Make this easy with our comprehensive guide –
Accountant Compliance Made Easy: 2023 FTC Safeguards Rule.
As accountants prepare for the 2023 update to the FTC Safeguards Rule, it’s essential to be aware of the potential pitfalls and mistakes that can occur during implementation. Failure to comply with the new requirements can result in significant fines and reputational damage. To help you avoid common mistakes, we’ve compiled a list of the top 10 mistakes to avoid when implementing the 2023 FTC Safeguards Rule.
Underestimating the Scope of the Rule
One of the most significant mistakes financial institutions can make when implementing the 2023 FTC Safeguards Rule is underestimating its scope. The updated rule is expected to expand the definition of “financial institution” to include entities that handle cryptocurrency and other digital assets. Additionally, financial institutions will be required to provide more detailed notices to consumers about their data collection and sharing practices. It’s important to carefully review the updated rule and ensure that your institution is complying with all new requirements.
Failing to Designate a Qualified Professional
The FTC Safeguards Rule requires accountants to hire a qualified professional to put together, coordinate, and execute the information security program (ISP). This person or company is responsible for developing and implementing the program, identifying and assessing risks, and regularly testing and monitoring the effectiveness of the safeguards. Failing to designate a coordinator can lead to confusion and disorganization, and may result in noncompliance with the rule. The easiest way to vet your provider is to check if they are a Certified Safeguards Technology Provider. This certification is given by the PTIN organization and is an easy method for ensuring due diligence on your provider.
Make sure your provider has real-world experience implementing cyber security compliance; don’t try to take it on yourself if you are not familiar with technical assessments.
Neglecting Risk Assessments
The FTC Safeguards Rule requires financial institutions to identify and assess risks to consumer information in each area of their operation. Neglecting this requirement can leave your institution vulnerable to cyberattacks and other security breaches. Regular risk assessments are critical for identifying and addressing potential security weaknesses before they can be exploited.
Failing to Develop and Implement Safeguards and an Incident Response Plan
Once risks to consumer information have been identified and assessed, financial institutions must develop and implement safeguards to control these risks. This can include measures such as access controls, encryption, and multi-factor authentication. Failing to develop and implement safeguards can leave your institution exposed to security breaches and can result in noncompliance with the rule.
The incident response plan put together for your firm provides step-by-step instructions for when there is a cyber incident. Knowing what to do ahead of time lets you plan for and mitigate potential issues while running your firm.
Not Doing Regular Testing and Monitoring
The FTC Safeguards Rule requires financial institutions to regularly test and monitor the effectiveness of their safeguards. This includes ongoing vulnerability assessments and penetration testing to identify and address potential security weaknesses. Neglecting regular testing and monitoring can leave your institution vulnerable to cyberattacks and other security breaches.
Your qualified professional should have a strategy and a clear path to test and monitor these plans. The FTC requires one of the following methods of regular testing: continuous or periodic monitoring.
Continuous monitoring: Using tools like RMM (remote monitoring and management) and IDS (intrusion detection system).
The continuous monitoring method is usually included in services from a managed service provider (MSP). If not, let them know you are legally required to have that in place by June 9th, 2023.
If they are not using it, you can expect the price increase to be around $50-$75/user/month for these tools to be added to your security stack. The costs to the MSP will usually be higher than that, but they will be able to implement it at scale to offset costs with their other clients.
Periodic monitoring: A full system scan every 6 months coupled with an annual penetration test (also called a pen test).
You will need a qualified third party to perform the system scan. This is usually done by installing hardware on the network or by doing an extensive audit, and it will identify weaknesses in your system.
In the penetration test, a third party manually digs deep into those vulnerabilities.
Find a qualified professional that is a certified Safeguards Technical Provider – it will help narrow the field. After all, according to Google, there are 492,000 IT professionals, but only a few dozen are actually certified.
Failing to Evaluate and Adjust the Program
The FTC Safeguards Rule requires tax preparers and accountants to evaluate and adjust their information security program in response to changes in business operations or the risk environment. Failing to evaluate and adjust the program can leave your institution vulnerable to emerging threats and can result in noncompliance with the rule.
Can you imagine if tax law were the same as it was in 2000? If you were doing taxes based on the laws from decades ago, you would look ridiculous and would not be qualified to prepare returns for the public.
Your qualified professional needs the ability to evaluate and adjust your program. This is accomplished through the monitoring described above: once you are aware of a change, create and execute a plan to address it.
Relying Solely on Technology Solutions
While technology solutions such as encryption and multi-factor authentication are critical components of an effective information security program, they should not be relied upon exclusively. CPAs, Enrolled Agents, and Bookkeepers must also implement administrative and physical safeguards, such as employee training and access controls, to ensure the security of consumer information.
Make sure that your staff is aware of the vulnerabilities their own actions create. You can put a lot of restrictions on employee access, but at the end of the day, 92% of cyber attacks start with an employee’s one wrong click.
Just once, ever, is all it takes to ruin your reputation and company by assuming “I have an IT company that handles everything.”
While having a qualified individual is (a) required by law and (b) a good idea that makes things easier and lets you spend more time working with your clients and growing your firm (or golfing 😉), you should still keep everyone abreast of the ever-changing landscape. Your MSP most likely already has training tools in place, so that is off your plate.
Failing to Train Employees
Employee training is a critical component of an effective information security program. Financial institutions must ensure that all employees are aware of the requirements of the FTC Safeguards Rule and are trained on best practices for safeguarding consumer information. Failing to train employees can leave your institution vulnerable to human error and can result in noncompliance with the rule.
Have employees sign off that they have received training; this also documents your compliance. A WISP (written information security plan) is a good start at training. Make sure your employees are aware of the requirement and sign off on it. Anyone with a PTIN is legally required to have one in place.
Neglecting Incident Response Planning
Even with the most robust information security program, accounting professionals must be prepared for security incidents such as data breaches. Neglecting incident response planning can result in a slow and ineffective response to security incidents, which can lead to significant fines and reputational damage.
Being reactive is difficult to begin with, and, per Murphy’s Law, you know an incident will only happen during tax season.
Having a plan to follow, rather than reacting emotionally, is the analytical and smart decision.
Failing to Document Compliance Efforts
Finally, when compliance is called into question, just like in an IRS audit, having all of your ducks in a row helps ensure that you can confidently pass. Third-party validation, such as Compliant Safeguards Cyber Security, helps make sure that you not only say you have it, but have evidence through validation.
Avoid these common mistakes to help your firm stay compliant with the new 2023 FTC Safeguards Rule.
While it can be extremely overwhelming to execute this as a qualified professional, we have created an easy-to-follow guide to help you in the process.
Accountant Compliance Made Easy: 2023 FTC Safeguards Rule workbook.