Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Hey, everyone. Welcome to episode three of Cash in the Cyber Sheets. Happy to have you all back.
I'm your host, James Bowers, Chief Security and Compliance Architect here at Input Output. And today we're doing a few different things. One, actually trying to record the podcast as we're doing it.
And really the idea there is to help reduce as much of the pre- and post-production stuff (that's the technical term, "stuff") that goes into putting the podcast together. Because man, it takes a lot of work just to get all the pieces together. So we're going to do as much as we can to reduce it.
And I'm not sure if we're going to keep the format where we do the recording, but we'll see how it goes maybe over a couple of episodes. It does make me realize that I need to get some Cash in the Cyber Sheets swag. I don't have any shirts.
I don't have any hats yet. Right now I'm just wearing my Bahamas hat. Actually get a lot of compliments on it.
I'm not sure if you have some of those clothes, shirts, shoes, whatever. But when you go out, people just always say things about it. For me, it's this hat, which is interesting because it's covering up all of my graying and thinning hair.
So I'm not sure how to take it that I get so many compliments with it. But I'll take them. Sometimes you just need the win.
So today I wanted to go into everything that's against small businesses. Really, what it is that made me put Input Output together, that makes me do all the things that I do. And over the past couple of weeks, I've been doing some great work with the... Let me look at the book.
Yeah. Donald Miller, Building a Story Brand. Phenomenal book.
Really walks you through all of the different aspects of putting a story together for your brand and really talking about what it is that you do and helping to convey that to people. And that's something that at Input Output, we've had a lot of problems with. I say we, and I say we because it's me and I don't want to just say it's just me having the problem.
We sounds a little bit less hurtful. But honestly, even my wife, who has been with me for a very long time now, stood by me since we created the business in 2018, she even has a hard time describing exactly what it is that we do at Input Output, which is troubling because if she's been around me for so many years, God knows what clients think.
I know what they think. They don't even, it doesn't even register. And that's too much noise.
And I'm just not going to pay attention to that. So over the years, we've had a lot of times where after talking with partners, after talking at networking groups or with other colleagues about what we do, finally, it clicks somewhere and we get the, oh, that's what you do. I actually have somebody that I could send to you.
So that really is a failure on our part. In using that story brand book to really help describe exactly what it is we do, and also get down to the WIIFM, the "what's in it for me" from the client or from the prospect side, which really is all that matters. So if you've never taken a look at that book or never done anything like that on the marketing side, I would highly advise you to.
And it's daunting trying to get everything that you do into a concise statement, or to really hit the point that should matter to somebody, because it's easy to stay at the top level. Well, I do compliance and we give policies and procedures, but who really cares about that? What's it matter? So it's been a little bit of a journey, but really getting into it and dissecting all of this, getting to the actual point I was starting at. And what we're going to talk about today is, it really all comes down to wanting to protect businesses, especially small business, from all the crap that's coming their way.
It's just becoming too difficult to do business. And I'm not wearing a tin hat today and I'm not exactly going to go down that road. But if you look at everything collectively, it feels like the pieces are getting stacked intentionally against small businesses, with all the different regulations and all the different rules and all the different stepping stones that they need to do, that, by the way, don't apply to big business, just small business, and all these things that they have to do.
And then on top of that, if you're not in this really looking at it, you won't notice. It sounds good on the outside that, oh, okay, well now everybody's protecting information. But on the inside, you realize how many penalties there are, serious penalties, for not doing some of these things. In some cases, up to 10 years in prison for not running your business according to the regulations.
And what's even more bonkers is some of these, they're not even telling people about on their website. They say that we're doing an extensive marketing and communication program to make sure everybody knows. And practically everybody that we talk to has no idea about it.
But regardless, whether it's intentional or not, it's just domino pieces getting put all around businesses. And it needs to be like a full-time job focusing on these things just to get to the point that you can then start selling your widgets or selling your service. It shouldn't be that difficult for small businesses to do business, to set up the company they want to, to provide the service that they want, to support their family and build the lifestyle that they're looking for.
It's the American dream and there's just all these dominoes against it. So I want to dive into that. That's what we're going to talk about today.
And before we get into it, I have to say this every time: whatever you're listening on, please hit that subscribe button, Google Play, Apple Podcasts, subscribe. We want to get the new episodes out to you. Leave us some feedback, some comments. Maybe you have; I haven't been religious in looking at those yet.
I'm getting better. I promise. But leave the comments.
I'd love to hear from you, what we can do better, what we can talk about. And on our side, the WIIFM, we'll get back to it. That also helps us get in front of a lot more people.
So for all the subscribes already, the four of you out there that are listening to us, really great to have you back. Thank you. And go tell some friends.
So let's get into all the things that are against small businesses. And this is going to be really just a little microcosm.
It's not going to be everything, because there's too much to get into everything. So we're just going to talk about it a little bit.
So let's assume that we're talking about a business based in Florida. They only work with Florida residents, because that's going to make a big difference: where your clients are, what states they're residents of, not where your butt's at, where it rests every night.
But we're going to assume for this little discussion that it's just a Florida-based company with just Florida-based clients. And we'll say it's a tax preparer or CPA, even a bookkeeper, somebody dealing with money, helping with financial transactions. And let's go through all the different things that they need to make sure they're doing and how that could just absolutely go sideways for them if they don't do it.
So one of the major things: if you're doing anything with money, if you're supporting a financial transaction, the moving of money, the moving of property, of anything of the sort, you fall under the FTC Safeguards Rule. Now, this is really an expansion to the GLBA, the Gramm-Leach-Bliley Act. It did have a provision in there about information security, protecting the privacy of your financial clients.
And it had a very descriptive one-line sentence in that entire statute, entire regulation, that said you have to have reasonable measures to protect information. Well, that says a lot. So coming into the FTC Safeguards Rule, that actually expands it and gives very much more precise guidance.
So the things in there are: you have to designate a qualified individual to oversee your information security program. You have to develop an information security program utilizing a risk-based approach. You also need to implement appropriate security controls; that's technical, like malware protection, encryption; there's physical, locked doors preventing access; administrative, letting people know acceptable use and unacceptable use.
You need to regularly monitor and review and test the effectiveness of your information security program. So you have to have an audit program in place. You have to implement policies and procedures and make sure they're approved.
So easily stated, you have to have a written information security policy. All of those documents have to be written down and approved and disseminated to everybody in the company so they understand what they're supposed to do. You have to appropriately manage service providers.
So regardless of the regulation framework that you're looking at, supplier management, supply chain management, has become a massive, massive focus. Really all from 2020, from around COVID, when everything just fell apart, it became a very big focus to make sure not just the suppliers we're working with, but all the way down the chain: are we going to be able to provide our service? Are we going to be able to support the people that we need to support? And not just to look at, well, I could get my raw materials from just another one of the four providers out there. Well, that may be the case, but those four providers all might get their raw materials from the same distributor.
So if that one distributor goes out, now you don't have access. That's kind of the idea there. You also, under the FTC Safeguards Rule, need to continually improve your information security program.
So that ties in with that whole audit process: audit, remediate, improve. You have to establish an incident response plan. So this is another major one that a lot of frameworks are wanting to get in place; it's actually the catalyst for a lot of frameworks.
It's one of the driving forces that developed the FTC Safeguards Rule, which is weird because they have exemptions for this part of it. Maybe we'll get into that later or some other time, but you need to have an incident response plan. It needs to be written, and go over how you're going to identify incidents, how you're going to engage, how you're going to contain, remediate, and recover from those.
And also, how are you going to notify the affected parties? We also need to provide a written performance report to senior management, basically a management review. And I don't know why a lot of companies, a lot of businesses, really balk at this one. It's really just a performance report.
Hey, here's where we're at with the information security program. Here's some things we could do better. How do we want to move forward? I mean, that also really kind of ties into budgeting, just here's what we need money for or we don't need this much money.
So that one is definitely not as arduous as a lot of people make it out to be. Maybe it doesn't seem so difficult on our side because we've got an easy templated process to state all those things, but I don't know. That's kind of a sideways thought, just something that comes up a lot.
So who are some of the different companies that fall under FTC Safeguards? Well, easily stated, it's any company that performs or supports a financial transaction. And that seems pretty broad because it is, and it covers a lot. So definitely CPAs, tax preparers, bookkeepers.
It also affects mortgage lenders, payday lenders, finance companies, mortgage brokers, check cashers, those performing wire transfers, travel agencies that have connected financial services. So if you're just advising on how to do your travel, being that type of agent, you wouldn't necessarily fall under it, but it's a very easy step to where, if there's any type of association with the financial services side of it, now you fall under FTC Safeguards. Collection agencies; for those of you that have those out there, I'm sorry to hear that you have those.
For everybody else, you're probably happy to know that they get a little bit more red tape. Credit counselors and other financial advisors. We went over this one, tax preparation firms, non-federally insured credit unions, and entities acting as finders.
That seems a little bit of a weird statement. This is actually pulling it right from the FTC Safeguards statute, 16 CFR section 314.1(b). I don't know that off the top of my head. I mean, some of these I do, but it's actually right there on my screen.
The entities acting as finders is interesting because that actually pulls in real estate agents. They're supporting the financial transaction of the real estate transfer, of the real estate purchase and sale, so they fall under it. A big one that's gotten hit and almost created a cottage industry of everybody going after them is auto dealerships.
Well, if they do any type of financing, if they do any type of credit, now they're identified as a non-banking financial institution. They're supporting the transfer of some sort of financial asset, so they fall under it. Interestingly, a lot of dealerships don't want to do anything with it.
Not calling anybody out, it's just they've got so much on their plate already that this definitely gets backburnered. So I'm just curious as to how much marketing is going to these dealerships and these controllers that just don't want to hear it. I'd be interested to know the real payoff there.
But that's a lot for a company to have to manage. So here we are. I'm wanting to start up my little CPA firm or I've had it going for quite a while now.
We've got three, four, maybe five employees. We serve a good part of the community. And now I've got to create an entire written information security policy.
Where do I start with that? You can go online, you can get some templates, but what's bonkers is even a lot of those that you download, when you download them, it says "put your policy here." That's not helpful. And that's what a lot of the guidance is around these things.
So that's really where we come in. We provide the whole template and the structure on the Input Output side. Why we put that together? Because it's so difficult.
But here I am, the CPA of this small family firm, and now I've got to put together an entire information security program. All right. Well, before I can even, not can, before I should even start servicing any clients, before I should start trying to make any money, I need to now figure out how to put together an information security program.
Then once I do that, and as part of that, I need to identify all the different appropriate security controls that need to be in place. So now as a CPA, I've also got to be a compliance officer and understand all the information security compliance side of things. I've got to be, I guess, an IT slash cybersecurity professional to be able to identify what controls, or I need to pay somebody to do this for me.
I also need to create the audit program, not so much, but then appropriately manage my service providers. All right. I need to create that risk-based approach, whatever that is.
I'm not sure what's acceptable, but now I need to be a risk manager, a risk consultant, as part of everything just to run my little small business. And this isn't even touching on the fact that I'm also wearing the hat of the janitor, of the plumber, of the electrician up to a certain degree, the chief marketing officer, the CFO, all of these hats. Now there's like four or five more that I need to put on that, for all intents and purposes, have no real solid guidance out there.
Just, you got to do these things. And what happens if I don't? With just the FTC, my business can be fined up to $100,000 per incident, but that's not all. I can also, as a senior manager, and all the senior managers in the company, get hit with a personal $10,000 fine.
And if the situation is egregious enough, or I've been shown to be grossly negligent, it could actually result in up to five years in prison. And this is serious. This has actually happened on the HIPAA side with OCR, where the practitioner of the practice, they just didn't put anything in place.
They themselves weren't doing anything malicious, but they didn't put an information security program in place. They didn't have an audit procedure, which is all part of HIPAA. We won't get into HIPAA today, but there's a lot of similarities between HIPAA and the FTC Safeguards Rule.
FTC actually takes a lot of guidance from HIPAA. But that practitioner didn't put anything in place. They weren't being malicious, but their employees were embezzling funds and stealing from their patients.
So when the OCR, the Office for Civil Rights, came in (they're the ones that manage HIPAA, enforce it), they looked at that practitioner and said, you weren't doing what you were supposed to do. HIPAA, a federal law, states that you need to have an information security program. And had you done that, had you performed your audits, you would have seen what these people were doing and been able to contain it.
You had been able to prevent it from becoming such a major issue. And because you didn't, that is grossly negligent, we're going to put you in prison. And here this almost 80-year-old practitioner had to serve some time in jail, actual years in jail, because of this.
Now, I'm not making the argument that people shouldn't put programs in place. My point is that it's just heapings of extra stuff on the plate of business owners to take care of. And the idea that, well, you could just pay somebody to take care of it.
Well, how many other professionals do I need to pay? How much money do I need to put out just to get my company rolling? So here we are with this little community CPA office struggling to take care of our family. We wanted to be able to have some time to take our kids to soccer practice, to be able to see them at their baseball games, to go to their school events. We wanted to be able to support a few of our employees to do the same, and then also provide good service to our community.
And here we have now, just with the FTC, we'll say $110,000 in fines, because if I'm a small community practitioner, fines to the business are fines to me. So $110,000 and five years in prison, just as a stark cloud kind of circling there. And maybe it's far out.
Maybe a lot of you look at it and say, that's a very low likelihood. Fair enough, but it's there. So as this Florida-based CPA, what else do I need to take care of? Well, if I accept credit cards, then I have to adhere to PCI, the Payment Card Industry Data Security Standard, PCI DSS.
This could actually be its own podcast all on its own. It probably will be one day. But PCI, in a nutshell, is: all the payment card companies, MasterCard, Visa, Discover, Amex, all of those, created all these rules for how you need to process, how you need to protect, how you need to transmit cardholder information.
That's it in a nutshell. Protect cardholder information. That's understandable.
It should be done. If you don't comply with PCI, one, you can lose your ability to ever accept credit cards. The payment card industry can say, you're not doing what you're supposed to do.
You're not holding your end of the bargain that you actually sign when you do those merchant agreements. You're not holding your end of the bargain, so you can't process our cards. So that could be a major hit to a business.
It would definitely be a major hit to ours. Noncompliance with it, though, can result in, it's a small little spread, anywhere between $5,000 and $100,000 per month of noncompliance. And what are the things that you need to do with PCI? At a high level, there's 12 overarching requirements.
I want to try and buzz through these because I don't want to just keep reading lists to you, but you need to install and maintain security controls, apply secure configurations; that ties in with my FTC. I need to protect stored account data, protect cardholder data with strong encryption. I need to protect all systems from malicious software, AV and some other things.
I need to, if I'm doing development, have really an SDLC, a secure development lifecycle, so I can develop and maintain secure systems and software, make sure the software I'm putting out there isn't leaking stuff out. I need to restrict access to components based on a need to know, which is really, that should be part of any security program, identity and access management. Only the people that need access should have access.
I need to identify and track all of the users that have access, that are authenticated; restrict physical access, which goes back to controls. I need to log and monitor all the system activity. I need to test these activities, so I need to have a vulnerability management process in place, and I need to support information security with organizational policies and programs, so I need to have a written information security program.
So a lot of overlap there between FTC Safeguards and PCI. There's going to be some additional controls on the PCI side, a little bit different, that have more of a cardholder, card management flavor to them, but generally the same structure. This actually reminds me, on the FTC Safeguards, there is, in the auditing of the technical control side, you actually need to do two vulnerability assessments a year, roughly every six months, and one penetration test.
There's not super amounts of guidance on the difference there, but essentially the vulnerability assessments are like running some scans; the penetration test is where you actually pay a company to try and run exploits, to try and break into your systems. Just for knowledge, even a small one of those can easily be $5,000 to $10,000, with an average one being $15,000 to $40,000, so not an inexpensive requirement there. And same thing on the PCI side.
Not inexpensive requirements that the small, community-based, family-owned CPA now has to take care of, or be able to do the dance enough to understand how they can structure everything so that's not specifically a requirement, but that really takes some know-how, and at the very least, it takes dedicated attention away from the business, and now just focusing on these things. So there's PCI, if I want to be able to do credit cards. So now FTC, $110,000 worth of fines, five years of prison looming out there; I've also got $5,000 to $100,000 a month worth of fines circling out there too with PCI.
Well, since I'm in Florida, all states have their own flavor, but Florida has FIPA, the Florida Information Protection Act. And long story short with this one, this is really geared more towards notifying individuals if their data's been compromised. It provides rules there.
Basically, if somebody's data gets compromised, you have to notify them within a certain amount of time, and you have to notify the state attorney general within so much time. I think it's 45 days. I'd have to double-check that.
There's always so many little if-thens, but roughly it's like 45 days that you have to do your notifications. And if you don't, that can be up to $500,000 in fines plus $1,000 a day until you have satisfied any of the discrepancies that they identify. So FIPA requires reasonable measures, quote-unquote "reasonable measures."
That's not a lot of guidance. What I tell clients, what we talk them through, is if we stick to a framework, say like FTC, even PCI, or use something else out there, ISO 27001, NIST CSF, any of those, we stick to those, that's a pretty good litmus test for reasonable measures. That would be hard for an auditor, hard for an attorney if there was some sort of litigious situation, to say I wasn't doing what I should have been doing.
Well, I was going by global standards. I was going by US standards. What else would you like me to do? So, reasonable measures: if I'm the CPA firm and I'm doing the FTC Safeguards, I'm probably good under that.
But in my incident response program, I need to make sure that I've identified when I need to do my notifications. Otherwise, I could get slapped with this. So here we are, CPA, family-owned, family-supporting, community-focused, with $110,000, five years in prison, five, now we'll say six to $101,000... I'm sorry, I'm doing that wrong.
PCI is per month. $5,000 to $100,000 a month in fines, plus another $1,000 a day for noncompliance. And here's something I haven't been able to figure out the answer on.
I don't know what your experience has been with dealing with different government agencies like the DMV, but they were depicted as sloths in, well, now I can't think of the movie, but in that cartoon for a reason. They don't exactly move quick. So is this $1,000 per day until I fix it and say, hey, I got it fixed, stop the clock, come check me? Or is it $1,000 a day until I get it fixed, I say, hey, I've got it fixed, I need you to come check.
And their first availability is four weeks from now. Is my $1,000 still clicking? Is that how that works? I'm not sure. I haven't been able to find the answer on that.
If you know, I would love some links to it, some information; put that in the comments, shoot it over to us. But I have a feeling it's until they can verify that it's been fixed, which definitely ups the ante. So we're the small firm.
Here's now another one that I need to make sure I comply with: the FinCEN beneficial ownership information. Now, this has had an extensive communication program to make sure that everybody knows about it.
So if you haven't heard anything about it yet, don't worry. You're like 95% of the people that we talked to that have gotten zero information about this. The FinCEN business ownership information is part of the Corporate Transparency Act to help fight financial crimes.
What it means is that as a business owner, if I have certain percentages of ownership in any type of entity, not just a business, this could be a trust as well, a real estate trust; if I have any type of ownership at a certain level, I need to register my information in the financial crimes database so that government, financial institutions, and law enforcement can access it. I need to register the information that is essentially already on Sunbiz and already with my financial institutions and put it into this whole other financial crimes database that is most definitely going to be fully secured and never get breached.
And if I don't, that can be $500 a day for non-compliance, plus, on the criminal side, a $10,000 fine to each of the beneficial owners and two years in prison. Now, to be compliant with this, if you opened a company prior to 2024, you have until January of 2025 to get your information in. You can just go to the link; just Google "FinCEN BOI," F-I-N-C-E-N B-O-I, and you'll be able to quickly find where you need to do the reporting.
We'll also get some links set up. If you set up a company, a new entity, sorry, not a company, a new entity, within 2024, this year, you have 90 days to register. And after January 2025, if you create a new entity in 2025 or beyond, you have 30 days to register.
Otherwise, you could have these $500 a day of non-compliance and up to two years in prison. Okay, so real quick correction. In the original recording here in this spot, we talked about how FinCEN has in fine print that you can actually have no less than $250,000 in fines and up to five years in prison, or no less than $500,000 in fines and up to 10 years in prison, if your violation coincides with violating another U.S. law.
The language there is very, very weird. But the short of it is that that actually relates to the use of the FinCEN database, not business owners actually filing. And another quick correction is it's not $500 a day that business owners could get hit with.
It could actually be $591 a day. They just updated that. Not really sure where the $91 comes from.
But as far as business owners go that aren't utilizing information from the FinCEN database, it can be $591 per day for non-compliance and up to two years in prison. So wanted to make that quick correction. Back to the regular show.
So here's where it really, really bothers me, where I really feel like the cards and the chess pieces are just being stacked in the wrong way against business owners. I'm this small CPA firm. I shouldn't say small.
I'm this boutique. Boutique is better. That's serving my community.
I've got four or five employees under me that I'm trying to help keep everything running so I don't let them down. And to be able to support my family and also be able to actually enjoy the best years with them, which is why I created the company. Here I am trying to keep all of this together with everything else that I've got to do.
And if I don't follow something with the FTC Safeguards Rule, well, that could turn into $100,000 against my business for FTC. That could also relate to, since FTC and PCI are so related, penalties of $100,000 a month with PCI. And even if we do the lowest amount, we'll say $5,000 a month.
And we're not even going to assume we had a data breach. So there would be no reason for the FIPA $500,000. But then FinCEN identifies that we didn't register correctly.
Okay, again, quick correction. FinCEN, as it looks, won't actually nail businesses for the $250,000 and five years or $500,000 and 10 years. That's for the use of the FinCEN database.
If that's used improperly. For business owners, it's $591 a day and up to two years in prison. So I could easily be looking at $600,000 in fines, $610,000 in fines, and perhaps up to 10 years in prison for just not correctly managing my information security program. And listen, I'm all security and compliance.
It's what I do every day. But that is absolutely ridiculous. Ridiculous.
And my fear is, at its best, the FinCEN on its own is not doing anything. It is very easy to create other entities. It is very easy to create synthetic IDs to sidestep all of these things that FinCEN says that it's trying to resolve, that I could still do all of my nefarious things, that I could still do all of my crimes.
So it's not going to affect me as a bad actor. But it's just putting ticking time bombs under every small business owner and essentially putting them in a minefield that they've got to try and walk through just to get to the point to where they can start struggling to make their business work. That's why we put together everything that we did, the full information security program, the guidance, to be able to help businesses quickly get through this, to protect themselves, and to get down to business.
I could talk about this a lot more, but I think you see where this is going and how crazy this is. And at its best, you're in a minefield. Anything beyond that and it starts turning into a weaponization.
What if now you're somehow targeted? It would be very easy, just like the myriad of IRS rules, to catch somebody in one of these things and shut their business down. And it's these things that close 60% of businesses within six months of having a data breach. It's not the data breach.
It's all of the regulations, all of the other companies and regulatory bodies coming after the company for their piece of the pie. I don't think that's right. I think that's ridiculous.
We'll continue talking about it. We'll talk about other ways to battle it, but definitely make sure you get your FinCEN BOI all filled out. Happy to connect with you and talk about that.
But that's about all the time we have for today. So thanks for listening to us here on Cash in the Cyber Sheets. Please don't forget to hit that subscribe button.
Leave us some reviews. Give us some comments. Let me know some things you'd like to hear about.
Happy to put them on. And also always happy if you have a business yourself to have you on and talk about your experience with some of these things, what you're doing. So we'll see you next Thursday, 10 a.m. Same place.
Thanks for listening and have a great day.