Financial services firms face some of the strictest data security regulations. Whether you're a CPA firm, wealth manager, insurance agency, or mortgage broker, you handle customer financial data covered by GLBA. Firms that are not supervised by another federal or state financial regulator fall under the FTC Safeguards Rule, and state-specific requirements may apply on top. Non-compliance can result in significant fines and loss of licensure.
📋 Key Regulations
- FTC Safeguards Rule (amended rule, in force since June 2023): Requires specific security controls including MFA, encryption, and a designated "Qualified Individual" who owns the security program
- GLBA: The Gramm-Leach-Bliley Act mandates that financial institutions protect customer NPI (nonpublic personal information such as account numbers, income, SSNs and transaction history)
- IRS Pub 4557: Tax preparers must follow the IRS "Safeguarding Taxpayer Data" guidelines, which include maintaining a written security plan
- Other regulators: Ohio's insurance data security law (based on the NAIC model) and other state insurance regulators add requirements for agencies; SEC-registered advisers and broker-dealers are covered by SEC Regulation S-P instead of the FTC rule
FTC Safeguards Rule Requirements
Core Requirements (Mandatory)
- Designated Qualified Individual for security program
- Written Information Security Plan (WISP) documented
- Risk assessment performed and documented
- Multi-factor authentication for any individual accessing any information system that holds customer data (the Qualified Individual may approve reasonably equivalent or stronger access controls in writing)
- Encryption of customer information at rest and in transit (where encryption is infeasible, compensating controls are allowed only with written Qualified Individual approval)
- Access controls limiting data access to job function
- Logging and monitoring of authorized user activity to detect unauthorized access to or use of customer information
- Change management procedures for systems that handle customer data
- Employee security awareness training (ongoing)
- Vendor/service provider oversight program
- Incident response plan documented, including (since May 2024) notification to the FTC within 30 days of discovering a breach of unencrypted customer information affecting 500 or more consumers
- Continuous monitoring, or annual penetration testing plus vulnerability assessments at least every six months (and after any material change)
- Written report from the Qualified Individual to the board or senior management at least annually
Deadline Passed: The FTC Safeguards Rule took full effect June 9, 2023. If you're not compliant, you're already at risk of enforcement action.
Access Control & Authentication
Identity Security
- MFA enforced on email, accounting software, CRM
- MFA on VPN and remote access
- MFA on bank/custodian portals (where available)
- Unique user accounts (no shared logins)
- Strong password policy (16+ characters)
- Password manager deployed firm-wide
- Terminated employee access disabled same day
Data Protection
Encryption & Data Handling
- Full-disk encryption on all laptops
- Encrypted email for client communications with NPI
- Secure client portal for document exchange
- Cloud storage encrypted (M365, Google Workspace)
- Data retention policies documented and followed (the rule requires disposing of customer information no later than two years after it was last used to serve the customer, unless law or a legitimate business need requires keeping it)
- Secure disposal procedures for hardware/documents
Email & Communication Security
- Advanced threat protection on email (link rewriting, attachment detonation, phishing detection)
- SPF, DKIM and DMARC published for every sending domain, with DMARC at p=quarantine or p=reject (p=none only reports; it blocks nothing)
- Wire transfer verification procedures documented (out-of-band callback to a previously known number before acting on any new or changed payment instructions)
- External email warning banners enabled
- Impersonation protection for executives, staff and key clients active (display-name and lookalike-domain detection)
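The spoofing-prevention items above are only effective if the published records actually enforce something. The script below is an added example, not code from the original checklist or from Sabre IT Services: it parses SPF and DMARC TXT records and flags the settings that silently leave a domain spoofable (an SPF `+all`/`?all`, DMARC `p=none`, `pct` under 100, no `rua=` reporting address, or `sp=none` on subdomains). The domain `example.com` and all four records are constructed samples; in production you would fetch the TXT records for `<domain>` and `_dmarc.<domain>` from DNS instead of embedding them.

```python
"""Grade SPF and DMARC TXT records for spoofing protection.

Added example for this checklist; the records below are constructed samples
for example.com, not real DNS data.
"""

# Constructed sample records (assumption: what a weak and a hardened
# Microsoft 365 tenant might publish for example.com).
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com +all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                "rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s")

# Terms that cost a DNS lookup under the RFC 7208 10-lookup limit.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> dict:
    """Return the 'all' qualifier, lookup-term count and mechanisms of an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = terms[1:]
    all_qualifier = None
    lookups = 0
    for term in mechanisms:
        body = term.lstrip("+-~?").lower()
        name = body.split(":")[0].split("=")[0]
        if body == "all":
            # A missing qualifier means '+' (pass), the weakest possible setting.
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
        elif name in LOOKUP_TERMS:
            lookups += 1  # top-level terms only; nested includes are not followed offline
    return {"all": all_qualifier, "lookups": lookups, "mechanisms": mechanisms}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into its tag=value pairs (tags lowercased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess(spf_record: str, dmarc_record: str) -> list:
    """Return a list of findings; an empty list means the records enforce."""
    findings = []
    spf = parse_spf(spf_record)
    if spf["all"] in (None, "+", "?"):
        findings.append("SPF: 'all' qualifier %r lets any sender pass; publish -all (or ~all)"
                        % spf["all"])
    if spf["lookups"] > 10:
        findings.append("SPF: more than 10 lookup terms; receivers return permerror")

    dmarc = parse_dmarc(dmarc_record)
    policy = dmarc.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    pct = int(dmarc.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append("DMARC: pct=%d applies the policy to only %d%% of failing mail" % (pct, pct))
    if "rua" not in dmarc:
        findings.append("DMARC: no rua= address; you receive no aggregate reports")
    sub_policy = dmarc.get("sp", policy).lower()
    if policy != "none" and sub_policy == "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("hardened", STRONG_SPF, STRONG_DMARC)):
        print(label, "->", assess(spf, dmarc) or ["no findings"])
```

Run it as-is to compare the two sample configurations, or replace the four constants with your own TXT records. The lookup count is deliberately limited to top-level terms; a full check must resolve each `include:` recursively, which is why a DNS-backed tool is still needed for the final sign-off.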
Vendor Management
- Vendor inventory with data access documented
- Vendor security assessments performed (SOC 2 Type II reports reviewed, including noted exceptions and the complementary user entity controls your firm must implement)
- Written agreements with security requirements
- Cloud service providers on approved vendor list
- Annual review of vendor access and security
Required Documentation
- Written Information Security Plan (WISP)
- Risk Assessment (updated annually)
- Incident Response Plan
- Employee Security Training Records
- Vendor Due Diligence Documentation
- Security Testing Reports
- Board/Management Security Reports
WISP Requirement: Your Written Information Security Plan must be tailored to your firm's size, complexity, and data handled. Template WISPs may not satisfy regulators.
FTC Safeguards Compliance Assistance
Sabre IT Services helps Columbus-area financial services firms achieve and maintain FTC Safeguards compliance. We provide WISP development, required security controls, and ongoing management.
Schedule a Compliance Assessment →
(614) 683-0060