Why You Need To Be Speaking With CPAs About Their Cybersecurity

It’s May … a month has passed since tax season ended and CPAs are returning from vacation, preparing to get back into the swing of things. On their dockets are items they put off because they had to focus on taxes — a huge chunk of their revenue. Among a few of those things are audits, marketing, administrative tasks, IT, catching up on emails, and planning for the next round of returns due in September.

Wait, did I just mention IT? Yes, I did. One of the major things CPAs address over the summer is IT and, this year, cybersecurity should be on their minds.

Why? Multiple reasons. For one, a major vendor of theirs was hacked so awareness is heightened around that incident but, more importantly, the IRS is making a big push for it.

In an email dated March 27^th (and some as far back as September of 2018), the IRS has been reminding CPAs that a security plan is not optional. Heavy penalties can be levied, including the risk of a Federal Trade Commission Investigation if a plan is missing or not being followed. Sadly, the majority of closely held CPA firms are ill-prepared to fulfill any of these requirements.

To help them, the IRS has prepared Publication 4557, a surprisingly easy-to-read document outlining basic requirements that are flexible enough so that companies can implement safeguards that are reasonable for their own circumstances.

While the document is easy to read, CPAs may not necessarily be qualified to implement these safeguards and that’s where we, their trusted IT advisors, come into play. Let’s take a look at some of the recommendations and what we can do to help them create and execute a plan.

1. Assign a champion. CPAs understand they hold some of the most private and sensitive information about their clients, so the standards should be high when building the plan. In order to be successful doing this, someone at the firm must take ownership of the process and responsibility for the firm's adherence as time goes on. Without an internal champion this compliance will be an exercise in futility.
2. Perform a risk assessment. The first step in addressing cybersecurity is always to assess the risks. There are plenty of templates and examples of risk assessments available — choose one and stick with it. This should be completed in a collaborative manner.
3. Implement protections. Once the risk assessment is completed and we know the risks and what needs to be protected, a sensible number of protections should be implemented. They may include security monitoring, next-gen antivirus, improved firewalls, backups and disaster recovery planning, security training, two-factor authentication, and the removal of some conveniences such as remote access, if appropriate. Again, this is not prescriptive but should instead be derived from the results of the risk assessment.
4. Ongoing evaluation. On a regular basis, meet and discuss the plan. When anything changes on the network, a new risk assessment should be performed, in addition to an annual one. As a part of the ongoing evaluation, the new protections and controls should be tested to ensure they are functioning — this can be flexible according to the size and scope of the firm but should at least include an internal and external vulnerability scan.

A word of warning: You should be doing this at your own MSP. The IRS and FTC are advising CPAs to “select service providers that can maintain appropriate safeguards” and “when signing a contract with a service provider, the [firm] should make sure the contract requires the provider to maintain safeguards and oversee their [own] handling of customer information.” Yes, you read that right: CPAs are being advised to put us under the microscope, too, so do not get caught with your pants down!

Finally, when CPAs get back to their busy seasons, don’t forget to market to mortgage brokers, payday lenders, nonbank lenders, personal property or real estate appraisers, professional title service firms, and others who fall under the FTC’s “financial institution” definition. They have the same requirements and, and by then, you should have plenty of practice performing the assessments and running through the plan!