Report the overall status of the information security program and your compliance with the Safeguards Rule
One of the key requirements of the FTC Safeguards Rule is that accountants must receive, at least annually, a report on the current status of their information security program (ISP).
The report should cover internal risks, such as employees, contractors, and anyone else with access to information who could leak it. It also needs to cover external factors, such as hackers, DDoS attacks, and server outages: events that are usually outside of your control when they happen, along with what you can do to mitigate them so that they do not have an impact on the business if they ever occur.
Externally, reports must go to stakeholders, the board of directors, or the owner at least every year, covering the potential threats, what has been put in place to address them, and how those measures have prevented issues.
Reporting the overall status of the information security program and compliance with the Safeguards Rule is important because it keeps everyone in the loop. Many of our customers in the past have mentioned that they know they are paying us, but do not know exactly what they are getting.
Sometimes, it is similar to a seatbelt: you always wear it JUST IN CASE. It is not to say “I wear a seatbelt because I usually get in accidents,” but rather “I recognize accidents happen, they may not be my fault, but just in case, I wear this to protect myself in the off-chance that it happens.”
Material matters related to the information security program
The report should address issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management’s responses thereto, and recommendations for changes in the information security program.
Producing these reports on a regular basis helps in several major ways. First, it shows that the firm knows issues may exist. Some can be handled, others can’t. Acknowledging them and putting together something to circumvent them is important for compliance and overall data security.
Second, the reporting requirements ensure transparency and accountability. Saying “we recognize these vulnerabilities exist, and here is what we’re doing about them” is much better than saying “We were breached, and found this vulnerability has existed all along and we never found it,” or even worse, “We knew this issue existed, but figured it won’t happen to us, and ignored it… Sorry for the identity theft.”
Third, the reporting requirements facilitate continuous improvement. Knowing your weaknesses helps strengthen your security posture for the future. Michael Jordan used to get knocked for being all offense and no defense. Recognizing that issue, he set out to focus on his defensive skills and the next year won defensive player of the year. Had he not been called out on his shortcomings (and his own personal vendetta) he may not have mastered the skills he improved on.
Digging Deeper Beyond The Legal Requirements
Depending on the size of the firm, the qualified provider should evaluate:
- Risk assessment: Let’s look at what vulnerabilities exist, and determine if we have any.
- Risk management decisions: We have found some vulnerabilities. Now we decide whether to accept them or do something about them. Some risks are so minimal and so expensive to correct that it may not make sense for certain firms to address them with a solution.
- Service provider arrangements: List all service providers with a checklist of what you want to see from them.
- Security events or violations: Recognizing the things that hit security, such as phishing, malware, attacks, and DDoS, and how they are identified.
- Policies and procedures: List out what you plan to do for each type of event or item in the organization. What is the risk exposure, and how do we conduct ourselves during particular external events?
- Incident response plan: It’s required by the government, and is good practice. This is how we respond to the previously mentioned cyber events.
A lot of this may be cumbersome or overwhelming. Luckily, we have put together a full guide on how to navigate compliance.
If you need assistance with putting together your FTC Safeguards compliance, download our full guide:
Accountant Compliance Made Easy: 2023 FTC Safeguards Rule Guide