Legal Compliance

Cybersecurity Compliance for Accountants: Why It Matters More Than Ever

By Maria Jose Castro | 8 min
Cybersecurity
FTC Safeguards Rule
Accounting Firms
Data Protection
Compliance

TL;DR

CPAs and accounting firms fall under the Federal Trade Commission's Safeguards Rule because they provide tax planning and preparation services, making them "financial institutions" that must implement written information‑security programs. This article explains the key Safeguards Rule requirements, the exceptions and why all CPA firms (irrespective of size) should adopt robust cybersecurity practices.

The core work of accounting and tax professionals involves handling exactly the kind of sensitive personal and financial information that cybercriminals value. Yet many CPA firms have historically relied on informal security practices that leave them highly vulnerable to breaches. Recent changes to federal regulations make clear that accountants cannot take cybersecurity lightly.

The FTC Safeguards Rule, which has existed since 2002 under the Gramm–Leach–Bliley Act, requires covered financial institutions to develop and maintain a written information‑security program (ISP) that is commensurate with their size and complexity. Amendments adopted in 2021 expanded the definition of "financial institution" to include entities engaged in activities "incidental to such financial activities," which explicitly covers tax preparers and CPA firms. Plainly stated, CPA firms must treat themselves as financial institutions for purposes of cybersecurity compliance.

Understanding the Safeguards Rule

The Safeguards Rule obligates covered entities to "develop, implement, and maintain" an ISP with administrative, technical, and physical safeguards to protect customer information. Key requirements include:

Appoint a qualified individual

Firms must designate a person with appropriate skills to oversee the ISP. If a third‑party service provider is used, the firm remains responsible and must appoint a senior‑level supervisor.

Conduct a written risk assessment

Identify and inventory customer information, evaluate foreseeable risks and vulnerabilities, and update the assessment as operations and threats evolve.

Implement specific safeguards

The Rule lists several required controls, such as:

  • Access controls to ensure individuals only access information necessary for their roles.
  • Data inventory and mapping – Understand how data is collected, stored and transmitted.
  • Encryption of customer information both in transit and at rest.
  • Assessment of applications used to store or transmit data.
  • Multi‑factor authentication for anyone accessing customer information.
  • Secure disposal of data no longer needed.
  • Change management protocols to respond to evolving threats.
  • Activity logging and monitoring to detect unauthorized access.

Testing and monitoring

Conduct continuous monitoring or periodic penetration testing and vulnerability assessments to verify that safeguards are working.

Employee training

Ensure personnel understand security policies.

Service provider oversight

Execute contracts requiring vendors to maintain appropriate safeguards.

Regular updates to the ISP

Revise the ISP as the business and the threat landscape evolve.

Incident response plan

Prepare for data breaches with a written plan.

Annual reporting

The qualified individual must report to the company's governing body at least annually.

Exceptions for Small Firms (But Not a Free Pass!)

The amended Safeguards Rule includes an exception for covered financial institutions that maintain customer information for fewer than 5,000 consumers. Under this exception, these firms are exempt from certain requirements and must instead focus on a narrower set of controls such as encryption, multi‑factor authentication, and secure disposal. However, the AICPA cautions that all ISP elements remain relevant to protecting customer information, regardless of firm size. CPA firms should treat the exception as a minimum baseline and adopt the full suite of safeguards to mitigate liability and build trust with clients.

Why Compliance Matters

Cybercrimes targeting CPA firms are on the rise because financial data is valuable. Failing to comply with the Safeguards Rule can lead to enforcement actions by the FTC or state attorneys general, civil penalties, lawsuits, and reputational damage. Even small firms that fall under the 5,000‑consumer threshold can suffer catastrophic losses if client data is stolen.

Adopting the full set of safeguards demonstrates due diligence, reduces the likelihood of breaches, and positions your firm as a trusted partner.

Building a Compliant Program

Assess your data flows

Document what information you collect (tax returns, personal identifiers, payment details), where it is stored and who can access it. Use this map to prioritize controls.

Develop a written information‑security program

Use templates from industry associations or regulatory agencies, but customize them for your firm's operations. Assign responsibilities, define policies for encryption and access control, and include an incident‑response plan.

Invest in technology

Implement password management, multi‑factor authentication, endpoint protection and data‑loss‑prevention tools. Use encryption for both data at rest and in transit.

Train your team

Conduct regular training on phishing, secure data handling and regulatory requirements. Make security awareness part of your culture.

Vet service providers

Require SOC 2 reports or similar assurances from cloud providers, bookkeeping software vendors and IT consultants. Include security provisions and audit rights in contracts.

Review and update

Technology and threats evolve quickly. Review your ISP at least annually and whenever you introduce new systems or processes. Regularly test your controls with penetration tests or vulnerability scans.

Protect Your Clients' Livelihoods: Let Castroland Legal Help You Stay Compliant

Under the FTC's expanded Safeguards Rule, CPA firms must build comprehensive cybersecurity programs, no matter their size. Don't wait for a breach to discover vulnerabilities.

Castroland Legal specializes in helping accounting firms implement thorough risk assessments, multi‑factor authentication, and incident‑response plans. Let us guide your firm through compliance, train your team, and safeguard sensitive data so you can serve clients confidently.

Reach out to Castroland Legal today to get started.


Accounting firms handle highly sensitive personal and financial information, which makes them prime targets for cyber threats. Under the FTC's expanded Safeguards Rule, CPAs are classified as "financial institutions" and must develop written information‑security programs, appoint qualified individuals to oversee them, and implement safeguards such as risk assessments, encryption, multi‑factor authentication, and secure data disposal. While firms serving fewer than 5,000 consumers enjoy limited exemptions, best practice dictates that all firms adopt robust safeguards. Compliance protects client data, builds trust, and mitigates the risk of fines, lawsuits, and reputational harm.