The Qualified Individual

PODCAST · education

The Qualified Individual is a micro-podcast for managing partners at small and mid-sized CPA firms navigating data security compliance. Hosted by Daniel Chang, author of The Governance Gap, each 8-12 minute episode tackles multiple real issues (cyber insurance gaps, FTC Safeguards requirements, MSP oversight, access controls, and AI governance) and delivers practical, jargon-free guidance on what to do about them. Visit TheQualifiedIndividual.com.

  1. 11

    The Microsoft 365 Coverage Gap Nobody Talks About

    Most CPA firms use Microsoft 365 for email and collaboration, and most firms assume they understand their data security there. But Microsoft's default settings leave significant gaps—particularly around shared mailboxes, file sharing, and recovery. We're breaking down what M365 does and doesn't do, and what controls your firm needs to add.

  2. 10

    Tax Season Is Hacker Season

    Tax season brings volume, pressure, and fatigue—exactly when hackers strike. From phishing attacks targeting busy staff to stolen credentials accessing dormant systems, tax time is peak season for breaches. Here's how to prepare your firm's security culture and controls to survive the busiest time of year.

  3. 9

    Why Your Biggest Clients Are About to Start Asking Questions

    Your largest clients are increasingly asking about your security practices—how you protect their data, what controls you have, whether you meet compliance standards. We're talking about what these client security questionnaires are really asking, why they're becoming standard, and what it means for your firm's compliance.

  4. 8

    The Intern Who Still Has Access to Everything

    Offboarding is how most breaches actually start—not with external hackers, but with former employees or contractors who kept their access. We're talking about why access removal is harder than it sounds, what gets missed, and the framework for making sure that when someone leaves, their doors actually close.

  5. 7

    Your MSP Isn't Your Security Program

    Many CPA firms rely on their Managed Service Provider for security. But an MSP handles servers and systems—not your security program. We're breaking down what an MSP does, what they don't do, and why your firm still needs a documented, independent security program even if your IT is completely outsourced.

  6. 6

    What Happens in the First 48 Hours After a Breach

    When a breach happens, the first two days matter more than everything that comes after. You need to know: how to detect it, who to call first, what to preserve, and how to communicate both internally and with authorities. We're walking through the incident response framework and the practical steps that keep a small situation from becoming a firm-threatening crisis.

  7. 5

    The One Person the FTC Says You Must Have

    The Safeguards Rule now requires you to designate a Qualified Individual to oversee your security program. Who should this person be? What do they actually need to do? And what happens if you don't have one? We're breaking down the role and how it works in practice at a small to mid-sized firm.

  8. 4

    You're a Financial Institution (And You Probably Didn't Know It)

    The FTC classified CPA firms as financial institutions under the Safeguards Rule. What does that mean? It means new compliance obligations, specific security requirements, and if you get it wrong, substantial penalties. Here's what you need to know about the rule, how it applies to you, and what your first steps should be.

  9. 3

    Your Cyber Insurance Might Not Pay. Here's Why.

    Most CPA firms think their cyber insurance will cover a breach. It won't—at least not the way they think it will. We're breaking down why policies deny claims, how sublimits shrink your actual coverage, and what you need to do before disaster strikes to make sure you're protected when it matters most.

HOSTED BY

The Qualified Individual
