IRS and FTC Cybersecurity Expectations of Tax Practitioners

Your tools for a cybersecurity compliance check-up.

By Donny Shimamoto
Cybersecurity for Accountants

In August 2019, the IRS published its list of “Security Six” steps to protect taxpayer information.[i] These describe the six “basic protections” that it expects tax preparers to have in place.


These include:

  1. Anti-virus software – to scan computers for malicious software. The IRS also recommends keeping it up to date, since threats evolve daily.
  2. Firewalls – to protect both computers and networks from malicious or unnecessary web traffic.
  3. Two-factor authentication (2FA) – also known as multi-factor authentication (MFA). This provides an extra layer of protection beyond a password, usually in the form of an additional security code sent to a user’s personal device or email.
  4. Backup software or services – this doesn’t prevent a data breach so much as help in the event of a ransomware attack, so that you can still get to your files without paying the ransom.
  5. Drive encryption – this protects the data on the device itself, especially in the event that the device is lost or stolen.
  6. Virtual private network (VPN) – since many tax firms’ employees must occasionally connect to unknown networks or work from home, the IRS recommends that firms enable them to connect to the office using a VPN, which provides a secure, encrypted tunnel for data transmitted over the internet between a remote user and the firm’s office network.
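As an added example (not from the article), the script below gives a quick local check-up against the Security Six on a Windows 10/11 workstation. It assumes Microsoft Defender, Windows Firewall and BitLocker are the tools in use and that it runs in an elevated PowerShell session; 2FA and backups are enforced outside the workstation, so they are listed as manual items rather than checked.

```powershell
# Added example (not the article's own code): local check-up of the IRS "Security Six".
# Assumes Windows 10/11 with Microsoft Defender, Windows Firewall and BitLocker, run as admin.
$results = @()

# 1. Anti-virus: enabled, real-time protection on, signatures updated within the last 7 days
$mp = Get-MpComputerStatus
$sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
$results += [pscustomobject]@{
    Control = '1. Anti-virus'
    Pass    = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and $sigAge.Days -le 7
    Detail  = "Signatures last updated $($mp.AntivirusSignatureLastUpdated)"
}

# 2. Firewall: every profile (Domain, Private, Public) must be enabled
$fw = Get-NetFirewallProfile
$results += [pscustomobject]@{
    Control = '2. Firewall'
    Pass    = @($fw | Where-Object { -not $_.Enabled }).Count -eq 0
    Detail  = ($fw | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ', '
}

# 3. 2FA/MFA is enforced at the identity provider or tax software, not visible on the PC
$results += [pscustomobject]@{ Control = '3. 2FA/MFA'; Pass = $null; Detail = 'Verify in your identity / tax software admin console' }

# 4. Backups: confirm the last successful job and a test restore in your backup product
$results += [pscustomobject]@{ Control = '4. Backups'; Pass = $null; Detail = 'Verify last successful backup and test a restore' }

# 5. Drive encryption: the OS volume must be fully encrypted with protection switched on
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$results += [pscustomobject]@{
    Control = '5. Drive encryption'
    Pass    = ($os.ProtectionStatus -eq 'On') -and ($os.VolumeStatus -eq 'FullyEncrypted')
    Detail  = "$($os.MountPoint) $($os.VolumeStatus), protection $($os.ProtectionStatus)"
}

# 6. VPN: at least one VPN profile configured for connecting back to the office network
$vpn = @(Get-VpnConnection -ErrorAction SilentlyContinue)
$vpnDetail = if ($vpn.Count -gt 0) { $vpn.Name -join ', ' } else { 'No VPN profile configured' }
$results += [pscustomobject]@{
    Control = '6. VPN'
    Pass    = $vpn.Count -gt 0
    Detail  = $vpnDetail
}

# A $null in Pass means "check manually"; False means the basic protection is missing
$results | Format-Table -AutoSize
```

Run it on each workstation that touches client data; a False or a stale signature date is the item to fix first, and the two manual rows still need evidence from the systems that enforce them.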

The key word above, though, is “basic.” These are all pretty basic protections, and most of the firms that I’ve talked with already have these in place. So, if you read the above and your response was, “Yep, I’m doing all this,” don’t get a false sense of security.

The better guidance to look at to understand the IRS’s expectations is IRS Publication 4557: Safeguarding Taxpayer Data. You can find it at https://www.irs.gov/pub/irs-pdf/p4557.pdf. This publication provides a much more comprehensive picture of what the IRS expects, and it aligns much better with what I would expect to see in place as an IT auditor. Our team’s analysis of this publication identified approximately 80 individual compliance requirements.

Want to see if you have addressed all the areas in Publication 4557? Take the Cybersecurity Compliance Self-Assessment for Tax Practitioners.

The original FTC Safeguards Rule was put in place under the Gramm-Leach-Bliley Act (GLBA). One misleading aspect of this rule is that, on a quick read, it says it applies to “financial institutions,” which makes it sound like it applies only to banks and insurance companies. However, two of the activities included in the description of “financial institution” covered activities end up pulling tax and accounting firms into this definition:

  • Businesses printing and selling checks on behalf of customers, or wiring money
  • Income tax return preparers

The second one makes it very clear that tax preparers are included in this definition, and many firms that also do bookkeeping for their clients may be wiring money for them to process payments, so it may not just be your tax preparers that are subject to this but your outsourced accounting team too.

According to the accounting firm CliftonLarsonAllen[ii], organizations classified as “financial institutions” must implement the following security practices, and then review and periodically update formal policies and procedures, including:

  • Designating a qualified individual to oversee the information security program
  • Developing, implementing, and maintaining a written information security program
  • Completing a written information security risk assessment
  • Designing and implementing safeguards to control the risks you identify through the risk assessment
  • Establishing continuous monitoring of information systems
  • Engaging third-party penetration testing and vulnerability assessments
  • Conducting security awareness training
  • Assessing third-party service providers periodically
  • Establishing a written information security incident response program
  • Providing the board or respective group with a written report periodically, and at least annually, from the qualified individual

Specific control requirements regarding the implementation of safeguards include:

  • Implementing and reviewing access controls
  • Inventorying the systems that handle customer information
  • Identifying and managing data based on risk
  • Encrypting data both in transit and at rest
  • Securing software development practices
  • Requiring the use of multi-factor authentication for those accessing the information systems
  • Establishing secure procedures for disposing of data
  • Developing change management procedures
  • Implementing logging and monitoring procedures

These requirements were originally slated to go into effect on December 9, 2022, but the FTC has since delayed the effective date of the updated rule until June 9, 2023. However, this doesn’t mean that you should delay addressing these changes. Note that a lot of the above controls and cybersecurity program elements are not simple things to just put in place. They require formalizing cybersecurity activities by writing policies and procedures and also documenting the execution of control activities.

These are also not things that you can just outsource to your IT service provider—many of them require coordination and oversight of an IT service provider, and the FTC specifically says this must be done by a “qualified individual”—someone who is familiar with the requirements and understands the safeguards that are put in place.

[i] IRS Tax Tip 2019-117, “Tax pros: Follow the ‘Security Six’ steps to help protect taxpayer data,” August 27, 2019, https://www.irs.gov/newsroom/tax-pros-follow-the-security-six-steps-to-help-protect-taxpayer-data
[ii] CliftonLarsonAllen, “FTC GLBA Safeguards Rule Compliance,” April 27, 2022, https://www.claconnect.com/en/resources/articles/2022/ftc-glba-safeguards-rule-compliance