If you run a regulated professional-services firm in BC, you have probably read at least one breach story in the last twelve months involving a peer firm. The pattern is almost always the same: a senior partner clicked a phishing email or reused a password, the attacker pivoted into the file server, and within a few weeks the client data was either encrypted or exfiltrated. The regulator notice and the client letters follow within a month. None of those firms thought they were underprotected on the day before the incident.

The reason this keeps happening to regulated firms specifically is structural. The data is high-value and well-organised (client files, tax returns, trust ledgers, M&A drafts). The user population is small and senior (partners with elevated permissions). The tolerance for friction is low (lawyers and CPAs do not want MFA prompts during a court filing or a tax-deadline crunch). And the regulatory consequences of a breach are concrete, not abstract.

What follows is the unified IT and security baseline that the BC professional-services regulators expect to see, provided it is implemented consistently and the evidence is kept. We cover the shared baseline first, then the vertical-specific obligations.

The shared baseline (CPA BC, Law Society, FINTRAC, PIPEDA)

Every regulated professional services firm in BC, regardless of vertical, should be able to point to documentation of the following ten controls. None of them are exotic. All of them are now table stakes on cyber insurance applications.

  1. Named-user accounts only. No shared logins. Every partner, associate, paralegal, and admin has their own account.
  2. MFA enforced on every account. Phishing-resistant methods preferred (FIDO2 security keys or passkeys). Where push-based Microsoft Authenticator is used, turn on number matching; it stops push-bombing, but it does not stop a proxy phishing site that relays the real login, which only FIDO2-class methods resist. No SMS or voice codes.
  3. Conditional access policies. Block legacy authentication protocols (they bypass MFA entirely), block sign-ins from countries the firm does not operate in, and require a managed, compliant device for access to sensitive applications.
  4. Endpoint detection and response (EDR) on every device. Signature antivirus alone does not see credential theft, living-off-the-land tooling, or the hands-on-keyboard activity that follows a compromised mailbox.
  5. Email security. SPF and DKIM configured for every service that sends as the domain, DMARC at p=quarantine or p=reject (a p=none record only monitors), anti-phishing, attachment sandboxing, and a documented procedure for reporting suspicious mail.
  6. Backups with offline or immutable copies. Tested quarterly. The test results documented.
  7. Patch management. Critical OS and application updates applied within 14 days, evidence captured per device.
  8. Access reviews. Quarterly review of who has access to what. Stale access removed.
  9. Security awareness training. Phishing simulations every 90 days, mandatory annual training, click-through metrics tracked.
  10. Incident response plan. Written, owner-named, tested at least annually with a tabletop exercise.

If you can produce evidence of those ten today, you have the unified baseline. The vertical-specific obligations layer on top of it. If you cannot, that is the right place to start before adding industry-specific controls.
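Control 5 is the one item on the list that can be checked mechanically from outside the firm. The script below is an added example, not tooling from this page or from any vendor it names; it evaluates the SPF and DMARC TXT records of a domain against the baseline (a non-permissive SPF "all" term and no more than ten lookups, DMARC at quarantine or reject applied to 100 percent of mail, an aggregate-report address set). The records in it are constructed samples for example.com; the spf.protection.outlook.com include is the standard Microsoft 365 one, and the assumed workflow is that you paste in what a TXT lookup of the domain and of _dmarc.<domain> returns.

```python
"""Added example (not the page's own tooling): check SPF and DMARC TXT records
against the email-security baseline in control 5. The records below are
constructed samples for example.com; in practice you would pull them with
'dig TXT example.com' and 'dig TXT _dmarc.example.com'.
"""
import re

# Mechanisms that cost a DNS lookup under RFC 7208 (limit: 10 per evaluation).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; rua=mailto:x' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(txt: str) -> list:
    """Return findings against the baseline; an empty list means the record passes."""
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (no v=DMARC1 tag)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: monitoring only, baseline needs quarantine or reject")
    sub = tags.get("sp")
    if sub is not None and sub.lower() not in ("quarantine", "reject"):
        findings.append(f"sp={sub}: subdomains can still be spoofed")
    pct = tags.get("pct", "100")  # an absent pct tag means 100 percent
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so spoofing goes unnoticed")
    return findings


def _mechanism(term: str) -> str:
    """'+include:spf.protection.outlook.com' -> 'include'; '-all' -> 'all'."""
    return re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]


def check_spf(txt: str) -> list:
    """Findings for an SPF record: a permissive 'all' term or too many lookups."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    findings = []
    all_terms = [t for t in terms[1:] if _mechanism(t) == "all"]
    if not all_terms:
        findings.append("no 'all' term: unlisted senders are neutral rather than failed")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' lets any host send as the domain")
        elif qualifier == "?":
            findings.append("'?all' is neutral; use ~all or -all")
    lookups = sum(1 for t in terms[1:] if _mechanism(t) in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the limit of 10 (SPF returns permerror)")
    return findings


def audit_domain(spf_txt: str, dmarc_txt: str) -> dict:
    """Combine both checks into the evidence record a reviewer would file."""
    findings = check_spf(spf_txt) + check_dmarc(dmarc_txt)
    return {"passes_baseline": not findings, "findings": findings}


# Constructed sample records: a common starting point and the hardened target.
WEAK = ("v=spf1 include:spf.protection.outlook.com +all",
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com")
HARDENED = ("v=spf1 include:spf.protection.outlook.com -all",
            "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com")

if __name__ == "__main__":
    for label, (spf, dmarc) in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_domain(spf, dmarc))
```

Run it against the real records before the insurance renewal; the findings list is the evidence gap. The check reads the published records only: it does not prove that every service sending as the domain is actually DKIM-signing, which is what the aggregate reports delivered to the rua address are there to show.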

Vertical 1

Accounting firms (CPA BC, Income Tax Act, FINTRAC for some practices)

CPA BC Rule 211 (Confidentiality of Information) imposes a duty to safeguard client information that is broadly aligned with PIPEDA but enforced through the regulator's complaint process. Add to that: client tax returns, T2125s, payroll data, and trust ledgers all qualify as sensitive personal and financial information. CRA requires tax records to be kept for six years from the end of the tax year they relate to; keep them encrypted at rest for that whole period, including on backups and archive media.

  • Encrypt the laptop fleet and any portable drives. BitLocker or FileVault, with recovery keys escrowed centrally (MDM or directory), never stored on the device or in a shared spreadsheet.
  • Gate the practice-management environment (CCH iFirm, CaseWare, QBO Accountant, Xero) behind conditional access so it is reachable only from managed devices with MFA, and keep general internet browsing and personal accounts out of that environment.
  • Document the retention schedule for tax records and the secure-disposal procedure at end of retention.
  • Treat e-transfer and wire-instruction emails as high-risk; require a phone-call verification of any new or changed banking instruction, placed to a number already on file, never to one supplied in the email itself.

Our accounting firm compliance hub covers the regulatory framework in detail, and the accounting firm IT support page describes the operational service we deliver.

Vertical 2

Law firms (Law Society of BC, solicitor-client privilege)

The Law Society of BC's Cloud Computing Due Diligence Checklist and the BC Code of Professional Conduct (Rules 3.3 to 3.6) put a duty on lawyers to take reasonable steps to protect client confidences and to ensure third-party service providers do the same. Trust accounts, M&A drafts, litigation strategy, and family-law records all sit in this envelope.

  • Verify cloud-service residency and contractual security obligations before signing any new SaaS contract. Canadian or US data residency, breach notification clauses, named subcontractors.
  • Separate client data from internal firm operations data so an internal breach cannot cascade into the client file system.
  • Enforce MFA on practice management (Clio, PCLaw, NetDocuments), email, and any file-share that touches client matters.
  • Test the incident-response runbook against a "lawyer loses laptop on transit" scenario annually. The Law Society expects a documented response.

Our law firm compliance page walks the Law Society of BC obligations, and our law firm IT support service is built around the privilege and confidentiality requirements specifically.

Vertical 3

Financial services (FINTRAC, IIROC / CIRO, PCMLTFA)

Mortgage brokers, MICs, securities dealers, investment advisors, insurance intermediaries, and any firm reporting to FINTRAC under the PCMLTFA carry the heaviest compliance load of the three verticals. Know-your-client (KYC) records, suspicious-transaction reports (STRs), large-cash-transaction reports (LCTRs), and the firm's compliance program documentation all sit in scope.

  • Long retention: 5 years post-relationship-end for KYC, 5 years for STR supporting documentation. Backup retention and litigation hold policy must match.
  • Segregation of duties enforced in software: the person who initiates a transaction cannot also approve it. This is an access-control design exercise, not a policy doc.
  • Wire fraud through business-email compromise is the single biggest operational risk; require dual control and out-of-band verification on every new beneficiary and on every change to an existing one.
  • FINTRAC examinations focus heavily on whether the documented compliance program is actually being followed; access logs and approval workflows must produce defensible evidence.
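The segregation-of-duties and dual-control points above are access-control design, so here is what they look like in code. This is an added example, not the page's or any practice-management product's workflow; the names, the two-approval threshold, the account identifiers and the callback number are all assumptions made for the example. It models a wire request where the initiator cannot approve, a new beneficiary cannot be approved until someone other than the initiator has confirmed it by calling a number already on file, and every decision, including the rejected ones, lands in an append-only audit trail of the kind an examiner asks to see.

```python
"""Added example (not the page's or any vendor's software): a wire-release
workflow that enforces segregation of duties, dual control and out-of-band
verification in code and keeps an audit trail. Names, the two-approval
threshold, account identifiers and the phone number are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from decimal import Decimal


class ControlViolation(Exception):
    """Raised when a step would break segregation of duties or dual control."""


@dataclass
class WireRequest:
    ref: str
    initiator: str
    beneficiary: str            # destination account identifier
    amount: Decimal
    approvals: list = field(default_factory=list)
    released: bool = False


class WireDesk:
    def __init__(self, known_beneficiaries, required_approvals=2):
        self.known = set(known_beneficiaries)   # accounts paid before and verified then
        self.verified_oob = set()               # new accounts confirmed by callback
        self.required = required_approvals
        self.audit = []                         # append-only evidence trail

    def _log(self, event, ref, actor, detail=""):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "event": event, "ref": ref, "actor": actor, "detail": detail})

    def initiate(self, ref, initiator, beneficiary, amount):
        req = WireRequest(ref, initiator, beneficiary, amount)
        self._log("initiated", ref, initiator, f"{amount:.2f} to {beneficiary}")
        return req

    def record_callback(self, req, verifier, number_on_file):
        """Out-of-band check: someone other than the initiator phones the client
        at a number already on file (never one taken from the instruction email)."""
        if verifier == req.initiator:
            raise ControlViolation("callback must be made by someone other than the initiator")
        self.verified_oob.add(req.beneficiary)
        self._log("callback_verified", req.ref, verifier, f"called {number_on_file}")

    def approve(self, req, approver):
        """Add one approval; returns True once the request is fully released."""
        if approver == req.initiator:
            self._log("rejected", req.ref, approver, "approver is the initiator")
            raise ControlViolation("the initiator cannot approve their own request")
        if approver in req.approvals:
            raise ControlViolation("the same person cannot approve twice")
        new_beneficiary = req.beneficiary not in self.known
        if new_beneficiary and req.beneficiary not in self.verified_oob:
            self._log("rejected", req.ref, approver, "new beneficiary without callback")
            raise ControlViolation("new beneficiary needs out-of-band verification first")
        req.approvals.append(approver)
        self._log("approved", req.ref, approver, f"{len(req.approvals)} of {self.required}")
        if len(req.approvals) >= self.required:
            req.released = True
            self.known.add(req.beneficiary)     # later wires to it are no longer "new"
            self._log("released", req.ref, approver)
        return req.released


def run_scenario():
    """A typical BEC attempt: a 'changed banking details' email leads to a wire
    request to an unknown account. Returns the desk, the request and the
    control violations that were blocked, so the evidence trail can be inspected."""
    desk = WireDesk(known_beneficiaries={"CA-TRUST-0001"})
    req = desk.initiate("W-1001", "alice", "CA-NEW-9999", Decimal("48500.00"))
    blocked = []
    for actor in ("alice", "bob"):      # self-approval, then approval before any callback
        try:
            desk.approve(req, actor)
        except ControlViolation as exc:
            blocked.append(str(exc))
    desk.record_callback(req, "carol", "+1-604-555-0100")   # constructed number on file
    desk.approve(req, "bob")
    desk.approve(req, "carol")
    return desk, req, blocked


if __name__ == "__main__":
    desk, req, blocked = run_scenario()
    print("blocked:", blocked)
    print("released:", req.released, "approvals:", req.approvals)
    for entry in desk.audit:
        print(entry["ts"], entry["event"], entry["actor"], entry["detail"])
```

The point of the design is that the rejected attempts are logged, not just the successful release: when an examiner asks whether the documented dual-control procedure is followed, the trail shows the control firing, not only the cases where nobody tested it.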

Our financial services compliance hub covers PCMLTFA and FINTRAC, and the financial services IT support service is built for the operational risk profile of mortgage brokers, MICs, and advisory practices.

The 60-second triage. Pick the vertical above that fits your firm. Of the four vertical-specific controls in that block, how many can you produce evidence for today? If the answer is two or fewer, your next compliance examination or cyber insurance renewal will be uncomfortable. The fix is sequencing the gaps, not buying more tools.

What we see go wrong most often

Three failure modes account for most of the regulated-firm incidents we are called into:

  1. The senior partner who refuses MFA. A firm with 80 percent MFA coverage is not protected; attackers find the 20 percent and start there. MFA enforcement has to be uniform, and the partner who pushed back is exactly the account an attacker will go after first.
  2. The backup that was never tested. Ransomware exposes this immediately. The backup tier the firm pays for is fine; the test-restore policy is the missing piece.
  3. The cloud SaaS app procured without IT involvement. A partner signs up for a new practice tool, integrates it with the firm calendar and file share, and the resulting data flow is never reviewed against the regulator's residency or confidentiality expectations. Quarterly access reviews catch this only if they cover third-party application consents in the tenant, not just user accounts.

None of these are exotic. All of them are operational discipline questions, not technology questions, which is why the firms that get this right have an IT partner who treats compliance as a workflow, not a one-time project.

Compliance Readiness Review for Your Firm

We offer a 60-minute compliance and IT readiness review specifically for BC accounting, legal, and financial-services firms. You get the 10-control baseline scored, the vertical-specific gaps named, and a sequenced remediation plan you can budget against. No obligation to engage us further.

Book the Compliance Review    Or request a managed IT quote
