Who the Safeguards Rule Actually Covers
The Safeguards Rule is enforced by the FTC under the Gramm-Leach-Bliley Act (GLBA) and applies to "financial institutions" as the FTC defines them — which is broader than most people expect. Covered entities include:
- Banks, credit unions, and investment firms (also covered by banking regulators, not just FTC)
- Registered investment advisers and broker-dealers (also covered by SEC/FINRA)
- Mortgage brokers and lenders
- Insurance companies and agencies
- Tax preparers and CPA firms — a significant expansion that many accountants still don't know about
- Real estate settlement service providers (title companies, escrow agents)
- Auto dealers offering financing
- Any business that provides financial advisory services to consumers
The surprise for CPAs and tax preparers: The IRS has specifically cited the GLBA Safeguards Rule in its guidance to tax professionals. The FTC and IRS both require tax preparers with clients' financial information to have a written information security program (WISP). Many small CPA firms still have no written security program — and no IT provider who has helped them build one.
The Nine Required Elements of the Safeguards Rule
The 2023 updated Safeguards Rule (effective for most firms since June 2023) requires nine specific elements in your information security program:
- Qualified Individual — Designate someone to oversee the information security program. This can be an employee or a third party (your MSP can fill this role as a virtual CISO).
- Risk Assessment — Conduct a written risk assessment identifying reasonably foreseeable risks to customer information, assessing the probability and impact of each threat.
- Safeguards Implementation — Implement and regularly test safeguards to control the risks identified in the risk assessment.
- Service Provider Oversight — Select and retain service providers that maintain appropriate safeguards; require safeguards contractually.
- Employee Training — Train and monitor employees in security awareness and the implementation of the information security program.
- Monitoring and Testing — Regularly monitor and test the effectiveness of key controls, systems, and procedures.
- Stay Current — Evaluate and adjust the information security program in light of changes to operations, business arrangements, threats, and technological developments.
- Incident Response Plan — Establish a written incident response plan for responding to security events.
- Annual Reporting — Report to the board of directors (or equivalent) on the information security program at least annually.
The IT Controls That Satisfy the Safeguards Rule
The rule requires that your safeguards include, at minimum:
Encryption
- Encrypt customer information in transit using TLS 1.2 or higher
- Encrypt customer information at rest — full-disk encryption on all devices and servers containing customer data
- Encrypt portable media containing customer data
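The "TLS 1.2 or higher in transit" item is the one on this list that is easiest to verify in code. The following is an added example (not code from the page or from any vendor it mentions) showing a client configuration with an explicit TLS 1.2 floor beside the legacy shape with no floor, a check that tells the two apart, and a filter over a constructed endpoint inventory using the protocol strings Python's `ssl` module reports; the hostnames are hypothetical.

```python
"""Checks for the 'TLS 1.2 or higher in transit' control (added example, not from the page)."""
import ssl

# Negotiated-protocol strings, in the form ssl.SSLSocket.version() reports them,
# that satisfy the rule's floor.
COMPLIANT_VERSIONS = frozenset({"TLSv1.2", "TLSv1.3"})


def make_client_context() -> ssl.SSLContext:
    """Hardened client context: certificate and hostname verification on, plus an
    explicit floor of TLS 1.2 so a downgrade to 1.0 or 1.1 cannot be negotiated."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_legacy_context() -> ssl.SSLContext:
    """The weak shape this control replaces: no protocol floor at all, so whatever
    the peer offers (down to TLS 1.0 where the library still allows it) is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def meets_transit_floor(ctx: ssl.SSLContext) -> bool:
    """True when the context can only negotiate TLS 1.2 or newer."""
    floor = ctx.minimum_version
    if floor == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        return True  # pinned to the newest version the library offers
    return floor >= ssl.TLSVersion.TLSv1_2


def noncompliant_endpoints(inventory):
    """Reduce an endpoint inventory ({name: observed_version}) to the entries whose
    negotiated protocol is below the floor, sorted for a stable remediation list."""
    return sorted(name for name, version in inventory.items()
                  if version not in COMPLIANT_VERSIONS)


# Constructed sample inventory with hypothetical hostnames, as a scanner might report it.
SAMPLE_INVENTORY = {
    "portal.example-cpa.test": "TLSv1.3",
    "legacy-fileshare.example-cpa.test": "TLSv1",
    "mail.example-cpa.test": "TLSv1.2",
    "old-vpn.example-cpa.test": "TLSv1.1",
}

if __name__ == "__main__":
    print("hardened floor ok:", meets_transit_floor(make_client_context()))
    print("legacy floor ok:", meets_transit_floor(make_legacy_context()))
    print("needs remediation:", noncompliant_endpoints(SAMPLE_INVENTORY))
```

Setting `minimum_version` explicitly matters even on Python builds whose default context already floors at TLS 1.2: the written safeguard should not depend on an interpreter default that an upgrade or a different host could change, and the explicit line is what an assessor can point to.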
Multi-Factor Authentication
The updated Safeguards Rule explicitly requires MFA for any individual accessing information systems (unless you document and implement equivalent compensating controls — a high bar in practice).
- MFA on all remote access to systems containing customer financial information
- MFA on email accounts used for client financial communications
- MFA on cloud applications storing customer information
- MFA on administrative/privileged accounts
Access Controls
- Principle of least privilege — employees access only the customer information needed for their role
- Unique user credentials — no shared accounts for systems with customer data
- Formal process for granting, reviewing, and revoking access (especially at employee departure)
- Privileged access management — administrative credentials separate from daily-use accounts
Audit Logging
- Enable audit logging on all systems that contain or access customer financial information
- Log: user activity, access attempts, system events, changes to data
- Retain logs for at least two years
- Implement a log review procedure — logs must be reviewed, not just collected
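The access-control list above and the audit-logging list just before this point both come down to the same review: read the collected logs and look for the conditions the controls are meant to prevent. The following added example (not code from the page or from any product it mentions) runs that review over a constructed audit trail in a simple "timestamp key=value" format. It flags failed-login bursts, activity by accounts that are no longer on the active roster (the "revoke access at departure" control), a heuristic for shared credentials (one account logging in from several source addresses), and whether the retained log history reaches back the two years the page calls for. The log format, usernames, addresses and roster are all constructed.

```python
"""Audit-log review for the access-control and logging controls above
(added example; log format, usernames and roster are constructed)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit trail: ISO-8601 UTC timestamp followed by key=value fields.
SAMPLE_LOG = """\
2024-03-04T09:01:10Z user=jsmith event=login result=success src=10.0.0.5
2024-03-04T09:02:00Z user=jsmith event=file_read result=success src=10.0.0.5 object=clients/2023/returns.zip
2024-03-04T09:05:41Z user=mlee event=login result=failure src=203.0.113.9
2024-03-04T09:05:52Z user=mlee event=login result=failure src=203.0.113.9
2024-03-04T09:06:03Z user=mlee event=login result=failure src=203.0.113.9
2024-03-04T09:06:15Z user=mlee event=login result=failure src=203.0.113.9
2024-03-04T09:06:30Z user=mlee event=login result=failure src=203.0.113.9
2024-03-04T09:06:44Z user=mlee event=login result=failure src=203.0.113.9
2024-03-04T10:15:00Z user=rdoe event=login result=success src=10.0.0.22
2024-03-04T10:16:12Z user=rdoe event=file_read result=success src=10.0.0.22 object=clients/2023/w2-batch.pdf
2024-03-04T11:00:00Z user=frontdesk event=login result=success src=10.0.0.31
2024-03-04T12:00:00Z user=frontdesk event=login result=success src=10.0.0.32
2024-03-04T13:00:00Z user=frontdesk event=login result=success src=10.0.0.33
2024-03-04T14:20:05Z user=jsmith event=data_change result=success src=10.0.0.5 object=clients/2023/returns.zip
"""

# Constructed HR roster of accounts that should still be active. In this scenario
# rdoe left the firm but the account was never revoked.
ACTIVE_USERS = frozenset({"jsmith", "mlee", "frontdesk"})


def _parse_ts(ts):
    """Parse an ISO-8601 timestamp; a trailing 'Z' is normalised for older Pythons."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_line(line):
    """Turn one log line into a dict with a timezone-aware 'ts' field."""
    ts, *fields = line.split()
    entry = dict(f.split("=", 1) for f in fields)
    entry["ts"] = _parse_ts(ts)
    return entry


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def review(entries, active_users, failure_threshold=5, shared_src_threshold=3):
    """Produce the findings a log reviewer would want to act on."""
    failures = Counter()                 # failed logins per account
    inactive_activity = Counter()        # successful events by off-roster accounts
    login_sources = defaultdict(set)     # distinct source addresses per account
    for e in entries:
        user = e["user"]
        if e["event"] == "login" and e["result"] == "failure":
            failures[user] += 1
        if e["result"] == "success" and user not in active_users:
            inactive_activity[user] += 1
        if e["event"] == "login" and e["result"] == "success":
            login_sources[user].add(e["src"])
    return {
        "failed_login_bursts": {u: n for u, n in failures.items() if n >= failure_threshold},
        "inactive_account_activity": dict(inactive_activity),
        # Heuristic only: several source addresses on one account is a common sign of
        # a shared credential, which the unique-credentials control prohibits.
        "possible_shared_accounts": {u: len(s) for u, s in login_sources.items()
                                     if len(s) >= shared_src_threshold},
    }


def covers_retention_window(entries, now_iso, required_days=730):
    """True when the oldest retained entry is at least `required_days` old, i.e. the
    two-year retention the page calls for is actually being met as of `now_iso`."""
    oldest = min(e["ts"] for e in entries)
    return _parse_ts(now_iso) - oldest >= timedelta(days=required_days)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for finding, detail in review(entries, ACTIVE_USERS).items():
        print(f"{finding}: {detail}")
    now = datetime.now(timezone.utc).isoformat()
    print("retention window covered:", covers_retention_window(entries, now))
```

The point of the retention check is that "retain logs for two years" is only satisfied if the oldest entry in the store is actually that old; a collector that rotates after ninety days will pass every other check here and still fail that one. The roster comparison is the cheapest form of the departure-revocation control: it turns a quarterly access review into something that runs on every log pull.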
Vulnerability and Patch Management
- Continuous monitoring for vulnerabilities in systems containing customer information
- Timely patching of critical and high-severity vulnerabilities (typically within 30 days)
- Penetration testing at least annually for firms holding more than 5,000 records, i.e. firms that do not qualify for the rule's exemption
The Written Information Security Program (WISP)
The WISP is the central document that your Qualified Individual maintains and the board reviews annually. A compliant WISP includes:
- Scope: what information and systems are covered
- Risk assessment findings and how risks are being managed
- Description of safeguards implemented (access controls, encryption, audit logging, patch management, incident response)
- Employee training program description
- Service provider management process
- Testing and monitoring procedures and schedule
- Incident response plan (can be a separate document referenced)
- Review/revision schedule and last review date
Penalty Exposure Without a WISP
The FTC has pursued enforcement actions against financial institutions — including small CPA firms and tax preparers — for failing to maintain a WISP. Civil penalties run up to $46,517 per violation (adjusted for inflation), plus 20-year consent decree monitoring. More significantly: following an IRS guidance update, tax preparers without a WISP risk IRS sanctions on top of FTC action.
Incident Response Plan Requirements
The Safeguards Rule requires a written incident response plan that addresses:
- Goals of the incident response program
- Internal processes for responding to security events
- Clear definition of what constitutes a security event (and a breach)
- Roles and responsibilities during an incident
- External communications process (affected individuals, regulators, law enforcement)
- Documentation requirements during and after an incident
- Post-incident evaluation and improvement process
Additionally, you must notify the FTC within 30 days of discovering a security breach involving customer information of 500 or more customers. This is a new requirement from the 2023 update that many firms have missed.
Service Provider Requirements: Your IT Provider Counts
The Safeguards Rule requires you to:
- Select service providers that maintain appropriate safeguards
- Require service providers to implement appropriate safeguards by contract
- Periodically monitor service providers' safeguards
This means your MSP's contract must specifically address their data protection obligations. A generic IT service agreement without security provisions doesn't satisfy this requirement. Ask your MSP for their security addendum or data processing agreement — and if they don't have one, that tells you something about their GLBA sophistication.
Frequently Asked Questions
Who is subject to the GLBA Safeguards Rule?
The FTC's Safeguards Rule applies broadly to "financial institutions" — including accounting firms, tax preparers, insurance agencies, mortgage brokers, real estate settlement services, and any business providing financial products or services to consumers. Many small professional service firms don't realize they're covered.
What is a Written Information Security Program (WISP) under the Safeguards Rule?
A WISP is the core compliance document documenting your information security program, including your designated Qualified Individual, risk assessment, implemented safeguards, testing procedures, service provider oversight, and incident response plan. The Qualified Individual must report to the board at least annually.
What are the FTC's penalties for Safeguards Rule violations?
Civil penalties run up to $46,517 per violation, plus potentially 20-year consent decree monitoring. State AG actions and class action litigation add to the exposure. For tax preparers, IRS sanctions are an additional risk.