What Does the FTC Safeguards Rule Require for a Houston CPA Firm's IT Security?

The FTC Safeguards Rule, significantly updated in 2023, requires every CPA and accounting firm in the United States — including practices in Houston and Dallas — to maintain a written information security program covering at least 9 specific categories of IT controls. Non-compliance can expose your firm to civil penalties of up to $100,000 per violation for the firm and up to $10,000 per violation for individual officers and directors. Despite these stakes, most small and mid-size accounting practices have not implemented a documented security program that meets the Rule's 2023 standards. Here's exactly what your firm needs — and what a managed IT provider should be covering on your behalf.

What Is the FTC Safeguards Rule — and Does It Apply to Your CPA Firm?

The Safeguards Rule is part of the Gramm-Leach-Bliley Act (GLBA), a federal law that governs how financial institutions collect, use, and protect customer information. The FTC expanded the definition of "financial institution" to include CPA firms, tax preparers, investment advisors, and accounting practices — not just banks.

If your Houston CPA firm prepares tax returns, handles payroll, manages client investments, or processes any financial data on behalf of clients, you are covered. The updated Rule took effect in June 2023 for most firms. That means compliance is not optional — it's overdue for most practices that haven't formally addressed it.

There is one limited exception: firms with fewer than 5,000 client records are exempt from three specific requirements (a written risk assessment, a formal incident response plan, and an annual board report). But the remaining six requirements still apply in full — including the mandate for a designated Qualified Individual to oversee your security program and documented evidence of your controls.

The 9 Controls the FTC Safeguards Rule Requires

The Rule breaks your required Information Security Program into nine elements. Each one carries specific implementation expectations:

  • Designate a Qualified Individual to oversee the program — this can be an employee or a third-party IT provider.
  • Conduct a written risk assessment identifying threats to the security, confidentiality, and integrity of client information.
  • Design and implement safeguards to address identified risks — including encryption, access controls, multi-factor authentication (MFA), and secure data disposal.
  • Regularly monitor and test safeguards — through penetration testing, vulnerability scanning, or continuous security monitoring.
  • Train staff on your security policies and how to identify threats such as phishing emails.
  • Monitor service providers who access your client data — require them to implement appropriate safeguards through written contracts.
  • Keep the program current — updating it when your environment, threats, or business practices change.
  • Create a written incident response plan (required for firms with 5,000+ client records) covering detection, containment, notification, and recovery.
  • Report to the board or senior officer annually on the state of your security program and any material incidents.

This is not a theoretical checklist. The FTC actively audits financial institutions and has brought enforcement actions against firms that failed to implement documented programs.

How Managed IT Satisfies These FTC Safeguards Requirements for CPA Firms

A properly scoped managed IT plan addresses most of the nine FTC Safeguards requirements directly. Here's how the controls map for a Houston or Dallas accounting practice:

Designated Qualified Individual

Your managed IT provider can serve as your Qualified Individual under the Rule. This gives you a documented point of accountability without needing to hire a full-time CISO or IT director — a realistic option for most 5–50 person CPA firms.

Encryption, MFA, and Access Controls

MFA is required for any system that accesses client financial information. Your managed IT provider should be enforcing MFA on Microsoft 365 or Google Workspace, managing which employees have access to which systems, and applying least-privilege access policies. For a CPA firm, that includes your tax software, client portals, accounting platforms, and email.

Continuous Monitoring and Threat Detection

The Rule's monitoring requirement is addressed through endpoint detection and response (EDR) with 24/7 security operations center (SOC) coverage. This means trained security analysts are watching your systems around the clock — not just during business hours. Any suspicious activity triggers an immediate investigation and response, not a ticket that sits in a queue until Monday morning.

Dark Web Monitoring and Credential Exposure

Leaked employee credentials are one of the most common entry points for cyberattacks on professional services firms. Dark web monitoring scans criminal forums and breach databases continuously for your firm's email addresses and passwords. When a match is found, your IT team is alerted immediately so compromised credentials can be reset before they're used against you.

Staff Security Training

The Rule explicitly requires staff training. Phishing simulation and security awareness training delivers this in an ongoing, measurable way — sending realistic phishing test emails to your staff and tracking who clicks. Employees who fail tests get targeted follow-up training. This creates a documented record of training activity that directly satisfies the Safeguards Rule's staff training requirement.

Email Security and DMARC/SPF/DKIM

CPA firms are high-value targets for business email compromise (BEC) — attackers impersonate partners or clients to redirect wire transfers or steal tax documents. Managed email authentication (DMARC, SPF, and DKIM) prevents criminals from spoofing your firm's domain, while advanced email filtering stops phishing and malware before it reaches inboxes. Both controls are part of a complete Safeguards Rule compliance posture.
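To make the email-authentication control concrete, here is an added example (not code from the original page or from Scorpion Technology) that audits a domain's SPF and DMARC TXT records for the weak settings that leave it spoofable; the records and the `example-cpa.test` domain are constructed sample data, not real DNS, and DKIM (a per-selector key) is out of scope here.

```python
# Constructed sample TXT records for a fictional firm, one weak and one hardened.
WEAK = {"spf": "v=spf1 include:spf.protection.outlook.com +all",
        "dmarc": "v=DMARC1; p=none"}
HARDENED = {"spf": "v=spf1 include:spf.protection.outlook.com -all",
            "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example-cpa.test; pct=100"}

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def mechanism(term):
    """Mechanism name of an SPF term: 'include:x' -> 'include', '-all' -> 'all'."""
    return term.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0].lower()


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: no v=spf1 record, so receivers cannot check the sending host"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all", "?all"):  # neutral or pass for every host on the internet
        findings.append("SPF: '%s' lets any host pass; end the record with -all" % terms[-1])
    elif last not in ("-all", "~all"):
        findings.append("SPF: no terminal 'all'; unknown senders are neither passed nor failed")
    lookups = sum(1 for t in terms[1:] if mechanism(t) in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append("SPF: %d DNS lookups exceed the limit of 10 (permerror)" % lookups)
    return findings


def audit_dmarc(record):
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: no v=DMARC1 record; SPF/DKIM results are never enforced"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":  # monitor-only: spoofed mail is still delivered
        findings.append("DMARC: p=none only monitors; move to quarantine, then reject")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports to review")
    if int(tags.get("pct", "100")) < 100:
        findings.append("DMARC: pct=%s applies the policy to only part of the mail" % tags["pct"])
    return findings


def audit(records):
    """Combine SPF and DMARC findings; an empty list means no weak settings found."""
    return audit_spf(records.get("spf", "")) + audit_dmarc(records.get("dmarc", ""))
```

Run `audit(WEAK)` and `audit(HARDENED)` to compare; in practice the records would be fetched from DNS and the audit rerun whenever the mail platform or a third-party sender changes.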

Cloud Backup and Data Protection

The Safeguards Rule's data integrity requirements include protecting client information from loss, corruption, and unauthorized access. Microsoft 365 and Google Workspace backup with 1-year retention ensures your firm can recover from ransomware, accidental deletion, or a vendor outage — and provides documented evidence of your data protection controls.

What Happens If Your CPA Firm Isn't Compliant?

The consequences of non-compliance go beyond FTC penalties. Here's the realistic risk picture for a Houston or Dallas accounting practice:

  • FTC civil penalties of up to $100,000 per violation for the firm; up to $10,000 for individual officers.
  • Client notification requirements — a breach affecting client financial data may trigger notification obligations under the FTC's Safeguards Rule and Texas state law.
  • Professional liability exposure — failure to implement required safeguards could constitute negligence, affecting your E&O coverage and malpractice exposure.
  • Reputational damage — for a firm built on trust, a publicized breach or enforcement action can cost you clients and referrals that took years to build.
  • Loss of client data — a ransomware attack or credential compromise can mean losing access to years of client records during tax season — the worst possible time.

The FTC has been increasingly active in bringing enforcement actions. And unlike many regulatory frameworks, the Safeguards Rule does not require a breach to trigger an investigation — the absence of a documented program is itself a violation.

How a Houston CPA Firm Closed Its Compliance Gaps in 60 Days

A 12-person Houston CPA firm specializing in tax and advisory services came to Scorpion Technology after their previous IT provider told them they were 'probably fine' on security — with no documentation to back it up. When we conducted an initial assessment, we found:

  • No MFA enforced on Microsoft 365 — any employee password compromise would give an attacker full access to all client tax files.
  • No dark web monitoring — two employee email addresses were already listed in criminal breach databases.
  • No email authentication (DMARC/SPF/DKIM) — the firm's domain could be spoofed to impersonate partners in wire transfer requests.
  • No documented security program — meaning the firm had zero written record of its controls for FTC compliance purposes.

Within 60 days of onboarding to Scorpion's Assured plan, the firm had enforced MFA across all users, activated dark web monitoring with immediate credential alerts, implemented DMARC/SPF/DKIM on their domain, and received a written security program document they could present to the FTC or a client on request.

Result: Zero security incidents in the 12 months following onboarding

Monthly investment: $2,000/mo — less than one hour of their billable rate per week, and fully deductible as a business expense.

Scorpion Technology: Managed IT for CPA Firms in Houston and Dallas

Scorpion Technology has served small businesses and healthcare practices across Houston, Dallas, Austin, and San Antonio for over 19 years. We specialize in HIPAA-compliant IT for medical practices and professional services firms — including CPA firms that need to satisfy the FTC Safeguards Rule without hiring a full-time IT director. Our Assured plan includes the core controls the Safeguards Rule requires: MFA enforcement, dark web monitoring, phishing simulation and security awareness training, email authentication (DMARC/SPF/DKIM), endpoint detection and response with 24/7 SOC coverage, and Microsoft 365 backup with 1-year retention.

Every managed client gets a 60-minute guaranteed response time, a dedicated local team, and a Quarterly Technology Business Review that documents your security posture — giving you a written record you can present to the FTC, a client, or your malpractice insurer. We sign Business Associate Agreements and service agreements that satisfy the Safeguards Rule's third-party oversight requirements.

Learn more at ScorpionITSupport.com or call 713-623-1266.