Cyber One Solutions logo.
Get Support

FTC Safeguards for CPA & Accounting Firms

Compliance / FTC Safeguards

FTC Safeguards Rule Compliance for CPA & Accounting Firms.

CPA firms and accounting practices hold exactly the kind of nonpublic personal information the FTC Safeguards Rule was written to protect. Client Social Security numbers and EINs, bank and account details, financial statements, and tax data move through advisory work, bookkeeping, client accounting services, and fractional CFO engagements. The rule names accountants and tax-preparation services as examples of covered non-bank financial institutions under 16 CFR §314.2(h). Whether the rule reaches your firm depends on what your firm actually does.

Coverage is activity-dependent, so we start by assessing what your firm does and documenting why and how the rule applies. Then Cyber One Solutions builds and manages the full compliance program: the written information security program, the technical controls, the testing, and the documentation a regulator or client's security review expects to see. We do the work, write the evidence, and keep the program current.

What You Get
A written information security program (WISP) that satisfies 16 CFR Part 314.
A designated Qualified Individual overseeing the program.
MFA for anyone accessing your information systems, with encryption applied to client financial information.
Penetration testing, vulnerability assessments, or continuous monitoring on the required schedule.
An incident response plan and the annual report your governing body needs.
A documented coverage determination plus an evidence trail ready for an FTC inquiry or a client security questionnaire.
What the Rule Requires

The Safeguards Rule, Mapped to Your Firm.

The 2021 amendments to 16 CFR Part 314 made the rule far more prescriptive than its original version. A 2023 amendment then added the breach-notification requirement that took effect in May 2024. These are the core elements a covered CPA or accounting firm must put in place. Each one is paired with the work we deliver against it.

Written Information Security Program (WISP)

A documented, comprehensive program that addresses each element the Safeguards Rule requires. It is tailored to how your practice actually handles client financial information across advisory, bookkeeping, client accounting services, and any tax work.

Designated Qualified Individual

The rule requires a single accountable person to oversee the security program. We can serve as, or support, your Qualified Individual and produce the documentation that role is responsible for.

Written Risk Assessment

A documented assessment of the foreseeable internal and external risks to the client information in your general ledger, workpaper, portal, and cloud-accounting systems. It pairs each risk with the safeguard that addresses it.

Access Controls, MFA & Encryption

Role-based access to client financial data. Multi-factor authentication for anyone accessing your information systems, unless a documented equivalent is approved. Encryption of that information in transit and at rest.

Testing & Continuous Monitoring

Annual penetration testing and vulnerability assessments at least every six months, or continuous monitoring in their place. This element also includes audit logging of access to client information.

Incident Response & Board Reporting

A written incident response plan and notification to the FTC within 30 days of a notification event. A notification event is the unauthorized acquisition of unencrypted customer information involving at least 500 consumers. The rule also requires an annual written report to your firm leadership or governing body on the state of the program.

Why It Applies to CPA & Accounting Firms

Client accounting work sits inside what the rule protects.

The FTC Safeguards Rule protects nonpublic personal information held by non-bank financial institutions. Much of what an accounting practice does falls inside that definition. Firms provide financial advisory services, keep the books, run client accounting services, and prepare returns. The rule lists accountants and tax-preparation services among covered financial institutions, though whether it reaches a given firm turns on that firm's specific activities.

Accounting firms hold high-value financial data at scale.

A single firm can hold the SSNs, EINs, bank and account details, payroll records, financial statements, and tax data of hundreds of businesses and individuals. That is precisely the client financial information the Safeguards Rule is written to protect, and the concentration makes a firm a high-value target.

Account takeover and business email compromise target this data directly, and the pressure spikes during busy season. The controls the rule requires are MFA, verification procedures, and encryption. They are the same controls that defend against the most common attacks on accounting practices.

Coverage depends on your activities, so we determine it first.

A firm engaged in tax preparation, financial planning, bookkeeping, client accounting services, or advisory work is generally a covered financial institution. A firm doing purely audit and attest work for public companies may sit under different regimes rather than the FTC Safeguards Rule.

Most firms are a mix, so the honest answer is that it depends on your service lines. Cyber One Solutions assesses your activities during onboarding and documents why and how the rule applies to your firm, rather than assuming every practice is automatically in scope or out of it.

A written program is the baseline, not the ceiling.

The rule requires a written information security program, a Qualified Individual, a documented risk assessment, and an incident response plan. These exist whether or not you have ever had an incident.

For firms that also prepare taxes, the IRS expects paid preparers to maintain a written data security plan under the safeguards provisions referenced in IRS Publication 4557 and the Gramm-Leach-Bliley Act. A Safeguards-aligned WISP satisfies both obligations from a single program. We produce these documents to reflect what is actually running in your environment, so the program survives an FTC inquiry or a client security review rather than reading as boilerplate.

Vendor oversight is part of compliance.

Accounting practices rely on cloud-accounting platforms such as QuickBooks, general-ledger and workpaper software, client document portals, payroll and bill-pay providers, and tax-prep and e-file systems. The rule requires you to oversee the service providers that handle your client information.

We inventory those vendors, document the security expectations, and fold vendor oversight into your written program so the requirement is met and evidenced.

Frequently asked questions.

Does the under-5,000-consumer exemption apply to us?

It might apply to specific elements. A covered firm maintaining customer information concerning fewer than 5,000 consumers is exempt from four requirements: the written risk assessment, penetration testing and the twice-yearly vulnerability assessment, the written incident response plan, and the annual board report. The firm must still maintain a written information security program and the other safeguards, including access controls and MFA, encryption, audit logging of access to customer information, secure disposal, and training. The FTC 30-day breach-notification duty still applies. Many accounting firms exceed 5,000 consumers once every individual whose data they hold across business and personal engagements is counted, so we confirm the count during onboarding and scope the program to what actually applies to you.

How long does it take to get an accounting firm compliant?

It depends on your current posture, but a program built from scratch typically takes 60 to 120 days to establish. Work starts with the coverage determination, the gap analysis, and the risk assessment, then moves through control implementation and documentation. We scope every engagement to what your environment actually needs rather than to a fixed package.

Common Questions

FTC Safeguards for CPA & Accounting Firms, Answered.

Common questions from CPA firms and accounting practices working out whether the Safeguards Rule applies to their service lines and what compliance actually involves.

Don't see your question?
Our team answers questions like these every day, no sales pitch attached.
Ask a Question