Technology compliance that satisfies regulators, insurers, and clients

Regulations are not slowing down. FTC Safeguards, SOC 2, IRS 4557, state bar rules, DFPI, SEC — professional services firms face more compliance requirements than ever. One82 builds and maintains compliance programs that pass examinations, satisfy insurers, and give your clients confidence. Over 26 years helping firms like yours stay ahead of regulators.

Response time: under 3 minutes
Years of experience: 26+
Google rating: 5.0 ★

CPA firms, law firms, and boutique financial services companies operating in the San Francisco Bay Area do not answer to a single regulator — they answer to several at once. The FTC Safeguards Rule and IRS Publication 4557 govern how accounting firms handle taxpayer data. State bar technology rules impose data security obligations on every California attorney. Private lenders and servicers face DFPI oversight, CFPB scrutiny, and GLBA requirements. Investment bankers, broker-dealers, and PE firms contend with SEC and FINRA cybersecurity mandates. And nearly every firm receiving institutional capital now faces SOC 2 requests in LP and client due diligence questionnaires.

The cost of non-compliance continues to climb. According to the Ponemon Institute, the average cost of non-compliance is 2.71 times higher than the cost of maintaining a compliance program. The FTC can impose penalties of up to $50,120 per violation under the Safeguards Rule and has brought more than 80 enforcement actions since 2020 (FTC Enforcement Database). Meanwhile, Schellman's 2024 SOC 2 Trends Report found that 67% of B2B buyers now consider SOC 2 compliance a factor in vendor selection — meaning compliance increasingly drives revenue, not just risk reduction.

One82 has spent 26 years building compliance programs for professional services firms in the Bay Area — and we have learned that overlapping frameworks are best addressed with a unified approach, not a series of siloed audits. When your documentation satisfies the FTC Safeguards Rule and your state bar's technology rules at the same time, compliance becomes an asset rather than a burden. We do not hand you a gap report and walk away. We implement the fixes, build the documentation, and stand with you when a regulator, insurer, or counterparty asks for proof.

Everything you get with compliance & regulatory

Compliance Gap Assessments

Before you can fix compliance gaps, you need to know exactly where they are. Our gap assessments audit your current IT environment, policies, and procedures against the specific frameworks that apply to your firm — FTC Safeguards, SOC 2, IRS Publication 4557, HIPAA, PCI DSS, CMMC, or state-specific regulations. You receive a detailed report showing your current compliance posture, every gap identified, the risk level of each finding, and a prioritized remediation roadmap with clear timelines and cost estimates. The assessment is non-disruptive — your team continues working normally while we evaluate. Most firms discover gaps they did not know existed.

FTC Safeguards Rule Implementation

The FTC Safeguards Rule now requires CPA firms, tax preparers, and non-bank financial institutions to implement a comprehensive information security program with nine specific requirements. Non-compliance means fines, enforcement actions, and personal liability for firm leadership. One82 implements every requirement: designating a qualified individual to oversee your security program, developing a written information security plan, conducting and documenting risk assessments, implementing access controls and encryption, deploying continuous monitoring, building and testing your incident response plan, managing vendor security, and maintaining the ongoing documentation that proves compliance. We handle the full implementation — not just a report telling you what to fix.

SOC 2 Readiness

SOC 2 certification demonstrates to clients, investors, and partners that your firm takes data security seriously. But passing the audit requires months of preparation — implementing controls, documenting procedures, and collecting evidence across all five Trust Service Criteria. One82 manages the full SOC 2 readiness process. We implement the required technical controls (access management, encryption, monitoring, change management, incident response), develop the policies and procedures your auditor expects, and build an ongoing evidence collection system so you are not scrambling to gather documentation at audit time. When your auditor arrives, everything is organized, current, and ready for review.

Policy Documentation

Regulators, auditors, and cyber insurance carriers expect written policies — and they can tell the difference between thoughtful, firm-specific documentation and generic boilerplate downloaded from the internet. One82 develops customized policy documentation for your firm: written information security policies, acceptable use policies, incident response plans, business continuity and disaster recovery plans, data retention and destruction policies, and vendor management policies. Each document reflects your firm's actual environment, data types, and regulatory obligations. We review and update policies annually and whenever significant changes occur — because a policy written three years ago and never updated is worse than no policy at all.

Vendor Risk Management

Your firm's security is only as strong as your weakest vendor. Cloud providers, practice management software companies, payment processors, and other third parties all have access to your data or systems — and regulators hold you responsible for their security practices. One82 helps you assess and monitor your third-party vendors. We evaluate vendor security questionnaires, review SOC 2 and SOC 3 reports, assess data handling practices, and maintain a vendor risk register that documents every vendor's risk level. When a vendor experiences a breach or changes their security posture, we alert you immediately and recommend action. Vendor risk management is a requirement under FTC Safeguards, SOC 2, and most regulatory frameworks.

Compliance Reporting & Dashboards

Compliance is not something you check once a year and forget about. Our compliance dashboards give your firm real-time visibility into your security posture across every applicable framework. You can see which controls are in place, which need attention, and how your compliance posture has changed over time. When a regulator calls for an examination, when your cyber insurer sends a renewal questionnaire, or when a client requests security documentation — you pull the report in minutes, not days. We also provide scheduled compliance summaries to firm leadership so partners stay informed about their firm's security obligations without needing to understand the technical details.

Audit Preparation & Support

Regulatory examinations and compliance audits are stressful for firms that are not prepared — and routine for firms that are. One82 prepares your firm well before any examination. We organize evidence packages, ensure all documentation is current, conduct pre-audit reviews to identify and fix any last-minute gaps, and brief your team on what to expect. During the actual examination, we participate in technical discussions alongside your leadership team and address auditor questions about your IT controls, security architecture, and compliance documentation. After the examination, we help remediate any findings and update your documentation. Firms that work with One82 enter audits with confidence, not anxiety.

Ongoing Compliance Monitoring

Compliance is not a one-time project — it is an ongoing operational requirement. Regulations change, your environment evolves, staff turn over, and controls can drift out of alignment without active management. One82 continuously monitors your environment for compliance drift, tracks regulatory changes across every framework relevant to your firm (FTC Safeguards, IRS guidance, state bar rules, SEC, DFPI, FINRA), and proactively updates your controls and documentation before deadlines arrive. We conduct periodic internal assessments to verify that what was implemented six months ago is still working as intended. Your firm stays compliant year-round — not just at audit time.

Compliance That Holds Up Under Scrutiny — From Any Regulator

Most firms treat compliance as a one-time checklist. One82 builds programs that survive regulatory examinations, client due diligence, and cyber insurance audits because we understand how your specific frameworks overlap — and how to satisfy all of them at once.

01 Multi-Framework by Design

We map your environment against every framework your firm faces simultaneously — FTC Safeguards Rule, IRS Publication 4557, SOC 2, DFPI, SEC, FINRA, state bar technology rules — and engineer controls that satisfy multiple requirements with a single implementation.

02 We Fix, Not Just Report

A compliance assessment that ends with a 40-page gap report is not compliance — it is paperwork. One82 remediates the gaps we find: deploying the technical controls, writing the policies, configuring the systems, and validating the results.

03 Continuous Monitoring, Not Annual Snapshots

Regulations do not wait for your next annual review. Our compliance monitoring runs continuously — tracking configuration drift, flagging new vendor risks, and alerting your team when a control falls out of spec. You maintain compliance every day, not just before an audit.

04 Audit-Ready Documentation, Always

When a DFPI examiner, FINRA reviewer, cyber insurance underwriter, or LP due diligence team asks for evidence of your security controls, One82 clients have it ready. We maintain current policy libraries, control evidence logs, and vendor risk records.

How compliance & regulatory helps your industry

CPA & Accounting Firms

Accounting firms face an increasingly complex web of compliance requirements. IRS Publication 4557 mandates specific data protection practices for tax preparers. The FTC Safeguards Rule — updated in 2023 — now explicitly covers CPA firms and tax preparers as "financial institutions," requiring a comprehensive written security program with nine specific elements. State boards of accountancy add their own technology and data protection requirements. Firms pursuing institutional clients need SOC 2 certification. And if your firm processes client payments, PCI DSS applies. One82 helps CPA firms navigate this landscape by building and maintaining compliance programs that satisfy every regulator simultaneously. We understand how these frameworks overlap so you implement once and satisfy many — not duplicate effort across separate compliance projects.


Law Firms

The legal profession has undergone a quiet compliance revolution. California, New York, and a growing number of states now impose explicit technology competence obligations on attorneys through their rules of professional conduct. State bar ethics opinions increasingly address data security, cloud computing, email encryption, and the duty to safeguard client information in digital environments. A law firm that suffers a data breach may face not only civil liability but bar disciplinary proceedings. One82 helps law firms implement security controls that meet state bar ethical obligations, protect attorney-client privilege in digital systems, and satisfy the technology provisions of malpractice insurance policies. We understand the intersection of legal ethics and cybersecurity — a combination that general IT companies simply cannot provide.


Boutique Financial Services

Boutique financial services firms operate under some of the most extensive regulatory oversight in professional services. California's DFPI conducts examinations of state-licensed lenders and financial service providers. The SEC's cybersecurity rules now require registrants to disclose material incidents and maintain documented cybersecurity programs. FINRA imposes technology governance requirements on broker-dealers. The GLBA and FTC Safeguards Rule apply to any non-bank institution handling consumer financial data. And increasingly, institutional LPs and investors require SOC 2 certification or its equivalent before committing capital. One82 builds compliance programs that address all of these requirements in a coordinated framework. When you face a DFPI examination, an SEC inquiry, or a 100-question LP DDQ, the evidence is documented, organized, and ready — because we maintain it continuously, not just before audits.


Common questions about compliance & regulatory

What is the FTC Safeguards Rule and does it apply to my firm?

The FTC Safeguards Rule requires non-bank financial institutions to develop, implement, and maintain a comprehensive information security program. It applies to CPA firms, tax preparers, financial advisors, mortgage brokers, private lenders, and other businesses that handle consumer financial data. If your firm touches financial information, the Safeguards Rule almost certainly applies to you. One82 implements every requirement — from designating a qualified individual to maintaining written policies, access controls, encryption, monitoring, and incident response.

What is SOC 2 compliance and does my firm need it?

SOC 2 is a framework developed by the AICPA that demonstrates your firm's commitment to security, availability, processing integrity, confidentiality, and privacy. You need SOC 2 if institutional clients, LPs, investors, or enterprise customers are asking about your security controls — typically through due diligence questionnaires (DDQs). SOC 2 is increasingly table stakes for financial services firms, accounting firms serving large clients, and any firm that stores or processes client data in the cloud.

How do you help with HIPAA compliance for professional services firms?

Some professional services firms — particularly law firms handling healthcare litigation and CPA firms with healthcare clients — must comply with HIPAA when they handle protected health information (PHI). We implement the HIPAA Security Rule technical safeguards: access controls, audit logging, encryption, integrity controls, and transmission security. We also help with administrative requirements including risk analysis, workforce training, and business associate agreements.

What is PCI DSS and does my professional services firm need it?

PCI DSS (Payment Card Industry Data Security Standard) applies if your firm accepts credit card payments — for client invoices, retainer payments, or filing fees. Even if you use a third-party payment processor, certain PCI requirements still apply to your environment. We assess your cardholder data environment, implement required controls, and help you complete the Self-Assessment Questionnaire (SAQ) that your payment processor requires.

What is CMMC and which firms need it?

The Cybersecurity Maturity Model Certification (CMMC) is required for firms that work with the Department of Defense or handle Controlled Unclassified Information (CUI). Some law firms, consulting firms, and financial services firms that serve government contractors must meet CMMC Level 2 requirements. We assess whether CMMC applies to your firm and implement the 110 NIST SP 800-171 controls required for certification.

How long does a compliance gap assessment take?

A typical compliance gap assessment for a professional services firm takes 2-4 weeks. We review your current technology environment, policies, and procedures against the applicable frameworks. You receive a detailed report with findings prioritized by risk level, a remediation roadmap with clear timelines, and cost estimates for each fix. The assessment itself is non-disruptive — your team continues working normally while we evaluate.

What happens during a regulatory examination or audit?

We prepare your firm well before the examination. When regulators or auditors arrive, we provide organized evidence packages, technical documentation, and policy records. We participate in technical discussions alongside your team and address questions about your IT controls. After the examination, we help remediate any findings and update documentation. Firms that work with One82 enter examinations with confidence, not anxiety.

Can you help us respond to client due diligence questionnaires (DDQs)?

Yes. We help financial services firms, accounting firms, and law firms complete security questionnaires from institutional clients, LPs, investors, and counterparties. We maintain a library of your firm's security controls and compliance evidence so DDQ responses are accurate, consistent, and fast. For firms that receive frequent DDQs, we build a response framework that turns a multi-day process into hours.

How does One82 stay current with changing regulations?

We track regulatory changes across every framework relevant to professional services: FTC Safeguards updates, IRS data security guidance, state bar technology rules, SEC cybersecurity rules, DFPI requirements, FINRA updates, and emerging frameworks like CMMC. When a regulation changes, we proactively assess the impact on your firm and update your controls and documentation before the compliance deadline.

What makes One82 different from a compliance consulting firm?

Most compliance consultants hand you a report and leave. They identify gaps but do not fix them. One82 is both your compliance advisor and your IT provider — we identify what needs to change and then implement it directly. No handoff, no lost-in-translation, no second vendor. We have supported professional services firms through compliance programs for over 26 years, and we maintain your compliance posture continuously, not just at audit time.

Ready for IT that actually works?

Book a free 15-minute discovery call. No obligation, no pressure — just a conversation about how we can help your firm.
