As a professional accounting firm, safeguarding your clients’ information is paramount. The Federal Trade Commission (FTC) recently updated their Safeguards Rule with more guidance to ensure that financial institutions–including non-banking financial institutions, such as accounting firms–are taking proper steps to protect sensitive data.
With the FTC’s Safeguards Rule deadline going into effect on June 9th, CPA Firms will be required to have detailed procedures and specific criteria implemented in order to provide better protection and to curb data breaches and cyber-attacks that could jeopardize sensitive customer data.
At tekRESCUE, we are committed to helping your firm succeed while complying with these regulations so you can properly protect your clients’ sensitive data, avoid fines and legal issues, and focus on delivering the accounting services your clientele relies on.
In order to ensure your business is compliant with these new regulations it is essential to know what steps to take to meet these expectations. This includes having a comprehensive understanding of the requirements, how they apply to your organization, and having a plan to continually protect sensitive data and maintain compliance.
FTC Safeguard Rules: An Overview
The Security Summit created by the IRS in 2015 brings together state agencies and private sector security experts to create robust cyber security requirements. As part of its mission, it establishes requirements for financial institutions and tax professionals to comply with FTC regulations (such as the Safeguards Rule). It also provides helpful guidelines to help those in the finance sector meet these requirements.
Your accounting firm should already be aware of, and follow the requirements outlined in the 2003 Gramm-Leach-Bliley (GLB) Act, which requires non-banking financial institutions to properly protect sensitive and confidential financial information. This Act formed the foundation of the FTC Safeguards Rule, which includes requirements for creating and implementing a written information security plan to safeguard sensitive taxpayer information.
Failure to meet these federal regulations can result in an FTC investigation and steep fines for your business. It is important for your accounting firm to stay up to date on responsibilities related to the GLB Act and Safeguards Rule so you are compliant with cybersecurity laws and able to protect taxpayer data from malicious individuals or organizations.
Does My Accounting Firm Need to Comply with the FTC Safeguards Rule?
The FTC Safeguards are applicable to most non-banking financial businesses and institutes that are related to financial services, including CPA firms of any size. Section 314.2(h) highlights some examples of companies that fall under the Rule.
The FTC Safeguards rule does have some exceptions–for example, if your accounting firm holds sensitive data from fewer than five thousand people it may not be required to follow some of the provisions of this regulation.
For more details on whether or not your CPA firm qualifies for exemption as outlined in Section 314.6, you can learn more here.
What Does My Accounting Firm Need to Do to Comply with the FTC Safeguards Rule?
To ensure your accounting firm is compliant with the FTC Safeguards Rule, it is essential to make sure your team understands the importance of following its requirements. The rule was established to require non-banking financial institutions (such as accounting firms) to plan, put into action and maintain a written information security program.
“Customer information” includes any record handled by your firm (or affiliates) that contains private personal details about customers (any personally identifiable financial information, description, or grouping used to personally identify private financial data) whether in physical or digital form.
The written information security program you create needs to outline the physical, technical, and administrative safeguards utilized by your firm to help protect private client data from cyberattacks and breaches. There are nine key elements that your security program must include:
- Ensuring that your accounting firm’s information security program is under the supervision of a qualified professional.
- Conducting a thorough risk assessment to determine what information and data is stored, where it is located, and any associated risks that may arise from potential data breaches.
- Developing and implementing measures and safeguards to reduce and mitigate the potential risks uncovered during the risk assessment.
- Testing and evaluating the efficacy of the protection measures implemented.
- Making sure your accounting staff are proficient in recognizing weak points that could jeopardize the confidentiality of data.
- Monitoring and staying up to date with your service providers to sustain appropriate levels of security.
- Maintaining and updating your security program by regularly assessing and revising your written information security program in accordance with any modifications to operations or external threats.
- Developing a robust incident response plan to address cyberattacks and breaches if they occur.
- Requiring your qualified representative to report to the board of directors or the senior executive in charge of your information security program.
Get Free Training to Ensure Your CPA Firm is Covered
Register for FREE Training to learn how to make sure your CPA Firm is compliant with the new FTC Regulations. Cybersecurity expert Randy Bryan (founder of tekRESCUE) will be sharing exactly what you need to know about protecting your CPA Firm from both FTC penalties and future security breaches.
When you attend this training, you will receive step-by-step information on how to ensure that your firm is up to date on regulations and compliance, while also procuring the necessary steps to mitigate your risk of a cyberattack.