
"Our IT Guy Handles Compliance" — The Distinction That Matters

Daniel Chang, Founder of SafeGuardGRC

You're at a conference. Someone asks about your firm's cybersecurity posture. You smile and say, "Our IT guy handles all that." It's a reasonable thing to say. You pay someone to manage your systems, install patches, handle email security. You trust them. So you assume the compliance box is checked.

But here's the problem: your IT provider can do everything right from a technical standpoint and your firm can still be out of compliance with the FTC Safeguards Rule. The reason is simple. Security and compliance are not the same thing. One is what you build. The other is what you prove.

Security and Compliance Are Not the Same Thing

Let's be clear about what each one is.

Security is the set of technical controls that protect your systems from attack or unauthorized access. A firewall. Multi-factor authentication. Encryption. Regular patching. Network monitoring. These are the tools and processes that make it hard for a bad actor to get in. Your IT provider or MSP is the expert here. They should be building these walls, testing them, and maintaining them.

Compliance is demonstrating to regulators that you have a written, documented program to protect client data, that your team understands their role in protecting it, that you've assessed the risks specific to your firm, and that someone is accountable for the whole thing. The FTC doesn't just want you to have good security. It wants you to have evidence that you made a plan, trained your people, checked your work, and reported on it. It wants to know who owns it.

Here's the distinction in one sentence: your IT provider builds the walls. You're responsible for the blueprint, the building code, the inspection reports, and the signed-off checklist.

Many firms have strong technical controls but weak governance. They've invested in good security tools without investing in the documented program that ties it all together. That gap between "we have a secure system" and "we can prove our compliance program works" is where most enforcement actions happen.

What the FTC Actually Expects From You

The FTC Safeguards Rule, codified in 16 CFR Part 314, spells out the firm owner's responsibilities pretty clearly. Here are the ones that matter most.

Designate a qualified individual. Section 314.4(a) requires you to name one person who is responsible for the information security program. Not your IT provider. You. It can be the managing partner, a compliance officer, or someone you hire. But there must be someone whose job, in writing, includes "make sure we stay compliant." If you can't name that person right now, you have a gap.

Conduct a risk assessment. Section 314.4(b) requires you to assess the risks specific to your firm. What data do you hold? Where is it stored? What are the most likely threats? What happens if you lose it? Your IT provider can help with the technical part. But you have to own the assessment and sign off on it.

Oversee your service providers. Section 314.4(d) says you're responsible for making sure your vendors, including your IT provider, are protecting client data. That means you need a written contract that spells out what they're supposed to do, and you need to audit them. It's a partnership, not a handoff.

Report to your board or partners. Section 314.4(j) requires you to keep your leadership informed. At least annually, you need to document and discuss your compliance posture. This isn't IT jargon. It's governance.

The IRS reinforces this in Publication 4557, which specifically addresses tax and accounting firms. You must have a Written Information Security Plan (WISP). You must train your employees. You must document it.

None of these are IT tasks. None of them are "configure the firewall" tasks. They're leadership tasks. Governance tasks. Compliance tasks.

Your IT Provider Is Essential. They're Just Not Responsible for This.

Let me be direct: your IT provider or MSP is essential to your security posture. They do critical work. They're the right people to implement firewalls, deploy multi-factor authentication, manage patches, set up backups, and monitor your network. If they're good, they save you from breaches and outages all the time. You should trust them and lean on them.

But trusting them with technical implementation is not the same as asking them to own your compliance program. That's like asking your tax software to also manage your client relationships. Different job. Different skill set. Different accountability. Your IT provider can tell you how many systems passed the patch audit. But they're not the right person to decide whether your firm's risk tolerance matches your actual risk controls, or whether the board needs to know about that gap, or what the firm's compliance documentation should look like.

The best IT relationships are collaborative. You ask them: "What's in scope for you? What's not?" You document their scope in a contract. You talk to them about compliance requirements. And then you fill the gaps with a compliance function, either internal or external, that's separate from IT operations.

What You Can Do Today

This isn't a three-year transformation. Start here.

  1. Name your qualified individual. Open a document. Write down who owns information security for your firm. If you can't fill that blank, schedule a 30-minute conversation with your leadership team this week and figure it out.

  2. Ask your IT provider for a scope of work. Email your MSP or IT director and ask them to document what they do and don't cover. Do they conduct risk assessments? Do they provide compliance reporting? Do they train staff on data handling? Don't assume. Confirm in writing.

  3. Check if you have a written information security plan. Do you have a WISP? If not, that's your first compliance gap to close. It doesn't need to be 50 pages. It needs to exist and be updated.

  4. Schedule a compliance conversation with your IT partner. Sit down and talk about shared responsibility. Show them the FTC requirements. Ask them what they can support and what you need to own. Most good IT partners will appreciate the clarity.

  5. Start documenting your training. If your staff have received any security awareness training, document it. Who trained them? When? What topics? This is low-hanging compliance fruit.

The Bottom Line

Here's the lesson: compliance is a leadership function that works alongside IT, not something IT absorbs by default. Your IT provider is your partner in security. They build the technical foundation. But they're not responsible for the documented program, the governance oversight, the risk assessment, the training, or the board reporting. You are.

The FTC has made it clear that firms with strong technical controls but weak governance programs still get enforcement actions. The Marriott case, which resulted in a 20-year compliance order, serves as a stark reminder that having good security tools doesn't protect you if you can't prove you managed the program responsibly.

You don't need a team of compliance experts. But you need clarity about who does what, documented evidence that you made a plan and stuck to it, and a qualified individual who can look the FTC in the eye and say, "I own this." That's compliance. And that's on you.

If you're not sure where to start, we built SafeGuardGRC to help firms close exactly these gaps. We work alongside your IT provider, not instead of them. We handle the compliance side of the equation, so you can stay focused on your practice.
