What CPAs Need To Do To Protect Themselves In 2023

by David Rose | February 20, 2023

In our previous blog, we discussed the changes to the Federal Trade Commission’s (FTC) guidelines for certified public accountants (CPAs) and other non-banking financial institutions. As a reminder, these entities are required to comply with the “Safeguards Rule” by June 9th, 2023. In this blog, we go into further detail and provide a step-by-step guide to complying with each of the 9 requirements outlined by the FTC.

9 Elements Your Information Security Program Must Include:

1. Designating a qualified individual to implement and supervise the program.

  1. This person can be an in-house employee or an outside agency, such as a cyber security company like Rosects.com. However, it’s important to note that if you use an outside agency, they must also have a security program in place. Additionally, the individual does not need a specific title, but they should be prepared to implement a program tailored to your company’s specific needs.

2. Conducting a thorough risk assessment.

  1. A risk assessment is a comprehensive evaluation of potential vulnerabilities within your organization, including identifying areas that require attention with regard to data, technologies, and procedures. It is worth noting that organizations responsible for managing fewer than 5,000 consumer records may be exempt from this requirement.

3. Designing and implementing safeguards to control the risks identified through your risk assessment. This includes:

  1. Implementing and periodically reviewing access controls to understand which users have access to what data.
  2. Maintaining a comprehensive understanding of your company’s data landscape, including information, systems, devices and platforms.
  3. Encrypting customer information both on your system and during transit.
  4. Assessing and implementing security measures for all apps in use, including proprietary and third-party apps.
  5. Implementing multi-factor authentication for anyone accessing customer information on your system, as per the Safeguards Rule.
  6. Securely disposing of customer information not in use for two years, unless there is a legitimate business need or legal requirement.
  7. Anticipating and evaluating changes to your information system or network, and adjusting safeguards accordingly.
  8. Maintaining a log of authorized users’ activity and monitoring for unauthorized access attempts.

Schedule a security consultation with Rose CTS today to get started on your risk assessment.

4. Regularly evaluating the effectiveness of your safeguards through various means such as penetration testing (also known as a Pen Test), which simulates an attack to test your response and identify vulnerabilities. These tests should be conducted at least once a year, or whenever your system undergoes changes that may introduce new vulnerabilities. Additionally, conduct regular vulnerability scans every six months. An alternative option is to implement continuous monitoring of your information systems, if feasible for your organization.

5. Properly training your staff on information security measures. The human element is often considered one of the most vulnerable components in an information security program. Ensure that all staff, particularly non-IT staff, are knowledgeable in basic cyber security principles and techniques for avoiding cyber attacks. Partner with a reputable cyber security company to provide training and evaluate staff knowledge through methods such as phishing tests.

6. Monitoring service providers to ensure that they are implementing appropriate information security measures.

  1. Service providers are also responsible for protecting the information they handle on behalf of your organization.
  2. Establish expectations for information security in contracts with these providers and establish methods for ongoing monitoring and assessment of their security strategies.

7. Maintaining the currency of your information security program by regularly reviewing and updating it in response to new discoveries, emerging threats, changes in your business, and findings from risk assessments and security tests. Ensure that the program is adaptable to changing circumstances, including new technology and new hires.

8. Developing a comprehensive written incident response plan that outlines the steps to be taken in the event of a cyber attack or other emergency that threatens the security of your data. This plan should be reviewed and updated regularly, particularly when changes are made to your technology or new staff members are hired. According to the Safeguards Rule, the written incident response plan should cover the following:

– The goals of the plan.
– Internal processes to be activated in response to a security event.
– Clearly defined roles, responsibilities, and levels of decision-making authority within the organization.
– Procedures for communicating and sharing information both internally and externally.
– Processes for identifying and remedying any weaknesses in systems and controls.
– Procedures for documenting and reporting security events and the organization’s response.
– A post-incident review and revisions to the incident response plan and overall information security program based on the learnings.

It’s important to note that having an incident response plan in place and regularly testing it can help an organization respond effectively and efficiently to a security incident, which can minimize damage and reduce recovery time. For more information on developing a written incident response plan, visit Rose CTS.

9. It is important for a company to have a designated “qualified individual” in charge of their security measures. This individual should be responsible for submitting a written report to the company’s Board of Directors at least once a year. In the event that a company does not have a Board of Directors, the report should be submitted to a “senior officer responsible for the information security program”. The report should provide an overview of the company’s compliance with their information security program. Additionally, it should include information on:

  1. Risk assessment,
  2. Risk management and control decisions,
  3. Service provider arrangements,
  4. Test results,
  5. Any new security events (such as attempted attacks), and
  6. Their response, as well as any recommendations for changes to the security program.

By regularly reviewing and updating their security measures, a company can ensure the protection of their sensitive information.


Rose Computer Technology Services has 25 years of experience in keeping businesses safe, specializing in security for CPAs and Tax Accountants. We take a security-first approach and have received the CompTIA Security Trustmark+ from CompTIA, the association for the world’s information technology (IT) industry. We are also dedicated to our community, as evidenced by our receipt of the 2022 Citizens Bank Small Business Community Champion award and our commitment to community service as shown on their website.
