What Every CPA Needs to Know About the Safeguards Rule

What’s changing in cybersecurity regulations for accountants, and how Stratti can help 

The Federal Trade Commission (FTC) recently made updates to its Safeguards Rule. Regulations have been adjusted to ensure non-banking institutions, like auto dealerships, law firms, and accounting firms like yours, will be responsible for digital security systems that protect client information. 

With the dramatic increase in cyberattacks, the need to protect personal information has escalated—and regulations have tightened. 

Just so you have full context, the Gramm-Leach-Bliley Act, known as the GLBA, is the law requiring financial institutions to protect customer data. In its implementation of the GLBA, the FTC issued the Safeguards Rule. Under the GLBA, tax and accounting professionals, including Certified Public Accountants (CPAs) are considered financial institutions, regardless of size. 

So, to avoid the risk of fines, lawsuits, or damage to your reputation, all CPAs need to be in compliance.

If you’re thinking “I already protect my client information!” that’s great! You might be ahead of the curve—however the Safeguards rule changes are such that if you don’t have a dedicated IT team, you’re going to have trouble complying. 

The rule puts it plainly: if you can’t oversee IT on your own, you need to hire someone to do it for you. 

It’s okay, though. Take a breath—as your IT wingman, we’ve got your back. Here’s what changes are happening, and what you need to know:

What Does the FTC Require from Accounting Firms?

The FTC Safeguards Rule provides guidelines for businesses of all kinds that store personally identifiable information (PII). When threat actors (cybercriminals) steal PII, it can have far-reaching consequences for the individual victims as well as for your business. The updated requirements help address cyber threats such as ransomware attacks or data breaches. 

The law now requires all professional tax preparers (yes, all) to implement a Written Information Security Plan, or a “WISP.’”

What’s a WISP? 

A WISP is a type of plan outlining all protocols, processes, and systems you and your company have in place to protect your network and data, including your stored client PII, from cyber threats. 

In plain English, a WISP includes: 

  • A designated individual responsible for implementing, maintaining, and updating the WISP.
  • Conducting a risk analysis of your company’s customer information.
  • Designing and implementing a data security program. 
  • Working with service providers who can help implement required safeguards continually evaluate ongoing risks (for CPAs, this step often requires some technical assistance). 
  • Maintain and adjust your WISP as needed, especially in response to a changing threat landscape.

There’s a bright side. Yes, the law now requires you to have a WISP… but a WISP is necessary for good business practice. In a time where breaches are a matter of “when,” not “if,” having a plan in place is crucial! 

Stratti can help ensure your firm is in compliance, but we’ll do you one better. We’ll make sure you know what you need, and why, to comprehensively protect your business.

As your IT Wingman, Stratti has your back.

We can handle the technical expertise you need to help you stay in compliance with the new FTC Safeguards Rule requirements. Here’s where we can help:

  1. Implement Stratti’s Ultimate Cybersecurity Solution to meet the FTC’s new cybersecurity requirements at once while protecting your business. We’ll help you establish:
    1. Multi-Factor Authentication (MFA)
    2. Multi-point protection from firewalls to user devices
    3. Endpoint protection with EDR antivirus
    4. Spam filtering and other email security
    5. Website blocking and online content filtering
    6. System isolation for infected systems
    7. Dark web monitoring 
  1. Test your security as often as you need with our Proactive System Management. It includes:
    1. Security and vulnerability patch management
    2. 24-hour system and network monitoring
    3. Data backup and continuous monitoring and maintenance
    4. Network penetration testing
    5. Helpdesk complete with system and network support
  1. Educate and prepare your team to spot cyberattacks with Information Security Training and Verification:
    1. Cyber awareness training for users
    2. Training and testing for email phishing scams
  1. Stratti can also generate documentation of your policies and incidents, including:
    1. Backup and Disaster Recovery (BDR) plans
    2. Risk assessment reports
    3. Asset summary reports
    4. Network penetration reports
    5. Vulnerabilities reports

You can’t get in compliance overnight, so we do recommend getting started as soon as possible. Your clients and your business will be more secure as soon as you do. 

Any questions? Ready to get started? Give us a call at (530) 342-8999 or fill out the form below for a FREE, no-obligation, 15-minute cybersecurity assessment.