Taking effect on June 9, 2023, the updated FTC Safeguards Rule now includes specific requirements that a CPA firm’s information security plan must contain. The Rule has teeth—with penalties of $100,000 per violation, $43,000 per day for each consent violation, and other fines. And the FTC is not shy about investigating organizations.
It’s easy to assume that how you’ve previously complied will continue to work. However, the nine elements in the new Rule contain very specific requirements that, while leaving some wiggle room for how you implement them, must adhere to strict best practices.
So, how might your CPA firm trip up on these new requirements? Rather than technical challenges or difficulty understanding the language in the Rule, we're seeing three obstacles that you may not expect.
- Compliance Can Be Overwhelming
- Creating a Cybersecurity Roadmap Out of the Requirements
- Aligning Business Goals with the Requirements
Let's dive into the challenges and how you can overcome them.
1. Compliance Requirements Can Be Overwhelming
Your number one job is to serve your clients and customers. Many CPA firms are small, and busy season can challenge even the most robustly staffed organizations. It's impossible for your day-to-day job to focus primarily on IT and cybersecurity. You care, but it's not the center of your attention.
Previously, you may have put an information security plan together to satisfy the earlier, vaguer requirements. Now, with nine specific elements outlined in the FTC Safeguards Rule, you may wonder how exactly you will understand and satisfy each one.
This can be overwhelming, resulting in decision paralysis, hasty decisions, ill-informed choices, or putting off important next steps. And even though you're trying to focus primarily on customer service and business development, you don't want to simply assume that an IT provider without a cybersecurity subject matter expert on staff, or non-technical employees on your own staff, are ensuring compliance with the FTC.
Because compliance is so serious, it’s best to work with an experienced partner to help simplify the process of ensuring that each requirement is met. By outlining a clear path forward, your IT partner can help you comply now and continually going forward. They can also share reports that reassure the FTC and your business stakeholders that you’ve covered all the Safeguards Rule elements.
2. Creating a Cybersecurity Roadmap Out of the Requirements
You may have already identified cybersecurity gaps but delayed tackling them due to budget constraints, limited IT resource bandwidth, and time. Or, your IT to-do list may not have any rhyme or reason as you work through a smattering of projects as they come up, fight fires, or focus on reactive needs in the moment. Whatever the situation, we see a lack of prioritization as a major issue for CPA firms when they try to ensure that Safeguards Rule requirements are met.
An IT partner can help you prioritize low-hanging fruit and urgent items, build out a plan to meet all the requirements, and set up processes and tools to ensure that you’re meeting these requirements going forward. It would be great to meet all the requirements today, but that can include a lot of changes and expenses at one time. Work with your cybersecurity partner to address these requirements in a reasonable timeframe.
3. Aligning Business Goals with the Requirements
Meeting FTC requirements does not prevent these cybersecurity best practices from also serving your business goals. After all, cybersecurity is really about protecting your customers' sensitive and confidential information while also ensuring that your CPA firm will remain operational despite cyber threats and attacks.
For example, your business goals likely involve improving and enhancing customer service. The Safeguards requirement about security awareness training is essential in making sure that all your employees are aware of how they have a role to play in protecting customer information. Specific safeguards such as access controls, multi-factor authentication, application security, and encryption are also needed to protect customer information and reassure customers that you take cybersecurity seriously.
Without implementing cybersecurity best practices, you risk reputational and brand damage. Your business goals likely include efforts toward building your brand, acquiring customers, and positioning yourself as a thought leader in your market. An FTC investigation, a cybersecurity incident rooted in negligence, or word-of-mouth concerns spread across your potential customer base can all severely damage the success of these business goals.
Meet Compliance Requirements With Help From A Partner Who Understands Your Needs
The updated FTC Safeguards Rule is a classic example of how compliance around cybersecurity only gets stricter, not looser. The volume and sophistication of cyberattacks continue to increase, and government regulators are responding to this evolving environment in order to make sure organizations protect sensitive and confidential information.
To reassure yourself that you’re meeting requirements while continuing to focus on what you do best, we recommend a cybersecurity partner who can take the brunt of compliance overwhelm off your plate, help you prioritize next steps, and assist in meeting your business goals along the way.