GLBA for Small CPA Firms: The Minimum Viable Program That Still Passes Audits

Reality check
Small CPA firms do not get a free pass on GLBA. If you are significantly engaged in tax preparation or other financial services, you sit under the FTC’s Safeguards Rule (16 CFR Part 314). The Rule’s own list of examples of financial institutions includes entities that provide tax preparation services, which puts most CPA practices in scope by default.
Know your small-firm break
There is an exemption for firms that maintain customer information on fewer than 5,000 consumers. You still need a written security program, but you are exempt from four burdensome items: the formal written risk assessment criteria in §314.4(b)(1), continuous monitoring or the specific pen test plus six-month vulnerability scan cadence in §314.4(d)(2), a written incident response plan in §314.4(h), and the annual board or senior officer report in §314.4(i). Everything else still applies. If you blow off the rest, you will fail.
The minimum viable GLBA program for a small CPA firm
This is the lean build that passes scrutiny without turning your shop into a bank. Each control maps to the Safeguards Rule elements.
1) Appoint a Qualified Individual
Formally name a person to own the program. This can be you, a partner, or a vCISO service. Put it in writing and define authority. (Proactive Tech offers vCISO services)
2) Create a written WISP and a risk assessment
Write a concise Written Information Security Program that matches your size and systems. Include scope, roles, policies, and the controls listed below. Do a basic risk assessment that ranks your key risks and how each control mitigates them. Firms under 5,000 are exempt from the highly prescriptive risk assessment criteria in §314.4(b)(1), not from doing a risk assessment at all.
3) Inventory what matters
List data, people, devices, systems, and facilities that touch customer information. Keep it simple: client data locations, laptops and desktops, servers, cloud apps, and who has access. This satisfies §314.4(c)(2) and makes every other control easier.
4) Access control with least privilege and MFA

Lock down access to only what users need, review who has access on a schedule, and require MFA for any individual accessing any information system. The Rule allows a substitute only if the Qualified Individual has approved in writing a reasonably equivalent or more secure control, so if a legacy tax app cannot do MFA, document that approval rather than quietly skipping it. Document enforcement in Microsoft 365, your tax platforms, and your remote access tool.
5) Encrypt in transit and at rest

Encrypt end user devices with full-disk encryption, confirm that encryption at rest is enabled in your cloud apps, and require TLS for data in transit. The Rule requires encryption of customer information at rest and in transit; where that is infeasible, you may use effective compensating controls, but only if the Qualified Individual has reviewed and approved them.
6) Logging and monitoring at a sane level
Turn on platform logging and alerting for your core systems. Keep authentication, admin, and data access logs; §314.4(c)(8) requires you to monitor and log authorized user activity and detect unauthorized access regardless of firm size. You must also regularly test or otherwise monitor your controls. If you have fewer than 5,000 consumers, you are not forced to run annual pen tests and twice-yearly vulnerability scans, but you still need some monitoring and testing. A lightweight approach is a monthly log review that looks for successful sign-ins without MFA, bursts of failed logins against one account, and admin or role changes, plus a quarterly internal vulnerability scan. Keep the review output as evidence.
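To make the monthly log review concrete, here is an added example script (not part of the original article and not any vendor's tool) that runs the three checks above over constructed sign-in records. The column layout and the sample rows are assumptions for this example, not an actual export schema; map the field names to whatever your tenant or tax platform actually exports. Findings come back as data so the run can be saved as the month's review evidence.

```python
"""Monthly authentication-log review for a small firm's core systems.

Added example: reads constructed sign-in records (a simplified format that
is an assumption for this example, not a vendor export schema) and flags the
events a reviewer should look at: successful sign-ins that did not complete
MFA, failed-login bursts against one account, and privileged-role changes.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one row per authentication event.
SAMPLE_LOG = """\
timestamp,user,app,result,auth_requirement,ip,detail
2024-03-04T08:02:11Z,alice@firm.example,Microsoft 365,success,multiFactor,203.0.113.10,
2024-03-04T08:05:40Z,bob@firm.example,TaxPlatform,success,singleFactor,203.0.113.11,
2024-03-04T22:10:01Z,carol@firm.example,Microsoft 365,failure,singleFactor,198.51.100.7,bad password
2024-03-04T22:10:09Z,carol@firm.example,Microsoft 365,failure,singleFactor,198.51.100.7,bad password
2024-03-04T22:10:15Z,carol@firm.example,Microsoft 365,failure,singleFactor,198.51.100.7,bad password
2024-03-04T22:10:22Z,carol@firm.example,Microsoft 365,failure,singleFactor,198.51.100.7,bad password
2024-03-04T22:10:30Z,carol@firm.example,Microsoft 365,failure,singleFactor,198.51.100.7,bad password
2024-03-04T22:11:02Z,carol@firm.example,Microsoft 365,success,multiFactor,198.51.100.7,
2024-03-05T09:30:00Z,admin@firm.example,Microsoft 365,success,multiFactor,203.0.113.10,role added: Global Administrator to bob@firm.example
2024-03-06T10:00:00Z,bob@firm.example,RemoteAccess,success,multiFactor,203.0.113.11,
"""

FAILURE_THRESHOLD = 5              # failures per account within the window
FAILURE_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse CSV text into dicts and attach a real datetime under 'ts'."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return rows


def find_single_factor_success(rows):
    """Successful sign-ins that did not complete MFA: an enforcement gap."""
    return [r for r in rows
            if r["result"] == "success" and r["auth_requirement"] != "multiFactor"]


def find_failure_bursts(rows):
    """Accounts with >= FAILURE_THRESHOLD failures inside FAILURE_WINDOW.

    Also records whether a success for that account followed the last failure
    of the burst within the window: that pattern suggests a guessed password
    (and then either MFA held, or the attacker also had the second factor).
    """
    by_user = defaultdict(list)
    for r in rows:
        if r["result"] == "failure":
            by_user[r["user"]].append(r["ts"])
    bursts = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):           # sliding window over failures
            while times[end] - times[start] > FAILURE_WINDOW:
                start += 1
            if end - start + 1 >= FAILURE_THRESHOLD:
                last_failure = times[end]
                success_after = any(
                    r["user"] == user and r["result"] == "success"
                    and timedelta(0) <= r["ts"] - last_failure <= FAILURE_WINDOW
                    for r in rows)
                bursts[user] = {"failures": end - start + 1,
                                "success_within_window": success_after}
    return bursts


def find_privileged_changes(rows):
    """Events whose detail field records a role assignment."""
    return [r for r in rows if r["detail"].lower().startswith("role added")]


def monthly_review(text):
    """Run all checks and return a summary suitable for the evidence binder."""
    rows = parse_log(text)
    return {
        "events_reviewed": len(rows),
        "single_factor_success": [(r["user"], r["app"])
                                  for r in find_single_factor_success(rows)],
        "failure_bursts": find_failure_bursts(rows),
        "privileged_changes": [r["detail"] for r in find_privileged_changes(rows)],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(monthly_review(SAMPLE_LOG), indent=2))
```

On the sample data the review flags bob's single-factor sign-in to the tax platform (an MFA gap to fix or to cover with a written QI approval), carol's five failures in under a minute followed by a successful MFA sign-in (worth a phone call to confirm it was her), and the Global Administrator assignment (check it against a change ticket). Dating and filing that output each month is the "what you do instead" evidence for §314.4(d)(1).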
7) Change management, software security, and patching
Adopt simple change procedures, patch monthly, and test changes that touch client data. If you build or buy apps that handle customer info, assess their security. That is explicitly required.
8) Data retention and secure disposal
Write a retention schedule. Purge client data you no longer need, and have a process to securely dispose of customer information no later than two years after the last date it was used to serve the client, unless it is still needed for legitimate business purposes, retention is required by law or regulation, or targeted disposal is not feasible because of how the data is stored (§314.4(c)(6)). Document which of those reasons applies when you keep something longer. Review and minimize stored data quarterly.
9) Employee security training
Train everyone annually on phishing, secure handling of client data, acceptable use, and incident reporting. Track completion. The Rule requires security awareness and keeping personnel current.
10) Vendor management that is not theater

List all service providers that touch customer information. For each, keep the contract clause that requires safeguards, review a security attestation or SOC report yearly, and document your assessment.
11) Incident handling and breach notification

If you hold information on fewer than 5,000 consumers, you are not required to keep a formal written incident response plan. Keep one anyway. It speeds decision making and calms auditors. You also have a legal duty under §314.4(j): if an incident results in unauthorized acquisition of unencrypted customer information for 500 or more consumers, you must notify the FTC as soon as possible and no later than 30 days after discovery. Note that the Rule treats encrypted data as unencrypted if the encryption key was also accessed by an unauthorized person, so laptop encryption only protects you on this point if the key or passphrase was not taken too. State breach notification laws apply on top of this and often have their own clocks.
12) Reporting to leadership
Firms under the 5,000 consumer threshold are exempt from the annual board or senior officer report. If you are close to the threshold or have partners who want proof, produce a one-page summary once a year that covers risk, incidents, testing, vendor status, and program changes. It pays off during audits.
The artifacts auditors actually ask for
- Designation letter or memo naming the Qualified Individual, including authority and reporting line.
- WISP document with scope, roles, policies, and control mappings to §314.4.
- Risk assessment with a risk register and treatment decisions. Note your small-firm exemption for §314.4(b)(1) if applicable.
- Asset and data inventory, including where client data lives and who can access it.
- Access control reports, MFA enforcement screenshots, and user access review sign-offs.
- Encryption settings and device compliance reports.
- Logging and monitoring evidence, alert runbooks, and testing or scan results. If exempt from §314.4(d)(2), show what you do instead.
- Vendor list with contracts that include safeguard language and your last review notes.
- Training curriculum and completion records.
- Incident playbook and breach notification workflow that references the §314.4(j) trigger: 500 or more consumers, unencrypted data, 30 days from discovery.
90-day build plan for a two-to-ten person CPA firm
Days 1 to 15
- Appoint the Qualified Individual and publish a one-page charter.
- Draft the WISP skeleton. Drop in policy stubs for access, encryption, data retention, vendor management, and training.
- Run a two-hour workshop to complete the asset and data inventory.
Days 16 to 45
- Complete the risk assessment. Record top ten risks with treatments. Note the §314.6 exemptions if you qualify.
- Enforce MFA everywhere, turn on device encryption, and reduce admin rights.
- Turn on logging in your core tools and document how you review alerts.
- Review vendor contracts and add safeguard clauses if missing.
Days 46 to 75
- Publish the retention schedule and disposal procedure. Purge one high-risk data store.
- Roll out annual training and phishing simulations. Track completion.
- Write a short incident playbook even if you are exempt. Include the 30-day FTC trigger for 500 or more consumers.
Days 76 to 90
- Run a table-top exercise. Fix gaps.
- Assemble the audit evidence binder with the artifacts listed above.
Common fail points that sink small firms
- “We are too small” as a control. Size does not remove the Rule.
- No inventory, so no one knows where client data actually is.
- MFA not enforced on tax and email platforms.
- No encryption on laptops that leave the office.
- Vendors touching client data without contracts that require safeguards.
- No logging, no reviews, and no proof of testing. Exemption from §314.4(d)(2) is not exemption from §314.4(d)(1).
- No plan for breach notification timelines. The 30-day clock is real for 500 or more consumers.
Bottom line
You can pass a GLBA audit with a lean program if you hit the actual Rule elements and use the small-firm exemptions correctly. Name a real owner. Write a right-sized WISP and risk assessment. Enforce MFA and encryption. Turn on logs and review them. Lock down vendors. Train people. Keep a simple evidence binder. If you try to wing it with verbal policies or a binder full of nothing, you will fail.
