Financial Services

How to Choose a Managed IT Provider for Financial Services

Ken Satkunam, CISM

March 19, 2026 · 10 min read


For most CPA firms and financial advisory practices, the decision to outsource IT to a managed service provider (MSP) is driven by practical necessity: the firm lacks the internal expertise to manage its technology environment, compliance obligations have become too complex to address informally, or a security incident made the cost of inadequate IT support suddenly very clear. Whatever the catalyst, choosing the right IT partner for a financial services firm is fundamentally different from selecting an MSP for a general business. Your regulator — the FTC, through the Safeguards Rule, and potentially FINRA or the SEC — has specific requirements for how you oversee your service providers. Choosing the wrong IT partner doesn't just hurt your operations; it can put you out of compliance with federal law.

What Does the FTC Safeguards Rule Require When You Hire an IT Provider?

The FTC Safeguards Rule (16 CFR Part 314, Section 314.4(f)) is explicit about your obligations when engaging service providers who access customer information. The rule states the obligation as three elements; in practice they break down into four tasks:

  • Select service providers capable of maintaining appropriate safeguards: You are required to take reasonable steps to vet your IT provider's security posture before engaging them — not just take their word for it. This means reviewing their audit reports, security documentation, and references.
  • Enter into written contracts that obligate the provider to implement and maintain appropriate safeguards: A vendor agreement that doesn't include specific security obligations is non-compliant. The contract must spell out what security controls the MSP will maintain, how they will protect your customer information, and their obligations in the event of a breach.
  • Monitor your service provider's work: The Safeguards Rule requires ongoing oversight — not a one-time vetting at contract signing. You must build in mechanisms to assess the continued adequacy of your provider's safeguards.
  • Periodically reassess their suitability based on the risk they present: As your business changes and new threats emerge, your provider's capabilities must keep pace. Section 314.4(f)(3) requires you to reassess each provider periodically, with the depth and frequency of the review scaled to the risk that provider presents.

The FTC has already enforced these requirements. In the Ascension Data & Analytics case, the FTC charged the company with violating the Safeguards Rule specifically by failing to oversee service providers and failing to identify reasonably foreseeable risks to customer information. Choosing an IT provider without performing proper due diligence isn't just a business risk — it's a federal compliance failure.

What Security Certifications Should a Financial Services MSP Have?

Not all IT providers are equipped to serve regulated financial services clients. When evaluating candidates, look for specific credentials and capabilities that indicate the provider understands your regulatory environment:

  • SOC 2 Type II report: SOC 2 is an attestation report issued by an independent CPA, not a certification, and the distinction matters when you ask for it. A SOC 2 Type II report states that the MSP's security controls were tested and found to operate effectively over a review period (typically six to twelve months). Type II is meaningfully different from Type I, which only verifies that controls are designed appropriately at a point in time, not that they actually work. The Safeguards Rule does not name SOC 2, but a current Type II report is the most widely accepted evidence that you selected and are monitoring a capable provider under Section 314.4(f). Read the report, not just the cover page: check that the review period is recent, that the systems in scope actually include the services you are buying, and that any exceptions the auditor noted have been remediated.
  • CISM or CISSP-credentialed leadership: The Certified Information Security Manager (CISM) and Certified Information Systems Security Professional (CISSP) designations indicate that the provider's security leadership has demonstrated knowledge of information security management beyond general IT practice. For a firm subject to FTC Safeguards, this is relevant — the Qualified Individual required by Section 314.4(a) may be an employee of a service provider, but that provider must have appropriate expertise. Note that outsourcing the role does not outsource the accountability: when the Qualified Individual works for a service provider, Section 314.4(a) still requires your firm to retain responsibility for compliance, to designate a senior member of your own staff to direct and oversee the Qualified Individual, and to require the provider to maintain an information security program that protects your firm.
  • Experience with financial services compliance specifically: Ask for specific references from CPA firms, RIAs, or broker-dealers. A provider that primarily serves manufacturing or retail clients may have general IT competence but lack the regulatory fluency required to manage your GLBA, FINRA, or IRS compliance environment effectively.
  • Incident response capability and documented IR plan: The FTC Safeguards Rule requires you to have a written incident response plan (Section 314.4(h)). Your MSP should either provide this capability directly or support its development. Ask specifically how the provider would handle a ransomware event, a suspected breach of client data, and the 72-hour notification clock under your cyber insurance policy.

What Questions Should You Ask a Potential MSP During Due Diligence?

The due diligence process for selecting a financial services IT provider should cover both technical capability and regulatory alignment. Essential questions include:

  • Can you provide your SOC 2 Type II report? If the answer is no or the provider only has a SOC 2 Type I, understand why. Some smaller MSPs have alternative certifications, but the absence of Type II documentation makes your Safeguards Rule vendor oversight obligation harder to fulfill.
  • Do your service agreements include specific security obligations as required by the GLBA Safeguards Rule? Review the actual contract language. Vague commitments to "industry-standard security" are not the same as contractually specified controls.
  • What is your process for managing patches and updates on client systems? Unpatched, internet-facing systems are one of the most common entry points in the incidents that reach the claims desk, and cyber insurance applications routinely ask about patching practice; a misstatement there can jeopardize coverage. The provider should have a documented, automated patching process with SLAs for critical patches, exception handling for systems that cannot be patched on schedule, and reporting that shows you current patch compliance rather than asking you to trust it.
  • How do you manage MFA deployment and enforcement across client environments? Section 314.4(c)(5) of the FTC Safeguards Rule requires multi-factor authentication for any individual accessing any information system, unless your Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls. Your MSP should have a clear policy for deploying and enforcing MFA — not just recommending it — and that policy must cover the MSP's own administrative access to your environment, including remote management tools, not only your staff's logins.
  • What are your breach notification procedures? Under Section 314.4(j), you must notify the FTC as soon as possible, and no later than 30 days after discovery, of a notification event (unauthorized acquisition of unencrypted customer information) involving at least 500 consumers. Most cyber insurance policies require notification within 48–72 hours. Does the MSP have a documented process for detecting, containing, and reporting incidents within those windows, including a contractual commitment to tell you promptly about incidents on their own systems that affect your data?
  • How do you handle data when our relationship ends? Data portability and secure deletion at contract termination are both operational and compliance requirements. You need to know that client financial data can be retrieved and that it will be securely destroyed from the provider's systems.
  • What security awareness training do you provide for our staff? Your staff are a primary attack vector, and the Safeguards Rule's risk management requirements (Section 314.4(b)) contemplate human-factor risks. The provider should either offer security awareness training directly or help you procure and deploy it.

What Red Flags Should Disqualify an IT Provider for Financial Services?

Some provider characteristics should be immediate disqualifiers for any firm subject to GLBA or FTC Safeguards requirements:

  • No written security documentation: If a provider cannot produce their own security policies, incident response procedures, or evidence of their security controls, they cannot help you build yours. The Safeguards Rule requires documented programs — providers who operate informally cannot support that requirement.
  • Resistance to contract security provisions: An MSP that pushes back on including specific security obligations in the service agreement is telling you something important about how they view their security responsibilities. The Safeguards Rule requires those contract provisions — a provider unwilling to include them is not a compliant choice.
  • No financial services references: General IT competence is not the same as financial services compliance knowledge. A provider that has never worked with a CPA firm or financial advisory practice may not know what a WISP is, may not understand FINRA recordkeeping requirements, and may not recognize the IRS Publication 4557 obligations that apply to tax preparers.
  • Reactive-only support model: Financial services firms need proactive monitoring, not just helpdesk ticket response. Section 314.4(d) of the Safeguards Rule requires you to regularly test or monitor the effectiveness of your safeguards: either continuous monitoring, or, absent continuous monitoring, annual penetration testing plus vulnerability assessments at least every six months. A provider that only responds to problems you report can satisfy neither path.
  • Subcontracting without transparency: MSPs that subcontract core functions (monitoring, helpdesk, security operations) to third parties without disclosing it create additional vendor layers that your Safeguards Rule oversight obligation must address. You are responsible for all tiers of your service delivery chain.

How Does GLBA Vendor Management Apply to Your Tax Software Vendors Too?

An important point that many accounting firms miss: the GLBA Safeguards Rule's vendor oversight requirements apply to all service providers who access customer financial information — not just your MSP. This includes your tax software platform (Wolters Kluwer, Thomson Reuters, Intuit Pro), your document management system, your client portal, your payroll processor, and any cloud-based collaboration tools that staff use for client work.

The rule's definitions (Section 314.2) define "service provider" broadly as "any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution," and Section 314.4(f) attaches the oversight obligations to every entity that meets that definition. Every vendor in your technology stack that touches client data must be covered by a written agreement with appropriate security provisions.

In practice, large software vendors typically offer standard data processing agreements (DPAs) or security addenda that satisfy this requirement — but you must request them and execute them. Many small firms have never reviewed whether their Thomson Reuters or Wolters Kluwer agreements include Safeguards-compliant security provisions. If your firm is subject to a Safeguards audit or investigation and cannot produce compliant vendor agreements for all service providers handling client data, that is a compliance failure regardless of how good your internal controls are.

What Should You Look for in an MSP Service Agreement for Financial Services?

A compliant MSP service agreement for a GLBA-covered accounting firm or financial services company should include at minimum:

  • Specific security controls the MSP will implement and maintain
  • Defined SLAs for patching critical vulnerabilities (typically within 24–72 hours for critical patches)
  • Breach notification obligations and timelines aligned with your FTC Safeguards and insurance requirements
  • Right-to-audit provisions allowing you to verify the MSP's security posture
  • Data handling and subprocessor disclosure requirements
  • Secure data destruction obligations at contract termination
  • Defined access controls and personnel background check requirements for MSP staff who access your systems

What Should Financial Services Firms Do to Find the Right IT Partner?

The right managed IT provider for a CPA firm or financial services practice is one that treats your regulatory compliance obligations as shared responsibilities — because under the FTC Safeguards Rule, they effectively are. A qualified MSP for financial services doesn't just manage your helpdesk and patching; they help you build and maintain the WISP, implement the technical controls that Safeguards requires, provide the written documentation your vendor oversight obligation demands, and serve as the Qualified Individual your program needs.

NorthStar Technology Group was built specifically for regulated industries, including accounting firms and financial services companies that need a technology partner who understands the difference between good IT practice and FTC Safeguards Rule compliance. Our team holds CISM certification and has built compliance-aligned IT programs for firms of all sizes across the financial services sector. If you're evaluating IT providers or questioning whether your current provider is equipped to meet your compliance requirements, we're ready to have that conversation. Visit northstartechnologygroup.com/services to learn about our financial services managed IT programs and how we approach vendor due diligence and compliance documentation. You may also find our article on the hidden IT costs draining financial services firms useful as you evaluate what your current technology environment is really costing you.

Tags: IT Strategy, Managed IT Services, MSP Selection, FTC Safeguards Rule, GLBA Vendor Management, SOC 2, Financial Services Compliance, IT Due Diligence

About the author

Ken Satkunam, CISM

President & Founder, NorthStar Technology Group

Ken has spent over 25 years in IT leadership, serving in roles from technical support to CIO for organizations as large as 23,000 employees. He founded NorthStar Technology Group in 2000 to help regulated organizations build secure, compliant, and operationally resilient technology environments. Ken holds the Certified Information Security Manager (CISM) credential from ISACA and is the co-author of the Amazon best-seller "Cyber Attack Prevention." He has been quoted in industry publications including eWeek and DM News, and NorthStar has been recognized on the Inc. 5000 list in both 2024 and 2025.
