Industry Compliance Guide

Professional Services Compliance

FTC Act, state privacy law, and client flow-down compliance for consultants, agencies, architects, engineers, and business services firms.

What’s at stake: Your reputation runs on the trust your clients place in you with their data. Bigger clients increasingly require security questionnaires, attestations, and proof of controls before they sign.

Regulations That Apply

Regulation                  | What It Covers
FTC Act §5                  | Unfair and deceptive practices — covers privacy and security promises
State Breach Laws           | Universal — applies anywhere PII is held
CCPA / Other State Privacy  | If meeting consumer or revenue thresholds
Customer Flow-Down          | Inherits client compliance requirements through contract
Insurance E&O               | Professional liability often requires baseline cyber controls

What You Need In Place

  • Multi-factor authentication on email and file storage
  • Endpoint detection and response
  • Encryption of client deliverables
  • Backup and recovery
  • Vendor due diligence on SaaS tools
  • Privacy notice and consumer rights workflows
  • Workforce phishing awareness training

Common Threats In This Sector

Professional-services firms — consultants, agencies, marketing shops, staffing firms, advisory practices — sit on client data they have signed contracts to protect. The threat profile depends heavily on what kind of client data is in scope, but a few patterns recur.

  • Business email compromise on client invoices and vendor payment requests
  • Client data exfiltration aimed at downstream extortion or competitive use
  • Phishing for cloud productivity credentials (Microsoft 365, Google Workspace)
  • Ransomware against project files and client-deliverable repositories
  • Vendor and subcontractor compromise reaching back into your environment
  • Client confidentiality breaches via misdirected email or insecure file sharing

Documentation You’ll Be Asked For

Mid-market and enterprise clients increasingly require evidence of an information-security program before engaging vendors. Cyber insurance applications ask the same questions. The exact framework depends on the client mix.

  • Written information-security policy
  • Vendor and contractor security review process
  • Client contractual data-protection commitments (DPA, MSA security exhibits) tracked and met
  • State data breach notification compliance for every state where clients or staff reside
  • Incident response plan with client-notification workflow
  • Cyber insurance application support documentation
  • SOC 2 readiness or equivalent attestation if larger clients require it

Where Most Small Firms Fall Short

The gap between what client MSAs commit to and what the firm actually has in place is the most common finding in cyber-insurance forensic reviews. Most firms sign aggressive data-protection terms and then fail to operationalize them.

  • No formal written information-security policy — or one that lives in a folder no one reads
  • Client security clauses signed and then never operationalized
  • No vendor management for SaaS tools across the firm
  • MFA missing on cloud productivity platforms
  • No tested backup of project files and deliverables
  • Generic privacy policy and terms that do not actually reflect data handling practices

How CGetty Helps

Security questionnaire support, baseline cybersecurity programs, and managed IT for consultancies, agencies, and professional services firms.

Not Sure Where Your Business Stands?

We help small businesses understand what applies to them and build a practical plan to get there. Let’s talk.