To make it easy:
Accountant Compliance Made Easy: FTC Safeguards Rule Checklist
In today’s digital age, protecting sensitive customer information is of utmost importance. The Federal Trade Commission (FTC) Safeguards Rule outlines standards for companies to follow in safeguarding consumer information. One of the key requirements of the Safeguards Rule is to evaluate and adjust the information security program (ISP) in response to changes in technology, the sensitivity of customer information, and internal or external threats.
The Safeguards Rule, also known as the Standards for Safeguarding Customer Information, was introduced in 2003 by the FTC to protect consumers’ personal and financial information held by financial institutions. It was later revamped and made a requirement in 2023, and the deadline for compliance is now June 9, 2023. All accountants must adhere to this deadline and the new requirements. The rule requires companies to develop, implement, and maintain a comprehensive information security program (ISP) that includes administrative, technical, and physical safeguards.
Under the Safeguards Rule, companies must evaluate their information security program regularly to identify vulnerabilities, assess the effectiveness of existing safeguards, and make necessary adjustments to the program. This evaluation should take into account changes in technology, the sensitivity of customer information, and internal or external threats.
Changes in Technology
Technology is constantly evolving, and so are the risks associated with it. As new technologies emerge, so do new vulnerabilities and threats to consumer information. For instance, the proliferation of mobile devices and the use of cloud computing have created new challenges for companies in safeguarding sensitive customer data. As such, companies need to regularly evaluate their information security program to identify potential risks and implement appropriate safeguards.
In response to changes in technology, companies may need to update their information security policies and procedures to address new risks. For instance, if a company adopts a new technology that involves the collection and storage of sensitive customer information, it should ensure that the technology is properly secured and that all employees are trained on how to use it safely. Similarly, if a company uses third-party vendors to process or store customer information, it should regularly assess the security practices of these vendors to ensure that they are adequately protecting customer data.
The Sensitivity of Customer Information
Not all customer information is created equal. Some types of information, such as social security numbers, financial account numbers, and medical records, are more sensitive and require stronger safeguards. Companies must evaluate the sensitivity of the customer information they collect and store and implement appropriate safeguards based on that sensitivity.
For instance, if a company collects and stores social security numbers, it should implement stronger security measures, such as encryption, to protect that information. Additionally, if a company’s risk assessment reveals that certain types of customer information are particularly vulnerable to a specific type of attack, such as phishing, it should take steps to mitigate that risk, such as implementing stronger authentication measures or conducting employee training on how to identify and avoid phishing attacks.
Internal or External Threats
Threats to customer information can come from both internal and external sources. Internal threats include employees who intentionally or unintentionally compromise customer information, while external threats include hackers, cybercriminals, and other bad actors who seek to steal or misuse customer information.
To protect against internal threats, companies should implement strict access controls and monitoring measures to ensure that only authorized employees have access to sensitive customer information. Additionally, companies should conduct regular employee training on information security best practices, such as password hygiene and safe browsing habits.
To protect against external threats, companies should implement a range of technical safeguards, such as firewalls, intrusion detection and prevention systems, and encryption. Additionally, companies should conduct regular vulnerability assessments and penetration testing to identify and address potential vulnerabilities in their information security program.
Audits in Place
With technology changing rapidly, it will be important for accounting firms to keep checks and balances in place through audits. Having an outside organization look at what you have in place through audits like SOC will help position you to cover your blind spots. You don’t know what you don’t know, and if you’re not a cyber security expert, you may have vulnerabilities you are not even aware of.
Conduct regular training and awareness sessions for employees so they can recognize what phishing is, what a virus is, and how to keep them out in the first place. An ounce of prevention is worth more than a pound of remediation. This could not be more true in cyber security. Prices vary, but employee training alone, at perhaps $100/mo, seems well worth it to prevent thousands of dollars in losses from a one-time mistake. Think of all the insurance that is purchased and never used; this is far more relevant and proactive. 92% of malware comes from the inbox and poorly trained employees.
The FTC Safeguards Rule is a critical tool for protecting sensitive customer information. Accountants must develop, implement, and maintain a comprehensive information security program (ISP) that includes administrative, technical, and physical safeguards. Additionally, companies must regularly evaluate and adjust their information security program in response to changes in technology, the sensitivity of customer information, and internal or external threats.
We have a guide to help with compliance as this is just one of the nine requirements.
Excerpts Taken From Our Comprehensive Guide:
Accountant Compliance Made Easy: FTC Safeguards Checklist
Evaluate and Adjust Security Program
- FTC References Requirement Testing & Monitoring Effectiveness
- Take the assessment and modify
- Last Assessment Performed (Date) ______________________
- Assessment Evaluation (Frequency) _____________________
- Modification Execution (Frequency) _____________________
- Identify Material Changes to Company Since Last Assessment
- FTC References Requirement 2 for addressing risk assessment
- What material impact does the risk assessment list?
- What needs to change as a result of the findings in the new risk assessment?