Guide

The Client Data Exposure Checklist for CPA Firms

Sixteen checks, grouped by layer. Run it in an afternoon with whoever handles your IT. What you can't check off is your work list — and what you can't answer at all is your starting point.

What this checklist catches (and what it can't)

It catches the common, fixable exposure that shows up in firms your size: unprotected email, wandering devices, unreviewed access, untested backups, and paperwork that doesn't match practice.

It can't see configurations, verify that a control actually works, or tell you you're compliant. It tells you where to look. A real exposure review confirms what's behind the checkboxes.

How to run it

Block ninety minutes. Bring the partner responsible for operations and whoever manages your technology — in the same room, because half the value is hearing where their answers differ. Mark each item yes, no, or don't know.

"Don't know" counts as a no. It just hasn't been confirmed yet.

The checklist

Email — the outermost layer

  • MFA is enforced on every email account, with no exceptions for partners
  • Nobody's email password is reused on another system
  • Old employee and contractor accounts are disabled, not just unused
  • Someone would notice a forwarding rule quietly added to a partner's inbox
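The last email item is the one most firms cannot answer, because nobody has ever produced the list. The script below is an added example, not part of this checklist or the author's tooling. It assumes the firm's email runs on Microsoft 365 (Exchange Online), that the ExchangeOnlineManagement PowerShell module is installed, and that the person running it holds a role that can read mailbox settings and inbox rules. It produces three things: the tenant-wide automatic-forwarding setting, every mailbox with forwarding configured at the mailbox level, and every inbox rule that forwards, redirects or silently deletes mail. The output file names are this example's own choice.

```powershell
# Added example (not the checklist author's code). Assumes Microsoft 365 /
# Exchange Online, the ExchangeOnlineManagement module, and a role that can
# read mailbox settings and inbox rules. Run it monthly and hand the two CSV
# files to whoever owns email; a rule nobody recognises is the finding.

Connect-ExchangeOnline -ShowBanner:$false

# Tenant-wide setting: may mail be auto-forwarded outside the organisation?
# "Off" is what most small firms want; "On" or "Automatic" deserve a conversation.
Get-HostedOutboundSpamFilterPolicy |
    Select-Object Name, AutoForwardingMode |
    Format-Table -AutoSize

$mailboxes = Get-Mailbox -ResultSize Unlimited

# Forwarding set on the mailbox itself (admin portal or Outlook settings),
# which does not show up as an inbox rule.
$mailboxForwarding = $mailboxes |
    Where-Object { ($_.ForwardingSmtpAddress -ne $null) -or ($_.ForwardingAddress -ne $null) } |
    Select-Object DisplayName, PrimarySmtpAddress, ForwardingSmtpAddress,
                  ForwardingAddress, DeliverToMailboxAndForward

# Inbox rules that forward, redirect or delete. A rule that forwards a copy
# and then deletes the message is the pattern that hides a takeover from the
# mailbox owner, so DeleteMessage is included alongside the forwarding fields.
$rulesToReview = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.ForwardTo -ne $null) -or
            ($_.ForwardAsAttachmentTo -ne $null) -or
            ($_.RedirectTo -ne $null) -or
            ($_.DeleteMessage -eq $true)
        } |
        Select-Object @{ Name = 'Mailbox'; Expression = { $mbx.PrimarySmtpAddress } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
}

# File names below are this example's choice, not a product convention.
if ($mailboxForwarding) {
    $mailboxForwarding | Export-Csv -Path '.\mailbox-forwarding.csv' -NoTypeInformation
    "$(@($mailboxForwarding).Count) mailbox(es) with forwarding configured; see mailbox-forwarding.csv"
} else {
    "No mailbox-level forwarding found"
}

if ($rulesToReview) {
    $rulesToReview | Export-Csv -Path '.\inbox-rules-to-review.csv' -NoTypeInformation
    "$(@($rulesToReview).Count) inbox rule(s) to review; see inbox-rules-to-review.csv"
} else {
    "No forwarding, redirect or delete rules found"
}

Disconnect-ExchangeOnline -Confirm:$false
```

Some of what this lists is legitimate: a partner who forwards to an assistant, or a shared mailbox that redirects to a team. The point is not that every hit is an incident but that the list exists, someone reads it on a schedule, and each entry has a name attached who can say why it is there. An entry nobody can explain is the one to act on, starting with resetting that account's credentials and checking its recent sign-ins.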

Devices — the layer that travels

  • The firm can list every device that touches client data, including personal ones
  • Firm devices are updated and protected on a schedule, not whenever
  • There is a written decision about personal devices — allowed with controls, or not allowed
  • A lost laptop would be an inconvenience, not a disclosure event

The portal and what's around it

  • Portal permissions are reviewed at least annually — who has access, and should they
  • The email accounts that receive portal notifications meet the email checks above
  • Client files downloaded from the portal have a defined place to live and a defined time to die

Backups — the layer you hope never matters

  • Backups cover the systems the firm actually can't lose
  • A restore has been tested in the last year — actually performed, not assumed
  • Backups are kept separate from the systems they protect, so the same incident that destroys production can't reach them too

Policies — the layer on paper

  • The WISP describes controls that actually exist, in their current form
  • The last cyber insurance questionnaire was answered from evidence, not memory

How to read your results

Mostly yes

Your basics are stronger than most firms'. The next step is confirming the yeses are configured the way you believe — that's what an exposure review does.

A handful of no

Normal, and fixable in sequence. Email gaps first, devices second, everything else after. Most of these close with discipline, not purchases.

Mostly don't-know

The checklist has done its job. The finding is that nobody currently owns this — and that's a more useful discovery than any individual gap.

When to get help

If running the checklist raised more questions than it answered, or the fixes keep not happening between tax seasons, that's the moment to put a name on the responsibility.

Not sure how this maps to your firm? That's a 30-minute conversation, not a project.

Turn the checklist into a plan.

Reading about the gap is step one. If you want help sizing and closing it, that's what we do.