If your firm prepares tax returns or handles client financial records, the federal government already classifies you as a “financial institution” — the same legal category as a bank or a mortgage lender. That means the FTC Safeguards Rule applies to your accounting firm, and it has been enforceable since June 9, 2023.
Most accounting firm owners assume this rule is for Wall Street, not a 12-person CPA practice in a strip mall. It isn’t. The regulation specifically names “an accountant or other tax preparation service” as a covered business (16 CFR Part 314, 2024), and the IRS has been blunt about it: under the law, “tax and accounting professionals are considered financial institutions, regardless of size” (IRS Publication 5708, 2024).
This guide explains, in plain English, exactly what the FTC Safeguards Rule requires of accounting firms: who is covered, the nine mandatory elements of a compliant security program, the deadlines you’ve already passed, the new breach-reporting clock that started in 2024, and a practical checklist to get compliant. Every requirement below is cited to its primary source.
Key Takeaways
- The FTC Safeguards Rule classifies accountants and tax preparers as “financial institutions,” and the law requires every firm to maintain a Written Information Security Plan — regardless of firm size (IRS Publication 5708, 2024).
- The core requirements have been enforceable since June 9, 2023, and include nine mandatory elements such as encryption of all customer data and multi-factor authentication (16 CFR Part 314, 2024).
- Since May 13, 2024, any security breach affecting 500 or more consumers must be reported to the FTC — no later than 30 days after discovery (16 CFR Part 314, 2024).
- The stakes are not theoretical: the FBI logged $2.77 billion in business-email-compromise losses in 2024 (FBI IC3, 2024), and the average data breach now costs $4.88 million (IBM Cost of a Data Breach, 2024).
Does the FTC Safeguards Rule apply to accounting firms?
Yes — almost certainly. The Safeguards Rule is the FTC’s implementation of the Gramm-Leach-Bliley Act, and it reaches far beyond traditional banks. The exact definition is broad on purpose.
- The rule states that “an accountant or other tax preparation service that is in the business of completing income tax returns is a financial institution” (16 CFR Part 314, 2024).
- The IRS confirms the point for smaller practices: “Under the GLBA and Safeguards Rule, tax and accounting professionals are considered financial institutions, regardless of size” (IRS Publication 5708, 2024).
- The IRS’s data-security guidance for preparers adds that the “financial institutions” definition “includes professional tax preparers” (IRS Publication 4557, 2024).
The same rule that covers your CPA firm also covers mortgage brokers, payday lenders, and auto dealerships — which is why you may have seen headlines about the FTC Safeguards Rule for dealerships. If your firm collects Social Security numbers, bank-account details, or other client financial information, you are in scope, and a sole practitioner is covered just as a multi-partner firm is.
The 9 requirements every accounting firm’s security program must meet
The heart of the rule is a written information security program built on nine elements. The plan must be scaled to your firm’s size and complexity, but the following components are mandatory.
- Designate a Qualified Individual to oversee and enforce your information security program. This person can be an employee or an outsourced provider, but your firm retains responsibility (16 CFR Part 314, 2024).
- Base the program on a written risk assessment that identifies foreseeable internal and external threats to client information (16 CFR Part 314, 2024).
- Encrypt all customer information — the rule requires you to “protect by encryption all customer information held or transmitted by you both in transit over external networks and at rest” (16 CFR Part 314, 2024).
- Implement multi-factor authentication (MFA) for anyone accessing your systems. The IRS notes this is “required for all companies regardless of size” (IRS Publication 4557, 2024).
- Test your defenses regularly — either continuous monitoring, or annual penetration testing plus vulnerability assessments at least every six months (16 CFR Part 314, 2024).
- Train your staff with security-awareness training that is refreshed as new risks emerge (16 CFR Part 314, 2024).
- Oversee your service providers by requiring, in writing, that vendors who touch client data maintain appropriate safeguards (IRS Publication 5708, 2024).
- Maintain a written incident response plan designed to respond to and recover from any security event affecting client information (16 CFR Part 314, 2024).
- Report to leadership annually — the Qualified Individual must report in writing, at least once a year, to your board or a senior officer on the program’s status (16 CFR Part 314, 2024).
The deadlines: June 9, 2023 and the 2024 breach-notification clock
If this is the first you’re hearing of the rule, you’re already behind. The compliance dates have come and gone.
- The core provisions — the Qualified Individual, encryption, MFA, training, and incident response plan — “are effective as of June 9, 2023” (16 CFR Part 314, 2024).
- A newer requirement took effect May 13, 2024: you must “report a security event affecting 500 or more people to the FTC as soon as possible, but no later than 30 days from the date of discovery” (IRS Publication 5708, 2024).
That 30-day clock starts the moment anyone at your firm — other than the attacker — becomes aware of the breach, and the notice is filed electronically through a form on the FTC’s website (16 CFR Part 314, 2024). There is no waiting to “see if it’s serious.” For a firm that discovers a ransomware incident in the middle of tax season, that is a very tight window.
Do small CPA firms get an exemption? The 5,000-consumer rule
There is partial relief for the smallest practices, but it is narrower than most owners hope.
- A firm that “maintains customer information concerning fewer than five thousand consumers” is exempt from four specific provisions: the written risk assessment, the continuous-monitoring/penetration-testing requirement, the written incident response plan, and the annual report to leadership (16 CFR Part 314, 2024).
Read that carefully, because of what it does not exempt. Multi-factor authentication, encryption, designating a Qualified Individual, staff training, and service-provider oversight still apply to every covered firm, no matter how small. And the rule for reporting breaches of 500 or more consumers has no small-firm carve-out at all. In practice, “small” does not mean “exempt” — it means a leaner version of the same program.
What’s actually at stake for accounting firms
Accounting firms are a high-value target because of what sits in their systems: W-2s, Social Security numbers, bank-account and routing numbers, and the wire instructions that move real money. Attackers know it, and the numbers show it.
- In 2024, complaints to the FBI’s Internet Crime Complaint Center totaled 859,532, with reported losses of $16.6 billion — a 33% increase over 2023 (FBI IC3, 2024).
- Business email compromise alone — the fake-wire-instruction scam that hits firms at closing and during refund season — accounted for $2.77 billion in 2024 losses (FBI IC3, 2024).
- The global average cost of a single data breach reached $4.88 million in 2024, up 10% year over year, with financial-services firms among the hardest hit (IBM Cost of a Data Breach, 2024).
A concrete example from the FBI’s 2024 report shows how fast it happens: buyers in a real-estate closing received a spoofed email from their supposed real-estate agent and wired $956,342 to a fraudulent account. They only realized the instructions were fake two days later; the FBI’s Recovery Asset Team managed to freeze and return $955,060 (FBI IC3, 2024). The same spoofed-email playbook lands in accounting firms’ inboxes every tax season — and the firms that recover fastest are the ones that already had an incident response plan on the shelf.
How to comply: a practical WISP checklist (and where outsourced IT support fits)
Compliance comes down to writing the plan and then actually operating it. Here is a realistic order of operations for an accounting firm.
- Name your Qualified Individual — the one person accountable for the program (in-house or via a managed IT partner).
- Write and date your WISP. The IRS publishes a free fill-in-the-blanks template built specifically for tax and accounting practices (IRS Publication 5708, 2024).
- Turn on MFA everywhere — email, tax software, remote access — and encrypt laptops, email, and backups.
- Inventory where client data lives and limit access to staff who genuinely need it.
- Get service-provider safeguards in writing with your tax software, cloud, and IT vendors.
- Build and rehearse an incident response plan so the 30-day FTC clock never catches you flat-footed.
Few accounting firms have the in-house expertise to run all of this themselves, and that is exactly why managed IT services for accounting firms have grown so quickly. A good outsourced IT support partner for accounting firms can own the technical layer — deploying MFA and encryption, monitoring for threats, serving as your Qualified Individual, and standing up the breach-response process — so the rule becomes a maintained system rather than a binder no one updates. The right accounting-firm IT support team will already know the Safeguards Rule cold, because it shapes everything they build for firms like yours.
Final Thoughts
The FTC Safeguards Rule is not a one-time checkbox; it is an evergreen program you keep current as your firm, your tools, and the threats change. The good news is that the requirements are flexible and scalable — a sole practitioner can comply with a far leaner plan than a 10-partner firm — and the IRS gives you a free template to start. The hard part is operating it consistently, year after year, while you’re also running a busy practice.
That is where Tech Advisors comes in. We help CPA and accounting firms design, deploy, and maintain Safeguards-Rule-ready security programs — from MFA and encryption to monitoring and breach response — so you can prove compliance and, more importantly, actually protect your clients’ data. If you’re not sure where your firm stands today, a short conversation is the easiest place to start.
