With the 2023 FTC Safeguards Rule, one of the new requirements is to designate a qualified person to handle everything related to the ISP (Information Security Program). We will explore how to evaluate and choose the right person or organization to do the job.
As an accountant, you must designate someone, or a vendor, to handle compliance with the Safeguards Rule. The FTC Safeguards Rule requires businesses to designate a qualified person to oversee their information security program. We've put together a guide on how to know if you are using the right person or vendor, including hiring a Certified Safeguards Technology Provider.
Who is a Qualified Person?
The qualified person who oversees your information security program should be someone with the experience necessary to put together and execute your ISP. This should not simply default to the firm leader, especially if they do not have real-world knowledge of the topic.
Tips for Choosing the Right Person
Choosing the right person to oversee your information security program is critical to complying with the Safeguards Rule. Here are some tips to help you choose the right person for the job:
- Qualifications: Look for someone with a background in IT or cyber security. Do not just choose a millennial who seems to know a lot. This is the equivalent of "my brother's friend is in school for cyber security and they know a lot." They should have prior experience with ISP creation and the Safeguards Rule. Ask what June 9th, 2023 means to them. It should set off alarms if they do not know what is going on in the regulatory world.
- Authority: The person or vendor in charge should have the latitude and the ability to do what is necessary to implement the ISP. Do not constrain them because of things that seem inconvenient. A data breach and permanent loss of reputation is far more inconvenient; let them do what needs to be done for compliance and safety.
- Ongoing Support: IT is always changing. Make sure your provider or person is aware of the latest compliance updates. Even since starting in the accounting niche in 2019, the number of changes we've had to make to keep up with regulations is huge. It is not a one-and-done task; the program must evolve.
- Hire a Certified Safeguards Technology Provider: One of the best ways to ensure that you have a qualified person overseeing your information security program is to hire a Certified Safeguards Technology Provider. You should always conduct due diligence beyond the certification, but the certification itself shows that the organization has been audited and is actually following the Safeguards Rule. Just as with hiring a CPA or any tax professional, there are good ones and bad ones; the designation, along with online reviews and real testimonials, should assist in your due diligence.
Benefits of Hiring a Certified Safeguards Technology Provider
Hiring a Certified Safeguards Technology Provider has several benefits for businesses looking to comply with the Safeguards Rule:
- Due Diligence Up Front: A firm cannot get certified without undergoing an audit from the PTIN Security Group.
- Cost Effective: Because they are narrowly focused, they do not have to serve many different industries or get cross-trained on hundreds of different pieces of software.
- Aware of Deadlines: We don't talk to you while you're busy. We know the tax, 1099, and compliance deadlines and stay out of the way.
- Full Stack: They have proven that they not only have the security in place to protect your firm and stay compliant, but also the ability to use it proficiently to properly protect you.
From Our Guide: Designate a Qualified Individual To Oversee Security Program § 314.4
16 CFR 314.4(a): Designate a Qualified Individual to implement and supervise your company's information security program. These are the questions from the template we have created to answer that requirement:
- Who is your qualified person/vendor to handle your company’s security program?
- What makes this person/vendor qualified?
- Examples of their real-world know-how:
- How are you supervising that person/vendor?
- Do they have an information security plan that protects your firm?
- What tools & software are being used to implement and monitor your information security program?
- Do you take responsibility for this party’s compliance?
- Require your Qualified Individual to report in writing, regularly and at least annually, to your board of directors.
In short, designating a qualified person to oversee your information security program is an essential part of complying with the FTC Safeguards Rule. Always conduct due diligence, and don't just hire someone internally who seems to know what they are doing. It may be the convenient move, but failing to comply is much worse than the effort of hiring a qualified vendor.
If you need assistance, you can download our free workbook to comply with the FTC Safeguards Rule.