, here are actionable steps
to align your cybersecurity program with the Safeguards Rule:
Map your data & infrastructure
- Identify all systems, devices, and applications that hold or process client data (NPPI).
- Determine where data is stored, backed up, and transmitted, and who can access it.
- Document the data flow and keep an inventory of third-party services (cloud apps, software vendors).
- This gives you the basis for a risk assessment.
Assign the Qualified Individual
- Choose someone, internal or external, who will be accountable for the information-security program.
- Ensure they have authority and direct access to senior leadership.
- If you outsource IT to an MSP, the firm remains ultimately responsible. Use the MSP to fulfill this role if appropriate.
Develop a Written Information Security Program (WISP)
- Tailor it to the size, scope, and complexity of your firm.
- Cover technical, administrative, and physical safeguards: encryption, MFA, access controls, secure disposal, change management, vendor contracts.
- Create or update an incident-response plan: how you will detect, contain, recover from, and learn from a security event.
Implement Technical Safeguards
- Enforce multi-factor authentication (MFA) for systems handling client data.
- Encrypt data both at rest and in transit.
- Use role-based access controls ("least privilege") and monitor user activity and logs.
- Run regular vulnerability scans and penetration testing (or equivalent) to test security effectiveness.
Train and Educate Your Team
- Provide cybersecurity training for all staff, even non-IT roles, because they're often the first line of defense.
- Simulate phishing and test awareness.
- Review policies regularly and update them when systems or threats change.
Vendor/Service-Provider Oversight
- Review contracts with your IT/cloud vendors: do they provide adequate security? Do they undergo SOC 2 or similar audits?
- Monitor their performance and require regular reassessment. Do not assume "they are secure" without oversight.
Review & Update Regularly
- At least annually, revisit your risk assessment, test your safeguards, review your incident-response plan, and update your WISP.
- Whenever you add new services, locations, remote work, or cloud apps, treat it as a trigger for review and change management.
Create an Incident-Response Plan and Practice It
- Define roles, communication protocols (internal & external), and steps to contain and recover from a breach.
- Plan for notification requirements (e.g., FTC breach notification for "notification events") and regulatory consequences.
- Conduct mock exercises so your team knows what to do when things go wrong.
Demonstrate Compliance & Build Trust
- Maintain documentation: your risk assessments, training logs, incident plans, service-provider evaluations, and management reports.
- Communicate to clients: "We follow industry-standard security practices and comply with the FTC Safeguards Rule."
- This not only protects you from liability but also strengthens your firm's reputation as a trusted data steward, a critical differentiator in the marketplace.
Key Takeaways & Next Steps
- The FTC Safeguards Rule applies to CPA firms that collect, store, or transmit nonpublic personal information and should not be ignored.
- The Rule mandates a written, firm-specific information-security program covering nine essential elements, from risk assessment to monitoring to vendor oversight.
- Compliance doesn't have to be overwhelming, but it does require intentionality, documentation, oversight, and continuous improvement.
- Begin with data mapping and naming your Qualified Individual, then build or update your WISP, technical controls, and training.
- Keep it current: security threats and business operations change, and your program must adapt with them.
- By doing this, you not only protect your clients' sensitive data but also position your firm as a trustworthy, professional partner.
Click Here or give us a call at 252-240-3399 to Book a FREE 15-Minute Discovery Call