Six Steps to Battle Cybersecurity Risks

What cost or time investment would you pay to protect your firm and your clients?

By Donny Shimamoto
Cybersecurity for Accountants

When it comes to cybersecurity, one risk aspect to consider is whether or not the steps you’ve taken to protect clients’ PII will stand up in court in the event of litigation related to a data breach or damages to a client because of a cybersecurity issue caused by your firm. During litigation, opposing counsel will often bring in cybersecurity experts to describe cybersecurity best practices—which are often a higher level of controls than just compliance.


Be sure to consult with both your cybersecurity advisor and legal counsel to determine which controls you may still want to implement even if you qualify for some of the exemptions. Many controls, like the ones identified in the FTC exemption, do not cost much to implement and can demonstrate that you still fulfilled your professional obligation to protect clients’ data—reducing your litigation risk.

Your responsibilities and obligations as a tax practitioner can be overwhelming because of all the complexities and jargon, as well as the risks and technologies in the cybersecurity space. However, hopefully these guidelines will help you feel a little more comfortable discussing cybersecurity with your IT service provider or cybersecurity advisor.

Ensure that you understand your cybersecurity risk posture and that you’ve met the compliance requirements. You can do this by following this action plan:

  1. Determine if you have an IT security policy.
    • If you have a policy, check whether it addresses both the IRS and FTC requirements.
    • If you don’t have a policy, obtain a template and personalize it for your firm.
      • If you’re an AICPA Tax section member, the AICPA provides a free Gramm-Leach-Bliley Act Information Security Plan.
      • The Center for Accounting Transformation also has a low-cost plan template available for purchase that is mapped to the cybersecurity solutions described in the previous section. Learn more about this template here: https://link.improvetheworld.net/CyberForTaxPlanTemplate.
  2. Conduct or update your cybersecurity risk assessment.
  3. Determine your compliance gap.
    • Once you have an understanding of your policy and technical controls, determine whether you meet the minimum requirements described by the IRS and FTC. Identify areas where you may need to implement additional policies, procedures, or solutions to become compliant.
  4. Determine your risk tolerance gap.
    • Keep in mind that the IRS and FTC requirements are minimum requirements. You may want to be more proactive to prevent a malware attack and the potential disruption it would cause. Work with your cybersecurity advisor to identify areas where a more proactive approach may be cost-effective.
  5. Implement or change solutions.
    • Implement new solutions, or change or upgrade solution configurations, to fill the gaps you identified above.
  6. Monitor solution effectiveness.
    • Just as keeping vigilant in a physically unsafe part of town is an ongoing activity, cybersecurity vigilance isn’t a one-time activity. You (or someone you trust) must monitor notifications and respond appropriately when needed.

The above should be done at least annually, with the exception of monitoring solution effectiveness, which is done on an ongoing basis. The first time you go through this process can be a bit of a bear and may require some upfront investment, but maintaining your policy, undergoing the risk assessment, and fixing gaps are usually much easier and less costly in subsequent years.

Just as you can’t do anything to help clients minimize tax liabilities if they don’t proactively let you know before they enter into transactions, you should be proactive in managing your cybersecurity risks before an incident occurs. This minimizes the disruption that it can cause to your practice and can enable you to sleep better at night knowing that your clients’ PII and your firm’s operations are protected.
