Imagine your CPA getting hacked and suddenly all of your data is for sale on the Dark Web.
Someone opens a credit card in your name, your bank accounts are emptied, and when you file your taxes you get a notice from the IRS that their records show you have already filed.
Well, guess what: this and a lot more could happen to you!
The IRS has been pushing CPAs to get their data secured for months now, but have they?
In an email dated March 27th (and in others as far back as September 2018), the IRS has been reminding CPAs that a security plan is not optional. Heavy penalties can be levied, including the risk of a Federal Trade Commission investigation, if a plan is missing or not being followed.
Sadly, the majority of closely held CPA firms are ill-prepared to fulfill any of these requirements.
To help them, the IRS has prepared Publication 4557, a surprisingly easy-to-read document outlining basic requirements that are flexible enough for firms to implement safeguards reasonable for their own circumstances.
While the document is easy to read, CPAs are not necessarily qualified to implement these safeguards.
Let’s take a look at some of the guidelines established by the IRS.
Assign a champion.
CPAs understand they hold some of the most private and sensitive information about their clients, so the standards should be high when building the plan. To succeed, someone at the firm must take ownership of the process and responsibility for the firm's adherence as time goes on. Without an internal champion, this compliance effort will be an exercise in futility.
Perform a risk assessment.
The first step in addressing cybersecurity is always to assess the risks. There are plenty of templates and examples of risk assessments available — choose one and stick with it. The assessment should be completed collaboratively.
Once the risk assessment is completed and you know the risks and what needs to be protected, a sensible set of protections should be implemented. They may include security monitoring, next-gen antivirus, improved firewalls, backups and disaster recovery planning, security training, two-factor authentication, and the removal of some conveniences such as remote access, if appropriate.
The specific protections are not mandated by the IRS; the steps taken should be determined by the assessment and by ongoing evaluations. Whenever anything changes on the network, a new assessment should be performed, in addition to conducting a fresh one every year.
As part of the ongoing evaluation, the new protections and controls should be tested to ensure they are functioning as planned, and systems should be updated as needed.
It’s time to tell your CPA that if they don’t secure your data according to IRS Publication 4557, you’ll take your business elsewhere.
Published by Angel R. Rojas, Jr.