
Accounting firms

You hold the books for dozens of clients. We stress-test what protects them.

A fixed-price CPA and accounting firm cybersecurity assessment. We check your accounting system, remote access to the server, email, IRS portal security, and backup — exactly where an attacker looks for a way in. Free PreScan in 24 hours, full report in 5 business days. No IT department required on your end.

Book a free pre-scan

We know the systems your firm runs on

  • QuickBooks Desktop
  • QuickBooks Online
  • Xero
  • Sage 50
  • Drake Tax
  • Lacerte
  • ProSeries
  • CCH Axcess
  • UltraTax CS

The honest version

Why accounting firms are hit more often than the average company

This isn't scare-talk - it's the pattern the Verizon DBIR [5] and FBI IC3 [4] reports have shown for years about firms that handle other people's money and data.

01

One break-in is the financial data of every client you serve.

Your firm holds tax filings, payroll, and bank-account details for 20-200 businesses at once. To an attacker that is not one victim - it is an entire database in a single place. That is why accounting firms are targeted far more often than a single company of the same size.

02

The attacker knows your calendar better than you think.

Statutory deadlines - the 20th and 25th of each month, the year-end filing dates - are the window where downtime hurts most and pressure to pay the ransom is highest. Ransomware fired at the peak of filing season is not an outage; it is the whole firm frozen at the worst possible moment.

03

BEC works because you authorise transfers every day.

One forged "changed account number" message looks like routine, because routine is exactly what it is. Business email compromise (BEC) is the most common real financial loss in an accounting firm - a single hit is usually tens, sometimes hundreds of thousands.

The assessment

What we check at your firm

Accounting-system exposure

We check whether your system — QuickBooks Desktop, Sage 50, Drake Tax, Lacerte, ProSeries, CCH Axcess — is reachable from the internet through open RDP, TeamViewer or AnyDesk. An exposed accounting server is the most common ransomware entry point in professional-services firms.

Remote access (RDP/VPN)

Remote desktop to the QuickBooks or tax-prep server and VPN connections are the dominant attack vector in CPA firms. We check whether RDP is publicly visible, whether the VPN is up to date, and whether access requires MFA — not just a password.

Email security (SPF/DKIM/DMARC)

SPF, DKIM and DMARC configuration for your domain. Without them, someone can impersonate your firm and email a client or your bookkeeper with a changed account number. Invoice-redirect and BEC fraud is the number-one threat in this industry.
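As an added example (not the assessment provider's own tooling), the evaluator below shows what the SPF/DMARC part of such a check looks like: it parses the two TXT records, flags the weak settings that let a spoofed "changed account number" email through (a permissive `+all`/`?all`, a `p=none` monitoring-only DMARC policy, a partial `pct=`, no reporting address, more than ten DNS lookups), and grades the domain. The sample records are constructed for illustration; in a live check you would fetch the TXT records for `<domain>` and `_dmarc.<domain>` and pass them in.

```python
"""Offline SPF/DMARC record evaluator (added example, not the provider's code).

The sample records at the bottom are constructed, not taken from any real
domain. DKIM is not covered here: its selector records cannot be enumerated
from DNS alone, so it is checked from message headers instead.
"""
import re

# Mechanisms/modifiers that each cost a DNS lookup under RFC 7208 (limit: 10).
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def evaluate_spf(record: str) -> dict:
    """Parse one SPF TXT record and return findings a defender would act on."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"present": False, "lookups": 0, "all": None,
                "findings": ["No SPF record: any host can send as this domain"]}
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        # qualifier (+ - ~ ?), mechanism/modifier name, optional argument
        m = re.match(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$", term, re.IGNORECASE)
        if not m:
            findings.append(f"Unparseable term: {term}")
            continue
        qual, name, _arg = m.groups()
        name = name.lower()
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated and unreliable")
        if name == "all":
            all_qualifier = qual or "+"
    if all_qualifier is None:
        findings.append("No 'all' term: unlisted senders are treated as neutral")
    elif all_qualifier in ("+", "?"):
        findings.append(f"'{all_qualifier}all' lets any sender pass SPF")
    elif all_qualifier == "~":
        findings.append("'~all' is softfail; prefer '-all' once DMARC is enforced")
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the limit of 10 (permerror)")
    return {"present": True, "lookups": lookups, "all": all_qualifier,
            "findings": findings}


def evaluate_dmarc(record: str) -> dict:
    """Parse one DMARC TXT record (tag=value pairs separated by ';')."""
    findings = []
    if not record.strip():
        return {"present": False, "policy": None, "pct": 0,
                "findings": ["No DMARC record: SPF/DKIM failures are not acted on"]}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        findings.append("Missing or wrong v= tag; receivers ignore the record")
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("Missing or invalid p= policy")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    raw_pct = tags.get("pct", "100")
    pct = int(raw_pct) if raw_pct.isdigit() else 100
    if policy in ("quarantine", "reject") and pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("No rua= address: no aggregate reports, spoofing goes unseen")
    if tags.get("sp", "").lower() == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected")
    return {"present": True, "policy": policy or None, "pct": pct,
            "findings": findings}


def grade_domain(spf_record: str, dmarc_record: str) -> str:
    """Summarise both records into one of four states."""
    spf = evaluate_spf(spf_record)
    dmarc = evaluate_dmarc(dmarc_record)
    if not spf["present"] or not dmarc["present"]:
        return "unprotected"
    if dmarc["policy"] == "none":
        return "monitoring-only"
    if dmarc["pct"] < 100 or spf["all"] in (None, "+", "?"):
        return "partial"
    return "enforced"


# Constructed sample records (hypothetical domains, not real DNS data).
WEAK_SPF = "v=spf1 a mx include:_spf.mail-provider.example +all"
GOOD_SPF = "v=spf1 include:_spf.mail-provider.example -all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@firm.example; pct=100"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("good", GOOD_SPF, GOOD_DMARC)):
        print(label, grade_domain(spf, dmarc))
        for f in evaluate_spf(spf)["findings"] + evaluate_dmarc(dmarc)["findings"]:
            print("  -", f)
```

The grade is deliberately conservative: a domain only counts as "enforced" when DMARC is at `quarantine` or `reject` for 100% of mail and SPF ends in a failing qualifier, because any softer combination still lets an impersonated invoice reach the bookkeeper.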

IRS e-Services & tax-portal security

You operate IRS e-Services accounts and IRS Tax Pro accounts that touch every client's return. We check how credentials and access tokens are stored, whether permissions are granted per employee (not shared firm-wide), and whether each account has MFA — phishing that impersonates the IRS is the fastest-growing threat in US tax practices.

Client portal & backup accessibility

If you run a client portal for document exchange, we look for injectable forms, outdated plugins and exposed admin panels. We also check whether your client-database backup is reachable from the internet (and therefore by ransomware) and whether an offline copy exists per the 3-2-1 rule.

Staff password hygiene

We check your team addresses against breach feeds, plus the common firm pattern of one password reused across the social-security portal, the tax portal, banking and the internal system. One leaked password used everywhere is an open path into every client account.

FTC Safeguards without the scare

Does the FTC Safeguards Rule apply to your firm?

The short, honest answer: almost certainly yes. CPA firms, tax-prep practices, and bookkeeping services qualify as non-bank financial institutions under the Gramm-Leach-Bliley Act. The 2023 amendments added a mandatory penetration-testing requirement and breach notification to the FTC within 30 days.

Your situation | FTC scope
CPA, tax-prep, or bookkeeping firm with individual or business clients | Covered — you are a non-bank financial institution under the Gramm-Leach-Bliley Act
You provide only payroll services, no tax or financial planning | Likely covered — payroll involves consumer financial data; confirm based on service scope
5,000+ consumer records under management | Additional obligation — must maintain a written WISP and designate a qualified security officer
Breach affecting 500+ customers | Must notify FTC within 30 days — and notify affected clients under applicable state laws

The FTC Safeguards Rule requires both a written risk assessment and annual penetration testing. CyberAudyt satisfies both in a single engagement — and produces the documentation to show an auditor.

Security compliance guide

The real cost

What an incident actually costs

$100k/day [1]

FTC Safeguards penalty

The FTC Safeguards Rule (under GLBA) requires a written information security program, a risk assessment, and penetration testing for covered financial institutions including CPA and tax-prep firms. Violations carry civil penalties up to $100,000 per violation per day — plus the FTC can seek injunctions and restitution.

$50k-$500k [4]

BEC loss

Business email compromise is the costliest category of cybercrime in the FBI IC3 2024 report, with US losses exceeding $2.9 billion. A CPA firm authorising client wire transfers every day is a high-value target. The money rarely comes back.

Trust business

Client churn

Accounting is a relationship built on trust and referrals. A single email telling clients their financial data leaked can move half your book to a competitor within weeks. No PR firm softens that.

How it plays out in practice

Five ways an accounting firm gets hit

None of these require you to be an "interesting" target. They all start with something a scan finds in the first few hours.

  1. Redirected client transfer (BEC)

    An attacker takes over an assistant's inbox through phishing, impersonates the firm's owner, and sends an 'urgent' request to change the account number on a client's tax payment. The money lands in the fraudster's account before anyone calls to confirm.

  2. Encrypted tax files (supply-chain attack)

    A compromised accounting-software update or plugin delivers ransomware straight onto the firm server. Every client's filing files, databases and returns are encrypted - in the middle of the submission deadline.

  3. Ransomware via exposed RDP to QuickBooks server

    A partner works from home, so the Remote Desktop to the QuickBooks Desktop server is exposed to the internet. A bot finds it within hours, brute-forces a weak password, encrypts the client database and exfiltrates it at the same time — double extortion: ransom to decrypt and ransom not to publish client financials.

  4. Session hijack through a reused password

    The same password protects the IRS e-Services account and the internal-system login. It leaks in a breach at an entirely different vendor, the attacker tries it everywhere, and takes over the tax portal session — with access to every client's return history and e-file status.

  5. IRS impersonation phishing

    A staff accountant receives an email: 'Action required — IRS e-Services login expired.' One click hands over the access token. The attacker now has view access to every client's transcript on record and can modify e-file direct-deposit routing on pending refunds.

See what a real report looks like

Here's what a PreScan report for an accounting firm contains

We've redacted the name and domain. Everything else is the real output - the findings, the severity scoring, the prioritised action list, and the plain-language explanation the owner can hand to their IT provider the same day.

Deliverables

What you receive

Every firm that orders the full assessment gets the same package - no tiers, no upsells, no "enterprise only" features held back.

  • Executive PDF report in plain English - no jargon, written for the firm owner
  • Full vulnerability list with severity scores (Critical / High / Medium / Low) and CVSS where applicable
  • Prioritised remediation plan your IT provider can action directly
  • Accounting-system and remote-access (RDP/VPN) exposure review - what the internet can see
  • Email security configuration guide for your domain (SPF, DKIM, DMARC)
  • Credential exposure report - which team addresses, in which breaches, when
  • 30-minute debrief call with the assessor to walk through findings

Pricing

Fixed price, visible up front

You start free. You only pay if there is something to fix. The CyberAudyt price is fixed - regardless of how many seats, clients or locations you run.

Start here

PreScan

Free

results in 24 h

Passive external scan of your firm. We show what is visible from the internet - with zero access on your end. Answers the question "is there even anything to worry about."

Most popular

CyberAudyt

$900

report in 5 business days

Full external assessment with manual verification: accounting system, remote access, email, IRS e-Services / tax-portal security, client portal and backup. Plain-language report with prioritised fixes and a 30-minute call. Fixed price regardless of how many seats or clients you have.

Re-scan after fixes

50% off

once remediation is done

After you close the gaps, we re-check that the fixes actually worked - at half the CyberAudyt price for firms that already completed one. The current report is something you can show clients as proof of due diligence.

Post-season offer. The best time for an audit is right after tax season. Book a slot during the season (January-April) and you lock in today's price and priority scheduling for May-June, when the team can breathe.

Guarantee: if CyberAudyt doesn't surface at least 3 actionable findings, you pay nothing.

Fixed price - no hourly billing, no surprises. Larger firm networks, or when a corporate client requires it: a full penetration test is also available.

Questions accounting owners ask us

Accounting-firm objections, answered

"Does the FTC Safeguards Rule apply to my accounting firm?"
Most likely yes. The FTC Safeguards Rule applies to non-bank financial institutions under the Gramm-Leach-Bliley Act — and tax preparation, financial planning, and bookkeeping services all qualify. The Rule requires a written information security program, a risk assessment, and annual penetration testing. Penalties run to $100,000 per violation per day.
"Can you assess a QuickBooks Desktop or Sage 50 environment?"
Yes. We check whether QuickBooks Desktop, Sage 50, Drake Tax, Lacerte, ProSeries, CCH Axcess, or UltraTax CS are reachable from the internet and how remote access to them is configured — RDP, VPN, permissions, MFA. We do not read your ledgers or client data; we assess the attack surface, meaning what is visible and reachable from outside.
"Will the test disrupt work during tax season?"
No. The PreScan is passive — it only reads what your systems already publish to the internet. No logins, no installed agents, no load on your server. We can schedule the full CyberAudyt around the filing peak (January–April). The firm runs normally and your clients notice nothing.
"Does the assessment cover IRS e-Services and tax-portal security?"
Yes. We check how IRS e-Services credentials and access tokens are stored, whether permissions are per-employee or shared firm-wide, whether each account has MFA, and whether the team is resilient to phishing that impersonates the IRS. IRS Tax Pro account takeover is one of the fastest-growing vectors targeting US tax practices.
"What about client-portal security?"
If you run a client portal for document exchange (ShareFile, TaxDome, Canopy, custom), we assess it for injectable forms, outdated components, and exposed admin panels. The portal is often the least-watched element — it lives outside the main accounting system yet plugs straight into client data.
"Can I use the report to satisfy the FTC Safeguards risk-assessment requirement?"
Yes. The FTC Safeguards Rule requires a written risk assessment of threats to customer information. The CyberAudyt report documents the external threat surface, vulnerability findings, and a prioritised remediation plan — exactly the evidence the Rule calls for. The post-remediation re-scan also satisfies the annual penetration-testing obligation.
"How much is it for a 3-person firm?"
The same as for a 25-person firm: CyberAudyt is a fixed $900, regardless of how many seats or clients you have. We do not bill per "seat" or per hour. You start with the free PreScan and only pay if you decide to go for the full assessment.
"What if you find a data leak — what are our notification obligations?"
The FTC Safeguards Rule requires you to notify the FTC within 30 days if a breach affects 500 or more customers. State breach notification laws may require notifying affected clients faster, with some states setting a 30-day window. PreScan and CyberAudyt find the risks before they become a breach. If we detect an existing credential leak, you get a concrete list of accounts to change immediately.
"Do you assess QuickBooks Online or Xero in the cloud?"
Yes, with a different scope. The vendor manages their infrastructure; you are responsible for the accounts that access it, the devices they log in from, and staff email addresses. We check exactly that — MFA configuration, credential leaks, phishing susceptibility. It is the portion the vendor by definition does not cover.
"If you find something, do we have to hire you to fix it?"
No. The assessment tells you what is wrong and what to fix. Your IT provider, MSP, or any cybersecurity firm can do the remediation. If you do not have a trusted IT partner we can refer one — but there is no lock-in.

Get a free PreScan for your firm

You send us your domain name. We tell you in 24 hours what an attacker sees. If that's nothing serious, you keep the report and we disappear. If it's serious, you get a fixed-price proposal - no pressure, no subscription.

No credit card. No access to your systems. No recurring fees.

Sources

  1. FTC Safeguards Rule (16 CFR Part 314) — penalties and requirements (ftc.gov)
  2. IBM Cost of a Data Breach Report 2024 (ibm.com/reports/data-breach)
  3. FTC Safeguards Rule breach notification — 30-day FTC notification requirement (ftc.gov)
  4. FBI Internet Crime Report (IC3) 2024 — Business Email Compromise (ic3.gov)
  5. Verizon Data Breach Investigations Report 2024 (verizon.com/dbir)