Top 13 Mistakes CPA Firms Make with Their FTC Safeguards Rule Information Security Program
Sep 26, 2024
Introduction
As cybersecurity threats continue to rise, CPA firms and covered financial institutions are responsible for protecting their clients’ sensitive financial information. The FTC Safeguards Rule aims to ensure that financial institutions, including CPA firms, implement comprehensive safeguards to protect personally identifiable financial information (PIFI). Despite this clear mandate, many firms fail to fully comply with the requirements, exposing themselves to potential fines, lawsuits, and even criminal penalties.
This article identifies and explores the 13 most common mistakes CPA firms make when trying to comply with the FTC Safeguards Rule. By understanding these issues and learning how to avoid them, your firm can ensure it stays compliant and better protects client data.
What is the FTC Safeguards Rule?
The FTC Safeguards Rule is a critical component of the Gramm-Leach-Bliley Act (GLBA). It requires financial institutions, including CPA firms, to develop, implement, and maintain a Written Information Security Plan (WISP). This plan must be tailored to the size, scope, and complexity of the firm, outlining how the firm will protect client data from unauthorized access or misuse. The rule applies to various entities, including finance companies and financial advisors.
The core goal of the Safeguards Rule is to ensure that companies are proactive about preventing security incidents that could compromise client information. This requires the implementation of reasonable administrative, technical, and physical safeguards to protect client data from a wide range of threats.
FTC Safeguards Rule Requirements
To comply with the FTC Safeguards Rule and the standards for safeguarding customer information, CPA firms must meet several core requirements. These requirements provide a comprehensive framework for securing sensitive data and ensuring compliance. The main components include:
- Designate a Qualified Individual: The firm must appoint someone responsible for overseeing and implementing the security program.
- Develop Your Information Security Program Using a Risk-Based Approach: Firms must identify internal and external risks to the security, confidentiality, and integrity of client information.
- Develop a WISP - Written Information Security Program Policy: Firms must ensure they have policies and procedures in place designed to protect customer information and meet compliance requirements.
- Implement Security Control Safeguards to Address Risks: Based on the risk assessment, firms must design and implement appropriate safeguards to control the risks identified.
- Oversee Service Providers: Ensure third-party providers that handle client information maintain appropriate safeguards.
- Regularly Monitor and Test the Effectiveness of Your Security Controls: Firms must regularly monitor and test the effectiveness of their safeguards.
- Continually Improve the Information Security Program: The security program should be periodically reviewed and updated to address changes in the firm’s business operations or risk environment.
- Provide Information Security Training to Personnel: Employees must be trained on how to implement and adhere to the firm’s information security practices.
- Establish, Document, & Test an Incident Response Plan: Firms must establish a plan to respond to and recover from security breaches or data incidents.
- Review the Performance of the Information Security Program with Top Management: The performance of the information security program, along with identified risks, must be reviewed with top management at least annually.
The Consequences of Non-Compliance
Non-compliance with the FTC Safeguards Rule can lead to severe consequences, including substantial fines and other penalties. The FTC can impose fines of up to $100,000 per violation, up to $10,000 against individual managers, and over $43,000 per day of continued non-compliance (after notification). In certain circumstances, management could face up to 5 years in prison.
Beyond financial penalties, non-compliance can damage a firm’s reputation and erode customer trust. A security breach can also lead to costly litigation and settlements, further straining the firm’s resources.
Financial institutions must also adhere to other regulations, such as the Gramm-Leach-Bliley Act (GLBA) and the Payment Card Industry Data Security Standard (PCI DSS). Failure to comply with these regulations can result in additional penalties and legal challenges.
The 13 Most Common Mistakes CPA Firms Make with Their FTC Safeguards Rule Information Security Program
Below, we’ll examine the 13 most common compliance mistakes CPA firms make, and for each, offer quick steps to help your firm avoid the issue.
1. Insufficient WISP (Written Information Security Policy)
A comprehensive Written Information Security Policy (WISP) is central to FTC Safeguards Rule compliance. Many CPA firms either don’t have a WISP in place or create a policy that lacks key details. A WISP should clearly outline how the firm will manage, protect, and secure client information.
Avoid this Issue - Quick Steps to Check:
- Review your WISP annually to ensure it is up to date with current laws and technology.
- Include all administrative, technical, and physical safeguards.
- Ensure the WISP is specific to your firm’s size, scope, and operations.
- Appoint someone responsible for reviewing and updating the WISP.
2. Inadequate Risk Assessments
Risk assessments are crucial for identifying vulnerabilities in a firm’s security posture. Failing to conduct adequate assessments often results in missing or inadequate safeguards for protecting client data.
Avoid this Issue - Quick Steps to Check:
- Conduct a risk assessment annually, or whenever there are significant business changes.
- Include a thorough evaluation of both internal and external threats.
- Document and prioritize risks based on their potential impact on client data.
- Use the results to implement or improve safeguards.
3. Inadequate Employee Information Security Training
CPA firms often overlook the importance of ongoing information security training for employees. Without proper training, employees may be unaware of cybersecurity risks or may not follow proper data handling procedures.
Avoid this Issue - Quick Steps to Check:
- Implement mandatory cybersecurity training for all staff, with updates at least annually.
- Provide specialized training for employees handling sensitive data.
- Test employees on their knowledge of security protocols.
- Send regular security reminders and updates about new threats, such as phishing attacks.
4. Poor Incident Response Planning & Management
Failing to prepare an incident response plan can severely hinder a firm’s ability to respond effectively to data breaches or security incidents. A poorly managed incident could worsen the impact of a breach and delay recovery efforts.
Avoid this Issue - Quick Steps to Check:
- Create a documented incident response plan outlining roles, responsibilities, and steps to take.
- Regularly test the incident response plan with simulated exercises.
- Appoint an incident response team responsible for managing breaches.
- Ensure the plan includes communication strategies for clients and stakeholders.
5. Inadequate Supplier Management & Assessments
Many CPA firms fail to ensure that their third-party vendors implement adequate safeguards. Without proper vendor management, firms risk non-compliance if a breach occurs through a supplier.
Avoid this Issue - Quick Steps to Check:
- Require all third-party vendors to have documented security practices.
- Conduct vendor risk assessments before onboarding and periodically thereafter.
- Establish clear security expectations in contracts with third-party suppliers.
- Review third-party compliance certifications, such as SOC 2 reports, annually.
6. Poor Auditing & Logging Capabilities and Practices
Auditing and logging are critical for detecting and responding to unauthorized access or data misuse. Many CPA firms fail to implement sufficient auditing processes or do not regularly review logs.
Avoid this Issue - Quick Steps to Check:
- Enable logging for all critical systems that store or process client data.
- Regularly review logs to detect anomalies or unauthorized access.
- Set up automated alerts for suspicious activities.
- Periodically audit access logs and compare them to user roles and responsibilities.
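The last two checks above, comparing access logs against assigned roles and alerting on suspicious activity, can be automated. The following is an added illustration, not code from the original article or from Input Output; it assumes a simple key=value log format and a role-to-permission map, both constructed here for the example.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample access log (not from any real system). The key=value
# layout is an assumption made for this example.
SAMPLE_LOG = """\
2024-09-10T09:14:05Z user=asmith role=tax_preparer action=read resource=client_returns result=success
2024-09-10T09:20:41Z user=bjones role=receptionist action=read resource=client_returns result=success
2024-09-10T23:02:17Z user=asmith role=tax_preparer action=export resource=client_returns result=success
2024-09-10T10:05:00Z user=cdoe role=admin action=read resource=audit_logs result=success
2024-09-10T10:06:01Z user=bjones role=receptionist action=login resource=portal result=failure
2024-09-10T10:06:09Z user=bjones role=receptionist action=login resource=portal result=failure
2024-09-10T10:06:15Z user=bjones role=receptionist action=login resource=portal result=failure
2024-09-10T10:06:22Z user=bjones role=receptionist action=login resource=portal result=failure
"""

# Assumed role-to-permission map: the (action, resource) pairs each role
# is expected to need. Anything successful outside this map is a finding.
ROLE_PERMISSIONS = {
    "tax_preparer": {("read", "client_returns"), ("login", "portal")},
    "receptionist": {("read", "appointments"), ("login", "portal")},
    "admin": {("read", "audit_logs"), ("login", "portal")},
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")

def parse_line(line):
    """Turn one log line into a dict of fields with a timezone-aware timestamp."""
    m = LINE_RE.match(line)
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    fields["ts"] = ts.replace(tzinfo=timezone.utc)
    return fields

def review_access_log(log_text, role_permissions, business_hours=(8, 18), failure_threshold=3):
    """Return (finding_type, user, action, resource) tuples for review."""
    findings = []
    login_failures = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        allowed = role_permissions.get(ev["role"], set())
        if ev["result"] == "success" and (ev["action"], ev["resource"]) not in allowed:
            findings.append(("outside_role", ev["user"], ev["action"], ev["resource"]))
        if ev["result"] == "success" and not (business_hours[0] <= ev["ts"].hour < business_hours[1]):
            findings.append(("after_hours", ev["user"], ev["action"], ev["resource"]))
        if ev["action"] == "login" and ev["result"] == "failure":
            login_failures[ev["user"]] += 1
            if login_failures[ev["user"]] == failure_threshold:
                findings.append(("repeated_login_failures", ev["user"], "login", ev["resource"]))
    return findings
```

Each finding is something a reviewer should reconcile against the user’s actual responsibilities; the permission map itself should be maintained alongside the WISP so the comparison stays current.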
7. Neglected Physical Security Controls
While CPA firms often focus on digital security, physical security measures are just as essential. Neglecting physical controls like secure access to offices or data storage areas can lead to unauthorized access to sensitive information.
Avoid this Issue - Quick Steps to Check:
- Install access control systems for office areas where sensitive information is stored.
- Use security cameras and locks for sensitive data storage rooms.
- Conduct regular physical security audits to identify vulnerabilities.
- Ensure that documents containing sensitive information are stored in locked cabinets.
8. Poor Backups - Lack of Adequate Backups
Inadequate backup strategies can lead to devastating data loss in the event of a breach, system failure, or ransomware attack. Many CPA firms either do not back up data frequently or fail to store backups securely.
Avoid this Issue - Quick Steps to Check:
- Implement automated daily backups for all critical systems and data.
- Store backups in a secure, offsite location or use encrypted cloud backups.
- Regularly review your backup procedures to ensure all necessary data is included.
- Verify that backups are encrypted to protect client data.
9. Not Testing Backups to Ensure Data Is Recoverable
Even with regular backups, failing to test data recoverability can lead to disaster during a crisis. Many CPA firms fail to test their backups, which could result in incomplete or unusable data when restoration is needed.
Avoid this Issue - Quick Steps to Check:
- Schedule regular (at least quarterly) tests of your backup restoration process.
- Confirm that all critical data can be restored successfully from backups.
- Document backup test results and resolve any issues immediately.
- Incorporate backup testing into your annual disaster recovery planning.
10. Poor Password Management
Weak passwords are one of the easiest entry points for cybercriminals. Many CPA firms lack proper password management policies, leading to the use of easily guessed or reused passwords.
Avoid this Issue - Quick Steps to Check:
- Enforce password complexity requirements (minimum length, upper/lower case, symbols, numbers).
- Implement mandatory password change intervals (e.g., every 90 days). Note that current NIST guidance (SP 800-63B) favors changing passwords when there is evidence of compromise rather than on a fixed schedule, so weigh this against your firm’s own risk assessment.
- Use a password management tool to generate and store strong, unique passwords.
- Require multi-factor authentication (MFA) for all system access.
11. Assuming IT or MSP Company Fully Manages Security & Compliance
Some CPA firms rely too heavily on their IT department or Managed Service Provider (MSP), assuming these entities fully handle security and compliance efforts. This misconception can leave gaps in your firm’s security posture.
Avoid this Issue - Quick Steps to Check:
- Regularly review your IT department’s or MSP’s security practices to ensure they meet FTC Safeguards Rule requirements.
- Stay involved in key security decisions, such as risk assessments and incident responses.
- Conduct independent audits of your IT department’s or MSP’s compliance with the Safeguards Rule.
- Ensure you retain ultimate accountability for compliance, even if outsourcing technical controls.
12. Not Using Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA) provides an extra layer of security by requiring additional verification beyond just a password. Despite its importance, many firms neglect to implement MFA across all systems that contain sensitive information.
Avoid this Issue - Quick Steps to Check:
- Enable MFA for all systems, especially those that store or process client financial information.
- Ensure MFA is required for remote access to firm systems.
- Regularly review MFA logs to ensure compliance across all employees.
- Consider using hardware tokens for especially sensitive systems.
13. Inadequate Data Classification & Handling
Failing to properly classify and handle data can lead to insufficient protection for sensitive information. Many CPA firms lack a structured approach to data classification, resulting in inconsistent application of security measures.
Avoid this Issue - Quick Steps to Check:
- Develop a data classification policy to categorize data based on its sensitivity.
- Apply different levels of security controls based on data classification (e.g., encryption for highly sensitive data).
- Train employees on how to properly handle and store data according to its classification.
- Regularly review and update your data classification scheme.
Reporting Security Events to the FTC
The Federal Trade Commission (FTC) mandates that financial institutions report certain security events to the Commission. A security event is the unauthorized acquisition of unencrypted customer information without the individual’s consent; the FTC treats such an acquisition as a notification event.
Financial institutions must report a notification event involving the information of 500 or more consumers to the FTC as soon as possible, and no later than 30 days after discovering it. The report to the FTC should include the name and contact information of the reporting financial institution, a description of the types of information involved, the date or date range of the event, the number of consumers affected or potentially affected, a general description of the event, and whether any law enforcement official has provided a written determination that public notification would impede a criminal investigation or harm national security.
The FTC allows financial institutions to delay or withhold notification at the request of a law enforcement agency. This delay can be extended for an additional 60 days if the law enforcement official requests it in writing. Further delays may be permitted if the FTC staff determines that public disclosure would continue to impede a criminal investigation or cause damage to national security.
The Role of the Information Security Program in Protecting Sensitive Data
An effective information security program is crucial for protecting sensitive data, including customer information. This program must ensure the security, confidentiality, and integrity of customer information through a combination of administrative, technical, and physical safeguards.
The program should be documented and tailored to the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the information it handles. A qualified individual must oversee the program, ensuring its proper implementation and supervision.
Key components of the information security program include conducting a risk assessment to identify potential threats to customer information and implementing measures to control these risks. This includes limiting and monitoring access to sensitive information, encrypting all sensitive data, training security personnel, and developing a robust incident response plan.
Implementing a Culture of Security Awareness
Creating a culture of security awareness is essential for protecting sensitive data, including customer information. This involves ensuring that all employees understand the importance of safeguarding customer information and actively participate in preventing security breaches.
Financial institutions should provide comprehensive training to employees on the importance of data security, including the FTC Safeguards Rule, the GLBA, and other relevant regulations. This training should cover best practices for data protection and the specific roles and responsibilities of employees in maintaining security.
Institutions must also implement clear policies and procedures to guide employees in protecting customer information. These should include measures such as limiting and monitoring access to sensitive data, encrypting all sensitive information, and developing a detailed incident response plan.
A culture of security awareness requires continuous monitoring and assessment of security practices to ensure their effectiveness. Regular risk assessments, penetration testing, and vulnerability assessments are crucial for identifying and addressing potential weaknesses in the security framework.
How Input Output Can Help
At Input Output, we understand the complexities of staying compliant with the FTC Safeguards Rule. Our FTC Safeguards Rule compliant information security program is designed to make compliance easier and more manageable for CPA firms and tax preparation firms. Our solutions include:
- A complete Written Information Security Policy (WISP) tailored to your firm.
- Detailed procedures, forms, and checklists to guide your compliance efforts.
- Walk-through workbooks that help your firm assess and document security risks.
- Tools and services that streamline data encryption, backups, and incident response.
By partnering with Input Output, CPA firms and tax preparation firms can ensure that they are fully compliant with the FTC Safeguards Rule while also protecting client data. We help reduce the administrative burden of compliance and offer peace of mind by providing end-to-end security solutions.
Conclusion
Complying with the FTC Safeguards Rule is essential for CPA firms that handle personally identifiable financial information. By understanding and addressing the 13 common mistakes outlined above, your firm can stay compliant and avoid costly penalties or breaches. Whether you’re refining your WISP, improving employee training, or managing third-party suppliers, each step toward stronger data security helps protect your clients and your business.
For CPA firms looking for additional support, Input Output offers a comprehensive information security program that ensures full compliance with the Safeguards Rule. Don’t leave your compliance to chance—take proactive steps to secure your firm’s future today.