Most accounting firms in Montana already know they need to protect client data. The problem is that many firms still assume cybersecurity compliance only applies to larger practices with dedicated IT teams.
It doesn’t.
If your firm handles taxpayer information, payroll records, bank account data, or financial statements, federal law likely requires you to maintain a formal information security program and a written security plan. That includes solo CPAs, seasonal tax preparers, bookkeeping firms, and multi-office accounting practices.
For Montana accountants, two terms matter most:
- The FTC Safeguards Rule
- A WISP (Written Information Security Plan)
They’re closely connected, but they are not the same thing.
The FTC Safeguards Rule is the federal requirement.
A WISP is the written document that demonstrates how your firm complies with that requirement.
Here’s what Montana accounting firms need to know.
What Is the FTC Safeguards Rule?
The FTC Safeguards Rule is a federal cybersecurity and data protection rule created under the Gramm-Leach-Bliley Act (GLBA).
The rule requires financial institutions to protect customer information through a formal security program. Tax and accounting firms fall under the FTC’s definition of a financial institution because they handle sensitive financial and taxpayer data.
If your firm works with:
- Social Security numbers
- tax returns
- payroll records
- bank account information
- EINs
- financial statements
…the rule likely applies to you.
Firm size does not exempt you.
The FTC and IRS both make it clear that the requirements apply to firms of all sizes, including:
- solo CPAs
- bookkeeping offices
- seasonal tax preparers
- payroll providers
- enrolled agents
- larger accounting firms
The safeguards expected from a one-person office may look different from those expected of a 40-person CPA firm, but the obligation still exists.
What the FTC Safeguards Rule Requires
The rule requires firms to build and maintain a formal information security program.
That includes several key areas.
Designate Someone Responsible for Security
The FTC requires a “qualified individual” to oversee your information security program.
For many small Montana firms, that may simply be:
- the owner
- an office manager
- an outsourced IT provider
The important part is that someone is clearly responsible for managing cybersecurity policies, safeguards, and response procedures.
Perform a Risk Assessment
Your firm needs to identify:
- where client data is stored
- how it could be exposed
- what protections are currently in place
Common risks for accounting firms include:
- phishing emails
- weak passwords
- unsecured remote work
- compromised email accounts
- unencrypted laptops
- insecure client portals
A proper risk assessment helps determine where your biggest vulnerabilities exist before they turn into incidents.
Implement Security Safeguards
The FTC expects firms to implement reasonable protections for client data.
That commonly includes:
- multi-factor authentication (MFA)
- encryption
- secure backups
- antivirus and endpoint detection
- firewalls
- access controls
- employee cybersecurity training
The IRS has strongly emphasized MFA in recent guidance for tax professionals.
If your accounting software, email, or remote access tools still rely only on passwords, that’s a major concern.
For reference, the FTC’s Safeguards Rule overview is available here:
https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act
Monitor Vendors and Third Parties
Many accounting firms rely heavily on cloud platforms and outsourced providers.
That may include:
- QuickBooks Online
- tax preparation software
- payroll systems
- cloud storage providers
- managed IT companies
The FTC expects firms to ensure those vendors also maintain reasonable security protections.
Using a third-party platform does not transfer your compliance responsibility.
Create an Incident Response Plan
If ransomware hits your office tomorrow, what happens next?
The FTC expects firms to maintain documented procedures for:
- ransomware attacks
- stolen devices
- hacked email accounts
- data breaches
- business continuity
Many smaller firms have backups but no actual response process. That becomes a serious problem during an active incident.
Understand Breach Reporting Requirements
Certain breaches affecting 500 or more consumers may require FTC notification within 30 days.
Montana also has its own state breach notification laws that may apply separately.
The Montana Department of Justice outlines state breach notification requirements here:
https://dojmt.gov/consumer/data-breach-notification/
Firms often discover during a cyber incident that they are legally required to document, investigate, and report the event far faster than expected.
What Is a WISP?
A WISP is a Written Information Security Plan.
This is the actual written document that outlines your firm’s cybersecurity program and security policies.
The FTC Safeguards Rule requires firms to maintain one, and the IRS repeatedly reminds tax professionals that this requirement applies to them.
A WISP documents:
- your policies
- security safeguards
- employee procedures
- vendor oversight
- incident response process
- data protection standards
In practical terms, your WISP answers this question:
“Show us how your firm protects taxpayer information.”
What Should Be Included in a WISP?
A solid WISP for a Montana accounting firm typically includes the following sections.
Firm Information
Basic details about:
- firm locations
- responsible personnel
- systems used
- business operations
Risk Assessment
Documentation of:
- what data you collect
- where it is stored
- major security threats
- identified vulnerabilities
Technical Safeguards
This section outlines protections such as:
- MFA requirements
- password policies
- encryption standards
- antivirus/EDR
- backup procedures
- secure Wi-Fi standards
Administrative Safeguards
Policies covering:
- employee onboarding and offboarding
- cybersecurity training
- remote work procedures
- acceptable use policies
- account access management
Physical Safeguards
Security controls for physical environments, including:
- locked file cabinets
- office access restrictions
- clean desk policies
- device protection
Incident Response Procedures
Your documented process for:
- responding to cyber incidents
- containing breaches
- contacting vendors or law enforcement
- notifying affected parties
Vendor Oversight
Documentation showing how you evaluate:
- cloud software providers
- payroll platforms
- IT vendors
- contractors handling client information
Review and Update Procedures
A WISP should not be written once and forgotten.
It should be reviewed regularly and updated as:
- systems change
- employees change
- threats evolve
- software platforms change
IRS Guidance for Tax Professionals
The IRS has heavily promoted WISP compliance through:
- IRS Publication 4557
- IRS Publication 5708
- Security Summit guidance
IRS Publication 5708 specifically includes a sample WISP template designed for tax and accounting firms.
You can download IRS Publication 5708 here:
https://www.irs.gov/pub/irs-pdf/p5708.pdf
IRS Publication 4557 is available here:
https://www.irs.gov/pub/irs-pdf/p4557.pdf
The IRS has stated directly that maintaining a WISP is required by law for firms handling taxpayer information.
Many firms are surprised to learn that the IRS views cybersecurity compliance as part of overall tax preparer due diligence.
The Most Common Misconception
The biggest misunderstanding among smaller accounting firms is simple:
“We’re too small to be targeted.”
Unfortunately, small firms are often targeted precisely because attackers assume security controls are weaker.
A one-person tax office still stores:
- Social Security numbers
- tax returns
- payroll information
- bank details
That data is valuable.
Even a solo practitioner in Montana is expected to:
- maintain a WISP
- use reasonable safeguards
- protect taxpayer information
The safeguards scale with your firm size, but the legal obligation does not disappear.
What Compliance Might Look Like for a Small Montana CPA Firm
A smaller accounting office does not need an enterprise-level cybersecurity department to improve compliance significantly.
A well-managed small firm might have:
- a written WISP document
- MFA enabled everywhere possible
- encrypted laptops
- a secure client portal
- cyber liability insurance
- annual employee security training
- documented backup procedures
- a breach response checklist
That alone places many small firms ahead of where they are today.
Risks of Ignoring the FTC Safeguards Rule
Ignoring compliance requirements creates more than just cybersecurity risk.
Potential consequences include:
- FTC investigations
- IRS compliance issues
- EFIN complications
- state breach liability
- lawsuits
- cyber insurance claim denials
- reputational damage
For many firms, the operational disruption after a ransomware event becomes more damaging than the ransom itself.
A Simple Way to Think About It
| Term | Meaning |
|---|---|
| FTC Safeguards Rule | The federal cybersecurity compliance rule |
| WISP | Your written plan proving compliance |
| IRS Publication 5708 | IRS sample/template for creating a WISP |
| GLBA | The federal law behind the rule |
Best Next Steps for Montana Accounting Firms
A practical starting point looks like this:
- Download IRS Publication 5708
- Create or update your WISP
- Implement MFA across email and critical systems
- Train employees annually
- Review vendors and security practices
- Update the WISP every year
Many firms already have some of these protections in place. The gap is usually documentation, consistency, and ongoing oversight.
The IRS Security Summit also provides ongoing cybersecurity recommendations for tax professionals:
https://www.irs.gov/newsroom/security-summit
Where First Call Can Help
Most accounting firms did not get into the business to manage cybersecurity compliance.
The challenge is that compliance, cybersecurity, cyber insurance requirements, and client expectations are now tightly connected.
That’s where a managed IT partner becomes valuable.
First Call works with businesses throughout Montana to help implement practical cybersecurity protections, improve compliance readiness, and reduce operational risk. That includes helping firms:
- implement MFA and endpoint protection
- secure remote work environments
- improve backup and recovery systems
- strengthen email security
- support WISP implementation efforts
- train employees on cybersecurity risks
- build incident response processes
For many smaller accounting firms, outsourced IT support also fulfills the practical role of the “qualified individual” responsible for managing cybersecurity oversight under the FTC Safeguards Rule.
If your firm is unsure where its current security posture stands, talking with an experienced managed IT provider is a practical next step.