When the Federal Trade Commission expanded the Safeguards Rule in 2021, with major requirements taking effect in 2023, most CPA firms missed the memo. The rule applies to "financial institutions" — and a lot of accounting professionals reasonably assumed that didn't mean them.
It does. The FTC interprets "financial institutions" broadly under the Gramm-Leach-Bliley Act, and tax preparers, accountants who advise on financial products, and firms that handle financial information for clients generally fall within scope. If your firm prepares taxes, advises clients on financial decisions, or stores client financial records — you're in scope.
What the Rule Actually Requires
The 2023 Safeguards Rule update is more prescriptive than the original. It requires a written information security program with specific elements, not just "reasonable security." Here's what your firm needs in place:
- Designated Qualified Individual responsible for the information security program
- Written risk assessment, reviewed periodically
- Access controls including multi-factor authentication for systems accessing customer information
- Data inventory documenting what customer information you collect, where it's stored, and how it flows
- Encryption of customer information in transit and at rest, where reasonable
- Secure development practices for applications that handle customer data
- Continuous monitoring or periodic penetration testing and vulnerability assessments
- Workforce training including phishing awareness
- Vendor oversight including written agreements and periodic assessment
- Written incident response plan with breach notification procedures
- Annual report from the Qualified Individual to the firm's governing body
The MFA Question Trips Up Almost Everyone
The single most common gap we see at accounting firms is multi-factor authentication. The rule requires MFA on any system that accesses customer information — and that includes email (where firms send and receive financial documents), the firm's file storage, tax preparation software, accounting systems, and remote access tools.
It's not enough to have MFA available. It needs to be enforced, documented, and exception-managed. If your firm allows partners or staff to opt out of MFA "because it's annoying," you have a gap.
The Written Plan Is Not Optional
The Safeguards Rule explicitly requires a written information security program. Verbal commitments, "we use a good IT company," and "we're HIPAA compliant for our medical clients" are not the program. The written plan must address each of the rule's required elements specifically.
This is also where the IRS Publication 4557 connects — tax practitioners have separate IRS requirements that overlap substantially with the FTC rule but include their own specifics around the Written Information Security Plan (WISP).
What to Do This Quarter
- Designate your Qualified Individual in writing and document their responsibilities
- Conduct a written risk assessment if one hasn't been done in 12+ months
- Audit MFA coverage across email, file systems, tax software, and remote access
- Inventory where customer information lives — including personal devices, email archives, and cloud apps
- Document and sign written agreements with every vendor that touches customer data
- Schedule workforce training and document completion records
- Draft or update the written information security program to cover all required elements
The Safeguards Rule isn't going away. Enforcement has been gradually increasing, and the FTC has signaled it intends to be more active in this space. The question isn't whether to address this — it's whether you'd rather do it on your own timeline or under deadline pressure after an incident.