FTC Safeguards Rule & SOC 2 for Texas Firms: What Managed Services Actually Cover (2026)

By Donovan Brown
June 6, 2026
Photo: Legal scales and documents, regulatory compliance (Tingey Injury Law Firm on Unsplash)

The FTC Safeguards Rule and SOC 2 demand almost the same security controls. This 2026 guide explains what each requires of Texas firms and how a managed services partner delivers and documents both at once.

01

Introduction

If you run a Texas CPA firm, an RIA or advisory practice, an auto dealership, or a mortgage or title company, the FTC Safeguards Rule already applies to you whether or not anyone has told you so. And if you sell software or services to enterprise buyers, you have almost certainly been asked for a SOC 2 report during a procurement review. The two frameworks come from different places — one is a federal regulation, the other a voluntary audit standard — yet they ask for nearly the same set of technical controls. This guide explains what each requires, what a managed services partner delivers and documents on your behalf, and why building one control set usually satisfies both. It is practitioner guidance, not legal advice.

This is a deep dive within our broader guide to managed IT services for compliance in Texas. If your obligations also touch the defense supply chain or healthcare, see the companion deep dives on CMMC 2.0 & CUI and HIPAA-compliant managed IT.

02

The FTC Safeguards Rule: Who It Covers and What It Demands

The amended FTC Safeguards Rule (under the Gramm-Leach-Bliley Act) is now in full force, and the surprise for many owners is how broadly the term "financial institution" is defined. It is not limited to banks. It reaches any business significantly engaged in financial activities involving consumer information — which is why tax preparers and CPAs, registered investment advisers, mortgage brokers, title and settlement companies, auto dealers that arrange financing, and other finance-adjacent firms are all squarely covered. See the plain-language explainer on the FTC Safeguards Rule if you are unsure whether you qualify, and our FTC Safeguards Rule compliance page for the obligations in detail.

The Written Information Security Program (WISP)

At the center of the Rule is a Written Information Security Program — the WISP. It is not a one-page policy; it is a living document describing the administrative, technical, and physical safeguards you use to protect customer information, scaled to your firm's size and complexity. Auditors and, in the event of a breach, the FTC will ask to see it first. Produce a starter program with our free WISP generator, then have your managed services partner extend it into a defensible, evidence-backed program.

The Designated Qualified Individual

The Rule requires you to name a single Qualified Individual responsible for overseeing and enforcing the information security program. For most small Texas firms there is no internal candidate with the right security background, so this role is frequently outsourced. A virtual CISO (vCISO) / fractional security leadership engagement is the standard way to fill the Qualified Individual seat with someone who can write the program, run the risk assessment, and report to ownership credibly.

The Nine Required Elements

The Rule spells out specific safeguards your program must include. In practice they break down into nine areas, and a managed services provider can deliver every one:

  • Risk assessment — a written assessment of internal and external risks to customer information, refreshed periodically
  • Access controls — least-privilege access, reviewed regularly, so staff only reach the data their role requires
  • Encryption — of customer information at rest and in transit (or a documented, approved compensating control)
  • Multi-factor authentication — MFA for anyone accessing customer information, ideally phishing-resistant
  • Monitoring and testing — either continuous monitoring, or annual penetration testing plus twice-yearly vulnerability assessments
  • Secure disposal — of customer information no longer needed, on a defined schedule
  • Change management — a process to evaluate the security impact of changes to systems
  • Vendor oversight — selecting and monitoring service providers and requiring them to maintain safeguards
  • Incident response — a written plan, plus the new obligation to notify the FTC of qualifying breaches affecting 500 or more consumers

The Qualified Individual also owes ownership or the board a regular written report on the program's status, risks, and incidents — a deliverable a vCISO produces as a matter of course. You can pressure-test your current posture against these elements with the free FTC Safeguards checklist.

03

SOC 2: The Enterprise Trust Standard

SOC 2 is a different animal. It is not a law — it is an attestation report issued by a licensed CPA firm under the AICPA's standards, used by enterprise buyers to gauge whether they can trust you with their data. If your sales cycle keeps stalling at the security-review stage, SOC 2 is usually what the buyer wants. Our SOC 2 compliance page covers the mechanics.

The Trust Services Criteria

SOC 2 is organized around five Trust Services Criteria: Security (the mandatory "Common Criteria," always included), Availability, Processing Integrity, Confidentiality, and Privacy. You choose which optional criteria are in scope based on what you promise customers. Most first-time reports cover Security alone, sometimes adding Availability and Confidentiality. The Common Criteria map closely to the same controls the Safeguards Rule demands — logical access, change management, risk assessment, monitoring, and incident response.

Type I vs Type II and the Observation Period

There are two report flavors. A Type I report attests that your controls are suitably designed at a single point in time — a fast first step. A Type II report, which is what enterprise buyers actually want, attests that those controls operated effectively over an observation period, typically three to twelve months. During that window the auditor expects continuous evidence: access reviews performed, tickets showing changes were approved, logs retained, onboarding and offboarding executed per policy. An auditor cares less about what your policy says than about proof that you lived by it day after day. Check how close you are with the free SOC 2 readiness score.

04

How a Managed Services Provider Delivers Both

This is where managed services earn their keep. Most of what both frameworks require is operational work an MSP already performs — the difference is doing it deliberately and capturing the evidence. A compliance-focused partner delivers:

  • Identity and access management with SSO, role-based access, and phishing-resistant MFA, plus the periodic access reviews both frameworks expect
  • Privileged Access Management (PAM) — application allowlisting, just-in-time elevation, and tight control over who can change systems
  • Encryption of devices and data, centralized logging, and continuous monitoring (which can satisfy the Safeguards monitoring requirement without separate annual pen tests)
  • A documented change-management workflow and ticketing that doubles as SOC 2 evidence
  • An incident response plan, tested backups, and breach-notification readiness
  • The WISP, risk assessment, vendor-oversight register, and the Qualified Individual role itself via fractional security leadership
  • Continuous evidence collection so a SOC 2 Type II observation period or an FTC inquiry does not become a scramble

05

The Overlap: One Control Set, Many Frameworks

The most valuable thing to understand is that you are not building two programs. The Safeguards Rule's nine elements and SOC 2's Common Criteria are largely the same controls wearing different labels — and those same controls also satisfy much of HIPAA's Security Rule and the access and execution-control requirements behind CMMC 2.0. One well-implemented deployment of MFA, encryption, logging, and Privileged Access Management simultaneously addresses:

  • FTC Safeguards access control, encryption, MFA, and change-management elements
  • SOC 2 Common Criteria for logical access, change management, and monitoring
  • HIPAA Security Rule access-control and integrity safeguards (see the HIPAA deep dive)
  • NIST 800-171 least-privilege and execution-control requirements behind CMMC Level 2

Build the baseline once; document it against each framework you are subject to. That mapping — one control set, many compliance reports — is the core efficiency a compliance-focused MSP delivers, and it is why pursuing the Safeguards Rule and SOC 2 together costs far less than separately.

06

What This Costs in 2026

For most Texas firms the budget breaks into two parts. Ongoing compliance-focused managed IT typically runs $125-$275 per user per month, covering the security stack (EDR, PAM, MFA, monitoring), Microsoft 365 or Google Workspace, and day-to-day compliance support. On top of that sit the framework-specific items. A WISP build-out plus the Qualified Individual / vCISO role commonly runs $1,500-$5,000 per month depending on firm size and how much program ownership you outsource. A SOC 2 effort adds readiness and remediation work plus the auditor's fee: a Type I report is often $10,000-$25,000 all-in, while a first Type II — including the observation period and evidence tooling — commonly lands in the $30,000-$60,000 range. These are planning ranges, not quotes; scope and how mature your controls already are move them substantially. The offset: documented MFA, PAM, and immutable backups frequently earn cyber-insurance premium credits, and a SOC 2 report routinely unlocks enterprise deals that were otherwise closed to you.

07

Frequently Asked Questions

Is my Texas firm really a "financial institution" under the Safeguards Rule?

Quite possibly. The definition is far broader than banks — it captures tax preparers, CPAs, RIAs, mortgage and title firms, and auto dealers that arrange financing, among others. If you handle consumer financial information as part of your services, assume you are covered until a qualified advisor tells you otherwise. The explainer page walks through the categories.

Can one managed services provider deliver both FTC Safeguards and SOC 2?

Yes, and it is the efficient way to do it. Because the Safeguards elements and the SOC 2 Common Criteria are largely the same controls, an MSP builds the baseline once, fills the Qualified Individual role, and maintains the documentation each framework needs — the WISP for the FTC, the control matrix and evidence trail for the auditor.

Do we need SOC 2 if we already comply with the Safeguards Rule?

Only if your customers ask for it. The Safeguards Rule is a legal obligation for covered firms; SOC 2 is a market expectation driven by enterprise buyers. Many firms need only the Safeguards Rule — but if deals are stalling at security review, SOC 2 is usually the unlock, and most of the underlying work is already done.

08

Choosing a Partner

Look for a partner who has authored real WISPs and SOC 2 control matrices, includes PAM, phishing-resistant MFA, and immutable backups as standard rather than upsells, collects audit evidence continuously, and will sit in the Qualified Individual seat or support your auditor directly.

What is the fastest first step?

Run the free FTC Safeguards checklist and SOC 2 readiness score, generate a draft program with the WISP generator, then deploy phishing-resistant MFA and Privileged Access Management. Those two controls carry the most weight across both frameworks and deliver the biggest real-world reduction in breach risk.

09

Geographic Coverage

Ready to satisfy the FTC Safeguards Rule and SOC 2 with one managed-services plan? Contact LayerLogix or call 888-792-8080 for a compliance readiness assessment.
