Simplifying Compliance for Accounting Firms

Firms must develop, implement, and maintain a documented Information Security Program. This program should be comprehensive, include administrative, technical, and physical safeguards, and be easily accessible to authorized personnel. The WISP should clearly outline policies and procedures designed to protect customer data and address both current and future risks.

A specific person must be appointed to oversee the Information Security Program. This individual is responsible for implementing, managing, and regularly updating the program. They will also act as the primary point of contact for security-related matters and ensure compliance with the FTC Safeguards Rule requirements.

Firms are required to perform regular, written risk assessments to identify and evaluate potential risks and threats to customer information. These assessments should consider external threats (e.g., cyberattacks) and internal vulnerabilities (e.g., outdated software or insufficient employee training) and provide clear recommendations for addressing these risks.

Based on the findings of the risk assessment, firms must implement appropriate safeguards to mitigate identified risks. These safeguards should include technical solutions (e.g., firewalls and intrusion detection systems), physical protections (e.g., locked file cabinets and secure office spaces), and administrative measures (e.g., employee training on security best practices).

Firms must determine who has access to customer information and ensure access is granted on a need-to-know basis. Access controls should include password protection, user authentication, and role-based permissions. Firms are also required to periodically review access rights and revoke unnecessary access to reduce risks.

Customer data must be encrypted during transmission and while at rest. Encryption ensures that even if data is intercepted or accessed by unauthorized parties, it cannot be read or used without the encryption key. This is a critical measure to protect sensitive information.

Firms must evaluate the security of both in-house and third-party applications that handle customer information. This includes ensuring that applications are regularly patched, updated, and configured securely. Vendors providing third-party applications should also meet security and compliance requirements.

Multi-Factor Authentication adds an extra layer of security by requiring users to verify their identity through multiple methods (e.g., a password and a one-time code sent to their phone). This requirement applies to all systems where customer information is accessed to prevent unauthorized access.

Firms must securely dispose of customer information that is no longer needed. Data should be deleted or destroyed in a way that ensures it cannot be reconstructed. The FTC Safeguards Rule specifies that data no longer in use must be securely disposed of within two years of its last use unless otherwise required by law.

Firms must create a detailed, written plan for responding to security incidents, such as data breaches or cyberattacks. The plan should include steps for identifying the incident, containing the threat, assessing the impact, notifying affected parties, and documenting the response for future improvements.