Barry was annoyed. He had spent all his time and effort on his fledgling CPA operation. He had two other accountants on the payroll and was eyeing expansion.
But now he was going to be regulated by what he considered an obscure regulation: the Federal Trade Commission’s new and updated Standards for Safeguarding Customer Information (16 CFR § 314.1, et seq.), also known as the Safeguards Rule.
June 9, 2023 Is The Deadline For FTC Compliance!
Who Does The FTC Safeguards Rule Apply To?
The Rule states that the security of customer information is now imperative for institutions “significantly engaged in financial activities” or “activities incidental to such financial activities,” but not subject to other regulators.
These regulations now subject Barry’s firm to cybersecurity rules that are too technical for him to understand (not to mention sounding costly).
What Are The FTC Safeguards Rule Requirements?
The Rule mandates customer data confidentiality, integrity, and availability (CIA) and contains nine requirements, in brief:
1. Designate a qualified individual to implement and supervise the accounting firm or tax preparer’s information security program.
This may be the most difficult requirement to attain if the accounting firm or tax preparer does not currently have an IT staff member trained as a cybersecurity expert. The Rule does not require the qualified individual to be an employee; the role can be filled by an affiliate or a service provider, in which case the firm retains responsibility for compliance and must designate a senior member of its own staff to oversee that provider.
2. Conduct periodic risk assessments to inform and guide the continued updating and enforcement of the information security program.
The program should not be a static one. A periodic review also requires a “clear understanding of the business dynamics of customer data,” not just a technical exercise.
3. Design and carry out customer information safeguards that control the risks identified through the accounting firm or tax preparer’s risk assessment.
The Safeguards Rule requires the accounting firm or tax preparer to implement access controls, maintain an inventory of its data and systems, encrypt customer information in transit and at rest, enact change management, and log and monitor user activity on its systems.
4. Regularly monitor and test company safeguards.
Accounting firms or tax preparers must regularly test or continuously monitor the effectiveness of their safeguards.
The firm or preparer must choose one of two approaches: continuous monitoring of its systems, or annual penetration testing plus vulnerability assessments (including scans for publicly known vulnerabilities) at least every six months and whenever a material change to its operations could affect its security posture.
5. Train company staff.
Employees are a frequent initial point of compromise, most often through phishing and stolen credentials. Company personnel should receive “security updates and training sufficient to address relevant security risks,” and staff with security duties need enough ongoing training to keep current with changing threats.
6. Monitor service providers.
An accounting firm or tax preparer must exercise due diligence on the security measures of its vendors that process, record, use, or store any of its customer data as well: select providers capable of maintaining appropriate safeguards, require those safeguards by contract, and periodically reassess the providers based on the risk they present.
7. Keep the information security program current.
What accounting firms or tax preparers learn from their operations, changes to their technology environment, the results of risk assessments and testing, personnel changes, and emerging threats all affect the security program, so change management procedures must be in place.
Employees and vendors must incorporate those changes and re-evaluate the safeguards so the program continues to address current risks and threats.
8. Create and implement a written incident response plan.
In the event of unauthorized access to, misuse of, or destruction of customer information, the accounting firm or tax preparer’s written incident response plan should detail how it will respond: the goals of the plan, internal response processes, roles and decision-making authority, internal and external communications, remediation of weaknesses found, documentation of the incident, and a post-incident review.
The plan includes specifics on recovery and should also be kept in physical form in a secure yet accessible location, since it may not be reachable on the firm’s digital systems in the middle of a security incident.
9. Require the qualified individual to report to the board of directors or other senior authority responsible for the security program.
The qualified individual (see 1 above) must structure the written information security program to include stringent monitoring, auditing, and reporting requirements, and must report in writing at least annually.
The firm’s security tooling should be capable of producing the documentation that supports this board- or governing-body-facing report: the overall status of the program, compliance with the Rule, risk assessment results, service provider arrangements, test results, security events and the responses to them, and recommended changes.
Does The FTC Safeguards Rule Apply To My Accounting Firm Or Tax Preparer?
Accounting firms and tax preparers access, store, and transmit customer data, so they are covered under the Rule. Smaller firms may qualify for the partial exemption described below, which removes some requirements but not the Rule as a whole.
Are Any Accounting Firms Or Tax Preparers Exempt From Any Part Of The Rule?
There are limits on the applicability of the Rule.
The following provisions “do not apply to financial institutions that maintain customer information concerning fewer than five thousand consumers” (Safeguards Rule):
- Criteria for the evaluation and categorization of identified security risks or threats.
- Criteria for assessing the CIA of information, including the adequacy of the existing controls in the context of the identified risks or threats.
- Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks.
- The specific requirement to choose between continuous monitoring and annual penetration testing with semi-annual vulnerability assessments (exempt firms must still regularly test or otherwise monitor the effectiveness of their safeguards).
- A written incident response plan.
- A regular written report on the status of and compliance with the information security program and related material matters. (The source for all the above bullet points is the Safeguards Rule.)
Small business entity exemptions do not extend to an accounting firm or tax preparer’s service providers: “any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution that is subject to this part” (Safeguards Rule).
If the accounting firm or tax preparer is, by the above threshold, a small business, it can still be bound by the Rule’s safeguards as a service provider if it handles customer information on behalf of covered businesses or organizations, because those clients must require such safeguards by contract.
Why Was The Safeguards Rule Updated?
The updated requirements were written to stay on top of advancing technology and the increase in cybercrime.
Increasingly, hackers and scammers are gaining unauthorized access to business networks or devices, stealing business and customer information, using it fraudulently, holding it for ransom, or selling it on the dark web.
It may not have been a priority in the past, but accounting firms or tax preparers must now strictly maintain their customer data security.
When Is The Deadline For Compliance With The Safeguards Rule?
The deadline for the Rule’s essential requirements is June 9, 2023.
That is when the FTC can begin enforcing them, with penalties for non-compliance reaching up to $46,000 per violation per day.
Questions Covered Accounting Firm Or Tax Preparers Should Ask Themselves
Covered accounting firms or tax preparers should ask themselves:
- Do they maintain the confidentiality, integrity, and availability of their customer and business data in use, in transit, and at rest?
- Have they implemented MFA for everyone who accesses systems holding customer information, and encrypted their files, email, and apps? (The Rule allows the qualified individual to approve a compensating control in writing where MFA is not feasible.)
- Does the accounting firm or tax preparer have either continuous monitoring or penetration testing and vulnerability assessments in place?
- Do their partners, affiliates, and third-party vendors have proper safeguards?
- Do they know what applications, users, and devices are on their network right now?
- Do they have a process for granting, reviewing, and revoking employee access permissions as roles change and staff leave?
- Have they tested and trained their staff in cybersecurity?
- Do they need a virtual chief information security officer (CISO) to be their qualified individual under the Rule?
Implementing safeguards—such as access controls, multi-factor authentication, penetration testing, or continuous monitoring—is not a trivial requirement.
Covered accounting firms or tax preparers must also create, enact, and maintain a written information security program.
This should comprise administrative, technical, and physical controls to protect customer information, defined as “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or another form, that is handled or maintained by or on behalf of [the company or their] affiliates.”
This data includes customer names, addresses, driver’s license numbers, passport details, Social Security numbers, credit histories, loan details, and other credit information.
Covered Accounting Firms Or Tax Preparers May Need Help To Comply With The Safeguards Rule
Implementing, maintaining, and overseeing these security controls may increase in-house IT resources workload, training, and time commitment.
Even a few extra hours a week can put an excessive workload on in-house teams and increased costs on the accounting firm or tax preparer. In this case, owners and managers should enlist the support of an experienced security partner.
When carefully considering IT support with cybersecurity services, accounting firms or tax preparers should ask:
- Whether the security partner can help them understand and attain compliance with the Rule. The partner should provide continuous monitoring, or alternatively vulnerability scanning and penetration testing; the required reporting and reviews; and regular education of the firm’s staff on the rapidly changing nature of cyber threats.
- Whether the security partner can assign a named point of contact who will serve as the qualified individual (see 1 above).
- Whether the security partner has prior experience with accounting firms or tax preparers like theirs.
- Whether the security partner can oversee all or most areas of the firm’s security program (handling more than one area gives the partner a complete view of the firm’s IT environment).
- Whether communication with the security partner runs through a fast-response ticketing system, scheduled in-person meetings, or both.
Again, the new requirements of the Rule come into effect on June 9, 2023.
If an accounting firm or tax preparer still lacks adequate data security protections at that time, covered clients may terminate their contracts with it, and owners could incur up to $46,000 per violation per day in penalties for non-compliance.
Conclusion: Use Compliance Requirements To Transform Your Accounting Firm Or Tax Preparer
These requirements may seem overwhelming.
They can be expensive and too complex for a typical accounting firm or tax preparation owner who is not equipped to meet them, and external partners and vendors may add to the complexity.
Owners may need strong external support to meet the Rule’s new and updated, stringent security obligations.
An experienced security partner should go beyond strict compliance and partner with the organization to strengthen systems security while saving money and time.
The threat landscape is evolving. You must change the way you do business in order to comply with the updated Safeguards Rule.
Compliance is an evolving requirement and should be an indispensable part of a company’s cybersecurity posture and readiness.
An experienced security partner can help accounting firms or tax preparation companies attain compliance that will promote a culture of cybersecurity in the company.
For detailed information and requirements in the FTC Safeguards Rule, download Tech Kahunas’ The Accountant’s Guide to the FTC Safeguards Rule, below.
Tech Kahunas is a San Diego Managed IT Services provider which provides IT support and services like 24/7 monitoring, data backup and restore, and malware protection.
Tech Kahunas will help you Defend Your Island. Set up a free 30-minute Strategy Session with us now.
This informational piece was derived from the FTC Safeguards Rule, which has 18 revisited or newly defined terms at 16 CFR § 314.2. Tech Kahunas has specific recommendations on the security of data.