Is your business compliant with the FTC’s new guidelines? Are you a CPA, Tax preparer, or car dealership? If you are, you are subject to the new safeguards, and should be compliant by June of this year.
The Standards for Safeguarding Customer Information – (shortened to “Safeguards Rule”)– aims to ensure that financial institutions protect their consumer information from cyber threats and other potential security hazards.
In this case, “customer information” means “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.” Affected institutions will need a written information security plan that covers all of the rules’ requirements.
The rule applies to all non-banking financial institutions subject to the FTC’s jurisdiction, including CPAs, tax accountants, and Auto Dealerships, who will be required to keep their customers’ data safe with a comprehensive security program.
While the safeguards rule was established in 2003, it was amended in 2021 to better fit the modern threat landscape. This means that even if you were previously covered, there is a good chance you aren’t any longer. The deadline for compliance was recently extended by 6 months, meaning that CPAs have until June 9, 2023 to ensure that they are compliant with the Safeguards rule.
What does the safeguards rule mean for CPAs?
The Safeguards Rule requires non-banking financial institutions to create, implement, and maintain a carefully thought out and comprehensive plan for information security, with the goal of keeping their customer information as secure as possible.
The new FTC guidelines apply not only to your own customers’ personal information, but also to the data that any other financial institutions have shared with you. It should include administrative, technical, and physical safeguards In short- develop an information security program, and begin sooner rather than later.
What does a compliant information security plan look like?
Your plan should be written, comprehensive, and meet the 9 requirements of the rule. Its contents will depend somewhat on the needs of your business, its scope and size, and the type of data that you are responsible for. The goals of this plan are that customer data will be:
– Kept secure and confidential
– Protected from potential hazard and threats to its security
– Protected from unauthorized access, resulting in harm or inconvenience to the consumers.
Specifically, the safeguards rule includes 9 essential steps that financial institutions must take to protect themselves in order to ensure compliance, which we’ll be diving deeper into in our next blog, so stay tuned. Here’s a brief overview of what your plan will need in order to be compliant with the new FTC guidelines:
- Designate a Qualified Individual to implement and supervise your company’s information security program.
- Conduct a risk assessment.
- Design and implement safeguards to control the risks identified through your risk assessment. Including:
- – Implement and periodically review access controls.
- – Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted.
- – Encrypt customer information on your system and when it’s in transit, or secure it by using effective alternative controls approved by the Qualified Individual who supervises your information security program.
- – implement procedures for evaluating the security of your company’s proprietary apps.
- – Implement multi-factor authentication for anyone accessing customer information on your system.
- – Dispose of customer information securely after 2 years.
- – Anticipate and evaluate changes to your information system or network.
- – Maintain a log of authorized users’ activity and keep an eye out for unauthorized access..
- Regularly monitor and test the effectiveness of your safeguards.
- Train your staff.
- Monitor your service providers and vendors using these same guidelines.
- Keep your information security program current.
- Create a written incident response plan
- Require your Qualified Individual to report to your Board of Directors.
Getting Started With Help From Rose Computers
Many businesses have reported issues in obtaining and upgrading their technology to comply with the new regulations, hence the deadline extension. There is also a shortage of personnel available to make the required updates. That’s where we can help.
Rose Computers has been keeping businesses safe for 25 years, and specializes in cyber security for CPAs and tax accountants
It’s important not to wait until the last minute to begin your path to compliance, as there is likely to be a bottleneck of increased demand as we draw nearer to the June deadline. There is already a shortage of personnel available to conduct the necessary changes (hence the updated deadline).
Rose CTS can help you understand where your business currently stands and exactly what you need to do to be compliant. We can also help you with each of the necessary steps you need to take, such as your comprehensive risk assessment. Finally, we can provide ongoing support for your cyber security program.
We use a security first approach: https://rosects.com/security-first/ and are the only Vermont company to have received the CompTIA Security Trustmark+ from CompTIA, the association for the world’s information technology (IT) industry. We have also received the 2022 Small Business Community Champion award from Citizens Bank, in recognition of businesses that serve their communities.
Contact us today to get started!