After its passage over 20 years ago, the Gramm–Leach–Bliley Act continues to influence how financial institutions secure information—including even the smallest of professional tax preparers. As part of this law, IRS Publication 4557: Safeguarding Taxpayer Data serves as a guide to CPA firms. It outlines cybersecurity best practices, how to report and respond to cyberattacks, and how to comply with the FTC Safeguards Rule.
While a variety of approaches to cybersecurity exist, depending on a CPA firm’s needs and size, it’s important that each firm develop and implement a plan. Failing to create and implement this plan as part of your compliance may result in lost revenue and clients, an FTC investigation, or even getting shut down.
If you are a CPA firm, you likely are familiar with Publication 4557. However, the publication does not outline exact cybersecurity prescriptions, so it’s easy to wonder:
The publication is quite thorough and user-friendly, so we won’t repeat its points verbatim. Instead, we want to highlight the publication’s most important messages, compare the IRS’s recommendations against industry standards, and let you know where you need to focus the most attention. The following cyber essentials will help you identify gaps and improve your cybersecurity foundation to comply with the law.
Before we even talk about technology, it’s important to talk about cybersecurity policies. Some of the highest impact policies you can establish relate to:
Next, you need the right technology foundation to help you secure your data and automate many processes. Technology solutions and tools include:
Even a small CPA firm can benefit from proactive, professional IT support. It’s important that you avoid trying to do it yourself, using a vendor that’s merely a computer repairperson, or relying on a reactive IT vendor that only puts out fires. Your information is critically important and under regulatory scrutiny, and you need professional IT help to keep it secure.
Employees need training to stay vigilant against cyberattacks. Part of that training will include education about email phishing attacks: their various flavors, how scammers try to trick you, and how you can spot the signs of a phishing email. Simulated phishing tests also work well to test employees, identify those who are most susceptible, and give them additional coaching.
Finally, you need to make sure you are complying with the finer points of the FTC Safeguards Rule, which says you must:
The IRS says these requirements are flexible, but you do need to meet them. Luckily, a trusted IT vendor can help you with these FTC Safeguards Rule requirements so that the heavy lifting is taken off your shoulders and you can focus on your real job—accounting and tax preparation.
VC3 is a partner with SCACPA and can help CPA firms meet the requirements of Publication 4557. Reach out to us through the form below if you want to strengthen the security and compliance of your CPA firm.