What is the Cyber Defense Score™?

The Cyber Defense Score™ is an A–F letter grade plus a 0–100 numerical score produced by a 100-tool external attack surface scan. It shows you exactly what cyber insurance underwriters see when they assess your business. It is mapped to NIST CSF 2.0, CIS Controls, SOC 2, NIST 800-171, FTC Safeguards Rule, and PCI-DSS readiness.

How does Cyber Defense Agent help with cyber insurance?

Cyber Defense Agent runs the same external scans that cyber insurance underwriters use to assess your risk. By scanning first, you can identify and fix gaps (missing MFA, DMARC, open ports, SSL issues) BEFORE your renewal or new application. This helps you avoid denials, reduce premiums, and pass underwriting on the first attempt.

What do cyber insurance underwriters scan for?

Underwriters typically scan for: MFA enforcement across all remote access, DMARC/SPF/DKIM email authentication, open RDP ports (3389), SSL/TLS configuration, known vulnerabilities in public-facing services, DNS security, and evidence of endpoint detection (EDR). Cyber Defense Agent checks all of these in 60 seconds.

Can Cyber Defense Agent help me lower my cyber insurance premium?

Yes. Carriers offer premium discounts of 10–25% for businesses that demonstrate strong security posture. By fixing the gaps Cyber Defense Agent identifies and presenting your Cyber Defense Score™ and trust page to your broker, you provide concrete evidence of risk reduction that carriers reward with lower premiums.

Why was my cyber insurance application denied?

The most common denial reasons are: no MFA on email and remote access (41% of denials), missing DMARC email authentication, open RDP ports, no EDR/endpoint protection, and no incident response plan. Cyber Defense Agent scans for all of these and shows you exactly what to fix before reapplying.

How long does a Cyber Defense Agent scan take?

A full 100-tool external attack surface scan completes in approximately 60 seconds. No software installation, no questionnaires, and no credit card is required to get started. You see the same view of your attack surface that underwriters see.

What frameworks does Cyber Defense Agent map to?

Cyber Defense Agent maps scan results to NIST CSF 2.0, CIS Controls, SOC 2, NIST 800-171, FTC Safeguards Rule, and PCI-DSS readiness. These are the same frameworks cyber insurance carriers reference in their underwriting guidelines.

How much does Cyber Defense Agent cost?

Essentials starts at $149/mo ($1,490/yr). Pro is $349/mo ($3,490/yr) and includes internal scanning, SOC 2 readiness, and full MCP toolset. Enterprise is $999/mo ($9,990/yr) with daily scans, custom framework mapping, and a dedicated AI agent instance. MSP partners pay $79/business/mo with a 25-business minimum. The free scan is always free.

How do I prepare for cyber insurance renewal?

Start 60–90 days before renewal. Run a Cyber Defense Agent scan to identify gaps. Fix critical items: enforce MFA everywhere, deploy DMARC, close open ports, update EDR. Re-scan to verify improvements. Present your Cyber Defense Score™ and trust page to your broker as evidence of improved posture. This positions you for renewal without premium increases or coverage reductions.

What is a trust page?

A trust page is a public cybersecurity posture page hosted at trust.cyberdefenseagent.ai/{your-slug}. It displays your Cyber Defense Score™, framework compliance status, and last scan date. Brokers, underwriters, and business partners can verify your security posture in 60 seconds instead of reviewing 30-page questionnaires.

Guide

FTC Safeguards Rule Checklist for CPAs & Tax Preparers

A step-by-step compliance checklist covering all 9 Safeguards Rule requirements, tailored for CPA firms, accounting practices, and tax preparers.

Farhad Mirza Khawar

Founder of HIPAA Agent and Cyber Defense Agent. Compliance infrastructure for SMBs. Sacramento, CA.

2026-05-01

Get My Cyber Defense Score™ →Book a 30-min review

In this guide

1. Checklist overview
2. 1. Designate a Qualified Individual
3. 2. Conduct a risk assessment
4. 3. Implement safeguards
5. 4. Monitor and test
6. 5-9. Training, vendors, updates, incident response, reporting

Checklist overview

This checklist covers all 9 updated FTC Safeguards Rule requirements as they apply to CPA firms and tax preparers. Use this as a starting point — then run a Cyber Defense Agent scan to verify your technical controls. The FTC Safeguards Rule applies to every CPA firm and tax preparer in the United States. Over 300,000 tax preparers must comply, and the FTC has actively pursued enforcement actions against accounting practices.

1. Designate a Qualified Individual

Designate someone to oversee your information security program. For small CPA firms, this is typically the managing partner or a qualified IT provider. Action items: - Formally designate your Qualified Individual in writing - Document their qualifications and responsibilities - If outsourcing, ensure the third party is contractually obligated - This person must report to the board/partners at least annually

2. Conduct a risk assessment

Perform a written risk assessment identifying threats to client financial data. Action items: - Inventory all systems that store or process client data (practice management, email, file storage) - Identify internal risks (employee access, lost devices) - Identify external risks (phishing, ransomware, unauthorized access) - Assess likelihood and impact of each risk - Document current safeguards and identify gaps - Run a Cyber Defense Agent scan to identify external technical risks automatically

3. Implement safeguards

Based on your risk assessment, implement controls for identified risks. Action items: - Enable MFA on all systems accessing client data - Encrypt client data at rest and in transit - Implement email authentication (SPF/DKIM/DMARC) - Configure access controls (least privilege) - Deploy endpoint protection (EDR/antivirus) - Secure your website with proper TLS configuration - Implement a firewall and network segmentation

4. Monitor and test

Continuously monitor your safeguards and test them regularly. Action items: - Use Cyber Defense Agent for continuous external monitoring (weekly/daily scans) - Conduct annual penetration testing or continuous monitoring - Perform biannual vulnerability assessments - Review access logs regularly - Test incident response procedures annually

5-9. Training, vendors, updates, incident response, reporting

Complete the remaining requirements: 5. Train all employees on security awareness, with specialized training for the Qualified Individual. 6. Monitor service providers (cloud software, IT providers) — require contractual security obligations. 7. Keep your security program current — review and update when operations, threats, or vulnerabilities change. 8. Create a written incident response plan — include detection, containment, notification, and recovery procedures. 9. Report to partners/board annually on the overall status of the security program, including material matters and recommendations.

Key Takeaways

TL;DR

All 9 Safeguards Rule requirements apply to CPA firms and tax preparers regardless of size.

Start with a Cyber Defense Agent scan to identify external technical gaps immediately.

MFA, encryption, and email authentication are non-negotiable technical requirements.

Document everything — the FTC evaluates your program's documentation, not just its effectiveness.

Official Sources

FTC Small Business Guide to the Safeguards Rule IRS Publication 4557

FAQ

Frequently asked questions

How long does Safeguards Rule compliance take for a CPA firm?

A small CPA firm can achieve baseline compliance in 30-60 days. Start with a Cyber Defense Agent scan (60 seconds) to identify technical gaps, then systematically address documentation and policy requirements. The Qualified Individual designation and risk assessment can be completed in a week.

Can I do this without an IT consultant?

For technical controls (MFA, encryption, email auth), you may need IT support. For the program itself (policies, risk assessment, training), many small firms handle it internally using templates and tools like Cyber Defense Agent. The key is documentation and verification.

What if I use cloud-based tax software?

You're still responsible for compliance. While your cloud provider handles some security, you must verify their controls (vendor management), implement MFA for access, and ensure your own systems (email, network) are secure. CDA scans your external posture regardless of where data is hosted.

Related Guides

Continue reading

FTC Safeguards Rule Compliance Guide FTC Safeguards Rule Penalties & Enforcement What FTC Safeguards Rule Compliance Really Costs

Get your Cyber Defense Score™ in 60 seconds.

100 tools. No installation. No credit card. Real evidence.

Get My Cyber Defense Score™ →Book a 30-min review with Farhad