IRS Publication 4557 – Safeguarding Taxpayer Data
CPA firms are lucrative targets for hackers. They store, send, and receive Personally Identifiable Information (PII) for a living. Because CPA firms...
As a CPA firm, you are the guardian of countless pieces of sensitive information. This leads to exceptionally high security compliance requirements – something every CPA firm should be aware of and take seriously.
When it comes to the Federal Trade Commission's (FTC) Safeguards Rule, there are certain requirements specific to CPA firms. This guide covers what your firm needs to know to maintain compliance with the revised FTC Safeguards Rule, avoid fines, and adequately protect your clients' information.
In a nutshell, the rule requires financial institutions within the FTC's jurisdiction to put proactive measures in place that protect customer information and keep it secure.
The FTC recently hosted a national forum, asked for public comments, and reviewed commentary from consumers and businesses. The result is a revised Standards for Safeguarding Customer Information, also often referred to as the Safeguards Rule.
The stakes are high for CPA firms. Under the revised rules, penalties are serious: firms risk penalties of $100,000 per violation and $43,000 per day for each consent violation, in addition to other potential fines for not maintaining compliance.
If the answer to either or both of these questions is "no," it is time to take a closer look at what your CPA firm is doing to prioritize cybersecurity. The new publication linked below is an important reminder of the responsibility of CPA firms to ensure their business practices reflect current protocols and laws and address new security risks.
Additional information from the FTC:
Understand whether you must comply with all nine elements of the information security program requirement, or whether your firm is small enough to be exempt from some of them.
If your firm has ever held fewer than 5,000 consumer records, two elements have a reduced scope and two of the nine elements do not apply (reference). Unfortunately, unless you are a startup with only a few clients, you likely exceed the record limit and need to comply with all nine elements.
Here is a quick way to calculate how many consumer records you have access to:
For most firms, this total will exceed 5,000, because access to just one or two large clients' bookkeeping systems exposes you to thousands of records that count toward the FTC's benchmark.
When your business deals with private financial information, you have no choice but to take cybersecurity seriously.
PK Tech was founded with a deep history of supporting CPA firms in maintaining compliance and security for their clients. If this blog has inspired you to make a cybersecurity update, we would love to support you. At PK Tech, we work with small to medium-sized businesses, and specifically several CPA firms, in the Greater Phoenix Area to provide IT security assessments, ongoing support, and help on special consulting projects.
Evaluate your FTC Safeguards Rule readiness by taking our quiz, then schedule a time to chat with our team to determine your next steps as a firm.