It’s likely that you’ve already taken action to comply with the updated FTC Safeguards Rule and prepare your security measures ahead of the 2024 busy season. But there are many ways you can get a little too busy with tax preparation and overlook some of the Rule’s nuances, continuous effort involved, and the ever-changing nature of compliance.
How do you know you’re in good shape? Before busy season overwhelms your firm, now is the time to make sure you’ve got your cybersecurity pencils sharpened by reviewing the following items related to FTC compliance.
- Conduct a risk assessment.
- Designate a cybersecurity-experienced Qualified Individual.
- Develop and implement policies and procedures around the FTC’s required safeguards.
- Regularly train your employees.
- Review your access controls.
- Review your encryption.
- Don’t forget third-party security.
- Update (or create) your incident response plan.
- Make sure you audit and continuously monitor your systems.
- Dot your I’s and cross your T’s.
1. Conduct a risk assessment.
Despite a risk assessment not being an FTC requirement for CPA firms with less than 5,000 customers, it is essential to perform one anyway. A risk assessment will identify and analyze potential risks to the security, confidentiality, and integrity of your clients’ information.
This assessment should include an evaluation of your firm's processes, systems, and types of client data handled. Knowing what data you house is particularly important so that you can categorize it by risk level.
Many firms make the mistake of assuming a previous activity, such as creating a disaster recovery plan, counts as a completed risk assessment. It’s not. A risk assessment should involve:
- An independent review of your current cybersecurity policies and procedures.
- An assessment of your physical and digital security.
- A report analyzing your current situation, gaps and vulnerabilities, and needed remediations.
2. Designate a cybersecurity-experienced Qualified Individual.
To meet the FTC’s Qualified Individual requirement, some CPA firms may appoint an individual within their firm. Remember, that person will be responsible for overseeing the development, implementation, and monitoring of your information security program. If they are non-technical, they may not have enough expertise to ensure that you are thoroughly meeting the FTC Safeguards Rule requirements, creating a huge risk for your firm.
We highly recommend that a cybersecurity specialist take on the role of Qualified Individual. A non-technical person at your firm can then be the liaison to the Qualified Individual. A specialist with technical expertise who serves as your Qualified Individual ensures that you are meeting all the details of the requirements and can answer technical questions if needed.
3. Develop and implement policies and procedures around the FTC’s required safeguards.
Your Qualified Individual can write policies and procedures that help you maintain, manage, enforce, and evolve any items related to the FTC Safeguards Rule. These written information security policies and procedures should be tailored to your firm's specific needs and risks. Without these policies and procedures, it’s easy to slip and fail to uphold the FTC requirements.
4. Regularly train your employees.
Another area where you can easily slip is training. You need to provide regular training for employees on security policies and procedures. Are they aware of their responsibilities in safeguarding client information? Do they understand the potential risks associated with their roles? Security awareness training should include phishing tests, interactive training, and reports to leadership about employee progress.
5. Review your access controls.
The FTC Safeguards Rule tells you to “periodically review access controls.” Before busy season hits, review your authentication methods and access permissions. Keep the concept of “least privilege” in mind—if someone doesn’t need access to information to do their job, then don’t give them access. Especially review third-party access to data, which can easily get overlooked.
6. Review your encryption.
Are you certain that sensitive and confidential information is encrypted both on your system and when in transit? Encryption technologies need to protect sensitive client information, both in transit and at rest, which helps safeguard data in case of unauthorized access or a security breach. Make sure you have the right tools and policies in place.
7. Don’t forget third-party security.
The FTC Safeguards Rule says, “Assess your apps” and calls out third party service providers or vendors. This ongoing activity is easy to neglect. You need to conduct due diligence to ensure that vendors have appropriate safeguards in place when working with your firm. Establish contractual provisions that outline the security requirements and responsibilities of these vendors.
8. Update (or create) your incident response plan.
This is another FTC requirement not applicable for CPA firms with less than 5,000 customers, but one we deem essential. What happens if you experience a successful cyberattack? What if data is breached, stolen, or permanently lost? What do you do?
Develop and implement an incident response plan to guide your firm's actions in the event of a security incident or data breach. This plan should include procedures for reporting incidents, conducting investigations, and notifying affected parties as required by law.
9. Make sure you audit and continuously monitor your systems.
Conduct periodic security audits and continuously monitor your systems to assess the effectiveness of your information security program. Leverage tools such as security information and event management (SIEM), managed detection and response (MDR), endpoint detection and response (EDR), intrusion detection systems (IDS), vulnerability scanning (VS), and security scans.
While the FTC Safeguards Rule only requires penetration tests, at a minimum, we highly recommend continuous monitoring. Otherwise, threats can emerge between periodic tests that can lead to a breach or incident.
10. Dot your I’s and cross your T’s.
Before busy season, now is the time to review your compliance evidence. That includes:
- Documenting your compliance efforts: Maintain documentation that demonstrates your firm's efforts to comply with the Safeguards Rule. This includes records of risk assessments, policies and procedures, training programs, and incident response activities.
- Reviewing and updating your information security program: Address any evolving risks and changes in technology. Compliance is an ongoing process that requires continuous improvement.
- Get your lawyers involved: Seek legal advice to ensure that your firm's information security program aligns with the requirements of the Safeguards Rule and any other relevant privacy and data protection regulations.
By taking these proactive steps to review your cybersecurity measures, CPA firms can enhance their information security posture, safeguard client information, and demonstrate compliance with the FTC Safeguards Rule before the busy season. This not only helps better protect your clients but also contributes to the overall reputation of your firm.
Need help with your CPA firm’s cybersecurity? Reach out to us through the form below.