The FTC Safeguards Rule protects nonpublic personal information held by non-bank financial institutions. Much of what an accounting practice does falls inside that definition. Firms provide financial advisory services, keep the books, run client accounting services, and prepare returns. The rule lists accountants and tax-preparation services among covered financial institutions, though whether it reaches a given firm turns on that firm's specific activities.
Accounting firms hold high-value financial data at scale.
A single firm can hold the SSNs, EINs, bank and account details, payroll records, financial statements, and tax data of hundreds of businesses and individuals. That is precisely the client financial information the Safeguards Rule is written to protect, and the concentration makes a firm a high-value target.
Account takeover and business email compromise target this data directly, and the pressure spikes during busy season. The controls the rule requires are MFA, verification procedures, and encryption. They are the same controls that defend against the most common attacks on accounting practices.
Coverage depends on your activities, so we determine it first.
A firm engaged in tax preparation, financial planning, bookkeeping, client accounting services, or advisory work is generally a covered financial institution. A firm doing purely audit and attest work for public companies may sit under different regimes rather than the FTC Safeguards Rule.
Most firms are a mix, so the honest answer is that it depends on your service lines. Cyber One Solutions assesses your activities during onboarding and documents why and how the rule applies to your firm, rather than assuming every practice is automatically in scope or out of it.
A written program is the baseline, not the ceiling.
The rule requires a written information security program, a Qualified Individual, a documented risk assessment, and an incident response plan. These exist whether or not you have ever had an incident.
For firms that also prepare taxes, the IRS expects paid preparers to maintain a written data security plan under the safeguards provisions referenced in IRS Publication 4557 and the Gramm-Leach-Bliley Act. A Safeguards-aligned WISP satisfies both obligations from a single program. We produce these documents to reflect what is actually running in your environment, so the program survives an FTC inquiry or a client security review rather than reading as boilerplate.
Vendor oversight is part of compliance.
Accounting practices rely on cloud-accounting platforms such as QuickBooks, general-ledger and workpaper software, client document portals, payroll and bill-pay providers, and tax-prep and e-file systems. The rule requires you to oversee the service providers that handle your client information.
We inventory those vendors, document the security expectations, and fold vendor oversight into your written program so the requirement is met and evidenced.