FTC Safeguards Rule Compliance for a Multi-Location CPA Firm
How NorthStar built the documentation and security program a multi-location CPA firm needed to meet FTC Safeguards Rule requirements.
The Client
A multi-location CPA firm handling sensitive financial data for hundreds of clients across multiple offices. The amended FTC Safeguards Rule, whose main provisions became enforceable on June 9, 2023, introduced specific technical and documentation requirements the firm had not previously addressed.
The Challenge
- The amended FTC Safeguards Rule (June 2023 compliance deadline) introduced requirements the firm was not meeting
- No Written Information Security Program (WISP) existed
- No Qualified Individual had been designated as required by the updated rule
- Risk assessments had not been conducted or documented
- Multiple office locations created complexity in applying consistent security controls
- Staff handled sensitive client financial data daily with limited security awareness
- Firm needed to demonstrate compliance quickly to satisfy client audit requests
What NorthStar Did
- Conducted a comprehensive risk assessment across all office locations
- Developed the Written Information Security Program (WISP) covering all FTC Safeguards requirements
- Established the Qualified Individual (QI) program with defined responsibilities and reporting structure
- Documented access controls, encryption standards, and data handling procedures for client financial information
- Created vendor oversight documentation for all third-party service providers with access to client data
- Built the incident response plan with notification procedures specific to financial data breaches
- Developed the annual board/management reporting framework required by the Safeguards Rule
- Delivered staff training on data handling, phishing awareness, and the firm's new security policies
Results
- Achieved: Safeguards Rule compliance
- All locations covered
- Complete documentation
- Restored client confidence
The Full Story
The FTC finalized its amended Safeguards Rule in late 2021, but the compliance deadline for its most demanding provisions was pushed to June 9, 2023, and that deadline caught many financial services firms off guard. CPA firms, tax preparers, financial planners, and other non-bank financial institutions under FTC jurisdiction suddenly faced specific technical mandates that had not existed in the original rule: designate a Qualified Individual, conduct documented risk assessments, implement MFA for anyone accessing customer information, encrypt customer information in transit and at rest, and report in writing to the board (or equivalent governing body) at least annually. A further amendment, effective May 2024, added a requirement to notify the FTC within 30 days of discovering a breach affecting 500 or more consumers.
This multi-location CPA firm recognized the gap quickly. They handled sensitive financial data for hundreds of clients across multiple offices. Some of those clients, particularly institutional and corporate accounts, were beginning to ask about the firm's security posture and compliance status. The firm needed to get ahead of the requirement before it became a business risk.
NorthStar started with a risk assessment across all locations. We examined how client financial data moved through the firm's systems: from intake and document upload through processing, storage, and eventual archiving. We identified where data was encrypted and where it was not, who had access and whether that access was appropriate, and what would happen if a laptop were stolen, a phishing email succeeded, or a vendor were compromised. The rule requires that the assessment be written and that it drive the controls the firm adopts, so each finding was tied to a specific safeguard in the program that followed.
From the risk assessment, we built the Written Information Security Program (WISP), the core document the FTC Safeguards Rule requires. The WISP was not a template. It was written specifically for this firm's operations, technology stack, and risk profile. It covered access controls, encryption standards, vendor management, incident response, employee training requirements, and the Qualified Individual's responsibilities.
We established the QI program, defining who within the firm holds the Qualified Individual role, what their responsibilities are, and how they report to firm leadership. The rule allows the QI to be an employee, an affiliate, or a service provider, but the firm retains responsibility for compliance either way, so we documented the role in-house with named backup coverage. The amended Safeguards Rule requires the QI to provide a written report to the board (or equivalent) at least annually covering the overall status of the program and its compliance with the rule, risk assessment findings, risk management and control decisions, service provider arrangements, testing results, security events and management's responses, and recommended changes. We built the reporting template and process so the firm could deliver this consistently every year.
Vendor oversight was a significant piece of the work. CPA firms rely on numerous third-party tools: tax preparation software, document management systems, client portals, cloud storage, and practice management platforms. The Safeguards Rule requires documented oversight of every service provider with access to customer financial information: selecting providers capable of maintaining appropriate safeguards, requiring those safeguards by contract, and periodically reassessing each provider based on the risk it presents. We cataloged every vendor, assessed their security practices, captured the contractual safeguard requirements, and created the oversight documentation the rule demands.
The firm now operates with a compliance program that satisfies the FTC Safeguards Rule and gives their clients confidence that sensitive financial data is being handled with the level of care they expect from their CPA firm.
About the author

Ken Satkunam, CISM
President & Founder, NorthStar Technology Group
Ken has spent over 25 years in IT leadership, serving in roles from technical support to CIO for organizations as large as 23,000 employees. He founded NorthStar Technology Group in 2000 to help regulated organizations build secure, compliant, and operationally resilient technology environments. Ken holds the Certified Information Security Manager (CISM) credential from ISACA and is the co-author of the Amazon best-seller "Cyber Attack Prevention." He has been quoted in industry publications including eWeek and DM News, and NorthStar has been recognized on the Inc. 5000 list in both 2024 and 2025.