What Clients Are Starting to Ask About Your Firm's Security (And What to Tell Them)
Last month, a firm owner told me he got an email from his largest client, a mid-sized manufacturing company, asking whether his firm had a SOC 2 report. He'd been their accountant for twelve years. They'd never asked anything like this before.
He forwarded the email to me with a one-line note: "What do I say?"
This isn't an isolated incident. Across the country, CPA firms are receiving questions they've never had to answer before. Not about tax strategy. Not about advisory services. About cybersecurity. About how the firm protects client data. About what happens if something goes wrong.
The firms that are prepared for these questions will keep their clients. The firms that aren't will watch those clients quietly migrate to firms that have answers.
Why Clients Are Asking Now
The shift has been building for years, but it accelerated in 2024 and 2025. Three things are driving it.
First, breaches are in the news constantly. The Identity Theft Resource Center reported 1,732 data compromises in just the first half of 2025, affecting an estimated 166 million individuals. Accounting firms specifically have made headlines. Legacy Professionals in Illinois notified over 216,000 people after a breach. Sax LLP potentially exposed 220,000 records. These aren't theoretical threats. They're front-page stories, and your clients are reading them.
Second, businesses are tightening their own vendor oversight. Third-party involvement in data breaches doubled to 30% in 2024, up from 15% the prior year, and companies are responding by scrutinizing every service provider that touches their data. If your client has a compliance team, a legal department, or even a conscientious CFO, they're building vendor security questionnaires into their procurement process. Your firm is a vendor. The questionnaire is coming.
Third, consumer awareness of data privacy is at an all-time high. 80% of U.S. consumers received at least one breach notification in the past year. Only 29% of consumers feel confident they can understand how well a company protects their data. People are worried, and they're looking for reassurance from the professionals they trust with their most sensitive information.
The Questions You'll Hear
The questions vary depending on the sophistication of the client, but they tend to cluster around a few themes.
"Do you have a security policy?" This is the baseline question. The client wants to know if you've thought about this at all. They're not asking for a 50-page document. They want to hear that you have a written plan and that it's something you take seriously. If you have a WISP (a Written Information Security Plan, which the FTC Safeguards Rule and the IRS already expect tax professionals to maintain), this is a straightforward answer.
"How do you protect our data?" This is more specific. They want to know about encryption, access controls, and how their files are transmitted and stored. They may ask about your email security, your file-sharing practices, or whether your team uses secure portals. The answer here should be specific without being overly technical: "Client data is encrypted in transit and at rest. Access is limited to staff who need it for your engagement. We use multi-factor authentication on all systems."
"What happens if there's a breach?" They want to know you have a plan. Not the full plan. Just the assurance that you've thought about it. "We have an incident response plan. If an incident occurs, our IT provider conducts the forensic investigation, we notify affected clients within the timeframes required by law, and we work with counsel to manage the regulatory process." That's enough for most clients. One caution: make sure the roles you name in that answer are real. If your IT provider does not actually do forensic investigation, name whoever does (an outside forensics firm, or the one your cyber insurance policy provides), because a client who later reads your incident notice will compare it with what you told them.
"Do you have a SOC 2 report?" This one's becoming more common, especially from business clients. SOC 2 demand has surged as more companies require it from their service providers. In 2024, 64.4% of SOC 2 reports included confidentiality as an in-scope category, up from 34% the year before. If your firm doesn't have a SOC 2, be honest about it, but explain what you do have. Note that SOC 2 is an auditor's attestation report, not a certification, so don't describe yourself as "SOC 2 certified" or "not SOC 2 certified"; say instead: "We don't have a SOC 2 report, but we comply with the FTC Safeguards Rule, maintain a Written Information Security Plan, and conduct regular security assessments. Here's what that includes."
"Can you fill out our vendor security questionnaire?" This is the most detailed version of the question. The client sends you a form with 50 to 300 questions about your security practices, and they expect substantive answers. Organizations using quantitative risk scoring experience 2.3 times fewer vendor-related incidents, which is why more companies are adopting these assessments. Being able to complete one efficiently signals that your firm takes security seriously.
What to Tell Them
The temptation is to either overpromise or dodge the question. Both are mistakes.
Overpromising creates liability. If you tell a client "your data is completely secure" and then a breach occurs, that statement becomes evidence against you. Security is about risk management, not guarantees. Nobody's data is completely secure. The honest answer is always about what you're doing, not what you can guarantee.
Dodging creates suspicion. If a client asks about your security posture and you deflect with "we've never had a problem," you sound like every firm that eventually has a problem. The absence of an incident isn't evidence of readiness.
The right answer is confident, specific, and honest. Here's a framework:
"We take data security seriously and maintain an active information security program. We comply with the FTC Safeguards Rule and IRS requirements for tax professionals. Our program includes access controls, multi-factor authentication, employee security training, regular vulnerability assessments, and a documented incident response plan. We work with a qualified IT provider to manage our technical infrastructure, and we maintain the governance and compliance program internally. If you'd like specifics or need us to complete a vendor questionnaire, we're happy to provide that."
That response covers the bases without overreaching. It demonstrates awareness, preparation, and professionalism. And it opens the door for a deeper conversation if the client wants one.
Why This Is Actually a Competitive Advantage
Here's the part most firm owners miss: the clients who ask about security are telling you something valuable. They're telling you that this matters to them. And if it matters to them, they'll choose the firm that gives them a good answer over the firm that stumbles.
Firms that proactively invest in security and communicate about it are expanding their market opportunities, especially with regulated clients in finance, healthcare, and government contracting who require their service providers to meet specific security standards. A manufacturing company looking for a new CPA firm will, increasingly, include data security in their evaluation criteria alongside technical competence and price.
The Thales 2025 Consumer Digital Trust Index found that not a single industry sector scored above 50% when consumers were asked which sectors they trusted with their personal data. Trust is scarce. The firms that can demonstrate trustworthiness have a genuine edge.
You don't need a SOC 2 to win on security. You need a clear, documented program, the ability to articulate what you're doing, and the willingness to engage with the question instead of avoiding it.
What You Can Do Today
- Prepare a one-page security summary for clients. Write a brief overview of your security practices: what controls you have in place, how client data is protected, what standards you follow. Keep it at a level that a non-technical client can understand. Share it proactively with your top 10 clients.
- Create a standard response for vendor questionnaires. If you haven't received one yet, you will. Prepare answers to common questions about encryption, access controls, authentication, training, incident response, and compliance standards. Having this template ready saves hours when the questionnaire arrives. Every answer in it is a representation the client may rely on, so keep the template accurate, date it, and review it whenever a control or provider changes.
- Include security language in your engagement letters. Add a brief section that describes your commitment to data protection and the standards you follow. This sets expectations upfront and demonstrates that security is part of how you do business.
- Train your team to answer the question. When a client asks a staff member about security, the answer shouldn't be "I don't know, let me ask someone." Everyone on your team should be able to say, confidently, "We have a documented security program that includes [key controls]. If you want details, I can connect you with [qualified individual]."
- Use security as part of your marketing. Not in a flashy way. In a professional, understated way. "We maintain an active information security program that complies with FTC and IRS requirements" is a meaningful differentiator on your website, in your proposals, and in new client conversations.
The Bottom Line
Your clients aren't just trusting you with their tax returns. They're trusting you with their Social Security numbers, their bank accounts, their financial histories, and in some cases, the personal financial information of their employees. That trust comes with an expectation that you're protecting it.
The question isn't whether your clients will start asking about security. They already are. The question is whether you'll have an answer that keeps them with you or sends them looking elsewhere.
The firms that treat security as a client service issue, not just an IT issue, are the ones that will hold on to their best relationships and win new ones. It's not about being perfect. It's about being prepared, being transparent, and being willing to invest in the thing your clients care about most: the safety of their information.
If you want help building the documentation, preparing for vendor questionnaires, or creating the client-facing materials that turn your security program into a competitive advantage, Kompflow can help. We work with firms every day to close the gap between "we take security seriously" and "here's the evidence."
Your clients are paying attention. Make sure you're ready when they ask.