Ask a room of tax and accounting professionals whether they take client data security seriously, and nearly every hand goes up. Ask them to describe what federal law requires, and things can get a little murky. That gap matters, because the rules are not vague suggestions or best-practice wish lists. The Federal Trade Commission’s Safeguards Rule sets out specific, enforceable obligations, and it places tax and accounting practices squarely in the category of financial institutions it regulates.
If you prepare returns, keep the books, advise on financial planning, or handle client financial records in almost any capacity, this rule reaches you. It is also the backbone of what effective cybersecurity for accountants looks like in day-to-day practice. The reassuring part is that compliance is achievable for a firm of any size, from a national practice down to a solo preparer working from a home office. What follows breaks down what the Safeguards Rule is, who it covers, what it asks of you, and how to start meeting it without bringing your work to a standstill.
Why a Financial Privacy Law Lands on Your Desk
The Safeguards Rule grows out of the Gramm-Leach-Bliley Act, often shortened to GLBA, a federal law enacted to protect consumers’ personal financial information. GLBA directed the FTC to require the businesses under its authority to protect the sensitive data they collect and hold. The Safeguards Rule is the result, and the FTC reads the term “financial institution” far more broadly than most practitioners assume.
In short, a financial institution is any business significantly engaged in providing financial products or services. The FTC has stated plainly that this category includes tax preparers and accountants. You do not need a bank charter or a brokerage license to qualify. You simply need to handle the kind of sensitive financial information that ordinary tax and accounting work generates every single day.
In practice, the rule typically covers:
- Tax return preparers and firms of every size, including sole practitioners
- CPAs and accounting firms that handle client financial records
- Enrolled agents and other credentialed preparers
- Bookkeeping and payroll service providers
- Financial planners and advisors who collect personal financial data
If your work touches any of these areas, the safe assumption is that the rule applies and that regulators expect you to act accordingly.
The Information It Expects You to Protect
The rule centers on what GLBA calls nonpublic personal information, frequently abbreviated as NPI. This is any personally identifiable financial information that a client provides to you, that you gather while delivering a service, or that you obtain from another source in connection with that service. It is the raw material of nearly every engagement you take on.
For a tax or accounting practice, NPI is everywhere in your files. It includes Social Security numbers, bank and brokerage account numbers, wage and income details, prior-year returns, dependent information, and the login credentials clients share so you can complete their work. Information that is already lawfully public, such as property records anyone can pull, generally sits outside the definition. The practical lesson is straightforward: assume that almost everything in a client file is protected and design your safeguards around that assumption rather than around the exceptions.
The Eight Core Requirements
At its core, the Safeguards Rule requires you to develop, implement, and maintain a written information security program. Amendments that took full effect in 2023 replaced broad principles with concrete components, so a compliant program now centers on eight core requirements:
- Designate a qualified individual. Put one person in charge of running and enforcing your security program, and have that person report in writing to your leadership or governing body at least once a year. The role can sit with an employee, an owner, or a qualified outside provider, but the accountability has to land somewhere specific rather than float across the whole office.
- Conduct a risk assessment. Identify the reasonably foreseeable internal and external risks to client information, write them down, and describe how you will address each one. This written assessment becomes the foundation that every safeguard you adopt is meant to support.
- Design and implement safeguards. Put controls in place to manage the risks you found. The rule expects to see access controls, an inventory of where data lives, encryption of information in storage and in transit, security review of the apps you rely on, multi-factor authentication for anyone reaching client data, secure disposal of information you no longer need, change management, and monitoring of user activity.
- Test and monitor what you put in place. Confirm your controls actually work, either through continuous monitoring or through a defined schedule of testing such as penetration testing and regular vulnerability scans. A control you never check is a control you cannot truly rely on.
- Train your people. Give staff security awareness training and schedule regular refreshers. Many breaches trace back to human error, which makes this one of the highest-return obligations on the list.
- Oversee your service providers. The outside vendors who touch your data, from cloud hosts to the software platforms you file through, must be capable of protecting it. Select them with care, require safeguards by contract, and reassess them over time.
- Keep the program current. Review and adjust your safeguards as your practice grows, as you adopt new tools, and as new threats appear. Security is a moving target, never a one-time project you can finish and forget.
- Maintain a written incident response plan. Decide in advance how you will detect, contain, and recover from a breach, who holds which responsibilities, and how you will document and learn from the event afterward.
Where the WISP Fits In
You may already know this written program by a more familiar name. Tax professionals are widely encouraged to capture these requirements in a Written Information Security Plan, or WISP. The IRS, working through its Security Summit partners, expects every professional preparer to maintain one, and the document is exactly how you demonstrate that your Safeguards Rule program exists on paper and in practice rather than only in your head.
A WISP does not need to be long or dense with technical jargon to do its job. It needs to be accurate, current, and a true reflection of how your practice actually handles data. If writing one from a blank page feels daunting, there is no need to start from scratch. We offer a free WISP template that you can adapt to your firm, giving you a structured starting point and sparing you from guessing at what belongs inside.
Two Provisions Worth Knowing
The first is a partial break for smaller practices. A firm that maintains information on fewer than 5,000 consumers is relieved of a handful of specific obligations: the written risk assessment, continuous monitoring or periodic penetration testing and vulnerability assessments, the written incident response plan, and the annual written report to leadership. The operative word is “partial.” Every other safeguard in the rule still applies, so a small office is nowhere near exempt and should not treat the carve-out as permission to relax.
Second, a breach notification requirement obligates covered businesses to notify the FTC after a security event involving the unencrypted information of 500 or more consumers. That notice is due as soon as possible, and no later than 30 days after you discover the event, filed through the FTC’s reporting channel. It sits on top of any state breach-notification laws you already follow and any duty you have to alert the clients who were affected.
What Noncompliance Can Cost You
It is tempting to treat a federal rule as background noise until something goes wrong. That instinct is an expensive one. The fallout from ignoring the Safeguards Rule rarely arrives politely or one piece at a time.
- Regulatory exposure. Violations tied to GLBA can bring substantial civil penalties and FTC enforcement actions, sometimes accompanied by oversight that shadows your firm for years.
- Professional standing. For tax preparers in particular, data-security failures can invite IRS scrutiny and threaten the credentials and filing privileges your livelihood depends on.
- Direct breach costs. Investigation, client notification, credit monitoring, and system recovery stack up fast, and they fall hardest on the smaller firms least equipped to absorb them.
- Lost trust. Clients share their most sensitive information on the belief that you will guard it. A single breach can end relationships built over many years, and that kind of news travels quickly through a community.
Cybersecurity for Accountants in Practice: Where to Start
If your program isn’t where it should be, the goal is steady progress, not flawless coverage by the end of the week. A handful of early moves will put you meaningfully ahead of where you are today.
Begin by naming your qualified individual, so the question of who owns security has a clear answer. Walk through your practice and write down where client data lives, who can access it, and which vendors handle it along the way. Switch on multi-factor authentication everywhere it is offered, since it remains one of the least expensive and most effective protections available to a small practice. From there, put your plan in writing, train your team on what it says, and set a recurring date to review the whole thing.
None of these steps demands a large budget or an in-house IT department. What they call for is intention and follow-through, the same disciplined mindset you already bring to a complicated return or a stubborn reconciliation.
A Promise You Already Make
The Safeguards Rule can feel like one more obligation in a profession already crowded with them. Seen from another angle, it is simply a structured version of a promise you make to every client who walks through your door: that the financial details they trust you with are safe in your hands. Strong cybersecurity for accounting firms protects your clients, your reputation, and the future of your practice in a single effort. Understanding what the rule genuinely requires is the first step toward getting there, and you have just taken it.
Ready to go deeper on data security and earn CPE while you do it? Western CPE offers a range of continuing education courses on cybersecurity and data protection built for tax and accounting professionals: