
FTC Safeguards Rule for CPA Firms: The Practical IT Controls to Focus on in 2026

Many CPA firms and accounting firms fall under the FTC Safeguards Rule because tax preparation and advisory work qualify as covered financial activities under the Gramm-Leach-Bliley Act. That has been true for years. What changed in 2024 is how exposed weak execution has become.

The amended rule requires financial institutions to notify the Federal Trade Commission as soon as possible, and no later than 30 days after discovery, of a security breach involving the information of at least 500 consumers. That single requirement forces a practical question most firms have not had to answer cleanly before: would you actually know when a reportable incident occurred, and could you prove what controls were in place at the time?

The Safeguards Rule is intentionally outcome-based. It does not tell you which tools to buy or how to configure your environment. As expectations rise in 2026, CPA firms are judged less on intent and more on whether IT controls protect customer information and produce defensible evidence.

This guide breaks down the FTC Safeguards Rule for CPA firms into the specific IT controls that matter in practice and shows how those controls map to a working written information security plan (WISP). This is operational guidance, not legal advice.

Key Takeaways

  • Compliance is more manageable when you translate the FTC Safeguards Rule requirements into a small, repeatable set of IT and operational controls.
  • The goal is consistent protection of customer information and client data, supported by evidence from your risk assessment and ongoing risk management.
  • Clear ownership, simple routines, and steady execution matter more than complex tools or one-time projects.

The safeguards IT checklist for CPA firms

The IRS reports 870,679 individuals with current Preparer Tax Identification Numbers (PTINs) for 2025, underscoring how large the tax-preparer attack surface really is.

Before refining policies or expanding your WISP, you need controls that actually operate across your network, cloud platforms, and offices. Documentation should reflect reality, not aspiration.

A control-first approach closes the gap between the tools you already own and the routines needed to reduce security risks. For CPA firms and accounting firms, a practical safeguards checklist usually covers the areas below, scaled to the sensitivity of customer information, financial information, and taxpayer data you handle.

Access and authentication controls

Access controls are the front line against unauthorized access to sensitive data.

A practical 2026 baseline includes multi-factor authentication (MFA), disciplined identity management, and least-privilege access. MFA should be enforced on email, remote access, administrative accounts, and cloud applications that store customer information or financial data. Enforcing MFA consistently reduces the impact of phishing and stolen credentials during tax season.

Centralized identity management helps streamline onboarding and offboarding across information systems and service providers. Access should be tied to role, reviewed periodically, and promptly removed when staff leave or change responsibilities. Limiting administrative privileges and separating duties further reduces exposure if an account is compromised.
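The periodic access review described above is easiest to defend when it is a repeatable script rather than a spreadsheet exercise. The example below is added here and is not code from the original article or from Tech Advisors; it joins a constructed identity-provider export against a constructed HR roster and returns the three things a reviewer records: accounts whose owner has left, accounts without MFA enforced, and the MFA coverage figure. The `Account` fields, role names, and all sample usernames are assumptions for illustration; a real review would load the same fields from your identity platform's export.

```python
"""Periodic access review: identity export joined against the HR roster.

All sample accounts and staff names below are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    mfa_enforced: bool
    roles: tuple  # e.g. ("staff",) or ("staff", "global_admin")


# Constructed identity-provider export (not real firm data).
ACCOUNTS = [
    Account("asmith", True, True, ("staff",)),
    Account("bjones", True, False, ("staff",)),            # MFA never enforced
    Account("cwu", True, True, ("staff", "global_admin")),  # privileged
    Account("dlee", True, True, ("staff",)),               # left the firm
    Account("svc-backup", True, False, ("service",)),      # service account
    Account("epatel", False, False, ("staff",)),           # already disabled
]

# Constructed HR roster of current staff and partners.
CURRENT_STAFF = {"asmith", "bjones", "cwu", "epatel"}

# Service accounts are not in the HR roster and are reviewed on their own.
SERVICE_ROLE = "service"


def review_access(accounts, current_staff):
    """Return the action lists a quarterly access review has to record."""
    findings = {"disable": [], "enforce_mfa": [], "admins": []}
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account carries no access; nothing to review
        # Human account with no current HR record: offboarding was missed.
        if SERVICE_ROLE not in acct.roles and acct.username not in current_staff:
            findings["disable"].append(acct.username)
        # Any enabled account without MFA is a gap, service accounts included.
        if not acct.mfa_enforced:
            findings["enforce_mfa"].append(acct.username)
        # Privileged accounts get listed so their necessity is re-confirmed.
        if any(role.endswith("admin") for role in acct.roles):
            findings["admins"].append(acct.username)
    return findings


def mfa_coverage(accounts):
    """(covered, enabled, percent) over enabled accounts only."""
    enabled = [a for a in accounts if a.enabled]
    covered = sum(1 for a in enabled if a.mfa_enforced)
    percent = round(100.0 * covered / len(enabled), 1) if enabled else 0.0
    return covered, len(enabled), percent


def review_record(accounts, current_staff, review_date, reviewer):
    """Evidence record for the WISP: who reviewed what, when, with what result."""
    covered, total, percent = mfa_coverage(accounts)
    return {
        "review_date": review_date,
        "reviewer": reviewer,
        "mfa_covered": covered,
        "mfa_total_enabled": total,
        "mfa_percent": percent,
        "findings": review_access(accounts, current_staff),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(review_record(ACCOUNTS, CURRENT_STAFF, "2026-01-15", "IT lead"), indent=2))
```

The coverage figure is computed over enabled accounts only, so disabling a departed user's account both removes the access and stops it dragging the MFA percentage down; that is the order of operations the review should follow.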

Data protection controls

Once identity is controlled, data security depends on how information is stored, shared, and accessed.

Core protections include full-disk encryption on laptops and portable devices, encrypted storage for systems holding client information, and secure handling of backup data. CPA firms should favor secure client portals over email attachments when exchanging tax returns, financial records, and sensitive data with clients or lenders.

Email should enforce basic transport encryption, with additional protections for especially sensitive communications. Mobile and remote access should be governed by clear rules, including device security requirements and MFA. Physical safeguards still matter. Offices, file rooms, and on-prem equipment should be secured to prevent casual exposure of printed records or legacy storage.

These protections should be described clearly in your written information security plan (WISP), including who is responsible for configuration and review.

Detection and monitoring controls

In 2024, IC3 recorded 859,532 complaints and $16.6 billion in reported losses, reinforcing why CPA firms need real monitoring and clear response ownership.

Even strong preventive controls will be tested. Detection and monitoring help you identify issues early and limit damage from security breaches.

For most CPA firms, this means centralized visibility into authentication events, endpoint activity, and key system logs. Continuous monitoring can be real-time through managed services or structured through automation paired with documented review schedules.

Endpoint protection or endpoint detection and response should be treated as a baseline across firm-owned systems. Just as important, alerts must have owners. Someone needs to review them, investigate anomalies, and escalate when necessary.

Monitoring should tie directly to a practical incident response plan that explains how to assess potential data breaches, contain threats, and document actions taken.
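To make "centralized visibility into authentication events" and "alerts must have owners" concrete, here is an added example (not code from the article or from Tech Advisors) that runs two simple review rules over constructed sign-in log lines: a success that follows a burst of failures for the same user, and a sign-in from a country that user has never signed in from. The log line format, the owner names, and the thresholds are assumptions; the point is that each alert leaves the script already tagged with who reviews it.

```python
"""Two review rules over authentication events, each alert assigned an owner.

The log format and all sample lines are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (RFC 5737 documentation IP ranges, not real users).
LOG_LINES = [
    "2026-02-03T08:01:10Z user=asmith result=SUCCESS ip=203.0.113.10 country=US",
    "2026-02-03T08:05:42Z user=bjones result=FAIL ip=198.51.100.7 country=US",
    "2026-02-03T08:05:50Z user=bjones result=FAIL ip=198.51.100.7 country=US",
    "2026-02-03T08:05:58Z user=bjones result=FAIL ip=198.51.100.7 country=US",
    "2026-02-03T08:06:05Z user=bjones result=FAIL ip=198.51.100.7 country=US",
    "2026-02-03T08:06:12Z user=bjones result=FAIL ip=198.51.100.7 country=US",
    "2026-02-03T08:06:30Z user=bjones result=SUCCESS ip=198.51.100.7 country=US",
    "2026-02-03T09:15:00Z user=cwu result=SUCCESS ip=192.0.2.44 country=RO",
    "this line is malformed and must be skipped, not crash the review",
]

# Baseline of countries each user has signed in from (constructed).
KNOWN_COUNTRIES = {"asmith": {"US"}, "bjones": {"US"}, "cwu": {"US"}}

# Every rule has a named owner; an alert nobody owns is an alert nobody reviews.
ALERT_OWNERS = {
    "success_after_failures": "managed SOC (IT partner)",
    "new_country": "firm security lead",
}

LINE_RE = re.compile(r"^(\S+) user=(\S+) result=(SUCCESS|FAIL) ip=(\S+) country=(\S+)$")


def parse(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, result, ip, country = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "result": result, "ip": ip, "country": country}


def detect(lines, fail_threshold=5, window=timedelta(minutes=10)):
    """Return alert records for the two rules, in the order events were seen."""
    alerts = []
    recent_fails = defaultdict(list)  # user -> timestamps of recent failures
    for ev in (parse(line) for line in lines):
        if ev is None:
            continue
        user = ev["user"]
        if ev["result"] == "FAIL":
            recent_fails[user].append(ev["ts"])
            continue
        # A success: count failures inside the window that preceded it.
        fails = [t for t in recent_fails[user] if ev["ts"] - t <= window]
        if len(fails) >= fail_threshold:
            alerts.append({"rule": "success_after_failures", "user": user,
                           "ip": ev["ip"], "failures": len(fails),
                           "at": ev["ts"].isoformat(),
                           "owner": ALERT_OWNERS["success_after_failures"]})
        recent_fails[user] = []
        # Sign-in from a country not in the user's baseline.
        if ev["country"] not in KNOWN_COUNTRIES.get(user, set()):
            alerts.append({"rule": "new_country", "user": user, "ip": ev["ip"],
                           "country": ev["country"], "at": ev["ts"].isoformat(),
                           "owner": ALERT_OWNERS["new_country"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(alert)
```

Note that the malformed line is skipped rather than aborting the run; a review job that dies on one bad record silently stops producing the evidence you later need.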

Vulnerability reduction controls

Vulnerability management focuses on reducing known weaknesses before they are exploited.

At a minimum, CPA firms should maintain structured patching for operating systems, tax software, productivity tools, and remote access platforms. Automation helps deploy updates, but regular reviews are still required to confirm coverage.

Unsupported systems and applications that handle customer information introduce unnecessary vulnerability. These should be retired, migrated, or tightly isolated. Some firms may also use vulnerability scanning or limited penetration testing, depending on size and risk profile.

Review cadence should be tied to your risk assessment. Systems processing sensitive financial data generally warrant more frequent review as emerging threats evolve.

Human risk controls

People interact with customer information every day, making human behavior a central part of cybersecurity.

Security awareness training should be provided to all staff and partners at least annually. Training should cover phishing, handling of sensitive information, acceptable system use, and how to report suspected issues.

Short reminders during peak tax season help reinforce expectations when workload and phishing attempts increase. Periodic phishing simulations, paired with easy reporting, help reduce risk over time. Privileged users and administrators should receive additional training aligned with their elevated access.

Training participation and outcomes should be tracked as evidence within your information security program and WISP.

Continuity and recovery controls

CTIIC (ODNI) tracked 5,289 reported ransomware attacks in 2024, up 15% year over year, supporting the case for tested backups and a practiced incident response plan.

Continuity and recovery controls ensure financial services can continue even during outages or incidents.

Backup practices should cover both on-premises systems and cloud platforms used for tax returns, document storage, and workflow. Firms should maintain multiple backup copies, store at least one copy offsite, and avoid assuming that SaaS retention equals a full backup.

Regular restore testing is essential. Verifying that backups ran is not enough. Document how long restores take and whether recovery meets business needs. Define recovery expectations for core systems and align them with client relationships and filing deadlines.

Tax-season resilience planning should identify priority applications, alternate work arrangements, and communication steps in the event that systems are disrupted.
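"Verifying that backups ran is not enough" is the part most firms skip, so here is an added example of a restore test that produces the evidence record the section asks for. It is not code from the article or from Tech Advisors and works on a constructed sample directory in a temporary location: it backs the directory up to an archive, restores it somewhere else, checks every file's SHA-256 hash against the original, times the restore, and compares that time to an assumed recovery time objective. The archive format and the file names are assumptions; the same shape of record applies whatever backup product you use.

```python
"""Restore test: back up, restore elsewhere, verify hashes, time it, log it.

The sample files are constructed in a temporary directory; nothing real is touched.
"""
import hashlib
import shutil
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_tree(root):
    """Map of relative file path -> SHA-256 for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source, archive):
    """Write the source directory to a gzip-compressed tar archive."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")


def restore_backup(archive, target):
    """Extract the archive into target, refusing unsafe paths where supported."""
    with tarfile.open(archive, "r:gz") as tar:
        # The 'data' extraction filter exists on Python 3.12+ and backports;
        # use it when present so a crafted archive cannot write outside target.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(target, **kwargs)


def run_restore_test(rto_seconds, tested_by="IT partner"):
    """Run one restore test and return the evidence record for the WISP."""
    work = Path(tempfile.mkdtemp(prefix="restore-test-"))
    try:
        source, restored, archive = work / "source", work / "restored", work / "backup.tar.gz"
        # Constructed sample client files (placeholder bytes, not real data).
        (source / "returns").mkdir(parents=True)
        (source / "returns" / "client-0001-2025.pdf").write_bytes(b"%PDF-1.4 sample return\n")
        (source / "workpapers.xlsx").write_bytes(b"constructed workpaper bytes")

        before = sha256_tree(source)
        make_backup(source, archive)

        restored.mkdir()
        start = time.perf_counter()
        restore_backup(archive, restored)
        elapsed = time.perf_counter() - start

        after = sha256_tree(restored)
        record = {
            "tested_by": tested_by,
            "files_expected": len(before),
            "files_restored": len(after),
            "hashes_match": before == after,   # content, not just file count
            "restore_seconds": round(elapsed, 3),
            "rto_seconds": rto_seconds,
            "meets_rto": elapsed <= rto_seconds,
        }
        record["result"] = "PASS" if record["hashes_match"] and record["meets_rto"] else "FAIL"
        return record
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(run_restore_test(rto_seconds=60))
```

Keep each returned record with its date; a series of them is the "backup and restore test log" an insurer or examiner will ask for, and the `restore_seconds` trend is what tells you whether recovery still fits a filing deadline as data volumes grow.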

Evidence CPA firms should be ready to produce

In the 2025 National MAP Survey, 88% of firms reported purchasing cyber liability insurance, so being able to show MFA coverage, backups, and training records is increasingly non-negotiable.

Controls only matter if you can show they exist and operate.

Most CPA firms should be prepared to produce governance documents, including a current written information security plan (WISP) and an incident response plan. These documents should reflect actual safeguards, not generic language.

Supporting evidence typically includes risk assessment results, risk management decisions, training records, asset and patch reports, MFA coverage summaries, backup and restore test logs, and oversight of service providers handling client data.

Many firms also align this evidence with IRS expectations by citing relevant IRS publication guidance for tax preparers, demonstrating that the same controls consistently protect taxpayer data and customer information.

Common compliance missteps to avoid in 2026

Many firms struggle not because safeguards are missing, but because they are poorly maintained.

Common issues include policies that do not match reality, security tools without clear ownership, and backups that are never tested. Vendor sprawl is another frequent problem. Multiple platforms processing client information without consistent security measures increase complexity and risk.

Another recurring gap is the absence of an empowered, qualified individual. When responsibility for the information security program is unclear, reviews lapse, and non-compliance risk grows.

Simple, repeatable routines outperform large, one-time compliance efforts.

How Tech Advisors helps CPA firms operationalize safeguards

Operationalizing the FTC Safeguards Rule does not require building an internal security team, but it does require sustained attention.

Tech Advisors helps CPA firms and accounting firms assess current safeguards against the FTC Safeguards Rule requirements, IRS guidance, and insurance expectations. We design and maintain the information security program, including WISP development, risk assessment, and incident response planning aligned to business needs.

Tech Advisors can act as or support the qualified individual, providing reporting to the governing body, board of directors, or partners. We help manage documentation, monitoring, access controls, backup testing, and automation that helps streamline recurring security tasks.

We also provide education through safeguards-focused webinar sessions and practical plan template resources. Many firms begin with a short webinar, then move into a tailored readiness review.

Final thoughts: Consistent safeguards matter more than complex ones

This article provides operational guidance and does not constitute legal advice regarding the FTC Safeguards Rule or the Gramm-Leach-Bliley Act. Many recommended controls align closely with IRS guidance for tax professionals and help protect both customer information and financial data.

The goal is not maximum complexity. It is consistent, well-owned safeguards that stand up to scrutiny from the Federal Trade Commission, the IRS, insurers, and clients.

If you are unsure where your firm stands, a concise readiness review that maps your existing controls to these expectations is a practical next step.

Request a safeguards readiness review for your accounting firm.

FAQs

What does the FTC Safeguards Rule actually require CPA firms to implement in IT?

CPA firms must implement basic, verifiable IT controls to protect customer information, not just publish policies. At minimum, this includes MFA on email and remote access, encrypted devices, secure client portals, tested backups, and a documented risk assessment. The FTC Safeguards Rule for CPA firms is enforced based on whether controls operate consistently, not which tools you buy.

How do CPA firms prove FTC Safeguards Rule compliance without overloading staff?

You prove compliance by showing evidence that safeguards are owned, reviewed, and tested over time. This typically means maintaining a WISP, access and MFA reports, backup restore tests, and security awareness training records. Most CPA firms rely on a managed IT partner to automate reporting and keep documentation audit-ready year-round.

Is co-managed IT a practical way for CPA firms to meet FTC Safeguards Rule requirements?

Yes, co-managed IT is one of the most practical ways for CPA firms to meet the FTC Safeguards Rule requirements without hiring full-time security staff. Your firm retains control over decisions, while the IT partner handles monitoring, patching, security reporting, and incident readiness. This model reduces compliance risk while maintaining consistent safeguards during tax season.
