// Pillar Guide · 2026 Update · ~25 min read

THE FTC SAFEGUARDS RULE IMPLEMENTATION GUIDE FOR CPA & ACCOUNTING FIRMS.

What 16 CFR Part 314 actually requires of an accounting firm: the Written Information Security Program (WISP), the designated Qualified Individual, the periodic risk assessment, and, new since the 2023 amendment that took effect May 13, 2024, the 30-day FTC breach notification requirement. Tax preparers, accountants, and bookkeepers handling customer financial information are “financial institutions” under the Rule whether they realize it or not. This guide walks through the nine required WISP elements, the practical IT stack, and the audit-ready documentation a Florida CPA firm needs in 2026.

By Steve Condit, USMC Veteran · 30+ yrs IT · Published 2026-05-01 · Updated 2026-05-13
// What's In This Guide

ELEVEN SECTIONS. ABOUT 4,000 WORDS.

  01  What the FTC Safeguards Rule Actually Covers (16 CFR Part 314)
  02  Who Is a “Financial Institution” Under the Rule (Hint: Tax Preparers Are)
  03  The 9 Required Elements of a Written Information Security Program
  04  The Qualified Individual: Who Should Hold This Role
  05  Annual Risk Assessment + What It Should Document
  06  The 30-Day FTC Breach Reporting Requirement (2023 Amendment, Effective May 2024)
  07  Tax-Software Vendor Security (QuickBooks, Drake, UltraTax, Lacerte)
  08  Tax-Season Threat Patterns (Phishing, BEC, W-2/1099 Fraud)
  09  Secure Client Document Exchange (Email Is Not Acceptable)
  10  The Practical FTC-Safeguards-Aligned IT Stack
  11  Frequently Asked Questions
// 01

WHAT THE FTC SAFEGUARDS RULE ACTUALLY COVERS.

The FTC Safeguards Rule lives at 16 CFR Part 314. It implements Section 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801(b)), which directed the Federal Trade Commission to establish standards for the security of nonpublic personal information (NPI) held by financial institutions under the FTC's jurisdiction. The original Rule took effect in 2003. The FTC announced substantial amendments in October 2021 (published in the Federal Register on December 9, 2021); the compliance deadline for the new provisions, originally December 9, 2022, was extended to June 9, 2023. A further amendment, approved in October 2023 and effective May 13, 2024, added the explicit 30-day FTC breach notification requirement covered in Section 6 of this guide.

The Rule's structure is straightforward. 16 CFR 314.3 requires every covered financial institution to develop, implement, and maintain a comprehensive information security program (the WISP) containing administrative, technical, and physical safeguards appropriate to the size and complexity of the institution, the nature and scope of its activities, and the sensitivity of the customer information at issue. 16 CFR 314.4 enumerates the elements of that program: the nine WISP elements in paragraphs (a) through (i), plus the FTC notification requirement added in 2023 as paragraph (j). 16 CFR 314.5 establishes the effective dates. 16 CFR 314.6 provides limited exemptions for institutions that maintain customer information about fewer than 5,000 consumers.

What “Customer Information” Means

For a CPA firm, “customer information” is broad: Social Security numbers, dates of birth, driver's license numbers, bank account and routing numbers, brokerage statements, tax returns and supporting documentation, mortgage and loan documents, financial statements, credit card information, identity-verification documents, payroll data, and any other NPI a customer provides in the course of obtaining a financial service. If it's in the firm's tax-prep software, client portal, email, or document storage — it's customer information under the Rule.

Enforcement Reality

The FTC has enforcement authority under Section 5 of the FTC Act (15 U.S.C. 45) and the GLBA. Civil penalties for knowing Rule violations are substantial: the per-violation cap is adjusted for inflation each January and stood at $53,088 under the 2025 adjustment. The IRS also enforces a parallel set of obligations on paid tax-return preparers via Publication 4557 (“Safeguarding Taxpayer Data”) and Publication 5708 (“Creating a Written Information Security Plan for Your Tax & Accounting Practice”), both of which point back to the FTC Safeguards Rule as the controlling framework. A PTIN holder who lacks a documented WISP is potentially in violation of both regimes simultaneously.

// 02

WHO IS A “FINANCIAL INSTITUTION” UNDER THE RULE.

The definition is the part most accounting professionals get wrong. Under 16 CFR 314.2(h), a financial institution is any business “significantly engaged in financial activities” as described in Section 4(k) of the Bank Holding Company Act (12 U.S.C. 1843(k)) and the implementing regulations at 12 CFR 225.28 and 225.86. The FTC's 2021 amendments explicitly listed examples that swept in many businesses that don't self-identify as “financial.”

For the accounting profession specifically, the covered list includes: tax-return preparers (including seasonal preparers, enrolled agents (EAs), and any CPA practicing tax), accountants providing financial advisory services, bookkeepers handling customer financial information, payroll-service bureaus, financial planners, retirement-plan administrators, and providers of real-estate appraisal or settlement services. If your firm files a 1040 for compensation, you are a financial institution. If your firm reconciles a client's bank account or prepares their financial statements for compensation, you are a financial institution. The fact that you call yourself a “CPA firm” and not a “bank” is not relevant.

The 5,000-customer threshold in 314.6 is not an on/off switch for the Rule. It exempts smaller firms from four specific provisions: the written risk assessment under 314.4(b)(1), the continuous-monitoring or annual penetration test plus six-monthly vulnerability assessment regime under 314.4(d)(2), the written incident response plan under 314.4(h), and the annual written report to the board under 314.4(i). Everything else applies to every covered firm regardless of customer count: the eight safeguards in 314.4(c), the general duty to test or monitor safeguards in 314.4(d)(1), training under 314.4(e), service-provider oversight under 314.4(f), program adjustment under 314.4(g), and the FTC notification duty under 314.4(j). A sole-practitioner CPA with 200 clients still has to implement MFA, encryption, access controls, and vendor oversight under the Rule.

// 03

THE 9 REQUIRED ELEMENTS OF A WRITTEN INFORMATION SECURITY PROGRAM.

16 CFR 314.4 enumerates the nine elements every WISP must contain. These are not aspirational — they are required, in writing, with documented evidence the firm can produce if the FTC investigates. Most off-the-shelf WISP templates address the wording; the differentiator is whether the firm has actually implemented and can prove the underlying program.

  01  Designate a Qualified Individual (314.4(a))
      A named human responsible for overseeing, implementing, and enforcing the program. Doesn't need to be an employee, but must be qualified for the role and accountable to senior governance.
  02  Conduct a written risk assessment (314.4(b))
      Periodic risk assessment that identifies reasonably foreseeable internal and external risks to customer information and assesses the sufficiency of safeguards in place. Must be documented in writing, with the content specified in 314.4(b)(1), for firms at or above the 5,000-customer threshold; every covered firm must still reassess periodically under 314.4(b)(2).
  03  Implement safeguards based on the risk assessment (314.4(c))
      Eight enumerated technical and administrative safeguards: access controls, inventory of data and systems, encryption of customer information in transit and at rest, secure development practices, MFA for anyone accessing a system that holds customer information, secure disposal, change management, and monitoring and logging of authorized user activity.
  04  Regularly test or monitor the effectiveness of safeguards (314.4(d))
      Either continuous monitoring or, alternatively, annual penetration testing plus vulnerability assessments at least every six months (314.4(d)(2)). Firms below the 5,000-customer threshold are exempt from (d)(2) but still owe the general testing duty in (d)(1); smaller firms typically satisfy both through the continuous monitoring their managed IT provider's SOC performs.
  05  Implement policies and procedures for personnel training (314.4(e))
      Workforce training on the security program, periodic refreshers, qualifications for security personnel. Documented completion records.
  06  Oversee service providers (314.4(f))
      Selection of service providers based on their ability to maintain appropriate safeguards, contractual requirements that they implement and maintain such safeguards, and periodic assessment of those providers.
  07  Evaluate and adjust the program (314.4(g))
      Periodic evaluation and adjustment of the program in light of test results, material changes to operations or business arrangements, and any other circumstances reasonably indicating program adjustment.
  08  Establish a written incident response plan (314.4(h))
      Written IR plan covering goals, internal processes, roles and responsibilities, communications, requirements for remediation, documentation and reporting, and post-incident program evaluation.
  09  Report in writing to the board (314.4(i))
      Qualified Individual reports at least annually to the board of directors (or equivalent governing body) on the program. Firms below the 5,000-customer threshold are exempt from this formal step, but the discipline still benefits the practice.

The IRS Publication 5708 template is a reasonable starting point for the WISP's structure, but firms should not treat the template itself as the deliverable. The deliverable is the program — the documented evidence that each of the nine elements is actually operating at the firm.

// 04

THE QUALIFIED INDIVIDUAL: WHO SHOULD HOLD THIS ROLE.

The Qualified Individual is the named human accountable for the firm's information security program under 16 CFR 314.4(a). The Rule deliberately leaves the “qualified” standard flexible — there's no required certification — but the person designated must have the practical authority and competence to oversee the program. The Qualified Individual may be an employee, an affiliate, or a service provider. If it's a service provider, the Rule still requires the firm to designate a senior employee responsible for direct oversight of that service provider.

The Practical Pattern for Small Firms

At firms of 3-20 people, the managing partner or firm administrator is typically the named Qualified Individual. The firm's managed IT provider supports the technical execution — running the SOC, managing patching, maintaining EDR — under a contractual relationship that satisfies the service-provider oversight requirements of 314.4(f). The accountability stays with the firm; the technical heavy lifting sits with the MSP. This is the structure the FTC contemplated and the structure the IRS Publication 5708 describes.

What the Qualified Individual Actually Does

Day-to-day, the role is more governance than technical: signing off on the WISP and its annual updates, reviewing the risk assessment, approving access changes for new and departing employees, making the policy calls when something ambiguous arises (e.g., “can we use this new AI tool with client tax data?”), maintaining the service-provider agreements 314.4(f) requires, and chairing the annual program review. When an incident occurs, the Qualified Individual is the firm's point person with the breach coach, the FTC, and the state agencies.

Critically, the Qualified Individual cannot delegate accountability — only execution. The FTC will look to the named person if it investigates. Most firms we work with name the managing partner explicitly in the WISP and document the MSP's supporting role in a separate service-provider oversight memo under 314.4(f).

// 05

ANNUAL RISK ASSESSMENT + WHAT IT SHOULD DOCUMENT.

16 CFR 314.4(b)(1) requires a written risk assessment that identifies reasonably foreseeable internal and external risks to customer information and assesses the sufficiency of any safeguards in place to control those risks. Firms at or above the 5,000-customer threshold must produce that written document; firms below it are exempt from the written form and its prescribed content, but they still have to perform a risk assessment, because 314.4(c) requires safeguards designed to control the risks it identifies and 314.4(b)(2) requires periodic reassessment. The practical cadence we recommend is annual, with an interim refresh whenever the firm makes a material change (new tax software, office move, M&A, new client segment).

A defensible risk assessment documents at minimum: (1) an inventory of systems and locations holding customer information; (2) the foreseeable threats to each — including ransomware, phishing-driven credential compromise, lost or stolen device, malicious insider, vendor compromise, and natural disaster; (3) the current controls against each threat with reference to the relevant 314.4(c) subparts; (4) the residual risk after controls; (5) the remediation plan with named owners and dates; and (6) the date and signature of the Qualified Individual.

The most common deficiency we see when auditing existing risk assessments at Florida CPA firms is that the document was generated once (often from a template provided by a tax-software vendor or insurance broker) and never updated. The Rule requires a periodic assessment — one that was last updated in 2022 and references “upcoming” FTC changes is not a current risk assessment. Calendar this as a recurring annual task on the managing partner's calendar.

// 06

THE 30-DAY FTC BREACH REPORTING REQUIREMENT.

In October 2023 (Federal Register publication in November 2023), the FTC amended 16 CFR Part 314 to add a new 314.4(j): covered financial institutions must notify the FTC as soon as possible, and no later than 30 days after discovery, of a “notification event” in which unencrypted customer information of 500 or more consumers was acquired without authorization. Customer information counts as unencrypted if the encryption key was also accessed by the unauthorized party, so a breach of an encrypted system is not automatically outside the Rule. An event is treated as discovered on the first day it is known to the firm, including to any employee, officer, or agent other than the person who committed it. The notification is filed through the FTC's online portal at FTC.gov/SafeguardsRule. The amendment took effect May 13, 2024. This is now a hard, time-bound federal obligation distinct from any state-level breach reporting.

What the FTC Notification Must Contain

The notification, per 314.4(j) and the FTC's published guidance, must include: the name and contact information of the reporting financial institution; a description of the types of information involved; the date or date range of the notification event, if it can be determined; the number of consumers affected or potentially affected (an estimate if exact numbers aren't yet known); a general description of the notification event; and whether a law enforcement official has provided a written determination that notifying the FTC would impede a criminal investigation or harm national security. That written determination is the only basis for delay: it permits up to 30 days' delay, extendable only on a further written request from the official. The FTC publishes the notifications it receives on a public-facing page, meaning a covered firm's breach becomes discoverable to journalists, plaintiffs' attorneys, and competitors as soon as the filing posts.

How the FTC Clock Interacts with Florida and Other Layers

For a Florida CPA firm, a single qualifying incident can trigger simultaneous obligations: FTC notification under 314.4(j) within 30 days; Florida Information Protection Act (F.S. 501.171) notification to affected Floridians and the Florida Department of Legal Affairs within 30 days for 500+ residents; IRS notification per Publication 4557 if taxpayer data was involved; and state-by-state notification obligations for affected residents of other states. The clocks all start on the date of discovery — not the date of confirmation or the date of remediation. Time-to-discovery matters significantly to the firm's legal exposure.

Practical implication: the firm's IR plan under 314.4(h) must include the FTC notification step explicitly, with the FTC portal URL, the responsible party (Qualified Individual or breach coach), and a 30-day countdown trigger from the moment of discovery. Most firms we onboard had never heard of the 2023 amendment until we walked them through it.

// 07

TAX-SOFTWARE VENDOR SECURITY: QUICKBOOKS, DRAKE, ULTRATAX, LACERTE.

16 CFR 314.4(f) requires the firm to oversee its service providers — selecting them based on their ability to maintain appropriate safeguards, contracting for those safeguards, and periodically assessing them. For most CPA firms, the most critical service providers are the tax-software vendor, the document-management or portal vendor, the practice-management software, and the managed IT provider. Each has a different security posture and a different shape of risk.

QuickBooks (Intuit)

QuickBooks Online is a SaaS application with Intuit as the data custodian — the firm's security obligations shift toward identity management (MFA enforcement on every user, role-based access, monitoring of session activity, prompt deprovisioning of departing staff). QuickBooks Desktop is locally installed with files typically stored on a server or file share — the firm bears full responsibility for endpoint encryption, network segmentation, backup, and access controls. Many Florida firms run a hybrid (QB Desktop for client write-up, QB Online for the firm's own books) and need both control sets.

Drake Tax

Drake is predominantly installed locally with the firm hosting the data. Drake Documents (cloud) is an add-on. Drake Portals is the secure client-document-exchange product. The firm bears responsibility for endpoint EDR, network segmentation between tax-prep workstations and guest WiFi, encrypted local backup, and the practical Windows-hardening tasks Drake doesn't perform on the firm's behalf. Drake publishes security guidance in its annual Knowledge Base — firms should obtain and retain the current version as part of their 314.4(f) documentation.

UltraTax CS & Lacerte

Thomson Reuters UltraTax CS and Intuit Lacerte both support traditional on-premise and SaaS deployments (UltraTax via Onvio, Lacerte via Intuit Hosting). The SaaS path shifts infrastructure security to the vendor but concentrates the firm's residual risk on the identity layer. The on-premise path keeps full firm responsibility for server hardening, encryption, and backup. Either way, the firm needs current vendor security documentation (typically a SOC 2 Type II report) on file to satisfy 314.4(f).

The IRS Security Six (in Publication 4557) is the IRS's simplified version of the FTC Safeguards Rule and is required reading for any PTIN holder: antivirus software, firewalls, two-factor authentication, encrypted backup, drive encryption, and a VPN. The Security Six is an absolute floor, not a ceiling.

// 08

TAX-SEASON THREAT PATTERNS.

From January 15 through April 15, CPA firms face a concentrated, predictable wave of social-engineering attacks. Threat actors know the firm is busy, hiring seasonal staff, processing high-value documents, and willing to bend procedure for client convenience. The patterns repeat every year.

1. Client-Impersonation Phishing

An email arrives in the firm's inbox that appears to come from a known client asking for an urgent change — new banking instructions for the refund deposit, a rushed request to file an extension, an attached “updated W-2” that's actually a credential-harvesting page. The threat actor has done reconnaissance on the firm's client list (often via the firm's public bio pages or LinkedIn) and is impersonating with detail. The countermeasure: a verbal call-back policy on every banking change request, no exceptions, even — especially — in March.

2. Business Email Compromise (BEC) Targeting Client Refunds

If the threat actor has actually compromised a firm or client mailbox (often via credential theft followed by silent persistence, typically a forwarding rule or an inbox rule that hides the victim's replies), they sit and monitor for refund-disbursement conversations, then inject themselves with altered banking instructions at the moment of execution. Average BEC loss involving a CPA firm in 2025 was reported at over $130,000. MFA on every mailbox blocks the dominant attack vector, but only if legacy authentication protocols (IMAP, POP3, SMTP AUTH, basic-auth ActiveSync), which cannot carry an MFA claim, are blocked as well. A Conditional Access policy does that, and Microsoft 365 Business Premium includes the Entra ID P1 license that Conditional Access requires.
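The monitoring side of that control, as an added example that is not code from the original page or from Simply IT: the function below triages sign-in records for the signals that precede a refund-redirect BEC (a legacy-auth client, a single-factor sign-in, a sign-in no Conditional Access policy touched, a sign-in from outside the firm's home country, after-hours activity). The records are constructed; their field names follow the Microsoft Graph `signIn` resource, but the values, the user names, the `example-cpa.com` domain, the 06:00 to 20:00 weekday business-hours window and the US-only home-country list are all assumptions for illustration.

```python
"""Triage Entra ID sign-in records for BEC precursors (added example).

Field names follow the Microsoft Graph `signIn` resource; every value below
is constructed. In production the same function runs over the output of
GET /auditLogs/signIns or a SIEM export of the same records.
"""
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
    FIRM_TZ = ZoneInfo("America/New_York")      # assumption: a Florida firm
except Exception:                                # no tz database on this host
    FIRM_TZ = timezone(timedelta(hours=-5), "EST")

# clientAppUsed values Entra reports for protocols that cannot satisfy MFA
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "SMTP", "Authenticated SMTP",
    "Exchange Web Services", "MAPI Over HTTP", "Other clients",
}
HOME_COUNTRIES = {"US"}     # assumption: no staff working from abroad
BUSINESS_HOURS = (6, 20)    # assumption: 06:00-20:00 local, Monday-Friday


def triage(rec):
    """Return finding codes for one successful sign-in (empty list = clean)."""
    findings = []
    if rec.get("status", {}).get("errorCode", 0) != 0:
        return findings  # failed attempts belong to a separate brute-force rule
    if rec.get("clientAppUsed", "") in LEGACY_CLIENT_APPS:
        findings.append("legacy_auth")
    if rec.get("authenticationRequirement") == "singleFactorAuthentication":
        findings.append("single_factor")
    if rec.get("conditionalAccessStatus") == "notApplied":
        findings.append("no_ca_policy")
    country = rec.get("location", {}).get("countryOrRegion")
    if country and country not in HOME_COUNTRIES:
        findings.append(f"foreign_country:{country}")
    stamp = rec["createdDateTime"].replace("Z", "+00:00")
    local = datetime.fromisoformat(stamp).astimezone(FIRM_TZ)
    in_hours = BUSINESS_HOURS[0] <= local.hour < BUSINESS_HOURS[1]
    if local.weekday() >= 5 or not in_hours:
        findings.append("after_hours")
    return findings


def escalate(findings):
    """Page the SOC when weak authentication coincides with any other signal."""
    weak_auth = {"legacy_auth", "single_factor"} & set(findings)
    return bool(weak_auth) and len(findings) >= 2


def triage_all(records):
    """Map record id -> (findings, escalate?) for a batch of sign-ins."""
    out = {}
    for rec in records:
        findings = triage(rec)
        out[rec["id"]] = (findings, escalate(findings))
    return out


# Constructed sample batch (a Tuesday, Wednesday and Saturday in March 2026).
SAMPLE_SIGNINS = [
    {   # partner, browser, MFA, business hours: nothing to report
        "id": "s1", "userPrincipalName": "partner@example-cpa.com",
        "createdDateTime": "2026-03-10T14:05:00Z", "clientAppUsed": "Browser",
        "authenticationRequirement": "multiFactorAuthentication",
        "conditionalAccessStatus": "success", "ipAddress": "198.51.100.7",
        "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0},
    },
    {   # seasonal preparer's mailbox read over IMAP at 02:30 local from abroad
        "id": "s2", "userPrincipalName": "seasonal1@example-cpa.com",
        "createdDateTime": "2026-03-11T06:30:00Z", "clientAppUsed": "IMAP4",
        "authenticationRequirement": "singleFactorAuthentication",
        "conditionalAccessStatus": "notApplied", "ipAddress": "203.0.113.9",
        "location": {"countryOrRegion": "NG"}, "status": {"errorCode": 0},
    },
    {   # failed password attempt (50126): handled by a different rule
        "id": "s3", "userPrincipalName": "admin@example-cpa.com",
        "createdDateTime": "2026-03-11T07:00:00Z", "clientAppUsed": "Browser",
        "authenticationRequirement": "singleFactorAuthentication",
        "conditionalAccessStatus": "failure", "ipAddress": "203.0.113.9",
        "location": {"countryOrRegion": "NG"}, "status": {"errorCode": 50126},
    },
    {   # staff catching up on a Saturday with MFA: log it, don't page anyone
        "id": "s4", "userPrincipalName": "staff2@example-cpa.com",
        "createdDateTime": "2026-03-14T15:00:00Z", "clientAppUsed": "Browser",
        "authenticationRequirement": "multiFactorAuthentication",
        "conditionalAccessStatus": "success", "ipAddress": "198.51.100.7",
        "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0},
    },
]

if __name__ == "__main__":
    for rid, (findings, page) in triage_all(SAMPLE_SIGNINS).items():
        print(rid, "ESCALATE" if page else "log", findings)
```

The escalation rule is deliberately narrow: a weekend MFA sign-in is normal in March, while a single-factor IMAP read from a country the firm never works from is the pattern that precedes a redirected refund. Tune the business-hours window and home-country list to the firm before wiring this to a SOC ticket.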

3. W-2 / 1099 Bulk-Data Theft

Threat actors target payroll-service bureaus and write-up firms during W-2/1099 production season. A successful compromise yields thousands of usable identity-theft records in one breach. The countermeasure: segregation of payroll/write-up data from general firm mailboxes, EDR on every workstation handling bulk W-2/1099 data, immutable backup so the data can't be quietly altered before filing.

4. Seasonal-Staff Onboarding Risk

Many firms hire seasonal preparers in January and onboard them under time pressure. Common mistakes: shared logins for tax software, no MFA enforcement, no documented termination checklist for April 16, personal devices accessing client data with no MDM. The fix is procedural: every seasonal hire gets unique credentials, MFA from day one, an explicit termination date on the calendar, and a 24-hour deprovisioning SLA after April 15.

// 09

SECURE CLIENT DOCUMENT EXCHANGE: EMAIL IS NOT AN ACCEPTABLE CHANNEL.

16 CFR 314.4(c)(3) requires encryption of customer information in transit over external networks and at rest; where encryption is infeasible, the Rule allows alternative compensating controls only if the Qualified Individual reviews and approves them in writing. Ordinary SMTP email does not meet that bar, even between two TLS-enabled providers: SMTP TLS is opportunistic, so the sending firm cannot guarantee it was negotiated at every hop, and once the message lands in the client's mailbox or attachment store the firm has no encryption claim over it at all. Sending a W-2 PDF as an unencrypted email attachment is the single most common Rule violation we see at Florida CPA firms.

The fix is a secure client portal: a system where the firm uploads documents, the client authenticates (ideally with MFA) to retrieve them, every transfer is encrypted in transit and every stored copy at rest, and every upload and download is logged. Leading options in the CPA market:

  • SmartVault — popular with QuickBooks-centric firms, integrates with Intuit's lineup, supports e-signature.
  • ShareFile (Progress; formerly Citrix) — enterprise-grade, strong audit logging, integrates with most tax-software platforms.
  • TitanFile — firm-focused with simple client UX, SOC 2 Type II.
  • Thomson Reuters Onvio — tight UltraTax integration, end-to-end workflow.
  • Drake Portals — firm-friendly pricing for Drake-centric firms.
  • Microsoft SharePoint with external sharing governance — cost-effective if the firm is already on Microsoft 365 Business Premium and willing to configure properly.

The selection criteria are tax-software integration, e-signature workflow, audit-log quality (so the firm can prove who downloaded what and when), and client experience. All major options encrypt in transit and at rest. The fail mode is non-adoption — staff falling back to email because “the portal is too clunky.” The fix is process discipline plus a portal the staff actually likes.

// 10

THE PRACTICAL FTC-SAFEGUARDS-ALIGNED IT STACK.

What does an FTC-Safeguards-aligned IT environment actually look like at a 10-person Florida CPA firm in 2026? Here's the stack Simply IT deploys at every new accounting client during onboarding. It satisfies the 16 CFR 314.4(c) technical safeguards, supports the WISP and Qualified Individual functions, and gives the firm audit-ready documentation.

  • Identity: Microsoft 365 Business Premium, Entra ID with Conditional Access policies, MFA enforced on every user (including seasonal staff), separate global-admin accounts for IT only.
  • Endpoint: Defender for Business EDR on every workstation, BitLocker disk encryption on every laptop, automated patching via Intune (or RMM), application allowlisting where appropriate.
  • Email: Exchange Online with Defender for Office 365, DMARC enforcement on the firm domain, attachment sandboxing, banking-change keyword alerts, user phishing-reporter add-in.
  • Network: Business-grade firewall, VLAN segmentation between tax-prep workstations and guest WiFi, separate VLAN for any locally hosted tax-software server, VPN for remote access.
  • Backup: Image-based backup of every server hosting tax software, cloud backup of SharePoint and OneDrive, immutable retention for ransomware resilience, quarterly tested restores.
  • Client Portal: SmartVault, ShareFile, TitanFile, Onvio, Drake Portals, or SharePoint-with-governance — selection based on firm's tax-software stack.
  • Monitoring: 24/7 SOC monitoring of identity events, after-hours login anomalies, EDR alerts, DLP triggers for customer-information movement.
  • Training: Annual security awareness training (KnowBe4 or equivalent) with CPA-specific phishing simulations, documented completion records, sanctions policy for repeat clickers.
  • Documentation: WISP, annual written risk assessment, IR plan with FTC 30-day clock embedded, vendor inventory with SOC 2 references, Qualified Individual designation memo, annual board report (if applicable).
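A check for the “DMARC enforcement on the firm domain” line in the Email layer above, as an added example (not code from the original page or from Simply IT): the two functions below grade a DMARC record and an SPF record the way an auditor would when reviewing whether the firm's own domain can be spoofed against its clients. The record strings are constructed; in production you would fetch the `_dmarc.<domain>` and `<domain>` TXT records with `dig` or dnspython and pass them in unchanged.

```python
"""Grade DMARC and SPF TXT records for spoofing exposure (added example).

The sample records are constructed for example-cpa.com; nothing is fetched
from DNS here.
"""
import re


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt):
    """Return finding codes; an empty list means the record enforces cleanly."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not_dmarc"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("policy_missing")        # syntactically invalid record
    elif policy == "none":
        findings.append("policy_none")           # monitor-only: spoofs still land
    elif policy == "quarantine":
        findings.append("policy_quarantine")     # a stepping stone, not the goal
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct:{pct}")            # policy applied to part of the stream
    sub = tags.get("sp", "").lower()
    if sub == "none" and policy != "none":
        findings.append("subdomain_policy_none")  # lookalike subdomains left open
    if "rua" not in tags:
        findings.append("no_aggregate_reports")  # nobody is watching the stream
    return findings


# Mechanisms that cost a DNS lookup under RFC 7208's limit of 10.
_LOOKUP_TERM = re.compile(r"^(include:|redirect=|exists:|a$|mx$|a[:/]|mx[:/])")


def assess_spf(txt):
    """Return finding codes for an SPF record; empty list means it is sound."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not_spf"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("all_pass")              # anyone may send as the domain
    elif last == "?all":
        findings.append("all_neutral")
    elif last == "~all":
        findings.append("all_softfail")          # receivers mostly still deliver
    elif last != "-all":
        findings.append("no_all_terminator")
    lookups = sum(1 for t in terms[1:] if _LOOKUP_TERM.match(t.lstrip("+-~?").lower()))
    if lookups > 10:
        findings.append(f"too_many_lookups:{lookups}")  # evaluates to permerror
    return findings


# Constructed records for example-cpa.com (not real DNS data).
SAMPLE_DMARC = {
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@example-cpa.com",
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@example-cpa.com; ruf=mailto:dmarc@example-cpa.com",
    "half_rollout": "v=DMARC1; p=quarantine; pct=50; sp=none",
}
SAMPLE_SPF = {
    "m365_only": "v=spf1 include:spf.protection.outlook.com -all",
    "softfail": "v=spf1 include:spf.protection.outlook.com include:_spf.google.com ip4:203.0.113.0/24 ~all",
}

if __name__ == "__main__":
    for name, rec in SAMPLE_DMARC.items():
        print("DMARC", name, assess_dmarc(rec) or "ok")
    for name, rec in SAMPLE_SPF.items():
        print("SPF", name, assess_spf(rec) or "ok")
```

“Enforcement” for the purposes of the stack above means `p=reject` at `pct=100` with aggregate reporting turned on and no `sp=none` escape hatch, so the only record in the sample set that passes is `enforcing`. A `p=none` record is a monitoring configuration that lets a spoofed refund-instruction email from the firm's own domain reach the client.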

Pricing: this full stack at Simply IT is $150 per user per month on the Simply Compliant tier, with no long-term contracts. A 10-person CPA firm invests $1,500/month for an FTC-Safeguards-aligned posture — versus an average $80,000-$250,000 cost of recovering from a tax-season ransomware incident plus regulatory penalties and notification expense.

// 11

FREQUENTLY ASKED QUESTIONS.

What does “financial institution” mean under the FTC Safeguards Rule?
Broader than most people assume. 16 CFR 314.2(h) defines a financial institution as any business “significantly engaged in financial activities” as described in Section 4(k) of the Bank Holding Company Act and the Federal Reserve's implementing regulations at 12 CFR 225.28 and 225.86. The FTC's 2021 amendments and subsequent guidance made clear this includes tax-return preparers, accountants providing financial advisory services, bookkeepers, payroll providers, retail credit extenders, mortgage brokers, real-estate settlement services, check cashers, wire transferors, and many others, not just banks. If your firm prepares tax returns, handles client bank statements, or advises on financial transactions, you are almost certainly subject to the Rule.
Is my small CPA firm actually subject to the Rule?
Almost certainly yes. The Rule applies regardless of firm size; a sole-practitioner CPA who prepares tax returns is a financial institution under 16 CFR 314.2(h). The only meaningful threshold is the 5,000-customer threshold in 314.6, which determines which sections of the Rule apply: firms with fewer than 5,000 customers are exempt from four enumerated requirements (the written risk assessment under 314.4(b)(1), the continuous-monitoring or annual penetration test plus six-monthly vulnerability assessment regime under 314.4(d)(2), the written incident response plan under 314.4(h), and the annual report to the board under 314.4(i)). Everything else, including the 314.4(c) safeguards and the 314.4(j) FTC notification duty, applies to every covered financial institution, regardless of size.
What is a Qualified Individual under 16 CFR 314.4(a)?
The Qualified Individual is a designated person responsible for overseeing, implementing, and enforcing the firm's information security program. They don't have to be an employee, and they don't have to hold a specific credential — but they have to be qualified for the role and report to the firm's senior governance. For most small CPA firms, the practical answer is to designate the managing partner or the firm administrator as the named Qualified Individual, with a contracted managed IT provider supporting the technical execution. The named human bears the accountability; the MSP supports the function.
What does FTC Safeguards Rule compliance actually cost a small CPA firm?
Most Florida CPA firms we work with invest $125-$150 per user per month for FTC-Safeguards-aligned managed IT (Simply IT's Simply Secure or Simply Compliant tiers). A typical 10-person firm (4 CPAs + 6 staff) invests $1,250-$1,500 per month, which covers monitoring, EDR, email security, MFA, encrypted backup, security awareness training, and the WISP + documentation maintenance described in this guide. There are no long-term contracts. Compare that to the typical $80,000-$250,000 cost of recovering from a tax-season ransomware incident plus regulatory penalties and notification costs.
How does the FTC Safeguards Rule differ from HIPAA?
Both are federal data security frameworks but cover different industries. HIPAA (45 CFR Part 164) covers protected health information held by healthcare entities. FTC Safeguards (16 CFR Part 314) covers customer financial information held by non-bank financial institutions, including tax preparers and accountants. They share many practical controls — MFA, encryption, access controls, vendor management, incident response — but the regulatory triggers, definitions, and enforcement agencies differ. A firm that handles both PHI (e.g., a CPA serving medical practice clients with patient billing data) may have obligations under both regimes.
What's the annual reporting cadence under the Rule?
16 CFR 314.4(b)(2) requires periodic risk assessments — the practical cadence is annual. 16 CFR 314.4(i) requires the Qualified Individual to report in writing to the firm's board or equivalent governing body at least annually on the overall status of the information security program, material matters, risk assessment, risk management decisions, service-provider arrangements, results of testing, security events, and recommendations. Firms under 5,000 customers are exempt from the formal board report (314.6) but still benefit from documenting the annual review.
What changed in the 2023 amendment?
The FTC's 2023 amendment to 16 CFR Part 314 (approved October 2023, published November 2023, effective May 13, 2024) added an explicit notification requirement at 314.4(j): covered financial institutions must notify the FTC as soon as possible, and no later than 30 days after discovering, a “notification event” involving unauthorized acquisition of unencrypted customer information of 500 or more consumers. The notification is filed through the FTC's online portal at FTC.gov. This is a hard deadline, significantly faster than HIPAA's 60-day federal notification timeline, and it applies in addition to any state breach notification laws (Florida's FIPA, F.S. 501.171, requires notice to affected individuals within 30 days of determining a breach occurred, and notice to the Department of Legal Affairs within the same window when 500 or more Florida residents are affected).
Are the security implications of Drake and UltraTax different?
Drake Tax and Thomson Reuters UltraTax CS have different deployment models, which drives the security posture. Drake is predominantly installed locally with optional Drake Documents (cloud), so the firm bears more direct responsibility for endpoint encryption, network segmentation, and local backup. UltraTax CS in SaaS mode shifts more infrastructure security to Thomson Reuters but increases reliance on the firm's identity management (MFA, SSO, conditional access) since compromised user credentials grant access to the cloud tenant. Both vendors publish security documentation — firms should obtain the current vendor security attestation as part of their 16 CFR 314.4(f) service-provider oversight obligation.
What secure-portal options do you recommend for CPA firms?
The market leaders we deploy at Florida CPA firms are SmartVault, ShareFile (Progress; formerly Citrix), TitanFile, Thomson Reuters Onvio (if you're already on UltraTax), Drake Portals (if Drake), and Microsoft SharePoint with granular permissions and external-sharing governance. The right choice depends on tax-software integration, client experience, and how the firm handles signature workflows. All of the major options support the encryption-in-transit and at-rest requirements; the differentiators are integration depth, e-signature workflow, and audit logging quality.
Does cyber insurance overlap with FTC Safeguards compliance?
Significantly. The 10 underwriter controls that 2026 cyber insurance carriers require (MFA, EDR, tested backup, email security gateway, patch management, security awareness training, written IR plan, vendor inventory, network segmentation, privileged account management) map directly to the technical safeguards required by 16 CFR 314.4(c). Firms that achieve insurance-ready posture are simultaneously achieving the practical implementation floor for FTC Safeguards. Most underwriters now require attestation of WISP existence on renewal applications for CPA firms.
What if a breach happens during tax season?
Tax season (January 15 through April 15) is when CPA firms are most vulnerable and least able to absorb downtime. The breach-response sequence is identical to any other time of year: (1) call the cyber insurer's breach hotline first, so that the carrier-appointed breach coach (outside counsel) engages forensics and the investigation proceeds under attorney-client privilege; (2) disconnect, but do not power down, affected systems, to preserve forensic evidence; (3) document everything you observe. The 30-day FTC notification clock starts on discovery, not on filing. The breach coach takes over coordination with the FTC, state agencies, and clients. The practical lesson: have the IR plan written, tested, and posted before January 1.
How is Simply IT different from a generic IT provider on FTC Safeguards?
Simply IT is veteran-owned, headquartered in Ocala FL, and treats FTC Safeguards compliance as a first-class deliverable rather than an upsell. Standard onboarding for every CPA-firm client includes designation support for the Qualified Individual role, a written WISP template tuned to the firm's size, the annual risk assessment with documented output, technical safeguards aligned to 16 CFR 314.4(c) and 314.4(d), service-provider oversight templates under 314.4(f), and the audit-ready evidence binder the firm needs if the FTC ever investigates. Same flat monthly fee, no “compliance add-on” pricing games.