The Highest Impact Cyber Essentials to Meet IRS Publication 4557 Requirements

Kevin Howarth, Communications Manager

After its passage over 20 years ago, the Gramm–Leach–Bliley Act continues to influence how financial institutions secure information—including even the smallest of professional tax preparers. As part of this law, IRS Publication 4557: Safeguarding Taxpayer Data serves as a guide to CPA firms. It outlines cybersecurity best practices, how to report and respond to cyberattacks, and how to comply with the FTC Safeguards Rule.

While a variety of approaches to cybersecurity exist, depending on a CPA firm’s needs and size, it’s important that each firm develop and implement a plan. Otherwise, failure to create and implement this plan as part of your compliance may result in lost revenue and clients, an FTC investigation, or even getting shut down.

If you are a CPA firm, you likely are familiar with Publication 4557. However, the publication does not outline exact cybersecurity prescriptions, so it’s easy to wonder:

1. Am I doing the right things?
2. Am I focusing on the right priorities?
3. Will my efforts have an impact?

The publication is quite thorough and user-friendly, so we won’t repeat its points verbatim. Instead, we want to highlight the publication’s most important messages, compare the IRS’s recommendations against industry standards, and let you know where you need to focus the most attention. The following cyber essentials will help you identify gaps and improve your cybersecurity foundation to comply with the law.

1. Policies

Before we even talk about technology, it’s important to talk about cybersecurity policies. Some of the highest impact policies you can establish relate to:

• Passwords: Something as simple as passwords are a key way that cybercriminals get into your systems. Best practices should include multi-factor authentication (MFA)—a second layer of authentication needed to get into your applications (such as a code sent to your phone).
• Access and authorization: Who has access to data? Do they need access to it? Setting access and authorization policies—such as the concept of “least privilege”—will help you restrict data access to only those with a need to use that data. This includes remote access policies, where you may require highly secure VPNs to access any data from a personal device.
• Wireless network security: It’s easy to overlook how wireless routers are set up and configured.
• Physical access security: Anyone and anybody should not have access to your servers, computers, and network equipment.
• Disaster recovery and business continuity: What is your plan if you experience a ransomware attack? How will you respond to a cyberattack?
• Devices: Your investment in devices for employees also requires policies to protect those devices including areas such as lifecycle management, proper use, and securely decommissioning devices when they reach end of life.
• CPA-specific areas: This includes policies around reviewing return information (such as direct deposit information), EFINS/PTINs cleanup, and withdrawing from outstanding authorizations from former clients

2. Technology

Next, you need the right technology foundation to help you secure your data and automate many processes. Technology solutions and tools include:

• Threat detection and prevention: Endpoint Detection and Response (EDR) helps you detect suspicious activity on your computer if a cyberattacker happens to get inside.
• Antispam and email filtering: These tools prevent many malicious emails from ever reaching your inbox.
• Patching: Regularly apply software patches from vendors to shore up security vulnerabilities. Lack of patching is one of the biggest reasons cyberattackers are successful.
• Encryption: In case a device or data is stolen, a cybercriminal will not be able to view your data because it is encrypted.
• Firewalls: Firewalls and intrusion prevention tools monitor and block malicious website traffic so that it never even enters your systems.
• Data backup and disaster recovery: A data backup and disaster recovery solution needs an onsite component (for quick recovery after a small incident), an offsite component (for recovery after a ransomware or other major cyberattack), and both testing and monitoring for issues.

3. Professionals

Even a small CPA firm can benefit from proactive, professional IT support. It’s important that you avoid trying to do it yourself, using a vendor that’s merely a computer repairperson, or relying on a reactive IT vendor that only puts out fires. Your information is critically important and under regulatory scrutiny, and you need professional IT help to keep it secure.

4. People

Employees need training to stay vigilant against cyberattacks. Part of that training will include education about email phishing attacks—their various flavors, how scammers try to trick you, and how you can spot the signs of a phishing email. Simulated phishing tests also work well to test employees and give vulnerable employees additional coaching.

5. Compliance

Finally, you need to make sure you are complying with the finer points of the FTC Safeguards Rule, which says you must:

1. Designate an information security coordinator within your firm.
2. Identify and assess your current risks.
3. Design and implement a safeguards program.
4. Select a service provider to help you maintain these safeguards.
5. Evaluate and adjust your program.

The IRS says these requirements are flexible, but you do need to meet them. Luckily, a trusted IT vendor can help you with these FTC Safeguards Rule requirements so that the heavy lifting is taken off your shoulders and you can focus on your real job—accounting and tax preparation.

VC3 is a partner with SCACPA and can help CPA firms meet the requirements of Publication 4557. Reach out to us through the form below if you want to strengthen the security and compliance of your CPA firm.