If you run an accounting or tax practice, there is a good chance you have heard of the FTC Safeguards Rule. There is also a good chance you are not entirely sure what it requires, whether you are covered, or whether your current IT setup actually meets the bar.
This post covers what the rule says, what it means in practice for a small professional services firm, and where most accounting practices fall short without realizing it.
What is the FTC Safeguards Rule?
The Safeguards Rule is a regulation from the Federal Trade Commission that requires financial institutions to protect customer information with a Written Information Security Program (WISP). It has existed in some form since 2003, but the FTC significantly updated the requirements in 2023 with more specific, prescriptive obligations.
"Financial institution" under the Safeguards Rule is broader than most people expect. It includes banks and credit unions, but it also covers tax preparers, accountants, mortgage brokers, investment advisors, and any business that provides financial products or services to consumers. If your firm handles tax returns, financial statements, or client financial records, you are almost certainly covered.
The rule was not written for large companies. It was explicitly designed to apply to businesses of all sizes, and the FTC has been clear that "small" is not an exemption.
What the rule requires
The 2023 updates moved the rule from vague principles to specific requirements. Here is what you actually need to have in place.
A Written Information Security Program (WISP)
This is the foundation of the rule. You need a documented security program that covers how your firm handles, protects, and manages customer information. "Documented" means written down, not just something you do informally.
The program needs to be tailored to your firm's size and complexity. A 10-person CPA practice does not need the same WISP as a large financial institution, but the program still needs to exist and actually reflect how your firm operates.
A designated Qualified Individual
The rule requires you to designate someone to oversee your information security program. This does not have to be a full-time security professional. For most small firms, it is the owner or a senior partner. But someone has to own this formally, and their name needs to be in writing.
A risk assessment
You need to conduct and document a risk assessment that identifies the risks to customer information at your firm. This includes things like who has access to client data, how it is transmitted and stored, what happens when an employee leaves, and what third-party vendors touch your data.
The key word is "documented." Knowing in your head that your firm has some risks does not satisfy the rule. You need a written assessment.
Specific security controls
The 2023 update added a list of required controls. These include:
- Encryption of customer information, both in transit and at rest
- Multi-factor authentication for anyone accessing systems with customer data
- Access controls that limit who can see what
- Monitoring and testing of your safeguards
- A patch management process for software updates
- Secure disposal of customer information when it is no longer needed
For most accounting firms, the honest question is not whether they have heard of these controls. It is whether they have actually implemented them across their environment.
A written incident response plan
If something goes wrong, you need a plan for how to respond. The rule requires a written incident response plan that addresses how you detect, contain, and recover from a security event. It also needs to cover how you notify affected customers when required.
Annual reporting to the board or senior management
Someone with oversight responsibility at the firm needs to receive a written report at least annually covering the status of your information security program. For a small firm, this might be a one-page summary reviewed by the managing partners. But it needs to happen and be documented.
Oversight of service providers
If you use vendors that access customer information (cloud software, payroll providers, document management systems, your IT provider), you need to have contracts in place that require them to implement appropriate security measures. You also need to periodically review their security practices.
This is one area where a lot of small firms have gaps. Many accounting practices use a handful of cloud tools and have never reviewed the security provisions in those vendor agreements.
Where most small accounting firms fall short
After working with professional services firms for years, the gaps I see most often are not exotic. They are straightforward.
No written WISP. Most small firms have some informal security practices but nothing documented. The Safeguards Rule requires written documentation. "We do it this way" does not satisfy a regulator.
MFA is inconsistent. Multi-factor authentication is specifically required under the rule. A lot of firms have it turned on for some systems but not others. Your practice management software might have MFA enabled while your email, file storage, or client portal does not.
No formal risk assessment. Knowing your firm handles sensitive data is not the same as having a documented risk assessment. The rule requires you to actually conduct and record one.
Employee offboarding gaps. When someone leaves the firm, their access to client data needs to be terminated promptly. This sounds obvious, but it fails in practice regularly: shared passwords, old email accounts, and lingering access to cloud tools are both compliance violations and security risks.
Vendor agreements without security provisions. Most small firms sign up for software tools without paying close attention to the data handling provisions in the agreement. The Safeguards Rule requires you to ensure your vendors are protecting customer data appropriately.
What Microsoft 365 covers and what it does not
Most accounting firms run on Microsoft 365. It is a good platform and it includes a lot of security capability. But M365 Business Premium does not automatically make you Safeguards Rule compliant.
What M365 Business Premium gives you: MFA, encryption in transit, Conditional Access policies, Intune for device management, Defender for endpoint protection. These are real security controls that map to Safeguards Rule requirements when they are properly configured.
What it does not give you automatically: a written WISP, a risk assessment, a documented incident response plan, vendor oversight records, or the governance layer the rule requires. Those have to be built on top of the technical controls.
The platform is necessary but not sufficient. Compliance requires both the controls and the documentation.
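As an added example (not code from the original post or from Athencia), here is one way to check the "MFA is inconsistent" gap described earlier against a Microsoft 365 tenant. It assumes the Microsoft Graph PowerShell SDK is installed and an admin account with the listed read scopes; it reports whether an enabled tenant-wide Conditional Access policy requires MFA and which enabled users have nothing but a password registered.

```powershell
# Added example (not from the original post): audit MFA coverage in a Microsoft 365 tenant.
# Assumes the Microsoft Graph PowerShell SDK is installed and the signed-in admin
# has consented to the three read scopes below. Nothing here changes tenant state.
Connect-MgGraph -Scopes "User.Read.All","UserAuthenticationMethod.Read.All","Policy.Read.All" -NoWelcome

# 1. Is there an enabled Conditional Access policy that requires MFA for all users?
$mfaPolicies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq 'enabled' -and
    $_.GrantControls.BuiltInControls -contains 'mfa' -and
    $_.Conditions.Users.IncludeUsers -contains 'All'
}
if ($mfaPolicies) {
    Write-Host "Tenant-wide MFA policy found: $($mfaPolicies.DisplayName -join ', ')"
} else {
    Write-Warning "No enabled Conditional Access policy requires MFA for all users."
}

# Authentication method types that count as a second factor. A password alone does not.
$strongMethods = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)

# 2. Which enabled accounts have no MFA-capable method registered at all?
$report = foreach ($user in Get-MgUser -All -Filter "accountEnabled eq true" -Property Id,UserPrincipalName) {
    $methods = Get-MgUserAuthenticationMethod -UserId $user.Id
    $types   = $methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    [pscustomobject]@{
        User          = $user.UserPrincipalName
        MfaRegistered = [bool]($types | Where-Object { $strongMethods -contains $_ })
        Methods       = ($types -replace '#microsoft.graph.','') -join ';'
    }
}

# Keep the CSV as evidence for the WISP and the annual report; the gap list is the to-do list.
$report | Export-Csv -Path .\mfa-coverage.csv -NoTypeInformation
$report | Where-Object { -not $_.MfaRegistered } | Format-Table -AutoSize
```

A user who appears in the gap list is not necessarily able to bypass MFA if the policy check passed (they will be prompted to register at next sign-in), but any account that can still sign in with a password alone while the policy check fails is exactly the inconsistency the rule is meant to close.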
What enforcement actually looks like
The FTC has authority to investigate and fine businesses that violate the Safeguards Rule, and they have used it. Fines can reach $50,120 per violation per day for knowing violations. Beyond federal enforcement, some states have their own data security laws with additional requirements and penalties.
The more practical concern for most small accounting firms is not an FTC audit. It is a data breach. If your firm experiences a breach and it turns out you did not have the required security program in place, you are looking at regulatory exposure, potential civil liability, and the kind of reputational damage that is very hard to recover from in a business built on client trust.
The Safeguards Rule is not just a compliance checkbox. It is a floor for reasonable security practice. Most of what it requires you would want to do anyway.
Getting compliant without hiring a full-time security team
A 15-person accounting firm does not need a CISO. But you do need someone who understands what the rule requires and can build the documentation and controls to meet it.
That is what Athencia Comply is designed for. We help professional services firms build the written WISP, implement the technical controls through Athencia One Complete, document the risk assessment, and prepare you for the oversight and renewal obligations that come after the initial setup.
The goal is not to bury you in paperwork. It is to build a security program that is real, documented, and maintainable by a small firm without a dedicated IT staff.
If you are not sure where your firm stands against the Safeguards Rule requirements, the right first step is a gap assessment. Start there before worrying about anything else.
Ready to find out where you actually stand? See how Athencia Comply works or get in touch directly for a straightforward conversation about what your firm needs.