As a firm owner, have you ever found yourself thinking, "I know how to serve my clients, but I don't know how to solve [insert IT issue here]." Firms that are large enough to have a dedicated IT person or team in-house can leverage their in-house help desk to get support for the IT issue, but smaller firms often find themselves going without.
This is a common scenario. In a January 2023
"Having a data plan in place is a necessity for a modern firm," says W.G. Spoor, past chair of FICPA and a partner at Spoor Bunch Franz in St. Petersburg. "Beyond the practical benefits, there's genuine peace of mind in knowing that you've taken advance action in the event of an incident. Whether we're responding to a potential cyber breach or a natural disaster, CPAs must plan in advance for the good of the firm and the good of the client."
To add fuel to the fire, the FTC Safeguards Rule entered the penalty phase on June 9, 2023. Tax firms of all sizes, and non-tax firms that collectively hold records for more than 5,000 consumers ("people") are now required to have rigorous security protocols in place to safeguard their clients' valuable data (and be able to prove that they do), yet many find they are ill-equipped to do so.
So what can small to midsized firms do to ensure they comply with the FTC Safeguards Rule and IRS Publication 4557 regulations around safeguarding taxpayer data), if they are unable to afford an inhouse IT person to help them comply?The most important first step is to create and roll out a written information security plan. The WISP creates a structure and defines key areas where the firm has taken appropriate security measures, and demonstrates that employees use agreed-upon (secure) standards of conduct when it comes to handling, transmitting, storing and disposing of client data.
Once the WISP is in place, if the firm is also subject to the FTC Safeguards Rule (all tax firms and all but the smallest of CAS firms are subject to it), then an additional information security plan is required.
Here are three ways to get your WISP done, listed in order of cost (least costly to most costly). At the end of this article we will provide information about how to get your ISP in place.
- DIY by taking training.
The Grove has a two-hour comprehensive "Complying with IRS Publication 4557 and FTC Safeguards Rule" Master Class that explains step by step how to create and roll out your WISP, and includes editable templates, policies and guidelines. There is also a technology solutions guide that helps firm owners understand which firewalls, anti-virus software, endpoint protection solutions etc., are appropriate for each size of office. - Purchase a WISP service. This is typically done by a managed service provider or lawyer. Your firm's software and hardware is examined, solutions are suggested to help patch any security issues, the policies and procedures are provided, and you can then train the staff and ensure everyone is adhering to the terms of the WISP. Suggested providers are
Tech4Accountants ,TechGuru , andNMGI . - Contract with a managed service provider. A good MSP that specializes in accounting and tax firms will ensure that your network is monitored, that patches are pushed to employee computers, and that the WISP is regularly revisited to ensure adherence. Suggested providers are
Tech4Accountants ,TechGuru ,NMGI ,Swizznet andPractice Protect .
When it comes to the ISP required by the FTC Safeguards Rule, the good news is that having a WISP in place gets you about 95% of the way towards compliance.
The FTC Safeguards Rule requirement to have a qualified IT professional in charge of your on-going ISP is the thing that most firms will struggle to solve without outside help. There are therefore only two options for most firms. The first is to hire an in-house IT person. The second is to contract with an outside IT professional or MSP. When interviewing a potential provider, be sure to ask if they specialize in accounting and tax firms. If not, they will likely not be aware of the specific requirements of the governing publications.