In the digital age, data security is a crucial issue for any business that handles sensitive information, especially financial services institutions such as accounting firms and CPAs. Data breaches can result in severe consequences, such as reputational damage, legal liability, regulatory fines, and loss of customer trust. Therefore, CPAs need to comply with the relevant laws and regulations that govern the protection of customer data, such as the Gramm-Leach-Bliley Act (GLBA) and its Safeguards Rule. The Safeguards Rule requires CPAs to develop, implement, and maintain a written information security plan that describes how they will safeguard and protect their clients’ nonpublic personal information from unauthorized access, use, or disclosure.
Designated Individual in Charge
One of the changes in the revised Safeguards Rule is that CPAs must designate a qualified individual to be responsible for overseeing, implementing, and enforcing the information security program. This individual should be an information security professional whose qualifications are appropriate to the firm’s size and complexity. The designated individual should have the authority and resources to carry out the information security plan, and should report to senior management on the status and effectiveness of the plan.
Risk Assessment and Mitigation
Another change in the revised Safeguards Rule is that CPAs must conduct a written risk assessment of their information systems, and include specific criteria in their assessment, such as:
- Evaluation and categorization of identified security risks
- Assessment of the information system and customer information, within the context of identified risks
- Mitigation of identified risks, based on the risk assessment
The risk assessment should be periodically re-examined to determine its reasonableness and adequacy. Based on the risk assessment, CPAs should design and implement safeguards to control the risks identified, such as:
- Verifying who has access to information systems, including technical and physical controls, to both authenticate and limit access
- Identifying and managing all data, personnel, devices, systems, and facilities
- Encrypting customer information at rest or in transit
- Employing multifactor authentication to access any information system
Monitoring and Testing
The revised Safeguards Rule also requires CPAs to monitor, test, and evaluate the effectiveness of their safeguards on a regular basis, and to adjust their information security plan accordingly. CPAs should use various methods to monitor and test their safeguards, such as:
- Conducting internal and external audits
- Performing vulnerability and penetration tests
- Reviewing network activity and security logs
- Implementing incident response and recovery plans
Training and Oversight
The revised Safeguards Rule also emphasizes the importance of training and oversight for CPAs and their employees, contractors, and service providers who have access to customer information. CPAs should provide regular training and education to their staff on the information security plan and the best practices for data security. CPAs should also oversee and verify that their contractors and service providers comply with the information security plan and the applicable laws and regulations. CPAs should establish contracts and agreements with their contractors and service providers that specify their data security obligations and responsibilities, and that allow CPAs to monitor and audit their performance.
Frequently Asked Questions
1: What is the GLBA and the Safeguards Rule?
A: The GLBA is a federal law that regulates nonbanking financial institutions in the United States, such as accounting firms and CPAs. The GLBA mandates that these institutions take affirmative steps to protect the privacy and security of their customers’ personal information. The Safeguards Rule is a regulation under the GLBA that requires these institutions to develop, implement, and maintain a written information security plan that describes how they will safeguard and protect their customers’ nonpublic personal information.
2: What is the Safeguards Rule and how does it affect CPAs?
A: The Safeguards Rule is a federal regulation that requires financial institutions, including CPAs, to develop, implement, and maintain a written information security plan to protect their clients’ nonpublic personal information. The rule was updated in 2022 to reflect the changes in technology and cyber threats.
3: Who is responsible for overseeing and enforcing the information security plan in a CPA firm?
A: The revised Safeguards Rule requires that firms designate a qualified individual to be in charge of the information security program. This person should be an information security professional whose qualifications are appropriate for the firm’s size and complexity.
Conclusion
Data security is a vital issue for CPAs and their clients, and they need to comply with the GLBA and the Safeguards Rule, which are federal laws and regulations that govern the protection of customer data. As a CPA, you know how important it is to protect your clients’ sensitive financial data from cyber threats. But do you have the right technology and security measures in place to comply with the Safeguards Rule and other regulations? If you are not sure, or if you want to improve your data security, you need Uprite IT Services. Uprite IT Services is a leading IT service provider that specializes in data backup and disaster recovery solutions for CPAs and other financial professionals.