Forward: If this becomes overwhelming, we have a free definitive guide for accountants to comply with the new 2023 FTC Safeguards Rule
You can download here:
As an accountant, it is essential to comply with the Federal Trade Commission’s (FTC) Safeguards Rule. The Safeguards Rule is making all accountants follow new regulations and create / implement an ISP (information security program). Not doing it can lead to big fines, legal consquences, and loss of business.
What is the FTC Safeguards Rule?
The FTC Safeguards Rule is a set of regulations that requires financial institutions to develop and implement an information security program. The rule aims to protect sensitive information, such as customer data, from unauthorized access, use, or disclosure.
The Safeguards Rule applies to all financial institutions, including accounting firms that provide financial services. Accountants handle sensitive customer information such as tax returns, financial statements, and other financial records. Therefore, it is crucial to comply with the Safeguards Rule to protect the confidentiality, integrity, and availability of such information.
When is the FTC Safeguards Rule Deadline?
June 9, 2023 is when accounting firms, regardless of size, must comply with the FTC Safeguards Rule.
What are the Requirements of the FTC Safeguards Rule?
The FTC Safeguards Rule requires financial institutions to develop, implement, and maintain a comprehensive information security program. The program must be tailored to the size and complexity of the institution, as well as the nature and scope of its activities.
The Safeguards Rule requires financial institutions, including accounting firms, to:
- Appoint a qualified company to coordinate the information security program.
- Conduct a risk assessment to identify internal and external risks to the security, confidentiality, and integrity of customer information.
- Develop and implement a written information security program that includes administrative, technical, and physical safeguards to protect customer information.
- Regularly monitor and test the information security program to identify and address vulnerabilities and ensure its effectiveness.
- Evaluate and adjust the information security program in response to changes in technology, the sensitivity of customer information, and internal or external threats.
- Require qualified professional to report at least annually the owner / board of directors with information regarding their current cyber security.
- Periodically review your security providers and make appropriate changes when necessary.
- Keep your information security program (ISP) current
- Create and update a written incident response plan
Why is Compliance with the FTC Safeguards Rule Essential for Accountants?
Compliance with the FTC Safeguards Rule is essential for accountants for several reasons. Here are some of the most significant benefits of complying with the Safeguards Rule:
- Protects Sensitive Information: Accountants have access to a slew of information that hackers want. A single return has enough information to commit identity theft. It needs to be protected from unauthorized access and needs to stay secure.
- Builds Trust with Clients: Getting things like a Cyber Safeguards Compliance and displaying it on your website or LinkedIn lets others know you take security seriously and that it’s part of doing business with you.
- Avoids Legal Actions: There are hefty fines that can put companies out of business assosciated with data breach. The average data breach can result in millions of dollars in restitution and permanent reputation damage.
- Improves Reputation: Following the Safeguards Rule helps others view you as a progressive accountant that focuses on data security. With this in mind, others will know they can trust you, and ultimately, end up doing business with your accounting firm. As you know, it usually comes down to does the client know, like, and TRUST you.
- Enhances Efficiency: Making sure vulnerabilities are patched and security measures are in place helps things run smooth. Smooth = fast and fast = more capacity. With more capacity, your firm is able to accomplish more while doing less.
What about The FTC Safeguards Rule December 2022
While the initial date for compliance was 12/9/22, the FTC decided to move the date back to 6/9/23 to allow firms more time to comply with the deadline. The current deadline is 6/9/23.
What provisions are included in the six-month extension? The new extension put out in late 2022 include following new requirements.
- Designate a qualified person to oversee their information security program
- Develop a written risk assessment
- Limit and monitor who can access sensitive customer information
- Encrypt all sensitive information
- Train security personnel
- Develop an incident response plan
- Periodically assess the security practices of service providers
- Implement multi-factor authentication or another method with equivalent protection for anyone accessing customer information
I already have a WISP, is that the same as an ISP?
- The WISP, written information security plan, that accountants with a PTIN needed to renew their license is different than an ISP, Information Security Program. While the initials are similar, a written information security plan (WISP) is outlining the security protocol and actions that a firm will take in different scenarios.
- An ISP – Information Security Program – is detailing exactly HOW you protect your firm. You can think of the WISP as the blueprint, and the ISP as the actual execution. While planning is half the battle, actions speak louder than words.
What should I be on the Lookout For?
We have written a comprehensive Top 10 Mistakes to Avoid Checklist that can be found here:
What Are The Penalties for Non-Compliance of the FTC Safeguards Rule?
[Accounting Firms] can face civil penalties of up to $46,517 per violation – FTC.gov
The FTC Safeguards Rule penalties are a crucial aspect that every accounting firm must be aware of to avoid costly consequences. Failure to comply with these regulations can result in hefty fines, with civil penalties reaching up to $46,517 per violation.
As a financial institution, accounting firms must prioritize their clients’ data security by implementing the required cybersecurity measures. Adherence to the FTC Safeguards Rule helps businesses maintain a stellar reputation and avert potential financial disasters, demonstrating the importance of staying up-to-date with the latest regulations. To safeguard your firm from non-compliance, ensure robust cybersecurity policies are in place and regularly monitor your systems for possible breaches.
What Size Firms Does The FTC Safeguards Rule Apply To?
This applies to firms of all sizes. There are some reduced compliance standards for those that have access to less than 5,000 records. Do keep in mind, if you have access to your client’s customer base through things like Quickbooks Online, this counts as more PII records.
So if you have 500 clients, and each client has 100 customers of their own, you would have access to 50,000 records, and be required to comply with all of the requirements.
Small Firms doing less than 100 personal returns per year might have lessened requirements.
Do keep in mind, even though this is legally required, it is still good business practice, with or without the government telling you to protect your customers.
All in all, compliance with the FTC Safeguards Rule is essential for accountants who handle sensitive customer information, namely, tax accountants. Therefore, it is important that all accountants comply with the new information security program (ISP) regulations. It’s not only checking boxes for the government, it’s showing you care, good business practice, and helps keep your clients information safe.
If you need assistance, you can download our definitive guide to FTC Safeguards Compliance for Accountants here:
You can also hire us as your qualified professional. Being a Certified Safeguards Technology Provider, puts your mind at ease knowing you’ll gain compliance through a tech company that not only talks the talk, but walks the walk as well. Everything the accounting professionals need to do to achieve compliance is also done by our company – AND THEN SOME. Doing what is legally required is step one, but we take this seriously, and have policies in place that not only pass FTC guidelines, but also HIPAA, and PCI.