six steps to battle cybersecurity risks

what cost or time investment would you pay to protect your firm and your clients?

by donny shimamoto
cybersecurity for accountants

when it comes to cybersecurity, one risk aspect to consider is whether or not the steps you’ve taken to protect clients’ pii will stand up in court in the event of litigation related to a data breach or damages to a client because of a cybersecurity issue caused by your firm. during litigation, opposing counsel will often bring in cybersecurity experts to describe cybersecurity best practices—which are often a higher level of controls than just compliance.

more: understanding the full cost of a data breachthe 7 categories of of cybersecurity solutions firms needfuture firm growth requires a mindshift | donny shimamoto explains how ‘agile’ applies to cpa firms | ai, ocr, nlp & cpas: oh my!   |  accounting nerds, unlock your super powers  | early adopters gain an edge in audit | dustin wheeler: for serious cas success, hire tech teams | csr for cpas: the missing ingredient | donny shimamoto explains how ‘agile’ applies to cpa firmsstaff retention for remote workers | why the future is in risk advisory |  ready for non-cpa “cpa” firms?
goprocpa.com exclusively for pro members. log in here or 2022世界杯足球排名 today.

be sure to consult with both your cybersecurity advisor and legal counsel to determine which controls you may still want to implement even if you qualify for some of the exemptions. many controls, like the ones identified in the ftc exception, do not cost much to implement and can demonstrate that you still fulfilled your professional obligation to protect clients’ data—reducing your litigation risk.

your responsibilities and obligations as a tax practitioner can be overwhelming because of all the complexities and jargon, as well as the risks and technologies in the cybersecurity space. however, hopefully these guidelines will help you feel a little more comfortable discussing cybersecurity with your it service provider or cybersecurity advisor.

ensure that you understand your cybersecurity risk posture and that you’ve met the compliance requirements. you can do this by following this action plan:

  1. determine if you have an it security policy
    • if you have a policy, check whether it addresses both the irs and ftc requirements
    • if you don’t have a policy, obtain a template and personalize it for your firm.
      • if you’re an aicpa tax section member, the aicpa provides a free gramm-leach-bliley act information security plan.
      • the center for accounting transformation also has a low-cost plan template available for purchase that is mapped to the cybersecurity solutions described in the previous section. learn more about this template here: https://link.improvetheworld.net/cyberfortaxplantemplate.
  1. conduct or update your cybersecurity risk assessment
  1. determine your compliance gap
    • once you have an understanding of your policy and technical controls, determine if you meet the minimum requirements described by the irs and ftc. identify areas where you may need to implement additional policies, procedures, or solutions to become compliant.
  1. determine your risk tolerance gap.
    • keep in mind that the irs and ftc requirements are minimum requirements. you may want to be more proactive to prevent a malware attack and the potential disruption that it would cause. work with your cybersecurity advisory to identify areas where a more proactive approach may be cost-effective.
  1. implement/change solutions.
    • implement new solutions or change/upgrade solution configurations to fill the gaps that you’ve identified above.
  1. monitor solution effectiveness.
    • just as keeping vigilance when you’re in a physically unsafe part of town is an ongoing activity, cybersecurity vigilance isn’t a one-time activity. you (or someone you trust) must monitor notifications and respond appropriately when needed.

the above should be done at least annually, with the exception of monitoring solution effectiveness, which is done on an on-going basis. the first time you go through this process can be a bit of a bear and it may require some upfront investment, but maintaining your policy, undergoing risk assessment, and fixing gaps are usually much easier and less costly in subsequent years.

just as you can’t do anything to help clients minimize tax liabilities if they don’t proactively let you know before they enter into transactions, you should be proactive in managing your cybersecurity risks before an incident occurs. this minimizes the disruption that it can cause to your practice and can enable you to sleep better at night knowing that your clients’ pii and your firm’s operations are protected.