FTC Safeguards Rule Compliance for CPA Firms: What's Required, What's at Stake, and How to Get There
Most CPA firms that fall under the FTC Safeguards Rule don't know it yet. The ones that do often think it's a checklist, something to hand off to their IT vendor or knock out in an afternoon. It isn't.
The FTC updated its Safeguards Rule in 2023, and it explicitly covers tax preparers, CPAs, and bookkeepers who handle nonpublic personal financial information. If your firm prepares returns, processes payroll, or manages client financial records, you're a financial institution under this rule. That's not a gray area.
What the rule actually requires is a documented, risk-based information security program: a written plan covering how your firm collects, stores, accesses, and protects client financial data. It requires a designated qualified individual to oversee that program, a formal risk assessment, and tested controls. Annually.
Here's where most firms get tripped up. FTC Safeguards Rule compliance for CPA firms isn't a one-time project. It's an ongoing obligation with real enforcement teeth. Penalties run up to $100,000 per violation for the firm and $10,000 per violation for individual officers. That's not a fine you absorb. That's firm-ending exposure for a practice that thought a cloud backup and a password policy were enough.
This guide breaks down what the rule requires, how it interacts with IRS Publication 4557, what your Written Information Security Plan must include, and the most efficient path to compliance for a firm without a full-time IT staff.
Does Your CPA Firm Have to Comply? (The Answer Is Almost Certainly Yes)
The FTC Safeguards Rule applies to any "financial institution", a term defined broadly under the Gramm-Leach-Bliley Act. It includes banks and credit unions, but it also includes any business that is "significantly engaged" in providing financial products or services to consumers.
Tax preparation qualifies. Bookkeeping qualifies. Financial advisory services qualify. If your firm prepares personal returns, files payrolls, or handles client investment documentation, you are covered. Sole practitioners are covered. A two-person CPA firm doing personal returns in the Inland Empire is covered.
The test isn't firm size. It's whether you handle nonpublic personal information (NPI), names, Social Security numbers, income figures, account numbers, or any other personal financial data your clients share with you in the course of an engagement. Every CPA firm handles NPI. The rule applies.
There is a small firm exemption for certain requirements (covered in detail below), but it covers a narrow set of obligations. The core requirements (a written information security program, a designated qualified individual, encryption, multi-factor authentication, staff training, and vendor oversight) apply regardless of firm size.
The 9 Elements of a Compliant FTC Safeguards Program
The rule requires a written information security program that addresses nine specific areas. Each has implementation requirements that go deeper than most firms expect.
1. Designate a Qualified Individual
Every covered firm must designate a qualified individual (QI) to own and oversee the information security program. This person is responsible for implementing the program, reporting to firm leadership, and ensuring ongoing compliance.
The QI doesn't need a specific degree or certification; the rule requires knowledge and experience appropriate to the firm's size and complexity. Critically, the QI can be an employee, an affiliate, or a service provider. That last option is the rule's built-in relief valve for small firms. An MSP or MSSP can serve as your QI, taking formal responsibility for your program. Most CPA firms don't know this option exists.
The QI must provide a written annual report to the firm's board of directors or, for firms without a board, to a senior officer. That report needs to cover the state of the security program, material risks identified, and how they were addressed.
2. Conduct a Written Risk Assessment
The rule requires a formal, documented risk assessment: not a mental inventory of what you think might be at risk, but a written evaluation of where NPI exists in your environment, how it's collected and stored, who has access, and what controls are in place.
The risk assessment drives every other element of the program. Safeguards are designed based on what the assessment finds. If the assessment is shallow, the program built on top of it is weak, and the documentation trail is thin if the FTC ever asks questions.
3. Design and Implement Technical and Administrative Safeguards
Based on the risk assessment, the firm must implement safeguards covering three categories: administrative (policies and procedures), technical (software and infrastructure controls), and physical (device and facility security).
Technical safeguards get the most scrutiny in FTC enforcement guidance. Encryption and multi-factor authentication are explicitly required; they aren't optional elements that can be traded off against other controls. See the dedicated technical safeguards section below for specifics.
4. Select and Oversee Service Providers
If you use any third-party vendor that handles NPI (a cloud-based tax platform, a document management system, a payroll processor, an IT company), the Safeguards Rule requires you to oversee them. That means selecting vendors with appropriate security capabilities, requiring contractual safeguards, and periodically monitoring their compliance.
"We use a reputable vendor" is not oversight. You need contracts that specify security requirements, and you need a process for reviewing compliance at regular intervals. Most CPA firms have neither.
5. Access Controls and Activity Monitoring
The rule requires access controls limiting NPI access to authorized personnel with a legitimate business need, and activity monitoring to detect unauthorized access or use. Multi-factor authentication is mandatory for anyone accessing systems containing customer information; there are no exceptions and no size-based waivers for this requirement.
Access controls also mean a formal process for granting and revoking access. When a staff member leaves, their accounts should be disabled immediately. When a new hire joins, access should be provisioned based on their role, not defaulting to whatever the previous person in that seat had.
6. Encrypt Customer Information
All NPI must be encrypted, both at rest (stored on servers, workstations, or cloud platforms) and in transit (when transmitted over networks or email). If encryption isn't technically feasible for a particular situation, the rule allows a documented equivalent control approved by the qualified individual, but that approval needs to be in writing, with the reasoning explained.
This requirement has a direct implication most CPA firms miss: sending client tax documents or financial statements by unencrypted email is not compliant. If your firm emails PDFs with NPI to clients or team members without encryption, that practice needs to change.
7. Train Your Staff
The rule requires ongoing security awareness training for all personnel with access to customer information. "Ongoing" means more than a one-time orientation. Training needs to address relevant threats, be updated as the threat landscape changes, and be documented with completion records.
Completion records matter. If you're ever subject to an FTC inquiry or a breach investigation, training documentation is part of demonstrating that your program was implemented and maintained. "We covered this in our team meeting" doesn't satisfy the documentation requirement.
8. Test and Monitor Your Controls
Controls that aren't tested are controls you can't vouch for. The rule requires monitoring your systems for unauthorized activity and testing your security controls through one of two paths: annual penetration testing plus biannual vulnerability assessments, or continuous monitoring systems that provide equivalent coverage.
For firms with fewer than 5,000 consumer records, the penetration testing and vulnerability assessment requirements are waived (see the small firm exemptions section). But the monitoring requirement itself isn't waived; you still need a mechanism for detecting unauthorized access or unusual activity.
9. Establish an Incident Response Plan
Your program must include a written incident response plan covering detection, containment, recovery, and notification procedures. If a breach affects 500 or more consumers, you must notify the FTC within 30 days of discovery. Missing that window is a separate violation from the underlying breach.
Small firms with fewer than 5,000 consumer records are exempt from the formal written incident response plan requirement, but they still need a response process. Knowing what you would do if you discovered a breach is not optional regardless of firm size.
Technical Safeguards: What Actually Has to Be Implemented
The technical layer is where most CPA firms are furthest from compliance, and where the FTC's requirements are most specific. Understanding what "implement appropriate safeguards" means in practice is the difference between a compliant program and a document that looks like one.
Encryption: What It Means for a CPA Firm
Encryption at rest means that files stored on your servers, workstations, laptops, or cloud platforms are encrypted. If a laptop is stolen from a staff member's car and the drive isn't encrypted, you have both a potential breach and a compliance failure.
Encryption in transit means that NPI moving across networks (between your office and a cloud platform, from staff to clients, between office locations) is encrypted. Email sent without encryption doesn't qualify.
Practical implementation for most CPA firms: enable BitLocker or FileVault on all workstations and laptops, use an encrypted client portal for document exchange instead of email attachments, and ensure your cloud tax platform uses TLS-encrypted connections (most major platforms do, but it's worth verifying).
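A read-only BitLocker audit that produces the kind of evidence the WISP's encryption standard should be backed by, added here as an example and not code from the original article. It assumes the built-in BitLocker PowerShell module (Get-BitLockerVolume) in an elevated session on each Windows workstation; the $EvidencePath location is a constructed placeholder.

```powershell
# Added example: per-volume BitLocker compliance check for a Windows endpoint.
# Assumes the built-in BitLocker module and an elevated session.
# $EvidencePath is a constructed placeholder, not a path from the article.
$EvidencePath = "C:\Compliance\Evidence\bitlocker-$($env:COMPUTERNAME).csv"

$report = Get-BitLockerVolume |
    Where-Object { $_.VolumeType -in @('OperatingSystem', 'Data') } |
    ForEach-Object {
        $vol = $_
        # A volume only counts as protected when encryption has finished AND
        # protection is on; a suspended ("Off") volume still exposes its key.
        $fullyEncrypted = ($vol.VolumeStatus -eq 'FullyEncrypted')
        $protectionOn   = ($vol.ProtectionStatus -eq 'On')
        # A recovery-password protector must exist (and be escrowed in AD,
        # Entra ID or Intune) so a hardware change does not become data loss.
        $hasRecoveryKey = [bool]($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        [pscustomobject]@{
            Computer           = $env:COMPUTERNAME
            MountPoint         = $vol.MountPoint
            VolumeType         = $vol.VolumeType
            EncryptionMethod   = $vol.EncryptionMethod
            EncryptionPercent  = $vol.EncryptionPercentage
            ProtectionStatus   = $vol.ProtectionStatus
            RecoveryKeyPresent = $hasRecoveryKey
            Compliant          = ($fullyEncrypted -and $protectionOn -and $hasRecoveryKey)
            CheckedAt          = (Get-Date).ToString('o')
        }
    }

# Keep a dated record per machine; this is the "documented" part of the rule.
New-Item -ItemType Directory -Force -Path (Split-Path $EvidencePath) | Out-Null
$report | Export-Csv -Path $EvidencePath -NoTypeInformation
$report | Format-Table -AutoSize

# Non-zero exit lets an RMM or MSP tool flag the endpoint for remediation.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

Run it from your RMM or a scheduled task on every workstation and laptop; the CSV rows, collected centrally, are the encryption-at-rest evidence you can hand to the FTC, a client, or an insurer.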
Multi-Factor Authentication: Mandatory, Not Optional
MFA is explicitly required for all users accessing systems that contain customer information. There are no firm-size exemptions for this requirement. If your staff accesses your tax software, document management platform, email, or any other system containing client NPI, they need MFA enabled.
Authenticator apps (Google Authenticator, Microsoft Authenticator) are more secure than SMS-based MFA. Either satisfies the requirement, but SMS has known vulnerabilities to SIM-swapping attacks that authenticator apps don't share. For a firm handling high volumes of client financial data, the upgrade is worth making.
Penetration Testing: What It Is and Why Most Firms Have Never Had One
A penetration test is an authorized, simulated attack on your IT environment conducted by a qualified third party. The goal is to find vulnerabilities before attackers do. For firms above the small-firm threshold, annual penetration testing is required.
Most CPA firms have never had a penetration test. Many have never had a third-party security review of any kind. If your IT vendor handles your computers but has never produced a formal security assessment, you don't know where your vulnerabilities are, and neither does the FTC if they come asking.
Access Controls: Beyond Shared Logins
Access controls mean that each staff member has individual credentials, access is limited to what their role requires, and access is revoked promptly when someone leaves. Shared admin passwords and "everyone has access to everything" configurations don't satisfy this requirement.
For Microsoft 365 environments (common in CPA firms), this means properly configuring user roles, enabling conditional access policies, and using Azure Active Directory to manage permissions. For non-Microsoft environments, equivalent controls apply.
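Two Microsoft Graph PowerShell helpers for the Microsoft 365 case just described, added here as an example and not code from the original article: one creates a tenant-wide Conditional Access policy requiring MFA (in report-only mode by default, so you can review sign-in logs before enforcing), the other performs the immediate access revocation for a leaver. It assumes the Microsoft.Graph module is installed and the signed-in admin can consent to the listed scopes; the break-glass object ID and user principal name are constructed placeholders.

```powershell
# Added example: MFA-for-all Conditional Access policy plus leaver offboarding.
# Assumes the Microsoft.Graph PowerShell SDK; identifiers below are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Users.Actions

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All', 'User.ReadWrite.All'

function New-MfaForAllPolicy {
    param(
        # Emergency-access ("break-glass") account, excluded so a misconfigured
        # policy cannot lock every administrator out of the tenant.
        [Parameter(Mandatory)] [string] $BreakGlassObjectId,
        # Default is report-only; pass -Enforce once sign-in logs look clean.
        [switch] $Enforce
    )
    $state = if ($Enforce) { 'enabled' } else { 'enabledForReportingButNotEnforced' }
    $body = @{
        displayName   = 'Require MFA for all users, all cloud apps (FTC Safeguards)'
        state         = $state
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassObjectId) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

function Disable-LeaverAccount {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    # 1. Block new sign-ins.  2. Revoke refresh tokens so sessions already
    # open on the leaver's phone or laptop stop pulling mail and files.
    Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
    # Return a timestamped record: the access-revocation evidence the WISP calls for.
    [pscustomobject]@{
        User   = $UserPrincipalName
        Action = 'AccountDisabled+SessionsRevoked'
        At     = (Get-Date).ToString('o')
    }
}

# Usage with placeholder identifiers:
# New-MfaForAllPolicy -BreakGlassObjectId '00000000-0000-0000-0000-000000000000'
# Disable-LeaverAccount -UserPrincipalName 'former.staff@example.com'
```

Keep the policy in report-only mode for a few days and review the Conditional Access insights before switching to -Enforce; the break-glass exclusion is the one exception you should be able to explain in writing.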
What Is a WISP and What Must It Include?
The Written Information Security Plan is the document that describes your security program. It's the evidence that you have one: not just the technical controls you've implemented, but the policies, procedures, and governance structure surrounding them.
WISP vs. FTC Safeguards Program: Is There a Difference?
The WISP is the written component of the broader FTC Safeguards program. The program includes both the WISP (the policy document) and the actual technical and administrative controls implemented based on it. A firm can have a WISP on paper and still be non-compliant if the controls described in it aren't actually in place.
IRS Publication 4557 also requires a WISP for tax preparers, and the IRS has made WISP attestation part of PTIN renewal. The FTC and IRS requirements overlap significantly. Building a single program that satisfies both is the efficient path; building two separate documents is unnecessary.
What Your CPA Firm WISP Must Cover
A complete WISP for a CPA firm addresses all of the following:
- Scope and objectives: What information is covered, what the program is designed to protect, and who is responsible for it
- Risk assessment process: How the firm identifies and evaluates risks to NPI, how often assessments occur, and how findings are documented
- Data inventory: What NPI the firm holds, where it's stored, how it's transmitted, and who has access
- Access control policy: How access is granted, reviewed, and revoked; password and MFA requirements; prohibition on shared credentials
- Encryption standards: What encryption is used for data at rest and in transit; exceptions and compensating controls, if any
- Employee training requirements: Training schedule, topics covered, documentation and completion tracking
- Vendor management procedures: How vendors are evaluated, what contractual requirements apply, how compliance is monitored
- Incident response procedures: Detection, containment, recovery, and FTC notification steps
- Physical security: Device security, clean desk policy, disposal of physical records containing NPI
- Review and update schedule: How frequently the program is reviewed and how changes are documented
The WISP doesn't need to be a 100-page document. For a 10-person CPA firm, a thorough WISP runs 15-25 pages. What matters is that it's accurate, specific to your firm's actual environment, and current.
Janet runs a six-person CPA firm in the San Fernando Valley. In early 2024, she asked her IT vendor whether they had a WISP. The vendor didn't know what the acronym meant. She asked a compliance consultant, who quoted her $8,000 to produce a template document with her firm's name on it. When she asked what the document would say about her actual systems, the consultant acknowledged they hadn't seen them. She eventually engaged a managed IT provider that reviewed her environment first and produced a WISP that reflected what was actually in place, along with a remediation list for the gaps. Total engagement: $4,500. What she got: a defensible, accurate security program she owned.
FTC Safeguards Rule vs. IRS Publication 4557: Clearing Up the Confusion
Tax practitioners operate under both the FTC Safeguards Rule and IRS Publication 4557. These are separate requirements from separate agencies, and the overlap creates genuine confusion. Here's the practical breakdown.
| Requirement | FTC Safeguards Rule | IRS Publication 4557 |
|---|---|---|
| Who it covers | All "financial institutions" under GLBA, including tax preparers | Tax professionals who prepare federal returns or have access to taxpayer data |
| What it protects | Nonpublic personal information (NPI) of all clients | Taxpayer data specifically |
| Written program required | Yes, full information security program | Yes, WISP specifically |
| MFA required | Yes, for all NPI system access | Yes |
| Encryption required | Yes | Yes |
| Penetration testing required | Yes (annual, with exceptions for small firms) | Not explicitly required by name |
| Enforcement | FTC civil penalties | IRS can revoke PTIN; state consequences vary |
| PTIN renewal attestation | Not required | Yes, cybersecurity compliance attestation required at renewal |
The short version: if you're a tax preparer, you need to satisfy both. The requirements overlap substantially. A program that satisfies the FTC Safeguards Rule will cover most of what IRS Publication 4557 requires; the main gap is the PTIN renewal attestation, which requires specific documentation of your compliance that you should be producing anyway.
Building one comprehensive program that addresses both is significantly more efficient than treating them as separate compliance exercises.
Small Firm Exemptions: What You're Actually Exempt From
The rule includes a scaled exemption for smaller financial institutions. If your firm handles fewer than 5,000 consumer records, you're exempt from three specific requirements:
- Biannual vulnerability assessments
- Annual penetration testing
- A formal written incident response plan
That's it. The exemptions are narrow. Everything else (the qualified individual, the written risk assessment, MFA, encryption, staff training, vendor oversight, the WISP, activity monitoring, and the annual program review) applies regardless of firm size.
Most small CPA firm owners assume "small firm" means most of the rule doesn't apply to them. It doesn't work that way. A sole practitioner preparing 200 personal returns a year is still subject to the core requirements. The exemptions only remove the most technically intensive testing obligations.
If you're unsure whether your firm meets the threshold, count the number of individual consumer records you hold: each client represents one record, but client files containing multiple individuals (joint filers, family accounts) may count as multiple records. When in doubt, assume the full requirements apply.
Enforcement, Penalties, and What the Exposure Actually Looks Like
The FTC enforces the Safeguards Rule with civil penalties. For organizational violations, the penalty is up to $100,000 per violation. For individual officers who knowingly participate in or permit a violation, the penalty is up to $10,000 per violation. Both are adjusted annually for inflation.
The definition of "per violation" is broad. Each day of non-compliance can be counted as a separate violation. For a firm that has been non-compliant for 18 months, the theoretical exposure compounds quickly.
The rule also requires notification to the FTC within 30 days of discovering a security breach affecting 500 or more consumers. Missing that window is its own violation, separate from whatever caused the breach.
Major enforcement benchmarks: the Equifax settlement totaled $575-700 million. While Equifax is a far larger company than most CPA firms, the enforcement pattern matters. The FTC treats security program failures as genuine violations, not administrative technicalities.
There's also the cyber insurance angle. An increasing number of business insurance carriers are requiring documented FTC Safeguards compliance as a condition of coverage. A firm without a demonstrable security program may find that their policy excludes or limits coverage for a breach, exactly when they need it most.
David runs a 14-person accounting firm in Orange County. After a client of his was targeted in a business email compromise attack using contact information stolen from David's firm, he engaged a managed security provider to audit his environment. The audit found that his firm had no MFA on email accounts, no encryption on three employee laptops, no documented WISP, and a cloud tax platform configured with shared admin credentials. None of these were things his previous IT vendor had raised. He remediated everything within 90 days. He hasn't had a breach since, and his cyber insurance carrier now lists him as a preferred client.
How Most CPA Firms Actually Achieve Compliance
There are three common paths to FTC Safeguards compliance for CPA firms. One works. Two don't.
The DIY path (the managing partner reads the rule, creates a WISP using a template from the AICPA, and considers it done) doesn't work. A template WISP describes a generic security program, not your firm's actual environment. The technical controls (MFA, encryption, access controls) aren't implemented by writing a policy. And the ongoing obligations (annual reviews, staff training records, vendor oversight documentation) require consistent execution that typically falls through the cracks without a dedicated owner.
The compliance software path (subscribing to a platform that generates compliance documentation) gets you closer but isn't sufficient on its own. A software platform can help you document a program. It can't implement the technical controls, monitor your environment, or serve as your qualified individual.
The managed IT path (engaging an MSSP that understands the FTC Safeguards Rule operationally and can both implement the technical requirements and produce the compliance documentation) is what actually works for most small and mid-sized CPA firms.
The rule's QI provision was designed exactly for this. A managed service provider can serve as your designated qualified individual, taking formal responsibility for your security program. That means the QI requirement is met, the annual reporting obligation is met, and there's a named, accountable party responsible for your compliance on an ongoing basis.
What a properly structured compliance engagement for a CPA firm should deliver:
- A written risk assessment of your actual environment
- A complete WISP that reflects your firm's systems, data, and procedures
- Technical control implementation: MFA, encryption, access controls
- Staff training program with completion tracking
- Vendor management review and updated contract requirements
- Ongoing monitoring and annual program review
- A named QI who owns your program and reports annually
- Documentation you can produce if the FTC, a client, or an insurance carrier asks
For a 10-person CPA firm, implementation typically takes 60-90 days. Ongoing management runs as part of a flat-rate managed IT engagement.
If you want to understand exactly where your firm stands today, a free Safeguards Rule compliance gap assessment takes about 45 minutes and gives you a clear picture of what you have, what you're missing, and what it would take to close the gap. If you're building toward compliance on your own, the assessment gives you a prioritized list to work from. If you'd rather have a managed partner handle it, Cobrix's accounting firm IT services include a full FTC Safeguards program as part of the managed engagement.
The Bottom Line
Three things are consistently true about FTC Safeguards Rule compliance for CPA firms. Most firms don't know the rule applies to them. The ones that do underestimate what it requires. And the firms that have been through a security incident almost universally wish they had dealt with this before it happened rather than after.
The rule isn't going away, and enforcement is active. The $100,000-per-violation penalty structure isn't theoretical. The breach notification requirement has a hard 30-day window. And the PTIN renewal attestation means the IRS is using its existing infrastructure to create compliance pressure from a second direction.
The most efficient path forward for a firm without internal IT resources is an MSSP that understands compliance operationally: not just a document vendor, not a template platform, but a partner who implements the technical controls, produces the documentation, serves as your qualified individual, and maintains the program on an ongoing basis.
That's what Cobrix builds for accounting firms. If you're ready to understand exactly where your firm stands and what it would take to close any gaps, schedule a free compliance gap assessment. We'll walk through your environment, identify what's in place and what isn't, and give you a specific plan, whether you choose to implement it yourself or work with us to do it.