Guide to the Updated FTC Safeguards Rule Requirements for CPAs

With the Qualified Individual requirement, the most important aspect to tackle is who you choose if you work with a managed service provider, as many smaller CPA firms will not have a full-time IT person on staff.

• We recommend that you have a cybersecurity specialist take on the role of Qualified Individual: Your managed service provider should have a cybersecurity expert made available to you who is familiar with the FTC Safeguards Rule and can speak to each component of your information security plan.
• You need to name someone within your CPA firm as liaison to the Qualified Individual: This person needs to serve as your firm’s point of contact with the Qualified Individual. The liaison does not need to have a technology or cybersecurity background, but they do need thorough familiarity with your business. Such a person could be your CEO, CFO, Director of Finance, or Director of Operations.
• The Qualified Individual and liaison will partner to hold each other accountable: Through this partnership, the Qualified Individual and liaison will ensure that the information security plan is created, implemented, and enforced. 

While this requirement is not applicable to CPA firms with less than 5,000 customers or clients, we still recommend a risk assessment to uncover gaps and vulnerabilities. 

VC3 uses a four-step process to conduct thorough risk assessments: 

• Access and document gathering: We always start off by reviewing your documentation, scanning your network, and interviewing key stakeholders to discuss existing cybersecurity policies and procedures. 
• Data collection: Not only do we collect data from our cybersecurity scans but we also visit your organization to learn more about onsite security such as physical security measures, employee knowledge about security best practices, and how business processes intersect (or conflict) with your information security. 
• Report preparation: After collecting and analyzing your cybersecurity data, we create a report that describes your current situation, analyzes gaps and vulnerabilities, and recommends remediations based on the items we find. This report is both non-technical for executives and business stakeholders, and technical for IT staff or vendors. 
• Report delivery and review: We review this report with all stakeholders and answer questions. Optionally, we can provide a roadmap to implement the recommendations—whether you work with us or not. Recommendations in a typical technical report can be overwhelming. Our report makes any recommendations digestible and helps you plan for the organizational changes and expenses that accompany the list of needed improvements to your cybersecurity posture.

As the Qualified Individual, your vCISO can help write the policies and procedures that will maintain and manage any items needed for accountability and constant improvement.

• Implement and periodically review access controls. A major aspect of cybersecurity is authorized access to information. If anyone can access sensitive and confidential information, or permissions are loose, then you’re placing customer and client data at risk. The FTC says to “determine who has access to customer information and reconsider on a regular basis whether they still have a legitimate business need for it.”
  
  You may have heard about the concept of “least privilege.” For example, the administrative team doesn’t need access to HR data, and the sales team doesn’t need access to accounting data. This is a good way to approach access controls. What information is essential for an employee to access based on their role—and no more? At the user account management level, such permissions need to be applied, enforced, and monitored. Don’t forget third party access to your data, which can be easily overlooked.
  
  
• Know what you have and where you have it. The FTC says that “a fundamental step to effective security is understanding your company’s information ecosystem. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. Keep an accurate list of all systems, devices, platforms, and personnel. Design your safeguards to respond with resilience.”
  
  Many cybersecurity incidents result from simply not knowing what data exists and where. Performing a thorough audit can help you inventory data, classify it by type, and understand any vulnerabilities related to how it’s collected, stored, and transmitted. You don’t want to have an unknown stray server or device out in the wild that contains sensitive or confidential data.
  
  
• Encrypt customer information on your system and when it’s in transit. Encryption helps make your information useless if stolen or glimpsed by eavesdroppers. It’s important to use applications that allow you to encrypt sensitive and confidential information. Ensuring proper encryption implementation is a combination of having the right tools and policies in place. 
  
  
• Assess your apps. The FTC says, “If your company develops its own apps to store, access, or transmit customer information – or if you use third-party apps for those purposes – implement procedures for evaluating their security.”
  
  Application security for CPA firms is incredibly important. Some of the biggest application security vulnerabilities usually include third-party access, lack of encryption, poor application integration, lack of access controls, and lack of data backup. You want to identify and address these vulnerabilities annually and with consistency across all your partners. In addition to understanding your partners’ security practices, you will also want to continually monitor their applications for vulnerabilities.
   
• Implement multi-factor authentication (MFA) for anyone accessing customer information on your system.  Consider MFA essential in today’s cybersecurity landscape. In simplest terms, MFA requires more than one factor to access information through an application. One factor might be a username and password. Another factor might be a code sent to your smartphone that you input after you’ve inputted your username and password. Those are two factors required to access the information, making it more difficult for a hacker to do the same. 
  
  Any email applications, VPNs, cloud-based systems, servers, workstations, administrative accounts, critical infrastructure, and systems housing sensitive data need MFA. Though these are the highest priority, it is best practice to use MFA on every account you have.
  
  
• Dispose of customer information securely. Often overlooked, a major cybersecurity gap is how CPA firms delete customer and client information. First, you should have a clear records retention policy that you enforce. When data is ready for disposal, you do not want to commit elementary mistakes such as reusing laptops with sensitive information still stored on the device. Cloud providers and IT professionals have a rigorous process they use to ensure proper data disposal on servers and cloud-based applications. For devices, a variety of techniques can be used to ensure the local disposal and destruction of data on hard drives.
  
  
• Anticipate and evaluate changes to your information system or network. Who has access to your equipment and applications? What changes can they make? Misconfigurations of servers, devices, wireless access points, and network infrastructure are common causes of cybersecurity vulnerabilities. Policies and procedures with an authorization component must exist to ensure that only authorized professionals can make critical changes to your systems and only once the proposed change has been authorized.
  
  
• Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. The FTC says you must “implement procedures and controls to monitor when authorized users are accessing customer information on your system and to detect unauthorized access.”
  
  At a minimum, logging combined with security professionals monitoring user activity is essential for alerting you to anomalous activity—such as an unauthorized user accessing your systems from an unusual country or an employee logging in at 2am in the morning to exfiltrate a large amount of data. Logging is also important evidence that you can analyze in the aftermath of a cyber incident. Without this data, you will be unable to analyze the full nature of a cyberattack, deduce the source of the attack, and remediate effectively.
  
  
• Ideally, CPA firms need to consider a security orchestration, automation, and response (SOAR) solution. This strategy combines logging, security information and event management (which sifts through logs to consolidate alerts from different systems), managed detection and response (which involves a security team proactively looking for cyberthreats across your servers, computers, and entire IT network), and automated responses to threats through tools such as endpoint detection and response.
  
  Any one of these alone isn’t enough, which is why SOAR combines them all. Over the next few years, SOAR will become a required best practice, and it’s a good idea to get ahead of the curve

Real-time continuous monitoring should be an essential part of any organization’s cybersecurity program. Threats can strike at any time. A combination of tools and human oversight with the goal of preventing, detecting, and responding to threats is critical. 

The SOAR tools discussed earlier will go a long way toward meeting this requirement—allowing you to combine important monitoring tools such as security information and event management (SIEM), managed detection and response (MDR), endpoint detection and response (EDR), intrusion detection systems (IDS), vulnerability scanning (VS), and security scans. 

In the absence of continuous monitoring, to comply with a law or regulation, or for an extra assurance about your security program, a penetration test might be required. Penetration tests poke, prod, and probe at your devices, networks, and applications looking for holes, gaps, and vulnerabilities. Usually, these are one-time tests conducted periodically. 

The Rule urges your CPA firm to do continuous monitoring, but if that’s impossible for some reason then periodic penetration testing is allowed as a substitute. Each method has a purpose and should be considered based on your CPA firm’s needs and goals.

5. Training

ACTION: Train your staff. 

Security awareness training is another cybersecurity essential. People are often the weakest cybersecurity link within an organization. All your cybersecurity tools and technology can be rendered useless if an employee clicks on the wrong link or attachment after getting tricked by a cyberattacker. 

Modern security awareness training programs are easy to implement and respectful of employee time. Automated phishing tests highlight employees who might be vulnerable to phishing attacks, computer-based security training can be watched at an employee’s convenience, and management reports ensure results and accountability. 

At a minimum, we recommend: 

• Monthly phishing tests.
  When users fail a phishing test: 
  - 1 failure within 6 months: Person gets remedial training. 
  - 2 failures within 6 months: Person gets an assessment.  
  - 3 failures within 6 months: Next step decided by management. 
• 15-20 minutes of interactive self-paced training every month. 
• Reports sent out monthly to your CPA firm’s cybersecurity liaison. 
  - Documentation of training completion/incompletion 
  - Phishing test failures 
• Liaison shares pertinent information with human resources and respective management. 

According to the FTC’s definition, a service provider is “any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution that is subject to this part.” Cyberattackers look for weak spots with third-party IT providers, vendors, and contractors who access your systems and data. Many cybersecurity incidents have occurred from an unlikely third-party vulnerability such as an HVAC system or a cloud line-of-business application. 

If you don’t hold service providers accountable for cybersecurity, they could be putting your CPA firm at risk.

Ways to monitor service providers include: 

• Getting your IT or cybersecurity resource to vet service providers before signing a contract with them. 
• Including language in your contracts about adhering to cybersecurity best practices.
• Requesting independent verification of a service provider’s cybersecurity safeguards, such as an annual Security Gap Analysis. 

It's a good idea to have someone on hand as your cybersecurity strategist and consultant who not only helps you with ongoing protection but also guides annual strategic cybersecurity planning and roadmaps the next few years. They can also keep your policies and procedures up-to-date, lead your security committee, give you periodic security briefings, and oversee the evolution of your day-to-day cybersecurity program. 

Cybersecurity is a rapidly-evolving field. If your IT staff or service provider hasn’t changed anything in a long time, be wary.

Over the past few years, tools such as endpoint detection and response, cloud security and incident event management, security awareness training, multi-factor authentication, and cloud data loss protection, to name a few, have gone from nice-to-have to essential. 

To protect your customer and client information, your cybersecurity program needs to continually evolve and never remain static. 

While this requirement is not applicable to CPA firms with less than 5,000 customers or clients, we still recommend creating an incident response plan so that you know what to do in case a cyber incident occurs

While this requirement is not applicable to CPA firms with less than 5,000 customers or clients, we still recommend some type of executive reporting to encourage accountability, transparency, and decision-making.

VC3 provides annual security reports along with periodic reporting during the year on all aspects of cybersecurity discussed in this guide. Your IT staff or service provider should provide something similar for your board or senior officer.