Guide to the Updated FTC Safeguards Rule Requirements for CPAs
Your actionable guide to staying in compliance with the revised FTC Safeguards Rule and avoiding fines.
Although the FTC Safeguards Rule has existed for over 20 years, it recently received the biggest change ever seen during its long history.
For most of its existence, the Rule required a written information security plan showing how an organization protects customer and client information. However, the Rule did not specify particulars so that organizations could adapt the plan based on size, needs, and complexity.
Today, cybersecurity threats are more relentless, dangerous, and sophisticated than in 2003 when the Rule debuted. The FTC, after much public comment and debate, specified nine elements to ensure that an organization’s written information security plan contains some basic best practices. Without these elements, an organization will be at great risk.
The revised FTC Safeguards Rule took effect on June 9, 2023. CPA firms are covered under this Rule, and the penalties are serious—$100,000 per violation, $43,000 per day for each consent violation, and other fines. The FTC aggressively enforces its standards, and an investigation that finds your firm non-compliant can end up putting you out of business, significantly damaging your reputation, or tying you up for years in litigation and lawsuits.
We know your CPA firm is taking the new Rule seriously, and VC3 can help guide you toward becoming compliant. The FTC has only shared a high-level outline of the nine elements, so we’re going to dig a little deeper.
VC3 has experience helping CPA firms comply with the FTC Safeguards Rule and align with the best practices listed in Publication 4557. In this guide, we go through each of the nine FTC Safeguards Rule elements and show you what they mean, how to comply, and where you may need help.
1. Qualified Individual
ACTION: Designate a Qualified Individual to implement and supervise your company’s information security program.
The FTC Safeguards Rule states:
“The Qualified Individual can be an employee of your company or can work for an affiliate or service provider. The person doesn’t need a particular degree or title. What matters is real-world knowhow suited to your circumstances. The Qualified Individual selected by a small business may have a background different from someone running a large corporation’s complex system. If your company brings in a service provider to implement and supervise your program, the buck still stops with you. It’s your company’s responsibility to designate a senior employee to supervise that person. If the Qualified Individual works for an affiliate or service provider, that affiliate or service provider also must maintain an information security program that protects your business.”
With the Qualified Individual requirement, the most important aspect to tackle is who you choose if you work with a managed service provider, as many smaller CPA firms will not have a full-time IT person on staff.
- We recommend that you have a cybersecurity specialist take on the role of Qualified Individual: Your managed service provider should have a cybersecurity expert made available to you who is familiar with the FTC Safeguards Rule and can speak to each component of your information security plan.
- You need to name someone within your CPA firm as liaison to the Qualified Individual: This person needs to serve as your firm’s point of contact with the Qualified Individual. The liaison does not need to have a technology or cybersecurity background, but they do need thorough familiarity with your business. Such a person could be your CEO, CFO, Director of Finance, or Director of Operations.
- The Qualified Individual and liaison will partner to hold each other accountable: Through this partnership, the Qualified Individual and liaison will ensure that the information security plan is created, implemented, and enforced.
2. Risk Assessment
ACTION: Conduct a risk assessment.
The FTC Safeguards Rule states:
“You can’t formulate an effective information security program until you know what information you have and where it’s stored. After completing that inventory, conduct an assessment to determine foreseeable risks and threats – internal and external – to the security, confidentiality, and integrity of customer information. Among other things, your risk assessment must be written and must include criteria for evaluating those risks and threats. Think through how customer information could be disclosed without authorization, misused, altered, or destroyed. The risks to information constantly morph and mutate, so the Safeguards Rule requires you to conduct periodic reassessments in light of changes to your operations or the emergence of new threats.”
While this requirement is not applicable to CPA firms with less than 5,000 customers or clients, we still recommend a risk assessment to uncover gaps and vulnerabilities.
VC3 uses a four-step process to conduct thorough risk assessments:
- Access and document gathering: We always start off by reviewing your documentation, scanning your network, and interviewing key stakeholders to discuss existing cybersecurity policies and procedures.
- Data collection: Not only do we collect data from our cybersecurity scans but we also visit your organization to learn more about onsite security such as physical security measures, employee knowledge about security best practices, and how business processes intersect (or conflict) with your information security.
- Report preparation: After collecting and analyzing your cybersecurity data, we create a report that describes your current situation, analyzes gaps and vulnerabilities, and recommends remediations based on the items we find. This report is both non-technical for executives and business stakeholders, and technical for IT staff or vendors.
- Report delivery and review: We review this report with all stakeholders and answer questions. Optionally, we can provide a roadmap to implement the recommendations—whether you work with us or not. Recommendations in a typical technical report can be overwhelming. Our report makes any recommendations digestible and helps you plan for the organizational changes and expenses that accompany the list of needed improvements to your cybersecurity posture.
ACTION: Implement required safeguards.
The Rule lists several specific safeguards as requirements. These items lend themselves well to virtual Chief Information Security Officer (vCISO) services.
As the Qualified Individual, your vCISO can help write the policies and procedures that will maintain and manage any items needed for accountability and constant improvement.
- Implement and periodically review access controls. A major aspect of cybersecurity is authorized access to information. If anyone can access sensitive and confidential information, or permissions are loose, then you’re placing customer and client data at risk. The FTC says to “determine who has access to customer information and reconsider on a regular basis whether they still have a legitimate business need for it.”
You may have heard about the concept of “least privilege.” For example, the administrative team doesn’t need access to HR data, and the sales team doesn’t need access to accounting data. This is a good way to approach access controls. What information is essential for an employee to access based on their role—and no more? At the user account management level, such permissions need to be applied, enforced, and monitored. Don’t forget third party access to your data, which can be easily overlooked.
- Know what you have and where you have it. The FTC says that “a fundamental step to effective security is understanding your company’s information ecosystem. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. Keep an accurate list of all systems, devices, platforms, and personnel. Design your safeguards to respond with resilience.”
Many cybersecurity incidents result from simply not knowing what data exists and where. Performing a thorough audit can help you inventory data, classify it by type, and understand any vulnerabilities related to how it’s collected, stored, and transmitted. You don’t want to have an unknown stray server or device out in the wild that contains sensitive or confidential data.
- Encrypt customer information on your system and when it’s in transit. Encryption helps make your information useless if stolen or glimpsed by eavesdroppers. It’s important to use applications that allow you to encrypt sensitive and confidential information. Ensuring proper encryption implementation is a combination of having the right tools and policies in place.
- Assess your apps. The FTC says, “If your company develops its own apps to store, access, or transmit customer information – or if you use third-party apps for those purposes – implement procedures for evaluating their security.”
Application security for CPA firms is incredibly important. Some of the biggest application security vulnerabilities usually include third-party access, lack of encryption, poor application integration, lack of access controls, and lack of data backup. You want to identify and address these vulnerabilities annually and with consistency across all your partners. In addition to understanding your partners’ security practices, you will also want to continually monitor their applications for vulnerabilities.
- Implement multi-factor authentication (MFA) for anyone accessing customer information on your system. Consider MFA essential in today’s cybersecurity landscape. In simplest terms, MFA requires more than one factor to access information through an application. One factor might be a username and password. Another factor might be a code sent to your smartphone that you input after you’ve inputted your username and password. Those are two factors required to access the information, making it more difficult for a hacker to do the same.
Any email applications, VPNs, cloud-based systems, servers, workstations, administrative accounts, critical infrastructure, and systems housing sensitive data need MFA. Though these are the highest priority, it is best practice to use MFA on every account you have.
- Dispose of customer information securely. Often overlooked, a major cybersecurity gap is how CPA firms delete customer and client information. First, you should have a clear records retention policy that you enforce. When data is ready for disposal, you do not want to commit elementary mistakes such as reusing laptops with sensitive information still stored on the device. Cloud providers and IT professionals have a rigorous process they use to ensure proper data disposal on servers and cloud-based applications. For devices, a variety of techniques can be used to ensure the local disposal and destruction of data on hard drives.
- Anticipate and evaluate changes to your information system or network. Who has access to your equipment and applications? What changes can they make? Misconfigurations of servers, devices, wireless access points, and network infrastructure are common causes of cybersecurity vulnerabilities. Policies and procedures with an authorization component must exist to ensure that only authorized professionals can make critical changes to your systems and only once the proposed change has been authorized.
- Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. The FTC says you must “implement procedures and controls to monitor when authorized users are accessing customer information on your system and to detect unauthorized access.”
At a minimum, logging combined with security professionals monitoring user activity is essential for alerting you to anomalous activity—such as an unauthorized user accessing your systems from an unusual country or an employee logging in at 2am in the morning to exfiltrate a large amount of data. Logging is also important evidence that you can analyze in the aftermath of a cyber incident. Without this data, you will be unable to analyze the full nature of a cyberattack, deduce the source of the attack, and remediate effectively.
- Ideally, CPA firms need to consider a security orchestration, automation, and response (SOAR) solution. This strategy combines logging, security information and event management (which sifts through logs to consolidate alerts from different systems), managed detection and response (which involves a security team proactively looking for cyberthreats across your servers, computers, and entire IT network), and automated responses to threats through tools such as endpoint detection and response.
Any one of these alone isn’t enough, which is why SOAR combines them all. Over the next few years, SOAR will become a required best practice, and it’s a good idea to get ahead of the curve
4. Monitor and Test
ACTION: Regularly monitor and test the effectiveness of your safeguards.
The FTC Safeguards Rule states:
“Test your procedures for detecting actual and attempted attacks. For information systems, testing can be accomplished through continuous monitoring of your system.”
The SOAR tools discussed earlier will go a long way toward meeting this requirement—allowing you to combine important monitoring tools such as security information and event management (SIEM), managed detection and response (MDR), endpoint detection and response (EDR), intrusion detection systems (IDS), vulnerability scanning (VS), and security scans.
In the absence of continuous monitoring, to comply with a law or regulation, or for an extra assurance about your security program, a penetration test might be required. Penetration tests poke, prod, and probe at your devices, networks, and applications looking for holes, gaps, and vulnerabilities. Usually, these are one-time tests conducted periodically.
The Rule urges your CPA firm to do continuous monitoring, but if that’s impossible for some reason then periodic penetration testing is allowed as a substitute. Each method has a purpose and should be considered based on your CPA firm’s needs and goals.
ACTION: Train your staff.
The FTC Safeguards Rule states:
“A financial institution’s information security program is only as effective as its least vigilant staff member. That said, employees trained to spot risks can multiply the program’s impact. Provide your people with security awareness training and schedule regular refreshers. Insist on specialized training for employees, affiliates, or service providers with hands-on responsibility for carrying out your information security program and verify that they’re keeping their ear to the ground for the latest word on emerging threats and countermeasures.”
Security awareness training is another cybersecurity essential. People are often the weakest cybersecurity link within an organization. All your cybersecurity tools and technology can be rendered useless if an employee clicks on the wrong link or attachment after getting tricked by a cyberattacker.
Modern security awareness training programs are easy to implement and respectful of employee time. Automated phishing tests highlight employees who might be vulnerable to phishing attacks, computer-based security training can be watched at an employee’s convenience, and management reports ensure results and accountability.
At a minimum, we recommend:
- Monthly phishing tests.
When users fail a phishing test:
- 1 failure within 6 months: Person gets remedial training.
- 2 failures within 6 months: Person gets an assessment.
- 3 failures within 6 months: Next step decided by management.
- 15-20 minutes of interactive self-paced training every month.
- Reports sent out monthly to your CPA firm’s cybersecurity liaison.
- Documentation of training completion/incompletion
- Phishing test failures
- Liaison shares pertinent information with human resources and respective management.
6. Monitor Service Providers
ACTION: Monitor your service providers.
The FTC Safeguards Rule states:
“Select service providers with the skills and experience to maintain appropriate safeguards. Your contracts must spell out your security expectations, build in ways to monitor your service provider’s work, and provide for periodic reassessments of their suitability for the job.”
According to the FTC’s definition, a service provider is “any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution that is subject to this part.” Cyberattackers look for weak spots with third-party IT providers, vendors, and contractors who access your systems and data. Many cybersecurity incidents have occurred from an unlikely third-party vulnerability such as an HVAC system or a cloud line-of-business application.
If you don’t hold service providers accountable for cybersecurity, they could be putting your CPA firm at risk.
Ways to monitor service providers include:
- Getting your IT or cybersecurity resource to vet service providers before signing a contract with them.
- Including language in your contracts about adhering to cybersecurity best practices.
- Requesting independent verification of a service provider’s cybersecurity safeguards, such as an annual Security Gap Analysis.
7. Keep Current
ACTION: Keep your information security program current.
The FTC Safeguards Rule states:
“The only constant in information security is change – changes to your operations, changes based on what you learn during risk assessments, changes due to emerging threats, changes in personnel, and changes necessitated by other circumstances you know or have reason to know may have a material impact on your information security program. The best programs are flexible enough to accommodate periodic modifications.”
It's a good idea to have someone on hand as your cybersecurity strategist and consultant who not only helps you with ongoing protection but also guides annual strategic cybersecurity planning and roadmaps the next few years. They can also keep your policies and procedures up-to-date, lead your security committee, give you periodic security briefings, and oversee the evolution of your day-to-day cybersecurity program.
Cybersecurity is a rapidly-evolving field. If your IT staff or service provider hasn’t changed anything in a long time, be wary.
Over the past few years, tools such as endpoint detection and response, cloud security and incident event management, security awareness training, multi-factor authentication, and cloud data loss protection, to name a few, have gone from nice-to-have to essential.
To protect your customer and client information, your cybersecurity program needs to continually evolve and never remain static.
8. Incident Response
ACTION: Create a written incident response plan.
The FTC Safeguards Rule states:
“Every business needs a ‘What if?’ response and recovery plan in place in case it experiences what the Rule calls a security event – an episode resulting in unauthorized access to or misuse of information stored on your system or maintained in physical form.”
While this requirement is not applicable to CPA firms with less than 5,000 customers or clients, we still recommend creating an incident response plan so that you know what to do in case a cyber incident occurs
The Rule further outlines what the incident response plan must contain:
- The goals of your plan.
- The internal processes your company will activate in response to a security event.
- Clear roles, responsibilities, and levels of decision-making authority.
- Communications and information sharing both inside and outside your company.
- A process to fix any identified weaknesses in your systems and controls.
- Procedures for documenting and reporting security events and your company’s response.
- A postmortem of what happened and a revision of your incident response plan and information security program based on what you learned.
This is an area where most of the burden rests with your CPA firm. An incident response plan is your responsibility. That’s because only you know the subtle details, nuances, and requirements of your organization. Incident response plans should also be considered sensitive and confidential, as you don’t want the public and cyberattackers knowing how you’ll respond to an incident.
If you don’t have an incident response plan (or if it needs serious updating), then create one that is customized for your CPA firm’s needs. A typical customized incident response plan should run about 50-100 pages. Your vCISO can help make sure the incident response plan includes necessary best practices and ticks the essential boxes of what a plan must contain.
ACTION: Require your Qualified Individual to report to your Board of Directors.
The FTC Safeguards Rule states:
“Your Qualified Individual must report in writing regularly – and at least annually – to your Board of Directors or governing body. If your company doesn’t have a Board or its equivalent, the report must go to a senior officer responsible for your information security program. What should the report address? First, it must include an overall assessment of your company’s compliance with its information security program. In addition, it must cover specific topics related to the program – for example, risk assessment, risk management and control decisions, service provider arrangements, test results, security events and how management responded, and recommendations for changes in the information security program.”
While this requirement is not applicable to CPA firms with less than 5,000 customers or clients, we still recommend some type of executive reporting to encourage accountability, transparency, and decision-making.
VC3 provides annual security reports along with periodic reporting during the year on all aspects of cybersecurity discussed in this guide. Your IT staff or service provider should provide something similar for your board or senior officer.
How VC3 helps CPA firms navigate the new FTC Safeguards Rule requirements
VC3’s managed security services and financial services expertise can help you meet the new FTC Safeguards Rule requirements.
Customized for your CPA firm and depending on what you need, we offer:
- Security assessments
- 24/7/365 security response center
- Advanced web protection
- Endpoint detection and response
- Dark web monitoring and response
- Advanced email security
- Network security and incident event management
- Cloud security and incident event management
- Security awareness training
- Multi-factor authentication
- vCISO strategy and consultation
- Annual strategic cybersecurity planning
Remember, your CPA firm is ultimately responsible for meeting the FTC Safeguards Rule requirements. You know your business best, and you must ultimately answer to the FTC. Any outsourced service provider is there to support and assist you with their expertise, so you should choose a cybersecurity partner that can provide what you need. Any relationship with a service provider needs to be a true partnership where each knows who is accountable for their piece of the cybersecurity strategy.