Cybersecurity & Compliance for Accounting Firms: WISP, FTC Safeguards & SOC 2
IT security and compliance for accounting firms without an IT team: the FTC Safeguards Rule, the IRS WISP requirement, and SOC 2, explained plainly.
Accounting firms hold some of the most concentrated sensitive data of any small business: Social Security numbers, bank account details, full financial statements, and signed tax returns for hundreds or thousands of clients. That makes even a five-person CPA firm a high-value target — and, under federal rules that most firms don't realize apply to them, legally responsible for protecting it.
Most small and mid-sized accounting firms have no IT department. Security lives with an office manager, an outsourced break-fix vendor, or whichever partner is least uncomfortable with technology. This guide lays out what a firm actually has to do, what's legally required, and how to cover it without hiring an internal team.
The short answer
If your firm prepares tax returns or provides financial services, you are almost certainly a "financial institution" under the Gramm-Leach-Bliley Act (GLBA) and subject to the FTC Safeguards Rule. That means a written security program is not optional — it's federal law, enforced by the FTC, and the IRS requires a Written Information Security Plan (WISP) as a condition of maintaining your PTIN.
Beyond the legal floor, SOC 2 is increasingly what larger clients ask for before they hand a firm their books. The good news: the same underlying controls satisfy all three. You build the program once.
Why accounting firms are targeted
Attackers follow the data, and accounting firms are a concentration point:
- Tax-season phishing and wire fraud. Firms are hit with fake client emails requesting last-minute wire changes, W-2 and refund fraud, and business email compromise (BEC) that impersonates a partner to a staff accountant.
- Ransomware during peak load. An attack in March, when returns are due, gives the attacker maximum leverage. Downtime isn't an inconvenience — it's missed filing deadlines and client penalties.
- Credential theft. One reused password on a tax-prep portal or email account can expose an entire client roster.
The firms that get hit are rarely negligent. They're busy, understaffed on the technology side, and operating on the assumption that "we're too small to be a target." Attackers count on exactly that assumption.
What the law actually requires
The FTC Safeguards Rule (GLBA)
The FTC Safeguards Rule applies to "financial institutions," a category the FTC defines broadly enough to include tax preparers, CPAs, and accounting firms that provide financial services. Since the amended rule took full effect in mid-2023, covered firms must maintain a written information security program that includes, at minimum:
| Requirement | What it means for a small firm |
|---|---|
| Designate a Qualified Individual | One named person accountable for the security program (can be outsourced) |
| Risk assessment | A documented review of where client data lives and how it's exposed |
| Access controls | Least-privilege access; no shared logins to tax software or email |
| Encryption | Client data encrypted at rest and in transit |
| Multi-factor authentication (MFA) | On email, tax software, remote access, and cloud storage |
| Vendor oversight | Security expectations for your tax-prep, cloud, and portal providers |
| Incident response plan | A written plan for what to do when — not if — something happens |
| Ongoing monitoring and staff training | Logging, testing, and annual security awareness training |
The FTC can bring enforcement actions and levy penalties for non-compliance. For a small firm, the more likely trigger is a breach that draws regulatory attention — at which point the absence of a documented program becomes its own liability.
The IRS WISP requirement
Separately, the IRS requires every professional tax preparer to have a Written Information Security Plan — a WISP — under the same GLBA framework. The IRS spells this out in Publication 4557, "Safeguarding Taxpayer Data," and provides a fillable template in Publication 5708. A current WISP is effectively a condition of maintaining your PTIN, and the IRS asks about it during renewal.
A WISP is not a one-time PDF you file and forget. It has to describe controls you actually operate — MFA that's really enforced, backups that are really tested. A plan that doesn't match reality is worse than none in an examination.
SOC 2 — the client-driven requirement
Nothing legally forces a firm to get SOC 2. But it increasingly shows up in a different way: a larger client, a private-equity-backed company, or an outsourced-accounting engagement asks, "Are you SOC 2?" before they'll share their financial systems. SOC 2 is a third-party attestation that your controls are designed and operating effectively — the credential that lets a firm win bigger, more security-conscious clients.
For accounting firms that offer outsourced controllership, bookkeeping, or fractional CFO services, SOC 2 is quickly moving from "nice to have" to "table stakes." If you want the full picture of timeline and cost, see our breakdown of what SOC 2 actually costs and a realistic SOC 2 timeline.
The good news: one program covers all three
The FTC Safeguards Rule, the IRS WISP, and SOC 2 draw on the same core controls. Build these once and you satisfy the legal floor and most of a SOC 2 report:
- Identity and access — MFA everywhere, unique logins, least-privilege roles, prompt offboarding.
- Data protection — encryption at rest and in transit, controlled use of USB drives and personal devices, secure client file exchange (not email attachments).
- Email and phishing defense — DMARC, SPF, and DKIM so no one can spoof your domain, plus filtering and staff training against BEC and W-2 fraud.
- Endpoint and patching — managed antivirus/EDR, automatic updates, and encrypted laptops.
- Backup and recovery — tested, offline-capable backups so a ransomware hit in March doesn't cost you the season.
- Written policies and the WISP — the documentation the FTC and IRS require, kept current.
- Monitoring and response — logging, alerting, and a rehearsed incident-response plan.
None of this is exotic. What makes it hard for a small firm is that it's a continuous program — not a project you finish — and it has to keep running through tax season when no one has spare time.
The "no IT team" problem
Here's the trap most firms fall into. The work above needs someone who (a) understands both accounting-firm risk and modern cloud/security tooling, (b) is available year-round, and (c) actually maintains the program instead of writing a WISP once and shelving it. Hiring that person internally is expensive and hard — a competent security-minded IT hire runs well over six figures, and a firm of 15 people can't keep one busy or current.
The realistic options:
| Approach | Reality for a small firm |
|---|---|
| Do nothing / break-fix vendor | Cheapest until a breach or failed exam; no program, no documentation |
| Hire internally | $120K+ fully loaded; hard to recruit; single point of failure |
| Compliance software alone | Tracks controls but doesn't implement or operate them — you still need hands |
| Managed provider | A team operates the program year-round; you get the WISP, the controls, and the coverage without headcount |
This is exactly the gap PlatOps was built for: security and compliance for firms without an internal IT team — an entire ops team, without the headcount, for 50–70% less than hiring one in-house.
Where to start: a fixed-scope sprint, not an open-ended retainer
The hardest part is the first step, because "get compliant" feels unbounded. It doesn't have to be. A fixed-scope engagement gets you from unknown to documented-and-covered on a known timeline and price.
Our SOC 2 Readiness Sprint is a 30-day, fixed-fee engagement that produces an honest gap assessment against your actual environment, closes the fast wins (MFA, access control, policies), and gives you an auditor-ready roadmap. For a firm that also needs its FTC Safeguards / IRS WISP baseline in order, that same assessment is the foundation of the written program the law requires — you leave knowing exactly where you stand and what's left.
The point of a sprint is a firm "yes." A $5,000 fixed-scope assessment with a defined deliverable is a decision a managing partner can make in one meeting — unlike an open-ended monthly retainer that never quite gets approved.
A practical first-90-days checklist
If you do nothing else this quarter, do these:
- Turn on MFA for email, tax software, remote access, and cloud storage — today.
- Confirm you have a current WISP that matches what you actually do (not a template from three years ago).
- Verify backups exist and have been restored in a test — before tax season, not during.
- Set up DMARC so attackers can't spoof your firm's domain to your clients.
- Write down who is accountable for security (your Qualified Individual).
- Run one phishing-awareness session with staff before the busy season.
That list alone closes the gaps behind most accounting-firm breaches.
What to do next
Accounting firms don't get breached because the controls are complicated. They get breached because no one owns the program, it never gets maintained, and "we're too small to be a target" holds right up until the day it doesn't.
You have a legal obligation (FTC Safeguards Rule + IRS WISP), a growing client expectation (SOC 2), and no internal team to carry it. The fastest way to close that gap is a fixed-scope assessment that tells you exactly where you stand and gets the fast wins done.
Get a free assessment and we'll map your firm's specific gaps against the FTC Safeguards Rule, your IRS WISP obligation, and SOC 2 — or book a strategy call to talk through your busy-season risk before it arrives. If you already know SOC 2 is on your roadmap, start with the 30-day SOC 2 Readiness Sprint. For the bigger picture on running a firm without in-house IT, see IT and security for businesses without an IT team.
Put this into practice
Get a free assessment of your current security and infrastructure posture, or check your email security in 30 seconds.
Related Articles
SOC 2 Common Audit Findings: The 8 Issues We See in Every Audit
The eight most common SOC 2 audit findings that delay certification—with exact remediation steps so you can fix them before your auditor flags them.
SOC 2 Type I vs Type II: Which Do You Need First?
SOC 2 Type I and Type II serve different purposes and different buyers. Here's exactly when each makes sense, what they cost, and how to sequence them strategically.
SOC 2 Compliance Cost: What Startups Actually Pay in 2026
A detailed breakdown of SOC 2 compliance costs for startups in 2026—auditor fees, tooling, consultant rates, hidden costs, and how to reduce your total spend without cutting corners.
Get articles like this in your inbox
Practical security, infrastructure, and DevOps insights for teams in regulated industries. Published weekly.