Understanding and implementing the updated Written Information Security Plan (WISP) as a technology decision-maker in CPA firms is pivotal. These changes are crucial for safeguarding client data and maintaining compliance with the standards set forth by the Gramm-Leach-Bliley Act (GLBA). Additionally, they rely on your expertise and diligence in the face of increasingly sophisticated data breaches and cyber threats.
The GLBA, enacted in 1999, defines "financial institution" broadly: not only large banks but also tax professionals, from small tax practices to financing staff in auto dealerships and beyond, fall under it. Although the complexity of security needs varies widely across these practices, the obligation to protect consumer data is the same for all of them. In August, the IRS released an update to the WISP requirements containing three essential changes.
Key Updates to the WISP Requirements
- Enhanced Multi-Factor Authentication (MFA): The updated WISP mandates multi-factor authentication for any individual accessing information systems. MFA adds a second, independent check at login: an attacker who has obtained a password still cannot get in without the additional factor. The factors must come from different categories; a second password is still single-factor authentication.
MFA is not a new concept; most of us already use it for banking or email. As tax professionals, you should understand the need for this additional control, and implementing it is a concrete step toward protecting sensitive taxpayer information.
Examples of additional factors are:
- Knowledge factors, such as an additional or secondary password or passcode.
- Inherence factors, such as a fingerprint or facial recognition.
- Possession factors, such as a phone, where presenting a code from the device demonstrates that the object is in your possession.
- Incident Reporting Obligations: One of the most significant changes is the requirement to report security events affecting 500 or more individuals to the Federal Trade Commission (FTC) within 30 days of discovery. This is in addition to the existing requirement to notify the IRS Stakeholder Liaison and state tax authorities. Prompt reporting limits the damage from a data compromise and allows affected individuals to be protected in time.
- Comprehensive Security Measures: The new WISP stresses that data security must be approached as a whole rather than as a collection of isolated tools. Regular risk assessments, employee training, and documented security policies and procedures are all required components. By fostering a culture of awareness, firms can better defend against potential threats.
Implementing WISP Updates in Your Firm
GadellNet’s dedicated team of cybersecurity professionals is ready to help your financial institution evaluate your current environment and optimize your resources to meet these new requirements. Our team will meet with CPA technology decision-makers to ensure compliance with the updated WISP requirements.
Actions to Take to Ensure Compliance
- Conduct a Risk Assessment: Evaluating your current security measures and identifying potential vulnerabilities will guide the development of a tailored WISP that addresses your firm’s specific needs.
- Update Security Policies: Revise your existing security policies to incorporate the new WISP requirements. Ensure that all employees are aware of these policies and understand their roles in maintaining data security.
- Invest in Technology Solutions: Implement advanced security technologies such as multi-factor authentication, encryption, and intrusion detection systems to protect sensitive information from unauthorized access and cyber threats.
- Employee Training and Awareness: Regularly training employees on the latest security practices and the importance of data protection is a foundational component of a strong cybersecurity posture.
- Monitor and Review: Continuously monitor your security measures and review your WISP on a regular schedule. Stay informed about new threats and update your plan accordingly to ensure ongoing compliance and protection.
Implementing the new WISP requirements will elevate your firm’s success.
The updated requirements represent a significant step forward in enhancing data security for CPA firms. Technology decision-makers can play a pivotal role in protecting client information and maintaining their firms’ trust and integrity by understanding and implementing these changes.
Our experienced cybersecurity team can help you stay proactive and informed and ensure your firm is equipped to navigate the evolving data security landscape. To learn more, contact us today or download our IT Risk Assessment Overview below.