
Case Study: CPA Firm FTC Compliance

29 Mar 2026

How a 5-Person CPA Firm Got FTC Audit-Ready in One Afternoon

Quick Facts

  • Firm type: CPA practice (tax preparation, bookkeeping, payroll)
  • Team size: 5 (owner + 2 accountants + 1 bookkeeper + 1 admin)
  • Location: Austin, Texas
  • Compliance need: FTC Safeguards Rule + cyber insurance renewal
  • Time to audit-ready: 1 afternoon (approximately 4 hours)
  • Cost: €99 (Pro Kit) vs. €8,000+ compliance consultant quote
  • Outcome: Compliance reviewer accepted documentation on first submission; insurance renewed without premium increase

What was the problem?

Rachel runs a small CPA practice in Austin that handles tax returns, payroll records, and bookkeeping for roughly 200 small business clients. Her firm collects Social Security numbers, bank account details, income data, and employer identification numbers every day.

In early 2026, two things happened at once.

First, her cyber insurance carrier sent a renewal questionnaire that was twice as long as the previous year’s. It asked for written policies, training records, an incident response plan, and proof of MFA deployment. Rachel had none of these documented.

Second, her professional association sent a bulletin warning that the FTC was actively enforcing the Safeguards Rule against tax preparers and accountants. The updated rule requires a written information security program, a designated Qualified Individual, a risk assessment, employee training, and incident response procedures. Penalties run up to $50,120 per violation.

Rachel’s firm had basic security habits — they used strong passwords, locked their screens, and shredded paper files. But none of it was written down. No policies. No training records. No signed acknowledgments. Nothing she could hand to an insurer or regulator as evidence.

“Our FTC compliance was overdue and I had no idea where to start,” Rachel said. “I called a compliance consultant who quoted us $8,000 and a 6-week timeline. For a 5-person firm, that’s not realistic.”


What did the firm need?

Rachel mapped her compliance gaps against both the FTC Safeguards Rule requirements and her insurance questionnaire. The overlap was significant:

Requirement                          | FTC Safeguards | Insurance Questionnaire | Had It?
-------------------------------------|----------------|-------------------------|------------------------------
Written information security policy  | Yes            | Yes                     | No
Designated qualified individual      | Yes            | No                      | No
Risk assessment                      | Yes            | Yes                     | No
Employee security training           | Yes            | Yes                     | No (informal only)
Training completion records          | Yes            | Yes                     | No
Incident response plan               | Yes            | Yes                     | No
MFA documentation                    | Yes            | Yes                     | Yes (enabled, not documented)
Data inventory                       | Yes            | No                      | No
Access control procedures            | Yes            | Yes                     | No
Backup verification                  | No             | Yes                     | No

Ten gaps. Zero documentation. Insurance renewal due in three weeks.


How did they solve it?

Rachel downloaded the SMBCyberHub Pro Kit on a Tuesday morning and blocked out the afternoon for compliance work.

Hour 1: Policies and documentation (solo)

Rachel started with the policy templates. She customised the Acceptable Use Policy with her firm’s name, added the specific software tools her team uses (QuickBooks, Lacerte, SharePoint), and filled in the data handling procedures that matched how her practice actually operates.

She designated herself as the Qualified Individual — a Safeguards Rule requirement that simply means naming one person responsible for the security program. She documented this in the policy header.

She completed the data inventory using the kit’s template, listing every type of client financial data her firm handles, where it’s stored, and who has access. For a small firm, this took about 20 minutes.

Hour 2: Staff training (whole team)

At lunch, Rachel gathered her team of four and ran the training using the kit’s slide decks. The training covered:

  • Phishing recognition — including examples specific to accounting firms (fake IRS notices, spoofed client emails requesting bank detail changes)
  • Password hygiene and MFA basics
  • Safe client file sharing — critical for a firm that receives tax documents by email daily
  • Device security and screen-lock procedures
  • What to do if they suspect a breach

The team completed the quizzes afterward. Everyone passed on the first attempt — the material was practical, not theoretical.

“The quizzes made everyone laugh,” Rachel noted. “But they actually learned something. My bookkeeper caught a phishing email the following week because she remembered the red flags from the training.”

Hour 3: Incident response and risk assessment (solo)

Rachel customised the incident response plan template with her firm’s contact details, notification chain, and the specific steps relevant to a tax preparation firm. She added the IRS identity theft reporting procedures and state attorney general notification requirements.

She completed the risk assessment template, identifying her top risks:

  1. Phishing targeting client financial data
  2. Payment fraud via spoofed invoices
  3. Laptop theft (staff sometimes work from home during tax season)
  4. Insider access after employee departure
  5. Ransomware locking client records

Hour 4: Assembly and sign-offs (whole team)

Rachel printed the policies, had each team member sign the acknowledgment forms, collected the training completion certificates, and assembled everything into a compliance binder. She also exported digital copies to a secure folder.

The binder contained:

  • Signed information security policy
  • Qualified Individual designation
  • Data inventory and data flow map
  • Completed risk assessment with treatment plan
  • Staff training records (certificates, quiz scores, attendance log)
  • Incident response plan with contact list
  • Access control procedures and quarterly review schedule
  • MFA deployment evidence (screenshots of enabled MFA on all accounts)

What were the results?

Insurance renewal: approved on first submission

Rachel submitted the compliance documentation with her insurance renewal application the following day. Her broker called back within a week.

“The kit gave us policies, training records, and checklists that our compliance reviewer accepted immediately. Saved us thousands in consulting fees.”

The insurer renewed the policy at the same premium — no increase. Her broker told her that firms without documentation were seeing 15-25% premium hikes that year. For full detail on what insurers now expect, see our cyber insurance documentation guide.

FTC compliance: documented and defensible

Rachel now has a written information security program that addresses 8 of the 9 FTC Safeguards Rule requirements. The only gap is penetration testing, which the FTC exempts for firms with fewer than 5,000 customer records.

If the FTC sends a compliance inquiry, Rachel has a binder of evidence ready. Before, she would have had nothing to show.

Ongoing compliance: quarterly reviews

Rachel scheduled quarterly access reviews using the kit’s checklist. Every quarter, she spends 20 minutes reviewing who has access to what, confirming MFA is still enabled, and checking whether any staff changes require policy updates.

She plans to re-run the training annually, using the same materials with updated examples.


What did it cost?

Approach                       | Cost            | Timeline        | Ongoing Cost
-------------------------------|-----------------|-----------------|----------------------------
Compliance consultant (quoted) | $8,000-$12,000  | 4-6 weeks       | $3,000-$5,000/year retainer
SaaS compliance platform       | $200-$500/month | 2-4 weeks setup | $2,400-$6,000/year
SMBCyberHub Pro Kit            | €99 one-time    | 1 afternoon     | €0

The Pro Kit paid for itself in the first hour by replacing the $8,000 consultant quote. Even against the cheapest SaaS option, the one-time cost saves thousands over a multi-year period.


Could this work for your accounting firm?

Rachel’s situation is common. Most small accounting practices have reasonable security habits but zero documentation. The FTC Safeguards Rule and insurance underwriters both require evidence, not intentions.

This approach works well if you:

  • Handle client financial data (tax returns, payroll, bank details)
  • Have 1-20 employees
  • Need to comply with FTC Safeguards Rule
  • Face a cyber insurance renewal with a security questionnaire
  • Don’t have the budget for a dedicated compliance consultant
  • Want documentation you can maintain yourself without SaaS subscriptions

What you still need to handle separately:

  • Technical controls — MFA, encryption, backups, and patching are your responsibility to implement (the kit provides the documentation, not the technology)
  • Penetration testing — if you handle 5,000+ customer records, the FTC requires annual pen testing, which needs a professional
  • State-specific data breach notification — each state has different requirements; consult a lawyer for your state’s specifics
  • Industry-specific regulations — if you handle healthcare client data alongside financial data, HIPAA requirements may also apply

About this case study

This is an illustrative scenario showing how a typical small CPA practice could approach FTC Safeguards Rule compliance. The characters, firm details, and quotes are fictional, but the compliance requirements, timeline, and process reflect real-world obligations for small accounting firms. Individual results depend on your firm's existing security posture and specific compliance requirements.


Estimated Reading Time: 8 minutes
Aligned With: FTC Safeguards Rule (16 CFR 314), NIST CSF 2.0 (Govern + Protect), Cyber Insurance Documentation Requirements
Target Audience: CPA practices, tax preparers, bookkeepers, small accounting firms (1-20 employees)
Learning Objectives: Understand FTC compliance timeline for small firms, see realistic documentation examples, compare compliance approaches by cost
