85°F Knoxville
Mon–Fri 9–5 ETAnswered by a human
Industries · Accounting

Tax season has enough deadlines. A breach shouldn’t be one.

The FTC Safeguards Rule treats your firm as a financial institution — full written security program required. We build that program and run the IT behind it, so a ransomware note never lands the week before April 15.

What does an outage or breach actually cost an accounting firm?

It's not just downtime. Every client file on your network is a Social Security number, a bank routing number, and a full financial picture — exactly what identity thieves want and exactly what the FTC built the Safeguards Rule to protect. A ransomware hit or a compromised inbox during filing season means missed deadlines you can't get back, client data exposed to fraud, and a conversation with every client you've ever filed for about why their data wasn't safe with you.

<15 min
Response, critical issues
314.4
FTC Safeguards section that applies to you
$150
Per user/month, published

What compliance regime actually applies to a CPA firm?

The FTC Safeguards Rule. The FTC defines tax preparers and accountants as "financial institutions" under the rule, which means a written information security program isn't optional — it's the same legal requirement banks and mortgage lenders answer to, applied to your firm. We map the specific controls the rule requires (314.4) to what you actually run, and hand you the documentation an examiner or a client's due-diligence request expects to see.

Written program

The document the rule requires

A designated security coordinator, documented risk assessment, and the written information security program itself — built once, maintained as your firm changes.

  • Written information security program
  • Designated security coordinator
  • Risk assessment documentation
  • Annual security reviews
Operational controls

What actually protects client data

The technical and procedural side of Safeguards compliance — the part that keeps a breach from happening in the first place.

  • Employee security training
  • Vendor oversight procedures
  • Access controls and encryption
  • Written incident response plan

Why does seasonal deadline pressure raise the stakes?

Most businesses can absorb a day of downtime. An accounting firm in the six weeks before a filing deadline can't — every hour a tax preparer can't log into their return software is an hour of billable, deadline-bound work that doesn't come back. That's also exactly the window attackers target, because they know the pressure to just get back online makes firms more likely to pay a ransom instead of calling for help. We've documented a QuickBooks Desktop Intuit ID login hang that stopped preparers cold mid-season and the workaround that got them back to work — the kind of fix that matters more in March than in July.

What happens if client data is already exposed?

We've stopped a business email compromise wire fraud attempt at a title company mid-transaction — the same email-based fraud pattern that targets accounting firms handling client fund transfers. We've also run a security audit that found client passwords sitting in spreadsheets and documents, which is the kind of gap a Safeguards risk assessment is built to catch before an examiner — or an attacker — finds it first.

How fast can you get us audit-ready?

We've encrypted an entire client fleet with BitLocker in 72 hours against a compliance deadline, and pulled a full 312-asset hardware inventory in 47 minutes for an insurance audit. Those are the two things an examiner or a cyber-insurance carrier asks for first: proof of encryption, and an accurate accounting of every device touching client data.

Straight answers

Accounting firm IT questions

Pricing included — because “call for pricing” is how IT companies hide the number.

See full pricing
Does the FTC Safeguards Rule actually apply to my accounting firm?

Yes. The FTC classifies tax preparers and accountants as "financial institutions" under the Safeguards Rule, which means you're required to maintain a written information security program, not just antivirus software. This applies whether you're a solo preparer or a multi-partner firm — the rule doesn't scale down for firm size.

What happens if we get breached during tax season?

Beyond the FTC compliance exposure, a breach or ransomware event during filing season means missed deadlines and client data exposed to identity theft on top of the outage itself. The cost isn't just downtime; it's the trust of clients who handed you their Social Security numbers and bank routing numbers.

What does a written information security program actually require?

The FTC Safeguards Rule requires a designated security coordinator, a documented risk assessment, access controls and encryption for client data, employee security training, vendor oversight, and a written incident response plan. We build and maintain all of it as part of managed service, not as a one-time binder that goes stale.

Can you help if we've never had a written security program before?

Yes — that's the most common starting point. An FTC Safeguards compliance build (risk assessment, written program, technical controls) is priced from $5,000 as a project, then folds into ongoing managed IT so the documentation stays current instead of expiring the day after you write it.

What if our tax software slows to a crawl during peak season?

Software hangs and login failures during your busiest weeks are exactly the incidents we document and fix at the source — see our report on a QuickBooks Desktop Intuit ID login hang below. We monitor these systems year-round, not just when something breaks in April.

What does this cost?

FTC Safeguards compliance is included in the $150/user/month managed IT base (3-user minimum, month-to-month, no contract). The initial written program build is a separate project, priced from $5,000 depending on firm size and current state.

Advertisement — ours, permanently
Audit-ready before the next deadline hits.

Book fifteen minutes with Corey Watson — the person who builds the Safeguards program, writes the documentation, and answers the phone when your filing deadline is on the line.