When business owners hear “FTC Safeguards Rule,” the first thought is usually banks. Big financial institutions. Wall Street. Not a two-person CPA office in Lady Lake or an independent insurance agency in The Villages.

That assumption has left a lot of small businesses out of compliance since June 2023, often without knowing it.

What the FTC Safeguards Rule actually covers

The rule was written to cover any business “engaging in an activity that is financial in nature or incidental to such financial activities.” That language is broad on purpose.

The FTC’s own guidance lists covered businesses, and the list includes:

  • Accountants and tax preparation services
  • Insurance agencies
  • Mortgage brokers
  • Investment advisors
  • Real estate settlement providers
  • Check cashing services
  • Vehicle dealerships that offer leases or financing

If you prepare tax returns, you are on that list. If you sell insurance policies and hold client financial information, you are on that list. The size of your firm is not a factor. A solo CPA and a regional accounting firm are both covered.

The FTC publishes a plain-language guide specifically for small businesses: FTC Safeguards Rule: What Your Business Needs to Know

What compliance actually requires

The rule requires covered businesses to “develop, implement, and maintain a comprehensive information security program to secure their customers’ data.”

In plain terms, that means:

  • A written plan describing how you protect client information
  • Controls to limit who can access sensitive data
  • Regular testing to make sure those controls actually work
  • A designated person responsible for the security program
  • A process for responding if something goes wrong

For a small firm, this doesn’t have to be complicated. But it does have to exist. “We’re careful with client data” is not an information security program.

The deadline has already passed

The mandatory compliance date was June 9, 2023. That was nearly two years ago.

Businesses that were unaware of the rule haven’t been exempt from it. They’ve been out of compliance. The penalties are significant: up to $100,000 per violation for companies, and up to $10,000 per violation for corporate officers personally.

Most small firms haven’t been audited. But the risk isn’t only regulatory. A data breach at your firm creates the same exposure. If client financial records are leaked or stolen and you can’t demonstrate that you had a security program in place, the liability conversation gets much harder.

What this looks like for CPA firms

Your clients trust you with Social Security numbers, tax returns, business financials, and years of personal financial history. That data is exactly what the Safeguards Rule is designed to protect.

For most small CPA practices, compliance means:

  • Documented procedures for how client data is stored and accessed
  • Backups that are tested and offsite
  • Email security to protect against phishing and W-2 fraud (one of the most common attack types aimed at accounting firms)
  • A written security plan you can point to if a client or regulator asks

This also ties directly into cyber insurance renewals. Carriers are asking for the same evidence at renewal time. Getting your security program in order handles both requirements at once.

What this looks like for insurance agencies

Insurance agencies hold personal information across large client rosters: dates of birth, financial details, sometimes health information. The Safeguards Rule applies to any business holding this type of customer financial data, regardless of whether you think of yourself as a “financial company.”

For independent agencies and small brokerages, the requirements are the same: a written security plan, access controls, tested backups, and someone accountable for the program.

The practical path forward

The good news is that for a small firm, building a compliant information security program is not a months-long project. Most of the pieces are practical IT practices that a managed IT plan already covers: monitored systems, tested backups, access controls, and documentation.

What you get with a monthly IT plan, beyond the day-to-day support, is a paper trail. When your cyber insurance carrier asks at renewal, or when a client asks how their data is protected, you have real answers.

If you’re not sure whether your firm is covered or where your current setup stands, that’s worth finding out before a problem surfaces.

Give us a call at 352-561-8106 or email hello@intermachine.io. We work with CPA firms and insurance agencies in Lady Lake, The Villages, and surrounding Lake and Sumter County communities. No pressure, no jargon, just a straight answer about where you stand.