Your average hacker isn’t looking to take down Goldman Sachs; most hackers are just looking for easy wins, and easy wins mostly require easy targets. Luckily for hackers everywhere, there are plenty of easy targets to choose from. CPA firms are particularly vulnerable, which is why the IRS released Publication 4557 to explain the legal requirements tax preparers are subject to and to offer guidance on how to become compliant.
When cyber attackers go after CPA firms, what they generally target is client financial data. The data itself is of course exploitable: with it, an attacker may gain access to bank accounts, social security numbers and other sensitive information. The data can also be held for ransom in a ransomware attack, which may be even more damaging for the firm.
In a ransomware attack, systems and/or data are encrypted or otherwise locked down by an attacker who demands a ransom for the decryption key, and who may also threaten to leak or destroy the data if it is not paid. This type of crippling attack can bring a firm to its knees, and the seasonal nature of the profession makes ransomware attacks particularly effective, since losing any time at all during tax season can spell doom.
The FTC Safeguards Rule requires that tax return preparers create and implement written security plans to protect client data. Non-compliant CPA firms may face investigations by the FTC. Of all the CPA firms Alliant Cybersecurity has engaged with, not a single one was fully compliant with the Safeguards Rule before engaging with us.
IRS Publication 4557 was released to raise awareness of cyber threats to CPA firms and to serve as a guide for tax return preparers who want some high-level direction on how to start becoming compliant. The majority of the publication, however, is centered on basic cyber best practices, including using security software, creating strong passwords, securing wireless networks and recognizing phishing emails. The fact that the IRS feels the need to spend the majority of 4557 explaining basic safety measures may be an indication of its lack of confidence in CPA firms’ ability to protect their clients.
FTC Safeguards Rule
The remainder of the publication addresses the FTC Safeguards Rule and even provides a loose checklist for compliance. The Safeguards Rule stems from the Gramm-Leach-Bliley Act, which requires financial institutions (a category the FTC reads to include tax return preparers) to ensure the security and confidentiality of consumer information. The main directive of the Safeguards Rule is for companies to develop a written information security plan.
Information security plans under the rule must include the following:
- Design, implement and monitor a safeguards program;
- Designate an employee or employees to manage the information security program;
- Identify and assess the risks to protected customer data and evaluate the effectiveness of current safeguards;
- Evaluate and adjust the safeguards program based on relevant circumstances; and
- Select appropriate service providers.
Publication 4557 also includes a Safeguards Rule checklist provided by the FTC. To be clear, checking all the boxes does not necessarily mean your firm is compliant. The checklist is simply meant as a guide and covers three main priorities.
The checklist is 50 items long and may be overwhelming for the uninitiated to go through. The task may be especially daunting for busy CPAs. CPA firms can become compliant, and make themselves safer, by selecting an appropriate cybersecurity service provider to address the Safeguards Rule.