If an insurance carrier, a regulator, or a big client has ever asked your firm for “your information security plan,” “your risk assessment,” or “who's your Qualified Individual,” they were asking about governance, not firewalls.
Here's what governance actually means for a CPA firm, and why it's probably the thing your MSP doesn't do.
Technical security
What your MSP does: the firewalls, the patches, the backups, the endpoint protection. The stuff that stops bad things from happening.
Governance
The written program: what your firm has decided to protect, how, who's responsible, how you'd respond to a breach, how you train your team, and how you prove any of it actually happened.
Regulators, insurers, and enterprise clients all want to see the governance program. Not the firewall configuration.
Most CPA firms have great MSPs. When you ask the owner "are we secure?" the answer is usually "yes, our MSP handles that." And for technical security, they're right.
The disconnect shows up at three specific moments:
Your carrier sends a form asking whether you have a Written Information Security Plan, whether you've done a documented risk assessment in the past 12 months, whether you have an Incident Response Plan with annual testing, whether your team has completed annual cybersecurity training, and who your Qualified Individual is.
None of those are firewall questions. They're governance questions.
The Fortune 500 company you're bidding to sends a vendor questionnaire. It asks for your WISP, your risk assessment, your vendor list, your DPA, your training records, and your breach notification plan.
None of those come from your MSP.
Both mention technical controls. Both also require written plans, documented decisions, a named person accountable, and training records. The written program is a legal requirement, not a nice-to-have.
Here's what “the governance layer” means in practice for a CPA firm:
A real document that says what your firm protects, how, and why. Every carrier asks for it. Most regulators require one. Most CPA firms don't have one beyond a template their MSP gave them once.
A documented look at what could go wrong, how likely each scenario is, and what you're doing about it. Think "EFIN hijacking," "wire fraud on a client account," "lost laptop with tax returns," or "vendor breach exposing client PII." These are the scenarios that actually apply to a CPA firm.
For every risk, the firm owner or Qualified Individual decides: accept, mitigate, or transfer (usually to insurance). That decision gets documented, with the reasoning. This is the document that shows a regulator or auditor that you weren't negligent. You made informed calls.
What your firm does if something goes wrong. Who calls the insurer. Who notifies clients. Who notifies the state AG (most states require notification, each with its own timeline). How you preserve evidence.
Every vendor that touches your client data. Which ones have signed DPAs. Which ones are authorized subprocessors. Which ones you should probably replace.
Every person in your firm, trained annually, with records that an auditor can see and an insurer can verify.
When you say "we require MFA on email," you can prove it. When you say "we train annually," you can show the roster and the completion dates.
Version history on the plans. Signed approvals. Date stamps on decisions. The paper trail that converts "we think we're doing this" into "here's the proof."
If your firm is subject to the FTC Safeguards Rule and you're over a certain size, you're required to designate a Qualified Individual (QI): the person responsible for the information security program.
The QI isn't your MSP. The QI is usually an internal leader, such as the firm owner, the operations partner, the COO, or the IT director, who has the authority to make decisions and the responsibility for the program's outcomes. Some firms hire a vCISO (a virtual Chief Information Security Officer) to serve as the QI on a fractional basis.
The QI signs off on the risk decisions. The QI reports to leadership on the program's status. The QI is who a regulator or insurer points to when asking "who's accountable?"
This is the part most CPA firms learn the hard way:
Governance is the business-owner layer. It's exactly the layer regulators, insurers, and auditors care about, because it's where the firm takes responsibility for its own program.
Some MSPs have a compliance function that helps with the paperwork. Even then, the firm owner still makes the decisions, still signs off, still owns the consequences. That's not a gap in what MSPs offer. It's how regulation is structured. Responsibility sits with the firm.
Kompflow is the governance layer for CPA firms: the software that generates the plans, tracks the decisions, stores the records, and produces the artifacts.
We don't do firewalls. Your MSP does. We do the plans, the records, the decisions, and the proof.
They overlap but aren't identical. Compliance is whether you meet a specific rule (FTC Safeguards, IRS Pub 4557, state breach law). Governance is the program that makes compliance provable: the written plans, decisions, training, and evidence. You can't have good compliance without good governance.
Under the FTC Safeguards Rule, yes. Any firm defined as a "financial institution" (which includes most CPA firms that prepare tax returns) is required to have one. Size affects the specifics, not the requirement.
Probably not. A template isn't a WISP until it's been customized to your firm: your systems, your data, your decisions. Most carriers and regulators can tell the difference. More importantly, a template doesn't document the decisions your firm actually made, which is the core artifact.
Worst case: uninsured loss, regulatory fines, loss of clients. More commonly: significantly higher insurance premiums at renewal, lost deals where the prospect's security team wouldn't approve your firm as a vendor, and prolonged time to recover from an incident because no one knew who was doing what.
It's the person responsible for the program. In a 5-person firm, it's probably the owner. In a 25-person firm, it might be the operations partner or the IT director. In a firm without the internal bandwidth, it's often a vCISO. The Professional and Premium plans of Kompflow include a dedicated QI workflow.
A consultant runs your governance program once and leaves. Kompflow keeps it running: the plans stay current, the training tracks itself, the audit trail builds automatically, and the Insurance Gap Assistant is there when your carrier asks a question. For most firms, the ongoing operational model is a better fit than a one-time engagement.