The FTC Safeguards Rule (amended June 2023) covers CPA firms of all sizes. It requires a written information security program, designated qualified individual, annual risk assessments, encryption of customer data in transit and at rest, multi-factor authentication, and continuous monitoring or periodic penetration testing. Penalties: up to $100,000 per violation. Zero Delta Security's attack surface assessment maps directly to the FTC's risk assessment documentation requirement.
What Is the FTC Safeguards Rule — and Why Do CPA Firms Care?
The Gramm-Leach-Bliley Act (GLBA) was signed into law in 1999, requiring financial institutions to protect the security and confidentiality of customer financial information. Most people think of banks when they hear "financial institution." The FTC's definition is much broader — and it explicitly includes accountants, tax preparers, and financial planners.
The FTC serves as the primary enforcer of GLBA for non-bank financial institutions. That means CPA firms fall squarely under their jurisdiction. The Safeguards Rule — the specific GLBA regulation governing information security programs — was substantially amended in October 2021, with most requirements taking effect December 9, 2022 for larger firms and June 9, 2023 for firms with fewer than 5,000 customers.
The amended rule is significantly more prescriptive than the original. The original version told you to have a security program. The amended version tells you exactly what that program must contain, who must oversee it, how you must test it, and what you must report to leadership. If your firm provides tax preparation, bookkeeping, payroll services, or financial planning — and virtually every CPA firm does at least some of these — you are a financial institution under GLBA. There are no size exemptions. A two-person practice is covered. A solo practitioner with client tax files is covered.
The Specific Requirements You Must Implement
The amended Safeguards Rule is not vague. It specifies nine categories of safeguards that must be part of your written information security program. Here is the complete compliance checklist:
The MFA requirement deserves specific attention: it applies to any information system that accesses customer information. That means your tax software, your document management system, your email if it contains client data, and your remote access solution all need MFA enabled. "We use strong passwords" is not a compliant answer under the amended rule.
The monitoring and testing requirement gives you two options: continuous monitoring of your systems, or periodic penetration testing and vulnerability assessments. If you choose the periodic testing route, the FTC's guidance is clear that penetration tests should be conducted at least annually and following significant infrastructure changes. An automated vulnerability scan alone does not satisfy the penetration testing requirement — the two are explicitly distinguished in the rule.
The Penalties Are Not Theoretical
FTC enforcement under GLBA is not hypothetical, and the penalty structure creates meaningful financial exposure for small and mid-size CPA firms.
Under the FTC Act, civil penalties can reach $100,000 per violation. Individual violations are not defined at the incident level — regulators can treat each affected customer record, each unencrypted transmission, or each day of non-compliance as a separate violation. The math compounds quickly. Officers and directors face personal liability up to $10,000 per violation, meaning the firm's managing partner cannot simply point to IT as the responsible party and walk away.
Beyond financial penalties, an FTC enforcement action can require the firm to submit to a comprehensive security program audit overseen by an external auditor — for up to 20 years. This is not a slap on the wrist. It means two decades of mandatory external oversight, reporting obligations, and compliance costs that will far exceed the cost of building a compliant program today.
The consequences extend beyond the FTC. State CPA licensing boards have begun treating Safeguards Rule violations as grounds for professional discipline. A federal enforcement action can trigger a state board investigation, creating the possibility of license suspension or revocation separate from any FTC penalty. The FTC has pursued enforcement against accountants and tax preparers under GLBA — this is not a theoretical risk for the profession.
The Gap Between "Having IT" and Being Compliant
Most CPA firms are not sitting on completely unprotected systems. They have a managed IT provider. They use Microsoft 365. They have some form of antivirus. They probably have a firewall. None of that is a written information security program, and none of it constitutes Safeguards Rule compliance.
| What Most CPA Firms Have | What the FTC Safeguards Rule Requires |
|---|---|
| Microsoft 365 with cloud storage | Written encryption policy covering data in transit and at rest, with documented verification |
| Antivirus on workstations | Written risk assessment identifying risks to customer information across all operational areas |
| Password policy in employee handbook | MFA enabled on every system that accesses customer data, with documented enforcement |
| Managed IT provider | Written contract with IT provider requiring equivalent security standards; documented oversight |
| IT manager or senior partner "responsible for security" | Formally designated qualified individual with documented qualifications, annual reporting to board |
| No documented incident history | Written incident response plan, tested and updated annually |
| Annual IT review call with managed provider | Continuous monitoring OR annual penetration test and vulnerability assessment, with documented findings |
Having QuickBooks Online is not an encryption policy. Having antivirus is not a risk assessment. Having a managed IT provider is not vendor oversight documentation. The Safeguards Rule requires governance — written policies, documented procedures, named responsible parties, tested controls, and annual reporting to leadership. Tools without governance are not compliance.
The gap between "we have IT" and "we have a written information security program" is exactly where most CPA firms are exposed. And because the rule is administrative — it does not require a breach to trigger enforcement — firms can be found non-compliant through an audit or complaint even if they have never experienced an incident.
How Zero Delta Security Maps to FTC Requirements
The Safeguards Rule requires a written risk assessment that identifies "reasonably foreseeable internal and external risks" to customer information in each relevant area of your operations. For most CPA firms, the highest-risk external threat surface is the internet-facing layer: the systems, services, and applications that are exposed to the public internet and that attackers can probe before you know they're looking.
An external attack surface assessment is one of the most direct inputs to the risk assessment the FTC requires. It does for your external exposure exactly what the rule demands: it systematically identifies the risks, documents them, and creates a baseline against which remediation can be measured.
Zero Delta Security's assessment identifies every internet-exposed asset associated with your firm's domains: web applications, client portals, mail servers, document management systems, remote access infrastructure, and any shadow IT that has found its way onto your external footprint. We document every misconfiguration, every outdated software version, every missing security control, and every exposed service — with the severity classification and remediation guidance that FTC documentation requires.
Our findings report is structured to be included directly in your compliance documentation. It provides the external risk identification component of your written risk assessment, the evidence of security testing that the monitoring and testing requirement demands, and the baseline against which you can demonstrate ongoing remediation — all in a format your managing partner, your qualified individual, and an FTC examiner can read.
The assessment does not replace all the work of building a compliant program — you still need written policies, internal risk review, vendor contracts, and an incident response plan. But it gives you the most technically demanding piece: documented evidence that you assessed your external attack surface, identified the risks, and have a remediation path. That is exactly what the rule requires, and it is the piece most firms are missing.
For CPA firms that want to understand the full scope of what a security assessment covers, our methodology page explains the testing process in detail. For firms evaluating cost against compliance risk, our pricing page outlines assessment options sized for small and mid-size professional services firms.
See What Your Firm's Attack Surface Looks Like
Run a free external scan to see what the FTC would see if it looked at your internet-facing assets. Then review our methodology to understand how a full assessment feeds your Safeguards compliance documentation.
Frequently Asked Questions
Yes. The FTC Safeguards Rule applies to any "financial institution" under the Gramm-Leach-Bliley Act — and the FTC's definition explicitly includes accountants and tax preparers. If your CPA firm provides financial products or services (which tax preparation, bookkeeping, and financial planning are), you are covered. The amended rule took effect June 9, 2023 for firms with fewer than 5,000 customers (larger firms had a December 2022 deadline). There are no firm-size exemptions — a two-person CPA practice with client tax data is covered.
Penalties can reach $100,000 per violation, with officers and directors personally liable for up to $10,000 per violation. Beyond fines, the FTC can require a comprehensive security program audit overseen by an external auditor for up to 20 years. Civil penalties under Section 5 of the FTC Act have no statutory cap. For CPA firms, state CPA boards may also impose professional licensing consequences separate from the FTC enforcement action.
The amended Safeguards Rule requires you to designate a "qualified individual" to oversee your information security program. This doesn't have to be a full-time CISO — a CPA firm can designate an employee, an affiliate, or an outside service provider (like a managed security provider). The key requirements: they must be qualified (demonstrable knowledge of security practices), you must report to your board or senior leadership at least annually on the status of the program, and the arrangement must be documented.
The FTC Safeguards Rule requires a written risk assessment identifying risks to customer information in each relevant area of operations. An external attack surface assessment is one of the most direct inputs to that risk assessment — it identifies internet-exposed systems, misconfigured services, open ports, outdated software versions, and missing security headers that represent real attack vectors targeting your customer data. Zero Delta Security's assessment produces a findings report that maps directly to the risk assessment documentation the Safeguards Rule requires.
The Safeguards Rule requires "continuous monitoring or periodic penetration testing and vulnerability assessments" — and distinguishes between them. Automated vulnerability scanning alone is unlikely to satisfy the penetration testing requirement. The FTC's guidance indicates that penetration testing should be conducted annually and after significant infrastructure changes. A scan tells you what CVEs exist; a pentest tells you whether those CVEs can be exploited in the context of your specific systems, which is what regulators actually want to see.