Plain-English guides to the cybersecurity regulations that apply to professional service firms — what they require, what the penalties look like, and how an attack surface assessment maps to compliance documentation.
The amended FTC Safeguards Rule covers CPA and tax-preparation firms of all sizes, with most provisions in force since June 2023. It requires a written information security program, a designated qualified individual, a written risk assessment that is periodically revisited, MFA for anyone accessing customer information, and annual penetration testing with vulnerability assessments at least every six months. The FTC can seek civil penalties per violation, commonly cited at up to $100,000 per violation.
HIPAA Security Rule administrative, physical, and technical safeguards explained without the legalese. A risk analysis is explicitly required. OCR civil penalties start from a statutory range of $100 to $50,000 per violation, tiered by culpability and adjusted upward for inflation each year. A missing or undocumented risk analysis is the most common finding in OCR enforcement actions.
The amended Regulation S-P requires a written incident response program, customer notification as soon as practicable and no later than 30 days after the firm becomes aware of a breach, and documented oversight of service providers. Smaller RIAs have until June 3, 2026 to comply (larger entities had until December 3, 2025). SEC examination priorities list cybersecurity among the top focus areas.
ABA Model Rule 1.6(c) makes reasonable cybersecurity efforts an ethics obligation. State bars in NY, CA, and FL have issued guidance with specific requirements beyond the ABA baseline. Law firms hold three categories of extraordinarily high-value data, and attackers know it. In the ABA's 2023 Cybersecurity TechReport, 29% of responding firms reported a breach.
Run a free external scan to see what's visible from outside your perimeter — the same view an attacker gets before they target your clients. Takes 60 seconds.