"Show Me Your Security": When Clients Demand Proof, Not Promises

General
1

Last week, I sat across from a prospective client—a small e-commerce business owner who’d been burned before. Mid-conversation, she stopped me and asked: “Can I see your encryption specifications? Do you have an incident response plan in writing? What happens if your laptop gets stolen?”

She wasn’t satisfied with “we take security seriously.” She wanted proof.

The 2026 Security Reality: Clients Are Scared (And They Should Be)

The numbers are sobering: cyberattacks on accounting firms have increased 300% since COVID-19. In 2023 alone, 41% of small businesses suffered a cyberattack, with a median incident cost of $8,300. When accounting firms get breached, the damage isn’t just financial—it’s trust, client relationships, and regulatory nightmares (50-state breach notification laws, anyone?).

Our clients read the same headlines we do. They know about business email compromise (BEC) attacks costing US firms $2.4 billion in 2025. They’re worried about deepfake fraud, phishing scams using AI voices, and ransomware locking up their financial records.

The days of “trust me, I’m a professional” are over. In 2026, clients expect documented security measures, not vague reassurances.

What “Proof” Means: The IRS Sets the Baseline

The IRS isn’t subtle about this. Publication 4557 outlines the “Security Six”—mandatory cybersecurity requirements for all tax professionals:

  1. Antivirus/anti-malware software (updated regularly)
  2. Firewall protection (network and host-based)
  3. Multi-factor authentication (for email, cloud services, tax software)
  4. Backup services (encrypted, tested, off-site)
  5. Drive encryption (full disk encryption for all devices)
  6. Virtual Private Network (for public Wi-Fi usage)

But here’s the kicker: You need a Written Information Security Plan (WISP). Not just “I do these things”—you need it documented. Research shows tax professionals with implemented written plans experienced 89% fewer successful cyberattacks and 76% faster incident containment than those relying on ad-hoc measures.

The FTC Safeguards Rule echoes this: documented policies, designated security personnel, incident response procedures, continuous monitoring.

The Beancount Security Advantage (And Challenge)

Here’s where it gets interesting for us plain text accounting folks. When I explain my Beancount setup to security-conscious clients, I can make strong arguments:

Security advantages:

  • Local files, not cloud targets: My client data isn’t sitting in a centralized QuickBooks or Xero database that hackers target for millions of records. It’s local, encrypted files on my machine.
  • GPG encryption: Every .beancount file is encrypted with 4096-bit GPG keys. No plaintext financial data on my drives.
  • Git commit signatures: Every transaction edit is cryptographically signed with my GPG key. The audit trail is undeniable—you can’t forge authorship or tamper with history.
  • Complete version control: git log shows exactly who changed what, when, and why. Better audit trail than any SaaS platform’s “change log.”
  • Air-gapped backups: I can keep encrypted backups completely offline. No vendor cloud to breach.

But here’s the challenge:

  • No compliance certifications: QuickBooks can wave SOC 2 reports. I can’t. I have to explain my equivalent controls.
  • Client education burden: Explaining GPG encryption to a non-technical small business owner is… an experience.
  • No “support team” safety blanket: Clients can’t call a 1-800 number if something breaks. They’re trusting my documented procedures.

My Current Approach: The Security Portfolio

When clients ask for proof now, I provide:

  1. Written security policy (2-page summary of my practices)
  2. Encryption verification (GPG key fingerprint, explanation of what it means)
  3. Backup documentation (schedule, locations, quarterly restore test results)
  4. Incident response procedure (what happens if my laptop is stolen/hacked/lost)
  5. Access control policy (who can see what data, password manager usage, MFA on everything)
  6. Professional insurance (E&O coverage that includes cyber liability)

It’s basically my homemade WISP, tailored to a Beancount-based practice.

Questions for the Community

How do you demonstrate your security posture to clients?

  • Do you have written security documentation you share?
  • How do you explain GPG encryption / git signatures to non-technical clients?
  • Have you lost clients who wanted “brand name” cloud accounting instead?
  • What compliance frameworks do you map your practices to?
  • Anyone doing third-party security assessments (penetration testing, etc.)?

Can plain text accounting be MORE secure than SaaS platforms?

I genuinely believe the answer is yes—distributed individual targets with strong encryption beat centralized honeypots—but I’d love to hear counterarguments or additional security practices I’m missing.

The irony is that Beancount gives us better security tools (encryption, signed commits, complete audit trails) than most cloud platforms… but we have to work harder to prove it to clients who trust brand names over cryptography.

Let’s build that proof together.

Alice Thompson, CPA
Thompson & Associates CPA Firm | Chicago, IL

2

Great topic, Alice! Security is one of the most underrated advantages of plain text accounting.

I had a relevant experience last year: I switched from local GnuCash to QuickBooks Online at a client’s request, then switched BACK to Beancount after reading about several high-profile accounting firm breaches. That journey taught me something important about security models.

The Security Model Difference

Here’s what clicked for me:

SaaS platforms are high-value centralized targets:

  • Hack one QuickBooks server = potentially millions of client records
  • Single authentication bypass = massive data exposure
  • You’re trusting Intuit’s security team (who you don’t know or control)
  • Centralized honeypot that attracts sophisticated attackers

Beancount is distributed, low-value individual targets:

  • Hack me = just my data (and my clients’ data, which I control)
  • Requires targeting individual practitioners, not scalable for attackers
  • I control the security measures directly
  • Not worth the effort for most threat actors compared to centralized platforms

It’s the difference between a bank vault (high-value target, sophisticated security needed) and keeping $100 in your sock drawer (low-value target, basic security sufficient).

My Specific Security Practices

Here’s what I actually do (not theoretical—this is my daily workflow):

1. File Encryption:

# All .beancount files encrypted with GPG
gpg -c ledger.beancount
# Creates ledger.beancount.gpg, original deleted

2. Private Git Repository:

  • Git repo on my own private server (NOT GitHub—no sensitive data leaves my control)
  • All commits signed with my hardware key (YubiKey for GPG signatures)
  • Nobody can impersonate me in the commit history

3. Automated Encrypted Backups:

  • 3-2-1 rule: 3 copies, 2 different media, 1 off-site
  • Daily encrypted backup to external SSD (at home)
  • Weekly encrypted backup to second external drive (stored at my parents’ house)
  • Monthly encrypted cloud backup to my personal encrypted archive (NOT a vendor platform)

4. Audit Trail Superiority:

git log --show-signature

Every change is timestamped, signed, and reversible. If I need to prove “who changed what when” for an audit or dispute, I have cryptographic proof. No SaaS platform’s “change log” can match that.

Addressing the “No SOC 2 Compliance” Objection

When clients ask about SOC 2 reports or compliance certifications, I explain it this way:

SOC 2 is about documented PROCESSES, not security OUTCOMES.

A company can have SOC 2 Type II certification and still get breached (it happens regularly). The certification means they documented their security controls and had them audited—it doesn’t mean the controls are effective.

You CAN document equivalent controls:

  • Write your own WISP (Written Information Security Plan)
  • Document your encryption, backup, access control procedures
  • Test them quarterly and document the results
  • You’re demonstrating the SAME practices SOC 2 requires, just without the expensive third-party audit

The advantage: You control the security.

  • With QuickBooks, if they get breached, you’re a victim with no control
  • With Beancount, if YOU get breached, it’s because you didn’t follow your own procedures
  • I’d rather be responsible for my own security than trust a vendor

The Bottom Line

Security through obscurity + encryption + air gaps beats “trusted” cloud platforms.

Most cyberattacks target:

  1. High-value centralized databases (SaaS platforms)
  2. Easily exploitable weaknesses (unpatched software, weak passwords)
  3. Social engineering (phishing employees of big companies)

A solo practitioner with encrypted local files, signed git commits, and offline backups? Not an attractive target. There are easier victims.

The Discipline Warning

Fair warning: This approach requires discipline.

  • Encrypted backups don’t happen automatically (you have to run the scripts)
  • You can’t “just check it on my phone” (requires decrypting files first)
  • Key management is YOUR responsibility (lose your GPG key = lose your data)
  • No 1-800-SUPPORT to call when something breaks

But for those willing to put in the effort, you get:

  • Complete data ownership
  • Superior audit trails
  • Lower attack surface
  • Zero vendor dependencies
  • Provable security controls

I sleep better knowing my clients’ financial data is in encrypted files under my control, not in a centralized cloud database with a billion-dollar “HACK ME” sign on it.

Mike Chen
San Francisco, CA | Beancount user since 2022

3

This is exactly the conversation I needed to see. I’m struggling with the client communication side of this.

The Client Education Gap

Alice, you mentioned explaining GPG encryption to non-technical small business owners is “an experience”—that’s putting it mildly!

I had a situation last month: A new client asked “Is my data safe with you?” (Fair question!) I got excited and started explaining git commit signatures, GPG key pairs, asymmetric cryptography… and watched their eyes glaze over in real-time. They just wanted to know their tax records wouldn’t end up on the dark web.

The Brand Name Trust Problem

Here’s what I’m up against:

My clients see QuickBooks ads with celebrities saying “trusted by 7 million businesses” and “bank-level security” (whatever that means). It sounds reassuring, even if it’s marketing fluff.

When I say “I use Beancount with GPG encryption and signed git commits,” they hear: “I use software you’ve never heard of with acronyms I don’t understand.”

Beancount requires clients to trust YOUR PROCESS, not a brand name.

That’s a higher bar to clear, especially for small business owners who are already overwhelmed.

What’s Working For Me

I’ve been experimenting with different approaches. Here’s what’s landing better with clients:

1. Simplified language (no acronyms):

  • :cross_mark: “Your files are encrypted with AES-256 via GPG”
  • :white_check_mark: “Your files are locked with military-grade encryption—the same type governments use for classified documents”

2. Visual proof (even if they don’t fully understand):

  • Show them git log --show-signature on screen
  • “See these green ‘verified’ checkmarks? That’s cryptographic proof that I’m the only person who’s touched your records.”
  • They may not understand HOW it works, but they can see THAT it works

3. Written procedure document:

  • Borrowing Alice’s idea—I’m creating a one-page “Your Data Security” handout
  • What I collect, how I protect it, where it’s stored, what happens in emergencies
  • Client-facing language, zero jargon

4. Regular security updates in monthly reports:

  • “Your encrypted backup completed successfully on March 10th”
  • “No unauthorized access attempts detected this month”
  • Proactive transparency builds trust

What’s NOT Working

Things that fall flat with clients:

  • Technical details: Explaining public/private key pairs loses them immediately
  • Acronyms: GPG, AES, SHA-512, MFA—might as well be speaking Klingon
  • Comparisons to SaaS security flaws: Pointing out QuickBooks breaches sounds defensive
  • “Trust me, I know what I’m doing”: That’s not proof, that’s exactly what they’re skeptical about

The Security Perception Irony

Here’s the frustrating part:

Beancount IS objectively more secure (local encrypted files, complete audit trail, no centralized target) but SEEMS less secure to non-technical clients because there’s no brand name to hide behind.

It’s like explaining that a custom-built safe is more secure than a TSA-approved luggage lock—technically true, but people trust the TSA logo because it’s familiar.

My Ask To This Community

Has anyone created a “Beancount Security FAQ for Clients”?

Something we could standardize and share? Topics like:

  • “Why don’t you use QuickBooks?” (in client-friendly language)
  • “What happens if your laptop gets stolen?”
  • “How do I know you haven’t been hacked?”
  • “Can you prove my data is encrypted?”
  • “What happens if you get hit by a bus?” (business continuity)

I’d be happy to contribute to this. I think we need better client communication tools, not just better technical tools.

Mike’s point about discipline is spot-on—but I’d add that client education discipline is just as important as technical discipline. If we can’t explain our security posture to non-technical clients, we’re limiting Beancount to technically-savvy users.

And that’s a shame, because small businesses NEED better security than “trust the SaaS vendor and hope they don’t get breached.”

Bob Martinez
Martinez Bookkeeping Services | Austin, TX

4

Excellent discussion. I want to add the regulatory compliance perspective here, because there’s an important distinction we need to make.

Security Posture vs. Compliance Documentation

These are two different things:

  1. Security posture = The actual measures you implement (encryption, access controls, backups)
  2. Compliance documentation = The written proof that you’re meeting regulatory requirements

You can have strong security but poor compliance (undocumented controls), or strong compliance but weak security (documented procedures that nobody follows). Best practice: Both.

Regulatory Requirements for Accounting Firms

Let’s be specific about what the law actually requires:

IRS Publication 4557 - The “Security Six”:

  1. Antivirus/anti-malware software
  2. Firewall protection
  3. Multi-factor authentication
  4. Encrypted backup services
  5. Drive encryption
  6. Virtual Private Network

FTC Safeguards Rule (for tax preparers):

  • Designate a security coordinator
  • Conduct risk assessments
  • Design and implement safeguards
  • Monitor and test safeguards
  • Select service providers that maintain appropriate safeguards
  • Maintain a Written Information Security Program (WISP)

State data breach notification laws:

  • 50 different state requirements for notifying affected individuals if client data is compromised
  • Many require “reasonable security measures” (undefined, but courts have ruled on this)

The stats are compelling: Tax professionals with implemented written plans experienced 89% fewer successful cyberattacks and 76% faster incident containment than those relying on ad-hoc measures.

How Beancount Can EXCEED Compliance Requirements

Here’s the framework I use to map Beancount practices to regulatory requirements:

✓ Encryption at rest:

  • Requirement: Protect client data from unauthorized access
  • Beancount approach: GPG-encrypted .beancount files with 4096-bit keys
  • Advantage: Exceeds “drive encryption” (FileVault/BitLocker) because individual files are encrypted, not just the disk

✓ Access controls:

  • Requirement: Limit who can view/modify financial data
  • Beancount approach: File system permissions + git access logs
  • Advantage: git log shows exactly who accessed/modified what, when (better than SaaS “last modified by” timestamps)

✓ Audit trail:

  • Requirement: Track changes to client data
  • Beancount approach: Git commit history with GPG signatures
  • Advantage: This is where Beancount CRUSHES SaaS platforms
    • Every change cryptographically signed
    • Tampering with history is detectable (git integrity checks)
    • Can prove authorship in disputes
    • Complete rollback capability

✓ Incident response:

  • Requirement: Documented procedure for security incidents
  • Beancount approach: YOU must document this (user responsibility)
  • Example: “If laptop stolen: (1) Report to police, (2) Revoke GPG keys, (3) Notify affected clients, (4) Restore from encrypted backup to new machine”

✓ Backup procedures:

  • Requirement: Regular backups, tested restores
  • Beancount approach: Documented backup schedule + quarterly restore tests
  • Advantage: You control backup locations (local + off-site) vs trusting vendor’s backup promises

✓ Multi-factor authentication:

  • Requirement: MFA for accessing client data
  • Beancount approach: Hardware key (YubiKey) for GPG private key access + git commit signing
  • Advantage: Physical possession required (can’t be phished)

The Written Plan Requirement: WISP

This is non-negotiable. You MUST have a Written Information Security Program.

Components of a Beancount-based WISP:

  1. Security coordinator designation (if solo practitioner: you)
  2. Risk assessment (what data you handle, threat vectors, impact analysis)
  3. Technical safeguards:
    • Encryption methods (GPG with 4096-bit keys)
    • Access controls (file permissions, git authentication)
    • Audit logging (git commit history)
  4. Administrative safeguards:
    • Employee training (if applicable)
    • Vendor management (if using hosting services)
    • Incident response procedures
  5. Physical safeguards:
    • Device security (laptop locks, office access controls)
    • Backup storage security (where physical drives are kept)
  6. Monitoring and testing:
    • Quarterly backup restore tests (documented)
    • Annual risk assessment reviews
    • Security procedure updates

Template idea: The community should collaborate on a “Beancount Practitioner WISP Template” that meets IRS/FTC requirements. I’d be happy to contribute a first draft based on my own.

The Client Proof Portfolio

When clients ask for security proof, here’s what I provide:

  1. Written security policy (2-3 page summary, client-facing language)
  2. Encryption verification:
    • GPG key fingerprint
    • Explanation: “This unique identifier proves your data is encrypted with my key. If the fingerprint doesn’t match, the encryption has been compromised.”
  3. Backup test results:
    • Last quarterly restore test date and outcome
    • “On January 15, 2026, I successfully restored all client data from encrypted backup in 47 minutes.”
  4. Incident response procedure:
    • Step-by-step plan for laptop theft, ransomware, data breach scenarios
    • Client notification timeline (24 hours)
  5. Access control documentation:
    • Who has access to what data (usually just me for solo practitioners)
    • Password manager usage (1Password with MFA)
    • Physical security measures (office access, laptop locks)
  6. Professional insurance:
    • Errors & Omissions coverage that includes cyber liability
    • Policy limits and coverage details

Addressing the “No Third-Party Attestation” Challenge

Clients sometimes ask: “Does an independent auditor verify your security?”

Honest answer: No, I don’t pay $30K+ annually for SOC 2 Type II certification like SaaS vendors.

But here’s the context:

  • SOC 2 certifies that a company documented controls and had them audited—it doesn’t certify the controls are effective
  • Companies with SOC 2 certification still get breached regularly
  • SOC 2 is designed for service providers serving many clients, not individual practitioners
  • Alternative: Annual security review by a third-party IT consultant (costs $500-2000, provides written assessment)

For clients who want independent verification, I offer: “I can engage a third-party security consultant to review my procedures and provide a written assessment. Would that address your concern?”

The Compliance Opportunity

Here’s the strategic opportunity for Beancount practitioners:

Most small accounting firms have WEAK compliance documentation.

They use QuickBooks and assume “Intuit handles security,” but they haven’t documented their OWN practices (password policies, access controls, backup procedures, incident response). When clients ask for proof or auditors review their practices, they have nothing to show.

Beancount practitioners who document their security practices have a COMPETITIVE ADVANTAGE.

You can say: “Here’s my Written Information Security Program, independently reviewed, with documented quarterly testing. Can your QuickBooks accountant show you theirs?”

Community Collaboration Proposal

I strongly support Bob’s suggestion for a client-facing security FAQ. I’d add:

Let’s create a Beancount practitioner security toolkit:

  1. WISP template (meets IRS Pub 4557 + FTC Safeguards Rule requirements)
  2. Client security FAQ (answers common questions in plain language)
  3. Security policy template (2-3 pages, client-facing)
  4. Incident response checklist (what to do when things go wrong)
  5. Backup testing log template (document quarterly restore tests)

This would help practitioners meet regulatory requirements AND communicate security posture to clients effectively.

I’m willing to draft the WISP template and regulatory compliance checklist if others contribute the client-facing communication pieces.

Fred Patterson
Financial Planning & Analysis | Portland, OR