Security · compliance · AI automation · built for CPA firms

Your clients trust you with everything. Attackers are counting on it.

Double Rule is a managed security practice built around CPA firms. Safeguards Rule compliance, adversarial testing, managed infrastructure, and AI-driven automation. One firm, one relationship, everything your security program needs to actually work.

Mapped to FTC Safeguards Rule & IRS Pub 4557 · no obligation

The compliance ledger

What federal law already expects of your firm.

These are not best practices. They are existing legal requirements for firms that handle taxpayer and client financial data. Most firms, reviewed honestly, cannot check these boxes today.

Schedule of required safeguards · as of current period
Requirement Source Typical firm With Double Rule
Written Information Security Plan (WISP), maintained and currentFTC Safeguards Rule / GLBA✗ missing or template✓ authored & maintained
Designated qualified individual accountable for the security program16 CFR 314.4(a)✗ nobody named✓ role supported
Written risk assessment, revisited on a schedule16 CFR 314.4(b)✗ never performed✓ performed annually
Multi-factor authentication on systems holding client data16 CFR 314.4(c)✗ partial at best✓ enforced everywhere
Encryption of client data at rest and in transit16 CFR 314.4(c)✗ unverified✓ verified & documented
Oversight of service providers with access to client data16 CFR 314.4(f)✗ informal✓ vendor register kept
Security awareness training for all personnel, including seasonal staff16 CFR 314.4(e)✗ ad hoc✓ scheduled & tracked
Written incident response plan the partners have actually rehearsed16 CFR 314.4(h)✗ doesn't exist✓ written & exercised
Annual reporting on the program to owners / governing body16 CFR 314.4(i)✗ never delivered✓ delivered each year

And one more, hiding in plain sight: every PTIN renewal now requires preparers to attest to their data security responsibilities, and IRS Publication 4557 makes clear the agency expects a written security plan. When you check that box without a real program behind it, you're signing an attestation you can't support. A position no CPA would let a client take.

Not sure how many of these boxes your firm can honestly check? A 30-minute scoping call will tell you.

Get in touch
Scope of services

Four pillars. One accountable firm.

We've assessed enough CPA firms to know that the problems are consistent, the attack surface is predictable, and the compliance gaps repeat. That's why we've turned this into a subscription: not because it's simpler for us, but because we've done this enough to know exactly what your firm needs and how to deliver it month over month.

01 · Comply

The Safeguards Program

Your entire regulatory posture, authored and maintained. Not downloaded from a template mill.

  • WISP authored for your firm, updated as your firm changes
  • Full FTC Safeguards Rule program buildout (16 CFR 314)
  • IRS Pub 4557 & Security Six alignment
  • Written annual risk assessment
  • Incident response plan + breach notification playbook
  • Qualified-individual support & annual owner reporting
  • Cyber insurance application & renewal support
02 · Test

Adversarial Testing

We attack your firm the way it will actually be attacked, then hand you the workpapers.

  • External & internal penetration testing
  • Phishing simulations built on real tax-season lures
  • Microsoft 365 / Google Workspace configuration review
  • Tax software & client portal security review
  • Remote access & seasonal-staff onboarding review
  • Partner-level tabletop exercise: your worst Tuesday in March
  • Findings mapped to Safeguards Rule sections for evidence
03 · Run

Managed Security

The stack, procured and operated. One vendor, one invoice, one throat to choke.

  • Managed detection & response, watched 24/7
  • Hardened email with MFA enforced firm-wide
  • Encrypted backup with restores actually tested
  • Secure client document portals that clients will use
  • Device management for partners, staff & seasonal hires
  • Quarterly reviews that double as compliance evidence
  • Workflow support so security never slows a return
04 · Automate

AI & Workflow Automation

The work that eats your staff's hours: automated, monitored, and audit-ready.

  • AI-assisted document intake and client data classification
  • Automated compliance evidence collection and reporting
  • Intelligent phishing triage: threats escalated, noise suppressed
  • Workflow automation for onboarding, offboarding & seasonal rollover
  • AI-driven anomaly detection across financial data access patterns
  • Integration with your tax, practice management & portal systems
  • Every automation logged and auditable. No black boxes
Pricing

Flat monthly. No hourly meters. No surprises.

We've seen the same compliance gaps, the same attack patterns, and the same busy-season pressure across enough firms to build a program around it. That experience is why this works as a subscription: you get a proven, repeatable security operation without paying us to figure it out. Service fees cover our people and expertise. Security tooling is procured through us at negotiated rates and billed transparently per seat. Commit annually and save 10%.

Monthly Annual Save 10%
Foundation
$500/mo

Compliance documentation and oversight. The program the Safeguards Rule requires, on paper, maintained and current.

  • WISP authored for your firm, updated annually
  • Written risk assessment, performed annually
  • Incident response plan
  • Security policy library (acceptable use, data classification, remote work)
  • PTIN/EFIN attestation documentation support
  • Cyber insurance application support
  • Designated qualified-individual support
  • Annual compliance report delivered to partners
  • Quarterly compliance review call
Get started
Command
$1,500/mo base
+ $75/seat from seat one.

Full managed program with AI automation. Everything in Protection plus workflow automation, faster testing cadence, and a priority relationship. Tools billed separately.

  • Everything in Protection
  • Semi-annual penetration testing
  • Semi-annual partner tabletop exercises
  • AI-assisted document intake + classification
  • Automated compliance evidence collection
  • Workflow automation (onboarding, offboarding, seasonal rollover)
  • Intelligent alert triage + noise suppression
  • Data access anomaly detection
  • Tax + practice management system integrations
  • Vendor security assessments for third parties
  • Priority incident response (2-hour SLA)
  • Named account lead
Get started

Security tooling (EDR, email security, backup, MDM, phishing platform, training platform) is procured through us at negotiated rates and billed per seat as a separate transparent line item. Same invoice, no markup surprises. Around 15 seats, Command becomes less expensive than Protection while delivering more.

Already know you need this? Skip the brief and go straight to a 30-minute scoping call.

Book a call
The security trial balance

Every exposure, offset by a working control. That's the whole model.

You close books for a living, so we'll present it your way: debits and credits. An exposure without an offsetting safeguard is an open item. Our job is a firm that balances, closed under the double rule we're named for.

Security Trial Balance // Your Firm For the period: every filing season, forever
Exposure (Dr)Phishing lure dressed as an e-file rejection lands in a preparer's inbox at 9 p.m. in March
Safeguard (Cr)Staff trained on that exact lure; hardened email quarantines it; MDR flags the sender infrastructure
Exposure (Dr)Stolen partner password reused from a breached shopping site
Safeguard (Cr)MFA enforced on every system that touches client data. No exceptions for partners
Exposure (Dr)Ransomware encrypts the server hosting fifteen years of client returns
Safeguard (Cr)Encrypted, isolated backups with restore drills on the calendar. Recovery in hours, not weeks
Exposure (Dr)FTC inquiry or insurance renewal asks to see your security program
Safeguard (Cr)A current WISP, dated risk assessment, training records, and quarterly evidence. Produced same day
Exposure (Dr)Seasonal preparer's laptop, hired in January, unmanaged and full of client PDFs
Safeguard (Cr)Managed devices and portal-only workflows for seasonal staff, provisioned before their first return
Firm status: BALANCED Every open exposure is an item we haven't closed yet. We keep the schedule.
Engagement structure

Scoped like an engagement, because it is one.

Fixed phases, defined deliverables, and a letter that says exactly what you're getting. No open-ended "digital transformation." No surprise invoices.

Phase I

Safeguards Gap Assessment

We inventory where client data actually lives, test the perimeter, review your M365 or Workspace tenant, and score your firm against every Safeguards Rule requirement. You receive a findings report a partner can read in twenty minutes, each item rated, sourced, and priced to fix.

≈ 2–3 weeks · fixed fee · zero disruption to production
Phase II

Remediation Sprint

We close the findings in priority order: WISP authored, MFA enforced, email hardened, backups verified, portals deployed, staff trained. Work is sequenced so client-facing operations never stop. The disruptive items land in your off-season.

≈ 30–90 days depending on findings · milestone billing
Phase III

Managed Program

Ongoing operation: monitoring, patching, training, phishing drills, vendor oversight, and the annual risk assessment and owner report the Rule requires. Every quarter produces the evidence file your insurer, your attorney, and your own attestation depend on.

Annual agreement · flat monthly · scales with your firm

We schedule around your calendar, not ours.

Heavy lifting happens May through December. During filing season we shift to protect-and-monitor posture: no migrations, no forced changes, no lockouts at the deadline. Just coverage, watchfulness, and a phone that gets answered.

Phase I is the only decision you need to make today. Fixed fee, read-only, and the findings report is yours regardless of what you do next.

Book Phase I
Why a specialist

Generalist IT keeps the printers running. This is a different discipline.

Most firms rely on a local IT provider for helpdesk and hardware, and that relationship is worth keeping. But the Safeguards Rule doesn't ask whether your printers work. It asks whether a named individual runs a documented, tested security program over some of the most sensitive data a business can hold. That's a regulatory and adversarial discipline, not a support ticket.

We work in your vocabulary. Findings read like findings. Deliverables are dated, versioned workpapers you can hand to an insurer, an attorney, or the FTC. Because we built this practice around CPA firms, we already know your software, your workflows, your deadlines, and the exact lures your staff will see in February. You never pay us to learn your industry.

We'll also happily coexist with your current IT provider. They keep the helpdesk; we own security and compliance; your firm gets both without a turf war.

That depth of experience is why this works as a subscription. We've seen enough CPA environments to know which tools belong, which configurations break during busy season, which phishing lures land in February, and which compliance gaps show up in every single assessment. You're not hiring us to solve your problem for the first time. You're hiring the firm that turned the pattern into a program.

Plain-English briefings

The rules, translated. Five minutes each, no vendor jargon.

Most partners were never told any of this applies to them. Here is the working knowledge you need before you talk to anyone, including us.

Briefing 01 · Compliance

What is a WISP, and why does the IRS keep mentioning it?

A Written Information Security Plan is the document federal law requires you to have: who's responsible for security at your firm, what data you hold, what protects it, and what happens when something goes wrong. It is required under the FTC Safeguards Rule, and IRS Pub 4557 tells every tax professional to maintain one.

The catch: a WISP describes a program. If the program doesn't exist, the document is fiction. And fiction with your signature on it.

Get a WISP that's actually true →
Briefing 02 · Regulation

Why the FTC considers your firm a financial institution

Under GLBA, "financial institution" isn't about size or charter. It's about activity. Professional tax preparation and accounting services qualify. That means the FTC Safeguards Rule (16 CFR 314) applies to your firm the way it applies to a lender: designated security lead, written risk assessment, MFA, encryption, vendor oversight, incident response, annual reporting.

Civil penalties can exceed $50,000 per violation. Nobody sends your firm a welcome letter about this.

Book a Gap Assessment →
Briefing 03 · Incident reality

What actually happens in the 72 hours after a breach

A breach at a tax practice is a reporting event, not an IT event. You're notifying the IRS Stakeholder Liaison, state tax agencies, state attorneys general, and every affected client, under the breach laws of every state where a client resides. Meanwhile fraudulent returns get filed in your clients' names, and your malpractice carrier asks to see your security program.

Firms with a rehearsed incident response plan handle this in days. Firms without one handle it in the press.

Get the incident response plan →
Briefing 04 · The attestation

The box you check every PTIN renewal

Every PTIN renewal now requires preparers to attest to their data security responsibilities. When you check that box without a real program behind it, you're signing an attestation you can't support. A position no CPA would ever let a client take on a return.

The fix isn't complicated. It's a scoped engagement with defined deliverables. The kind of work you already understand better than any other buyer we serve.

See how the engagement works →

Want these as a monthly two-page memo? Partner-level, plain English, one regulatory development and one live threat per issue.

Get the checklist
Common questions

Asked by every managing partner. Answered plainly.

Does the Safeguards Rule really apply to a firm like ours?

Yes. GLBA's definition of "financial institution" explicitly reaches professional tax preparation, and the FTC has confirmed it covers tax and accounting practices. Certain very limited data footprints get narrow relief from a few written-program elements, but core safeguards (MFA, encryption, access controls, vendor oversight) apply regardless. Most established firms exceed even those narrow thresholds once you count every individual whose data sits in your archives.

We downloaded a WISP template and filled it in. Are we covered?

A template WISP describes a fictional firm. In an FTC inquiry, an insurance claim dispute, or a breach lawsuit, the gap between what your WISP says and what your firm actually does becomes the opposing exhibit. A WISP is supposed to be the documentation of a real program. We build the program first, then the document is simply true.

We already have an IT guy. Why do we need you?

Keep them. Helpdesk, hardware, and printers are real work. But ask them three questions: Where is our written risk assessment? Who is our designated qualified individual? When was our last penetration test? If those answers don't exist, you have IT support, not a security program. We fill exactly that gap and coordinate with your existing provider.

What does this cost?

Foundation is $500/mo flat for compliance documentation and oversight. Protection is $1,500/mo with 5 seats included and $125/seat above that, covering managed security and testing. Command is $1,500/mo base plus $75/seat from seat one, adding AI automation, faster testing cadence, and a priority SLA. Security tooling is procured through us at negotiated rates and billed separately per seat. Around 15 seats, Command actually costs less than Protection while delivering more. Annual commitment saves 10% across the board. No hourly billing, no change orders.

Will this disrupt filing season?

No. It's the first constraint in every plan we write. Assessments are read-only. Remediation is sequenced into your off-season. During filing season we operate in protect-and-monitor mode only. A security program that jeopardizes April 15 has failed at its one job.

Start here

Find out where your firm actually stands, before someone else does.

Tell us a little about your firm and what you're looking for. We'll get back to you within one business day.

We respond within one business day. No automated follow-ups, no drip campaigns.

Or email directly: avery@doublerulesecurity.com

Not ready to talk yet? Get the CPA Firm Security Checklist: every Safeguards Rule requirement and the ten questions to ask your current IT provider, on two pages.

One checklist, one monthly briefing memo. No drip campaign.

Book a Gap Assessment