June 9 is the deadline for all accountants to comply with some of the updated cybersecurity-related requirements of the FTC Safeguards Rule.
If you are wondering if these rules apply to you in your accounting, bookkeeping, consulting or ProAdvisor practice, you need to know exactly how the FTC interprets your business.
First, the Safeguards Rule applies to all financial institutions subject to the FTC's jurisdiction that are not subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 USC § 6805.
You might think your practice, especially if you are a sole practitioner, isn't a financial institution. You might even interpret that term as meaning banks, savings and loans, or credit-card companies. But don't be fooled by this big-government terminology.
According to Section 314.1(b), an entity (of any size) is a financial institution if it is engaged in any activity that is financial in nature.
Do you plan on challenging the US Government's position that accounting, bookkeeping, consulting (business or financial), or ProAdvising is 'financial in nature'?
I don't think you'll go to court unless you are there as a defendant because the FTC has levied fines or brought charges against you for violating the Safeguards Rule.
It looks like you pretty much need to comply.
Not all of the FTC Safeguards Rule is due for compliance by June 9, 2023, but there are a few key provisions you need to be compliant with by that deadline.
Most of these make perfect sense in light of today's ever-increasing cybercrime.
The June 9 deadline requirements include the following, which are not necessarily presented in the same order the FTC documents them:
- Designate a qualified individual to oversee your information security program either within the organization or outside of it (under the supervision of someone inside the organization).
- Prepare a written assessment of your cyber risks, preventive procedures and current response capabilities in order to identify deficiencies.
- Provide policies and mechanisms to limit and monitor who can access sensitive customer information.
- Encrypt all financial information, including sensitive customer information.
- Implement mandatory multi-factor authentication (requiring at least two factors), or an equivalent level of protection, for every individual accessing financial data, including sensitive customer information.
- Develop an incident response plan that meets the Safeguards Rule standards, including, but not limited to, plan goals, internal processes for activating a security response, roles and responsibilities of personnel including decision-makers, a policy for information sharing inside and outside your organization, weakness identification, procedures to document and report cyber events, and mandatory post-event review and analysis.
- Train all personnel in proper cybersecurity awareness and response. Make all cybersecurity training mandatory (including for all new personnel), with re-training on at least an annual basis. In addition, consider response-related training involving a simulated cyber event as part of annual training.
- Periodically assess the security practices of all service providers. Any service provider acting as a resource storing critical data on your behalf should meet SOC 2 and ISO 27001 security (protection) standards.
You will find the official standards from the FTC, which provide significantly more information, HERE.
Insightful Accountant has also arranged for you to receive a free guide from Tech 4 Accountants to help you with the process of FTC Safeguards Rule compliance. You can download the free guide HERE.