A boutique wealth management firm in the Bay Area recently discovered that their former IT contractor still had active login credentials to their cloud storage environment - six months after that contractor had moved on to another client. No breach occurred. But for six months, one person outside the firm held the keys to client financial records, correspondence, and internal systems.

That firm got lucky. Many don’t.

The Problem: IT Offboarding Is Not the Same as Regular Employee Offboarding

When a paralegal, financial analyst, or staff accountant leaves your firm, your HR process handles most of the security cleanup. You terminate their email account, collect their laptop, and remove their badge access. It’s straightforward because their access is typically defined and documented.

When your IT person leaves, the situation is fundamentally different.

An IT generalist, whether a salaried employee, a part-time contractor, or a previous managed service provider (MSP), typically holds privileged access that most employees never touch. This includes domain administrator credentials that control your entire network, firewall and router management portals, cloud infrastructure accounts (Microsoft 365 admin, Google Workspace, AWS, Azure), backup and disaster recovery systems, vendor portals for software licenses and renewals, and monitoring tools installed directly on your servers or workstations.

These accounts rarely show up on an HR offboarding checklist. They exist outside the normal identity management systems that HR sees. In many small firms, some of these accounts use shared or generic credentials (“admin”, “itadmin”, or a variation of the firm name) that were set up years ago and never rotated.

Here’s what makes this worse: your departing IT person may be the only one who knows all of these access points exist. Institutional knowledge leaves with them. And if the departure is anything less than perfectly amicable, that knowledge gap becomes a real risk.

Professional services firms are not just businesses. They are stewards of sensitive client information, and they operate under specific regulatory obligations that make an uncontrolled access departure more than just an IT problem.

If your firm is a registered investment adviser (RIA) or broker-dealer, you operate under Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) rules that require documented controls over who can access client data. The SEC’s Regulation S-P specifically requires firms to protect client financial information and have administrative, technical, and physical safeguards in place. An unrevoked admin credential sitting in the hands of a former contractor does not meet that standard.

CPA firms handling tax and audit engagements are bound by the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, updated by the Federal Trade Commission (FTC) in 2023, which requires formal access controls and a written information security plan. A former IT person with active credentials is a documented deficiency under that rule.

Law firms, particularly those in financial services litigation, M&A, or wealth planning, hold privileged client communications. State bar ethics rules in California and across the country require competent measures to protect client confidentiality. The California Consumer Privacy Act (CCPA) adds additional obligations around personal information.

Beyond regulatory exposure, there is practical financial risk. Security liability insurance carriers are increasingly scrutinizing access control practices. A claim that involves a former IT employee or contractor with unrevoked access can become grounds for a coverage dispute.

How to Address IT Offboarding Insider Access Risk at a Small Professional Services Firm

The goal is not to assume bad intent from a departing IT person. Most departures are professional and cooperative. The goal is to build a process that does not depend on that assumption, or on their goodwill, or on their memory.

Start with a privileged access inventory before anyone leaves.

Ideally, your firm maintains a running inventory of every administrative account, shared credential, and system your IT person manages. If you don’t have that today, build it now, before you need it. The inventory should include every cloud platform and admin portal, all firewall and network device credentials, backup and monitoring service accounts, vendor relationships and billing accounts, and any software installed under a personal or contractor account.

Treat generic credentials as a separate problem.

Shared passwords cannot be revoked the way a personal account can. You cannot simply remove one person’s access to a password everyone on the IT team (or vendor) uses. Every shared credential your departing IT person knew must be rotated immediately after their departure, and the rotation must be documented.
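One way to make the inventory and the rotation rule from the two points above actionable is a short script that takes the privileged-access inventory and a departing person's name and produces the revoke/rotate list. This is an added example, not code from the article or from One82; the inventory rows, the departing person, and "acmewealth" (standing in for the firm's own name in the generic-credential check) are all constructed sample data.

```python
"""Turn a privileged-access inventory into an offboarding action list.

Added example, not code from the article or from One82. The inventory
rows, the departing person, and "acmewealth" (standing in for the firm's
own name) are constructed sample data.
"""
import re
from dataclasses import dataclass, field

# Login names that signal a generic credential rather than a personal
# account. Matched against the part before any "@" so the firm's mail
# domain does not trip the check; "acmewealth" is the assumed firm name.
GENERIC_LOCAL_PARTS = [r"^admin$", r"^administrator$", r"^itadmin$", r"^root$", r"^acmewealth"]


@dataclass
class Credential:
    system: str                                  # where the credential is used
    account: str                                 # login name
    owner: str                                   # person it is tied to, or "shared"
    known_to: set = field(default_factory=set)   # people who know the password
    last_rotated: str = ""                       # ISO date, "" if never recorded


def is_generic(account: str) -> bool:
    """True if the login name looks like a shared/generic credential."""
    local = account.split("@", 1)[0]
    return any(re.search(p, local, re.IGNORECASE) for p in GENERIC_LOCAL_PARTS)


def offboarding_actions(inventory, departing):
    """Return (action, system, account, reason) tuples for every inventory row."""
    actions = []
    for c in inventory:
        if c.owner == departing:
            # A personal account can simply be disabled and ownership transferred.
            actions.append(("REVOKE", c.system, c.account, f"personal account of {departing}"))
        elif departing in c.known_to:
            # A shared secret cannot be revoked per person; it has to change.
            actions.append(("ROTATE", c.system, c.account, f"shared secret known to {departing}"))
        elif is_generic(c.account) and not c.last_rotated:
            # No rotation record means nobody can show the departing person never had it.
            actions.append(("ROTATE", c.system, c.account,
                            "generic credential with no rotation record"))
        else:
            actions.append(("KEEP", c.system, c.account,
                            "not tied to or known by the departing person"))
    return actions


def summarize(actions):
    """Count actions by type, e.g. {"REVOKE": 1, "ROTATE": 2, "KEEP": 2}."""
    counts = {}
    for action, *_ in actions:
        counts[action] = counts.get(action, 0) + 1
    return counts


# Constructed sample inventory for a small firm.
SAMPLE_INVENTORY = [
    Credential("Microsoft 365 admin portal", "jsmith-admin@acmewealth.example",
               "J. Smith", {"J. Smith"}, "2024-01-15"),
    Credential("Firewall management portal", "admin", "shared", {"J. Smith", "M. Chen"}, ""),
    Credential("Backup service console", "backups@acmewealth.example",
               "shared", {"M. Chen"}, "2024-06-01"),
    Credential("License vendor portal", "itadmin", "shared", set(), ""),
    Credential("Cloud storage admin", "mchen@acmewealth.example",
               "M. Chen", {"M. Chen"}, "2024-03-10"),
]

if __name__ == "__main__":
    for action, system, account, reason in offboarding_actions(SAMPLE_INVENTORY, "J. Smith"):
        print(f"{action:6} {system:28} {account:34} {reason}")
    print(summarize(offboarding_actions(SAMPLE_INVENTORY, "J. Smith")))
```

The point of the third rule is the one the article makes about credentials set up years ago: a generic account with no rotation history has to be treated as compromised knowledge, because the firm cannot prove otherwise. Record the rotation date when you change it so the next departure does not trigger the same uncertainty.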

Conduct a shadow IT audit.

Shadow IT refers to tools, services, or configurations set up outside of your firm’s formal purchasing or approval process. IT generalists at small firms often spin up monitoring agents, personal Dropbox or OneDrive accounts used for backups, remote access tools registered to their personal email, or trial accounts that quietly became production systems. After a departure, these persist invisibly. A thorough shadow IT audit involves reviewing active software installations on all devices, checking for remote access tools like TeamViewer, AnyDesk, or LogMeIn, reviewing firewall logs for outbound connections to unfamiliar services, and auditing billing statements for recurring subscriptions.
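The firewall-log part of that audit can be scripted: read outbound connection records, drop anything going to a service the firm knowingly uses, and sort the rest into remote-access tools versus unfamiliar services. The script below is an added example, not code from the article or from One82. The log format, the approved-service allowlist, and the traffic are constructed; the remote-access domains are the primary domains of the tools the article names, and it is an assumption that this short list is enough (real deployments use additional hostnames, so treat it as a starting point and extend it from your own vendor documentation).

```python
"""Flag outbound connections to remote-access tools and unfamiliar services.

Added example, not code from the article or from One82. The log format,
the allowlist, and the traffic are constructed; a real firewall exports a
different format, so the parser would need adjusting.
"""
import re

# Services the firm knowingly uses (constructed allowlist; "firm-backup.example"
# stands in for the contracted backup vendor). Subdomains are accepted.
APPROVED_SERVICES = {"login.microsoftonline.com", "outlook.office365.com", "firm-backup.example"}

# Primary domains of the remote-access tools named in the article. Assumption:
# real deployments also use other hostnames, so this is a starting point only.
REMOTE_ACCESS_DOMAINS = {"teamviewer.com", "anydesk.com", "logmein.com"}

# Constructed key=value log format: we only need the source and the hostname.
LOG_LINE = re.compile(r"src=(?P<src>\S+) .*?host=(?P<host>\S+)")

# Constructed sample traffic (RFC 5737 addresses on the destination side).
SAMPLE_LOG = """\
2025-03-02T10:15:22 src=10.0.1.25 dst=198.51.100.7 dport=443 host=login.microsoftonline.com action=allow
2025-03-02T10:16:03 src=10.0.1.25 dst=198.51.100.8 dport=443 host=teamviewer.com action=allow
2025-03-02T11:02:44 src=10.0.1.31 dst=198.51.100.9 dport=443 host=www.dropbox.com action=allow
2025-03-02T11:40:10 src=10.0.1.31 dst=198.51.100.7 dport=443 host=login.microsoftonline.com action=allow
2025-03-02T13:22:51 src=10.0.1.40 dst=198.51.100.10 dport=443 host=anydesk.com action=allow
2025-03-02T14:05:00 src=10.0.1.40 dst=198.51.100.11 dport=443 host=api.firm-backup.example action=allow
"""


def _matches(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def audit_outbound(log_text, approved=APPROVED_SERVICES, remote_access=REMOTE_ACCESS_DOMAINS):
    """Return {host: {"category", "sources", "count"}} for hosts not on the allowlist."""
    findings = {}
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue  # unparseable line; a real run should count these too
        host = m.group("host").lower()
        if _matches(host, approved):
            continue
        category = "remote-access-tool" if _matches(host, remote_access) else "unfamiliar-service"
        entry = findings.setdefault(host, {"category": category, "sources": set(), "count": 0})
        entry["sources"].add(m.group("src"))
        entry["count"] += 1
    return findings


if __name__ == "__main__":
    for host, info in sorted(audit_outbound(SAMPLE_LOG).items()):
        print(f"{info['category']:20} {host:30} connections={info['count']} "
              f"from={sorted(info['sources'])}")
```

The "unfamiliar-service" bucket is where the personal Dropbox or OneDrive accounts and the trial-turned-production services show up; each host in it needs an owner and a decision, which is the point of the audit. Cross-check the sources against the billing review the article recommends: a subscription on the card statement with no matching traffic, or traffic with no matching subscription, is a lead either way.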

Treat a provider transition as a security event.

If your firm is moving from one MSP to another, or from an internal IT person to a managed service, the handoff itself requires security discipline. Revoke access before granting new access where possible. Document what the outgoing provider is removing. Do not assume that a professional departure means a clean one.

Assign clear ownership of the offboarding process.

Someone at your firm (a managing partner, a COO, or an office manager) needs to own IT offboarding as a defined responsibility. That person does not need to be technical. They need to know who to call and what checklist to follow.

What to Look for in an IT Partner

If you are evaluating managed IT providers after a departure or transition, ask these specific questions:

  • Do you maintain a documented inventory of all privileged accounts and credentials you manage on our behalf?
  • What is your process for revoking your own access if we terminate our agreement with you?
  • How do you handle shadow IT or tools set up by a previous provider?
  • Can you conduct a credential audit as part of onboarding?
  • Do you carry technology errors and omissions (E&O) and information security liability insurance, and will you provide documentation?

A capable IT partner should answer all of these questions without hesitation. The willingness to plan for their own offboarding is a signal of professional maturity, not a red flag. Providers who resist documenting their access or defining an exit process are telling you something important about how they operate.

The Bottom Line

When an IT person leaves a small professional services firm, the access they held does not disappear automatically. It lingers in admin portals, shared credentials, monitoring tools, and vendor accounts until someone methodically revokes it. For financial services firms, CPA practices, and law firms, that lingering access is both a regulatory liability and a practical security risk. Building a documented, repeatable IT offboarding process is one of the highest-return security investments a small firm can make.

Frequently Asked Questions

What accounts does an IT person typically have access to that a normal employee doesn’t?

An IT generalist typically holds domain administrator access, firewall and network device credentials, cloud platform admin accounts (such as Microsoft 365 or Google Workspace), backup and disaster recovery systems, remote monitoring tools, and vendor or licensing portals. Most of these are not visible to HR or listed in standard employee directories. In small firms, some of these accounts may use shared credentials that were never tied to a specific individual.

How do I know if a former IT contractor still has access to my systems?

Start with an audit of active accounts across your core platforms, particularly Microsoft 365, Google Workspace, any firewall management portals, and remote access tools. Check for accounts registered to personal email addresses, vendor portals where the contractor was the primary contact, and software license accounts in their name. Reviewing firewall and application logs for recent logins from unfamiliar IP addresses can also surface unexpected activity.
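The checks in that answer (accounts still tied to the contractor, accounts registered to personal email addresses, and sign-ins after the departure date from unfamiliar addresses) can be run over an export from the admin portal and its sign-in log. The script below is an added example, not code from the article or from One82. The account export, the sign-in log, the office IP range, the departure date, and the contractor's name are all constructed sample data, and the column names are assumed; real admin portals export different fields, so the parsing would need adjusting.

```python
"""Verify that a departed IT contractor's access is really gone.

Added example, not code from the article or from One82. The account
export, sign-in log, office IP range, departure date, and contractor
name are constructed sample data with assumed column names.
"""
import csv
import io
import ipaddress
from datetime import date, datetime

# Consumer mailbox providers: a recovery or contact address here means the
# account is anchored to a person's private mailbox, not to the firm.
CONSUMER_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "icloud.com"}

# Constructed: the firm's office egress range (RFC 5737 documentation space).
OFFICE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed export of enabled accounts from a cloud admin portal.
ACCOUNTS_CSV = """\
account,display_name,role,recovery_email,enabled
jsmith-admin@acmewealth.example,Jordan Smith (contractor),Global Admin,jordan.smith.it@gmail.com,true
mchen@acmewealth.example,Mei Chen,User,,true
backup-svc@acmewealth.example,Backup Service,Global Admin,itguy.backups@outlook.com,true
rpatel@acmewealth.example,Raj Patel,Billing Admin,,true
"""

# Constructed sign-in log for the same tenant.
SIGNIN_CSV = """\
timestamp,account,source_ip,result
2025-02-10T08:12:00,mchen@acmewealth.example,203.0.113.40,success
2025-03-03T22:41:09,jsmith-admin@acmewealth.example,198.51.100.23,success
2025-03-04T09:05:30,rpatel@acmewealth.example,203.0.113.41,success
2025-03-05T01:17:45,backup-svc@acmewealth.example,192.0.2.77,success
"""

DEPARTURE = date(2025, 2, 28)   # constructed: contractor's last day
DEPARTED = ["Jordan Smith"]      # constructed: names to look for in display names


def _is_office_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OFFICE_NETWORKS)


def audit_lingering_access(accounts_csv, signin_csv, departure, departed_names):
    """Return {account: [reasons]} for accounts that need review."""
    findings = {}

    def flag(account, reason):
        findings.setdefault(account, []).append(reason)

    # Pass 1: static account properties.
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled; nothing lingering here
        for name in departed_names:
            if name.lower() in row["display_name"].lower():
                flag(row["account"], f"active account tied to departed person {name}")
        recovery = row["recovery_email"].strip()
        domain = recovery.rsplit("@", 1)[-1].lower() if "@" in recovery else ""
        if domain in CONSUMER_MAIL_DOMAINS:
            flag(row["account"], f"recovery contact is a personal mailbox ({domain})")

    # Pass 2: activity after the departure date. Any post-departure sign-in
    # by an already-flagged account, or from outside the office ranges, is
    # worth a look; ordinary staff signing in from the office is not.
    previously_flagged = set(findings)
    for row in csv.DictReader(io.StringIO(signin_csv)):
        when = datetime.fromisoformat(row["timestamp"]).date()
        if when <= departure:
            continue
        outside = not _is_office_ip(row["source_ip"])
        if row["account"] in previously_flagged or outside:
            where = "outside office ranges" if outside else "office range"
            flag(row["account"], f"sign-in on {when} from {row['source_ip']} ({where})")
    return findings


if __name__ == "__main__":
    for account, reasons in audit_lingering_access(ACCOUNTS_CSV, SIGNIN_CSV,
                                                   DEPARTURE, DEPARTED).items():
        print(account)
        for r in reasons:
            print("   -", r)
```

On the constructed data the contractor's admin account is flagged three times (still active, recovery address on a personal mailbox, and a sign-in after the departure date from outside the office), and the backup service account is flagged twice even though it is not in the contractor's name, because its recovery contact is a personal mailbox and it signed in after the departure from an unfamiliar address. That second case is the one an HR-driven checklist misses.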

What is shadow IT, and why does it matter when an IT employee leaves?

Shadow IT refers to tools, accounts, or systems that an IT person set up without formal organizational approval or documentation, often for convenience or speed. Examples include personal cloud storage used for backups, remote desktop tools registered to a personal account, and monitoring agents installed on firm devices. When that person leaves, these tools may remain active, creating both a security gap and a compliance issue, since data may be flowing to systems your firm does not control or even know about.

Does an IT offboarding gap expose my firm to regulatory penalties?

Yes, it can. For RIAs and broker-dealers, uncontrolled access to client data implicates SEC Regulation S-P and FINRA requirements around data security controls. CPA firms are subject to the FTC Safeguards Rule under GLBA, which requires documented access controls. Law firms in California face obligations under the CCPA and state bar ethics rules regarding client confidentiality. In each case, an unrevoked former IT credential is a documented control deficiency that regulators and insurance carriers can use against you.

One82 provides managed IT, cybersecurity, compliance, and AI integration services exclusively for professional services firms in the San Francisco Bay Area. Schedule a 15-Minute Discovery Call to discuss your firm’s IT offboarding and insider access risk posture.