FTC Safeguards Rule for Accountants

How-to Comply With FTC Safeguards Rule for Accountants

If you’re an accounting firm operating in the United States, chances are that you’ve heard of the revised FTC Safeguards Rule, which went into effect June 9, 2023. 

If not, it’s time to listen up!

As of June 9, 2023, you are responsible for putting measures in place for “safeguarding” your clients’ data. 

And if you don’t, there are hefty penalties in place that could potentially leave you hundreds of thousands of dollars in the hole. 

In today’s blog, we’re going to talk you through HOW to comply with the FTC Safeguards Rule for accountants & accounting firms, and give you a few easy tips to get it done quickly. 

Let’s dive in!

What is the FTC Safeguards Rule?

Funnily enough, the FTC Safeguards Rule is not new.

The set of regulations dates back to 2002, when the Federal Trade Commission put the rules in place to ensure financial institutions (mostly banks) did everything they could to secure and protect consumer data. 

What’s changed? 

In December 2021, the FTC revised the scope of the Safeguards Rule to include non-banking businesses as well, as long as they handle financial data in some capacity. 

Which is where you, the accounting firm, come in. 

Accounting firms are now required to put measures in place to ensure client financial data is protected and secure from cyber hacks and general malicious activity. 
You can read the nitty-gritty details of the FTC Safeguards Rule here.

How Can Your Accounting Firm Comply With the Safeguards FTC Rule?

Essentially, you need to put together a security program for your company. And unfortunately, they don’t make it that easy for you. 

There are 9 steps that you must take to ensure that you are safely guarding your clients’ financial data, including: 

a.   Designate a Qualified Individual to implement and supervise your company’s information security program. 

This step is important and involves assigning a specific person to oversee the new security program. The Qualified Individual can be someone who works for your company, an affiliate, or a service provider. They don’t need a specific degree or title; what matters is their practical knowledge and expertise that suits your company’s needs. For small businesses, the chosen individual may have a different background compared to someone managing a complex system in a large corporation. If you hire a service provider to implement and supervise your program, it’s still your responsibility to designate a senior employee to supervise that person. Additionally, if the Qualified Individual works for an affiliate or service provider, they must also have their own information security program in place to protect your business.

In essence, the FTC Safeguards Rule requires you to assign a capable person to oversee the security program, either internally or through a trusted third party.

b.   Conduct a risk assessment. Now that you have someone in charge of your company’s information security program, it’s time to figure out what you need to protect. You can’t develop an effective security program without knowing what information you have and where it’s stored. So, the first thing you need to do is take inventory of your company’s information. This includes customer data, sensitive documents, and any other information that needs safeguarding.

Once you have a clear picture of what you’re dealing with, it’s time to assess the risks. This means identifying the potential threats and vulnerabilities that could compromise the security, confidentiality, and integrity of customer information. You need to consider both internal and external risks. Internal risks could include things like employee negligence or unauthorized access, while external risks might involve hacking attempts or data breaches.

To conduct a risk assessment, you’ll need to put it down in writing. It’s important to document the process and include specific criteria for evaluating the risks and threats you’ve identified. Think about all the ways customer information could be exposed, misused, tampered with, or even destroyed. The goal is to be thorough and cover all possible scenarios.

It’s essential to remember that risks and threats are ever-changing. They constantly evolve, just like those pesky viruses. That’s why the FTC Safeguards Rule requires you to regularly reassess your risks. You should review your security measures periodically, especially when there are changes in your operations or when new threats emerge. Stay vigilant and adapt your security program to stay one step ahead of the malicious actors.

So, in a nutshell, this step is about taking stock of your information, analyzing the potential risks, and keeping an eye on any changes that may require adjustments to your security program. It’s all about staying proactive and protecting your customers’ information.

Tip: Companies like Iceberg Cyber do this for you with their ongoing cyber monitoring subscription for just $100/mo.

c.   Design and implement safeguards to control the risks identified through your risk assessment. Among other things, in designing your information security program, the Safeguards Rule requires your company to:

  • Control who has access: You need to determine who within your company has access to customer information. It’s important to regularly re-evaluate whether they still have a legitimate business need for that access. Keep track of who can view or handle sensitive data and ensure that access is granted only to those who require it.
  • Understand your information ecosystem: To establish effective security measures, you must have a clear understanding of your company’s information ecosystem. Conduct periodic inventories to identify where data is collected, stored, or transmitted. Maintain an accurate list of all systems, devices, platforms, and personnel involved. This knowledge will help you design safeguards that can respond with resilience.
  • Encrypt customer information: Protect customer information by encrypting it both within your system and when it’s being transmitted. Encryption makes the data unreadable to unauthorized individuals. If encryption is not feasible, work with the Qualified Individual overseeing your information security program to identify and implement alternative controls that provide effective security.
  • Assess your apps: If your company develops its own apps or uses third-party apps to store, access, or transmit customer information, it’s crucial to have procedures in place for evaluating their security. Regularly review and test the security measures of these applications to ensure they meet the necessary standards.
  • Implement multi-factor authentication: For anyone accessing customer information on your system, it’s recommended to implement multi-factor authentication. This means requiring at least two authentication factors, such as a password (knowledge factor), a token (possession factor), or biometric characteristics (inherence factor). However, if your Qualified Individual has approved in writing the use of another secure access control method, you may use that as an equivalent alternative.
  • Dispose of customer information securely: Dispose of customer information securely within two years after its last use. Exceptions can be made if you have a legitimate business need or legal requirement to retain the information or if targeted disposal is not feasible due to the way the information is maintained. Safely disposing of customer data helps prevent unauthorized access or misuse.
  • Anticipate and evaluate changes: Changes to your information system or network can create new security risks. When you make adjustments to accommodate new business processes, ensure that your safeguards adapt accordingly. Implement change management practices as an integral part of your information security program to address potential vulnerabilities.
  • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access: Implement procedures and controls to monitor authorized users’ activity when accessing customer information on your system. By maintaining logs and keeping an eye out for any unauthorized access attempts, you can quickly identify and respond to potential security breaches.
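The two-year disposal requirement above is the kind of safeguard that is easy to state and easy to let slip. The following is an added example, not code from the blog post or from Iceberg Cyber: it walks a constructed inventory of client records, flags those whose two-year window since last use has passed, and separates records that carry a documented retention reason (a legal hold or a longer statutory retention period, both assumed values here) from those that are due for disposal.

```python
"""Added example: find customer records past the Safeguards Rule's two-year
disposal window, honouring documented retention exceptions. Field names and
sample data are constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Record:
    record_id: str
    client: str
    last_used: date
    # Documented reason to keep the record past two years (legal hold,
    # statutory retention period, or "targeted disposal not feasible").
    retention_reason: Optional[str] = None


def two_years_after(d: date) -> date:
    """Date on which a record last used on `d` becomes due for disposal.
    A Feb 29 last-use date is rolled back to Feb 28 in the target year."""
    try:
        return d.replace(year=d.year + 2)
    except ValueError:
        return d.replace(year=d.year + 2, day=28)


def disposal_review(records: List[Record], as_of: date) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (dispose, retain): record ids due for disposal with no documented
    exception, and (id, reason) pairs that are past two years but retained."""
    dispose: List[str] = []
    retain: List[Tuple[str, str]] = []
    for r in records:
        if as_of < two_years_after(r.last_used):
            continue  # still inside the two-year window, nothing to do
        if r.retention_reason:
            retain.append((r.record_id, r.retention_reason))
        else:
            dispose.append(r.record_id)
    return dispose, retain


# Constructed inventory; the as-of date is the Rule's effective date.
SAMPLE_INVENTORY = [
    Record("R-001", "Client A", date(2021, 6, 9)),                # exactly two years: due
    Record("R-002", "Client B", date(2021, 6, 10)),               # one day short: keep
    Record("R-003", "Client C", date(2020, 2, 29), "7-year tax workpaper retention"),
    Record("R-004", "Client D", date(2022, 1, 15)),               # recent: keep
    Record("R-005", "Client A", date(2019, 12, 31), "litigation hold"),
]

if __name__ == "__main__":
    due, held = disposal_review(SAMPLE_INVENTORY, date(2023, 6, 9))
    print("Due for disposal:", due)
    print("Retained with documented reason:", held)
```

Write the review's output into your program documentation each time it runs; the Rule expects the disposal decision and its exceptions to be recorded, not just performed.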

d.   Regularly monitor and test the effectiveness of your safeguards. Test your procedures for detecting actual and attempted attacks. For information systems, testing can be accomplished through continuous monitoring of your system. If you don’t implement that, you must conduct annual penetration testing, as well as periodic vulnerability assessments, including system-wide scans every quarter designed to test for publicly known security vulnerabilities. In addition, test whenever there are material changes to your operations or business arrangements and whenever there are circumstances you know or have reason to know may have a material impact on your information security program.


e.   Train your staff.  A financial institution’s information security program is only as effective as its least vigilant staff member. That said, employees trained to spot risks can multiply the program’s impact. Provide your people with security awareness training and schedule regular refreshers. Insist on specialized training for employees, affiliates, or service providers with hands-on responsibility for carrying out your information security program and verify that they’re keeping their ear to the ground for the latest word on emerging threats and countermeasures.

f.    Monitor your service providers. Select service providers with the skills and experience to maintain appropriate safeguards. Your contracts must spell out your security expectations, build in ways to monitor your service provider’s work, and provide for periodic reassessments of their suitability for the job.

g.   Keep your information security program current. The only constant in information security is change – changes to your operations, changes based on what you learn during risk assessments, changes due to emerging threats, changes in personnel, and changes necessitated by other circumstances you know or have reason to know may have a material impact on your information security program. The best programs are flexible enough to accommodate periodic modifications.

h.   Create a written incident response plan. Every business needs a “What if?” response and recovery plan in place in case it experiences what the Rule calls a security event – an episode resulting in unauthorized access to or misuse of information stored on your system or maintained in physical form. 

Section 314.4(h) of the Safeguards Rule specifies what your response plan must cover:

  • The goals of your plan;
  • The internal processes your company will activate in response to a security event;
  • Clear roles, responsibilities, and levels of decision-making authority;
  • Communications and information sharing both inside and outside your company;
  • A process to fix any identified weaknesses in your systems and controls;
  • Procedures for documenting and reporting security events and your company’s response; and
  • A post-mortem of what happened and a revision of your incident response plan and information security program based on what you learned.

i.    Require your Qualified Individual to report to your Board of Directors. Your Qualified Individual must report in writing regularly – and at least annually – to your Board of Directors or governing body. If your company doesn’t have a Board or its equivalent, the report must go to a senior officer responsible for your information security program. What should the report address? First, it must include an overall assessment of your company’s compliance with its information security program. In addition, it must cover specific topics related to the program – for example, risk assessment, risk management and control decisions, service provider arrangements, test results, security events and how management responded, and recommendations for changes in the information security program.


Do You Need More Help Complying with the FTC Safeguards Rule?

A great place to start when it comes to learning more information about the FTC Safeguards Rules for accounting firms is the FTC website itself. 

They spell things out pretty clearly over on this page here.

Additionally, companies like Iceberg Cyber are helping companies like yours become FTC-compliant by handling most of the things on your list for you. 

They’ll continuously monitor your business data for cyber attacks and breaches, send you monthly reports (which you can share with relevant stakeholders), and put together a security program document for you to show the FTC should they ever come knocking. 

The good news is that it’s only $100/mo!

You can learn more about what they do over on icebergcyber.com and get in touch with them here.

Until next time!
