IT News from SNH

Weekly Tech Updates

Navigating the complexities of today's IT landscape can be daunting. Whether you're a small business owner grappling with data security, a medium-sized company aiming to streamline its IT infrastructure, or a large corporation looking for custom solutions, we've got you covered. Our team of highly skilled, Santa Rosa Beach-based IT professionals is always on hand to offer the best-in-class IT services that your business deserves.

You can learn more about managing IT services with regular industry updates, best practices, cybersecurity tips, and much more. The goal is to help you make informed decisions about your technology investments. In addition, we highlight how our services can specifically help businesses in Walton County stay competitive and secure.

As your local IT company, we're not just technology experts; we’re experts in understanding the unique IT needs of local businesses like yours. Our knowledge is informed by the area business climate and specific needs of companies on 30A-Santa Rosa Beach-Panama City Beach. Here you’ll find tailored solutions to help you maximize productivity, efficiency, and security, ensuring your technology infrastructure grows with your business.

Be sure to subscribe for regular updates on all things IT. We're excited to be your go-to resource for managed IT services in Santa Rosa Beach. With a wealth of local experience and expertise, you can trust us to keep your business at the cutting edge of technology. As a local company, we're proud to be part of the 30A-Santa Rosa Beach community and are dedicated to helping area businesses like yours thrive in the modern digital world.

At SNH Technologies, we're more than just an IT company - we're your local IT partner. Remember, when it comes to IT consulting in Santa Rosa Beach and the Florida panhandle, think local, think SNH Technologies.

Florida CPA Firms: Is Your Client Data Protected?

Florida CPA firms, tax preparers, bookkeepers, payroll companies, wealth advisors, and financial offices handle some of the most sensitive client information a business can hold.

Tax returns. Social Security numbers. Bank accounts. Payroll data. Investment records. Business financials. Estate documents. Loan applications. Copies of IDs. Client portals. Email attachments. Cloud files.

That information is exactly what cybercriminals want.

For Florida accounting and financial firms, cybersecurity is no longer just a best practice. In many cases, it is a compliance requirement under the FTC Safeguards Rule, part of the Gramm-Leach-Bliley Act, commonly called GLBA.

The FTC Safeguards Rule requires covered financial institutions to develop, implement, and maintain safeguards to protect customer information. The FTC has also updated the rule in recent years to make requirements more specific and to add certain breach reporting requirements.

For small and midsize firms, the challenge is simple:

You may be expected to protect client data like a regulated financial institution, even if you do not think of your business that way.

Why This Matters for Florida CPA Firms and Financial Offices

Florida has thousands of small professional firms serving retirees, real estate investors, business owners, medical practices, contractors, nonprofits, and high-net-worth individuals.

That makes Florida CPA firms and financial offices attractive targets for phishing, wire fraud, ransomware, tax identity theft, and email compromise.

This is especially important for firms that provide:

  • Tax preparation

  • Bookkeeping

  • Payroll services

  • Fractional CFO services

  • Wealth management

  • Financial planning

  • Loan or financing support

  • Estate and trust-related financial work

  • Business advisory services

  • Client portal access

  • Document collection and storage

Even a small office can hold years of sensitive client records. If that data is exposed, lost, encrypted by ransomware, or accessed through a compromised email account, the damage can be serious.

What Is the FTC Safeguards Rule?

The FTC Safeguards Rule requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure. Covered companies are also responsible for taking steps to ensure that affiliates and service providers protect customer information they handle.

The term “financial institution” is broader than many business owners expect. It can include companies that are significantly engaged in financial activities, which may include tax preparers and certain financial service providers. The IRS also states that federal law gives the FTC authority to set data safeguard regulations for entities including professional tax return preparers.

For Florida CPA firms, tax preparers, and financial offices, this means cybersecurity needs to be more than a password policy and antivirus software.

It should be a documented information security program.

What Does the FTC Safeguards Rule Require?

The FTC explains that the Safeguards Rule is designed to be flexible, but the updated rule gives more concrete guidance for businesses. The rule requires covered companies to develop, implement, and maintain an information security program appropriate to their size, complexity, activities, and the sensitivity of the customer information they handle.

In practical terms, firms should be prepared to address areas such as:

  • Written information security program

  • Qualified individual responsible for the program

  • Risk assessment

  • Access controls

  • Data inventory and classification

  • Encryption

  • Secure development and change management

  • Multi-factor authentication

  • Logging and monitoring

  • Secure disposal of customer information

  • Vendor and service provider oversight

  • Employee security training

  • Incident response planning

  • Regular testing and evaluation

  • Board or leadership reporting, where applicable

For many small firms, this sounds overwhelming. But most of the work starts with understanding where client data lives and then putting reasonable, documented controls around it.

The WISP: Your Written Information Security Plan

One of the most important pieces of Safeguards Rule readiness is a Written Information Security Plan, often called a WISP.

A WISP documents how your firm protects customer information. It should not be a generic template that sits in a folder and never gets used. It should reflect your actual systems, vendors, users, workflows, and risks.

A practical WISP for a Florida CPA or financial office should include:

  • What types of client information the firm collects

  • Where client data is stored

  • Who has access to client data

  • How access is approved and removed

  • What systems are protected by MFA

  • How devices are secured

  • How email and file sharing are controlled

  • How backups are handled

  • How vendors are reviewed

  • How employees are trained

  • What happens during a cyber incident

  • How the plan is reviewed and updated

The IRS also encourages tax professionals to protect taxpayer data and notes that tax return preparers must create and enact security plans to protect client data.

Why Microsoft 365 Security Matters

Many Florida accounting firms and financial offices rely on Microsoft 365 for email, Teams, OneDrive, SharePoint, calendars, and client communications.

That does not automatically mean the environment is secure.

Microsoft 365 needs to be configured correctly. Otherwise, client data may be exposed through weak passwords, risky sharing links, compromised email accounts, personal devices, old employee accounts, or unmonitored access.

Important Microsoft 365 security controls include:

  • Multi-factor authentication for all users

  • Conditional access policies

  • Strong admin account protection

  • Secure SharePoint and OneDrive sharing settings

  • Email phishing protection

  • Audit logging

  • Device compliance policies

  • Mobile app controls

  • Data loss prevention

  • Proper user onboarding and offboarding

  • Retention and archiving rules

  • Backup and recovery planning

For firms using Microsoft 365, one of the most important questions is:

Could a stolen password give someone access to client tax records, financial documents, or email attachments?

If the answer is yes, the firm has work to do.

AI Security Is Now Part of Client Data Protection

AI tools can help CPA firms and financial offices work faster. Staff may use AI to summarize documents, rewrite emails, analyze spreadsheets, draft client responses, prepare internal notes, or review financial language.

But AI creates a new risk: sensitive client data may be pasted, uploaded, or processed in tools the firm does not control.

For Florida CPA firms, bookkeepers, and financial advisors, AI security should be part of the firm’s written security program.

Your firm should know:

  • Are employees allowed to use public AI tools?

  • Can staff paste tax data, payroll data, or client financials into AI?

  • Does the AI tool train on submitted information?

  • Where is the data stored?

  • Can the firm control retention and deletion?

  • Are browser extensions or AI meeting tools capturing client information?

  • Are AI-generated summaries reviewed for accuracy?

  • Is there a written AI use policy?

The safest approach is not to ban every AI tool blindly. It is to define which tools are approved, what data may be used, and what information is prohibited.

A simple rule is a good place to start: Do not enter client tax, financial, payroll, identity, or confidential business information into unapproved AI tools.

Common Security Gaps in CPA and Financial Offices

Many firms are not ignoring security. They are simply relying on informal processes that do not hold up well under real-world threats.

Common gaps include:

  • No written information security plan

  • No complete inventory of where client data is stored

  • MFA not enabled for every user

  • Shared passwords

  • Personal email used for client documents

  • Client files stored on desktops or local folders

  • Former employees still having access

  • Unrestricted OneDrive or SharePoint sharing

  • No secure client portal

  • Weak backup strategy

  • No incident response plan

  • No vendor review process

  • Employees using unapproved AI tools

  • No regular security training

  • No documentation for cyber insurance questions

These gaps are fixable. The key is to move from informal habits to documented, repeatable controls.

What Counts as Customer Information?

For accounting and financial offices, customer information may include any nonpublic personal information handled in connection with financial services.

That can include:

  • Tax returns

  • W-2s and 1099s

  • Social Security numbers

  • Dates of birth

  • Bank account information

  • Payroll records

  • Investment records

  • Loan documents

  • Business financial statements

  • Copies of driver’s licenses or passports

  • Estate and trust documents

  • Client portal documents

  • Email attachments

  • Scanned files

  • Archived records

Do not assume data is safe just because it is old. Many firms retain years of historical tax and financial records, which can still be valuable to criminals.

Vendor Management Is Part of Compliance

The FTC Safeguards Rule also expects covered businesses to take steps to ensure service providers protect customer information.

For a CPA or financial office, vendors may include:

  • Tax software providers

  • Payroll platforms

  • Client portals

  • Document management systems

  • Cloud storage providers

  • Payment processors

  • IT providers

  • Backup vendors

  • Phone and communication platforms

  • E-signature platforms

  • AI tools

  • Marketing platforms with client data

  • Remote access tools

Your firm should know which vendors touch client information, what security controls they provide, and whether they are appropriate for the sensitivity of the data.

Breach Reporting and Incident Response

The FTC added breach notification requirements to the Safeguards Rule in 2023, and those requirements took effect in May 2024. The FTC says covered financial institutions must report certain data breaches and security incidents involving customer information.

That makes incident response planning even more important.

Your firm should know what to do if:

  • An email account is compromised

  • A laptop is lost or stolen

  • A staff member clicks a phishing link

  • Ransomware encrypts files

  • A vendor reports a breach

  • Client data is accidentally shared

  • An AI tool is used improperly

  • A former employee still has access

  • Backup recovery fails

During an incident, confusion costs time. A written response plan gives your firm a starting point before emotions and urgency take over.

Cyber Insurance Is Asking Harder Questions

Cyber insurance applications increasingly ask detailed questions about MFA, backups, endpoint protection, encryption, administrator access, employee training, incident response plans, and vendor management.

A firm may be asked whether:

  • MFA is enabled for email and remote access

  • Backups are encrypted and tested

  • Endpoint detection is installed

  • Users receive security training

  • Admin accounts are limited

  • A written security policy exists

  • Client data is encrypted

  • A formal incident response plan exists

If your answers are unclear or undocumented, coverage may become more expensive or more limited.

A compliance-focused MSP can help your firm document controls before insurance renewal, not after a claim.

What Florida Firms Should Do First

If your CPA firm, bookkeeping business, tax office, or financial advisory firm is unsure where to start, begin with these steps:

  1. Identify where client information lives.

  2. Confirm MFA is enabled for every account.

  3. Review Microsoft 365 sharing and admin settings.

  4. Remove former employee access.

  5. Encrypt laptops and mobile devices.

  6. Confirm backups are secure and tested.

  7. Create or update your WISP.

  8. Train employees on phishing and data handling.

  9. Review vendors that access client information.

  10. Create an AI usage policy.

  11. Document your incident response process.

  12. Build a practical security roadmap.

You do not have to fix everything in one week. But you do need to stop guessing.

How an MSP Helps With the FTC Safeguards Rule

A managed service provider can help CPA firms and financial offices turn compliance requirements into practical technology controls.

For Florida firms, MSP support may include:

  • Microsoft 365 security hardening

  • MFA and conditional access

  • Endpoint detection and response

  • Secure backups

  • Device encryption

  • Patch management

  • Email security

  • User onboarding and offboarding

  • Secure file sharing

  • Vendor coordination

  • AI policy support

  • Cyber insurance readiness

  • WISP support

  • Incident response planning

  • Documentation and reporting

The goal is not to make your CPA, bookkeeper, or financial advisor become a cybersecurity expert.

The goal is to create a safer, more reliable environment for client data.

FTC Safeguards Rule Support for Florida CPA and Financial Firms

SNH Technologies is based in Santa Rosa Beach, Florida, and supports professional and regulated businesses across Northwest Florida and beyond.

For CPA firms, tax preparers, bookkeepers, financial offices, payroll companies, and professional service firms, cybersecurity requirements can quickly become part of doing business.

SNH Technologies helps Florida businesses with:

  • Managed IT support

  • Microsoft 365 security

  • Cybersecurity planning

  • Backup and disaster recovery

  • Endpoint protection

  • Security awareness training

  • AI usage policy support

  • Cyber insurance readiness

  • Compliance-focused IT roadmaps

  • Documentation and technology standards

Whether your firm is in Santa Rosa Beach, Destin, Panama City Beach, Pensacola, Fort Walton Beach, Tallahassee, Jacksonville, Tampa, Orlando, or elsewhere in Florida, protecting client information should be part of your operating plan.

Florida CPA firms and financial offices hold highly sensitive client information. That makes them attractive targets for cybercriminals and subject to growing expectations around cybersecurity, documentation, and vendor oversight.

The FTC Safeguards Rule is not just a technical checklist. It is a reminder that client data protection must be planned, documented, tested, and maintained.

If your firm is not sure whether your current IT setup supports your compliance obligations, now is the time to find out.

Work With a Florida MSP That Understands Regulated Businesses

SNH Technologies helps Florida CPA firms, financial offices, and other regulated businesses strengthen cybersecurity, secure Microsoft 365, protect backups, develop practical technology roadmaps, and reduce compliance risk.

If your firm needs help understanding where client data lives, how secure your Microsoft 365 environment is, or whether your team is using AI safely, SNH can help.

FAQ: FTC Safeguards Rule, CPA Cybersecurity, and Florida Financial Office IT

What is the FTC Safeguards Rule?

The FTC Safeguards Rule requires covered financial institutions to maintain safeguards that protect customer information. It also requires companies to take steps to ensure service providers safeguard customer information in their care.

Does the FTC Safeguards Rule apply to CPA firms?

It may. CPA firms, tax preparers, and certain financial service providers may be considered covered financial institutions depending on the services they provide and the customer information they handle. The IRS notes that FTC safeguard regulations apply to entities including professional tax return preparers.

Do tax preparers need a written information security plan?

Yes. The IRS states that tax return preparers must create and enact security plans to protect client data. A written information security plan, often called a WISP, helps document how the firm protects customer information.

What IT controls do CPA firms need for the FTC Safeguards Rule?

Common controls include MFA, access controls, encryption, secure backups, endpoint protection, risk assessment, employee training, vendor oversight, incident response planning, logging, monitoring, and secure disposal of customer information.

Is Microsoft 365 enough for FTC Safeguards Rule compliance?

Microsoft 365 can support a secure environment, but it must be properly configured and managed. MFA, conditional access, audit logging, secure sharing, device management, backup, and admin controls are all important.

Can CPA firms use AI tools with client data?

CPA firms should be very careful with AI tools. Client tax records, Social Security numbers, payroll data, financial statements, and confidential business information should not be entered into unapproved AI tools. Firms should create a written AI usage policy.

What should be included in a CPA firm WISP?

A CPA firm WISP should document the firm’s risk assessment, security controls, data storage locations, user access rules, vendor oversight, employee training, incident response plan, backup strategy, and process for reviewing and updating the program.

Do Florida CPA firms need cybersecurity training?

Yes. Employee training is one of the most practical ways to reduce phishing, email compromise, wire fraud, and accidental data exposure. Training should be repeated regularly and tailored to the firm’s real workflows.

Can an MSP help with FTC Safeguards Rule readiness?

Yes. An MSP can help secure Microsoft 365, implement MFA, manage endpoints, review backups, document controls, support WISP development, create AI usage policies, and build a cybersecurity roadmap.

Does SNH Technologies support CPA firms and financial offices in Florida?

Yes. SNH Technologies is based in Santa Rosa Beach, Florida, and supports CPA firms, financial offices, and regulated businesses across Northwest Florida and the broader Florida market.