How to Talk to Your IT Provider About Compliance Without Sounding Like You Don't Trust Them

Daniel Chang, Founder of Kompflow

You trust your IT provider. You should. They keep your systems running, your email flowing, your network protected. When something breaks at 7 AM on a Monday, they're the ones who fix it. That relationship matters, and nothing in this article is meant to undermine it.

But there's a conversation that needs to happen between your firm and your IT provider, and most firm owners avoid it because they're worried about how it will land. The conversation is about compliance. Specifically, it's about where your IT provider's responsibilities end and your firm's obligations begin.

The hesitation is understandable. Nobody wants to call their MSP and say, "Hey, I need to audit what you're doing." It feels adversarial. It feels like you're questioning their competence. But the FTC Safeguards Rule doesn't give you a choice. Section 314.4(f) explicitly requires you to periodically assess your service providers' security and to have contractual agreements that specify their obligations. This isn't about trust. It's about a regulatory requirement that sits on your shoulders, not theirs.

The good news is that this conversation doesn't have to be uncomfortable. The best IT providers welcome it. And the firms that have this conversation well end up with stronger partnerships, not weaker ones.

Why the Conversation Matters Now

The relationship between CPA firms and their IT providers has changed over the past few years. 90% of small and medium businesses use or are considering a managed service provider for their IT needs. That's a significant concentration of trust. And attackers have noticed.

In 2021, the Kaseya attack compromised 60 MSPs directly and cascaded to between 800 and 1,500 downstream businesses through a single software vulnerability. In 2024, a Finnish IT provider called Tietoevry was hit with ransomware, and the attack disrupted services for Swedish government agencies, universities, and dozens of other organizations that depended on them. A German IT provider serving 70 municipalities was breached, shutting down town halls and critical services.

These weren't attacks on the end clients. They were attacks on the service providers those clients depended on. Phishing attacks targeting MSPs increased 73% year over year, and third-party involvement in data breaches jumped from 15% to 30% in 2024. Your IT provider is a target precisely because they hold the keys to your kingdom and dozens of other clients' kingdoms simultaneously.

This isn't a reason to distrust your MSP. It's a reason to make sure the relationship is built on a shared understanding of risks and responsibilities. And that starts with a conversation.

What the FTC Expects You to Do

The Safeguards Rule doesn't just suggest that you oversee your service providers. It requires three specific actions.

First, you must take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for client data. This means you should have a documented basis for why you chose your IT provider and what security capabilities they bring.

Second, you need a written contract that specifies their security obligations. Not a handshake. Not an assumption. A contract that says, "Here is what you are responsible for protecting, and here is how we expect you to do it."

Third, you must periodically assess whether your service provider's safeguards are still adequate. This means revisiting the relationship, at least annually, to verify that what they're doing matches what you need and what the regulations require.

CISA reinforces this approach with specific guidance for organizations using managed service providers: ensure contracts transparently identify ownership of security responsibilities, implement comprehensive logging, and maintain visibility into what your provider is doing on your behalf.

How to Start the Conversation

Here's the part that matters most: how you actually bring this up without making it sound like an interrogation.

Frame it as a partnership, not an audit. The opening line should be something like, "Our industry has new compliance requirements that apply to how we work with all of our service providers. We need to make sure we're both covered. Can we schedule 30 minutes to walk through what we each own?"

Most MSPs hear this and appreciate it. They deal with dozens of clients, and the ones who proactively clarify responsibilities make their jobs easier. The clients they worry about are the ones who never ask questions and then blame the MSP when something goes wrong.

Come with a list, not accusations. Prepare five or six specific questions before the meeting. Not "Are you doing your job?" but rather:

  1. What security services are included in our current agreement? What is specifically excluded?

  2. Are vulnerability scans being conducted on our systems? How often? Can we see documentation?

  3. Who is responsible for monitoring login activity and alerting us to suspicious access?

  4. If one of our team members' credentials is compromised, how would we know?

  5. What's your incident response process if your own systems are breached?

These questions aren't adversarial. They're practical. They acknowledge that your IT provider is the expert in their domain while establishing that you, as the firm owner, are responsible for understanding what's happening with your client data.

Ask for a scope of work or shared responsibility matrix. The clearest way to define the relationship is in writing. A shared responsibility matrix is a simple document that lists every security function and identifies who owns it. Cloud providers like AWS and Microsoft Azure have popularized this model, and it works just as well for the MSP-client relationship.

Your IT provider handles infrastructure, patching, and monitoring. You handle governance, training, risk assessment, and compliance documentation. There's overlap in the middle that needs to be agreed upon. Getting this onto paper prevents the dangerous assumption that someone else is handling something that nobody is actually handling.

What Good IT Providers Will Tell You

A strong MSP will respond to this conversation with clarity and honesty. They'll tell you what they cover and what they don't. They'll explain their monitoring capabilities and their limitations. They may tell you that compliance reporting isn't part of their scope, and that's actually a helpful answer because it tells you where to fill the gap.

Compliance consulting revenue for MSPs grew 60% in 2024, which means more and more IT providers are expanding into this space. Your MSP may already offer compliance-adjacent services you don't know about. The conversation might reveal capabilities you can build on.

The providers to be cautious about are the ones who wave off the conversation entirely. "Don't worry, we handle everything" is not a satisfactory answer when the FTC requires you to have documented, specific agreements about service provider oversight. If your IT provider can't articulate what they do and don't cover, that's a gap worth understanding.

What You Can Do Today

  1. Send a simple email this week. Tell your IT provider that you'd like to schedule a 30-minute call to discuss compliance requirements and shared responsibilities. Frame it as regulatory housekeeping, because that's exactly what it is.

  2. Prepare your questions in advance. Write down five specific things you want to understand about what your IT provider covers and what falls outside their scope. Bring the list to the meeting.

  3. Ask for documentation. Request a copy of their most recent vulnerability scan results, a summary of their monitoring services, and a description of their incident response process. If they can provide these easily, you're in a good spot. If they can't, you've identified your next action item.

  4. Create a shared responsibility matrix. After the conversation, document what you agreed on. Who owns what. Send it to your IT provider for confirmation. This becomes part of your compliance documentation.

  5. Schedule a recurring annual review. Put a date on the calendar, same time every year, to revisit the conversation. Compliance requirements change. Your firm's operations change. Your IT provider's capabilities change. An annual check-in keeps everyone aligned.

The Bottom Line

Your IT provider is your ally. Treat them like one. The compliance conversation isn't about questioning their work. It's about making sure the entire security ecosystem around your firm is working together, with each party understanding their role and owning their responsibilities.

The firms that have these conversations build stronger security postures and more resilient partnerships with their IT providers. The firms that avoid the conversation are relying on assumptions. And assumptions, as the FTC has shown repeatedly, don't hold up when regulators come asking questions.

If you're not sure where to start the conversation, or if you want help building the shared responsibility matrix and compliance documentation that ties your IT relationship together, that's what Kompflow does. We sit between you and your IT provider, making sure the governance side of the equation is handled so both of you can focus on what you do best.

The conversation you've been avoiding might be the most productive 30 minutes your firm spends this month.
