
REVIEW YOUR CYBER RISK HOW TO ASSESS YOUR FIRM’S CYBERSECURITY COMPLIANCE STATUS IN 12 EASY STEPS
BY JAMES HARRISON
As the world navigates the digital transformation, the accounting industry has found itself in the crosshairs of cybercriminals. Firms sit on a treasure trove of sensitive data, making them prime targets for cyberattacks. Not surprisingly, there has been a surge in cyberattacks targeting accounting firms in recent years.
Protecting clients’ sensitive information should be a top priority for CPA firms and financial professionals. Is your firm or business doing enough to prevent a breach? Do you meet minimum regulatory requirements and the commonly accepted cybersecurity standards for safeguarding customer information?
WHAT ARE CYBERSECURITY REGULATIONS AND STANDARDS?
While customers are expecting their information to be protected, governments are requiring it. Under various federal and state laws, as well as industry standards, firms and businesses of all types and sizes must meet minimum data security and privacy requirements to protect against the exposure or theft of customer and employee data.
Well-known federal cybersecurity regulations for financial companies include GLBA, SEC/FINRA and FFIEC. Utah, along with all other states, has enacted data security and privacy laws such as the Utah Cybersecurity Affirmative Defense Act (2021) and the Utah Consumer Privacy Act (2023). These laws require, among other things, that businesses “establish, implement, and maintain reasonable administrative, technical, and physical data security practices.”
And within the accounting industry itself, the AICPA’s System and Organization Controls (SOC) cybersecurity standard details the recommended information security controls for both general business and accounting firms, including assessment and reporting on the maturity of the organization’s information security program.
Where To Start In Assessing Your Cyber Risks And Compliance
Conducting a comprehensive cybersecurity risk and compliance assessment is not only a best practice, but also a common requirement in all government and industry cybersecurity standards. Good assessments help you identify potential threats and vulnerabilities while evaluating the current level of compliance with regulatory requirements, client expectations and industry best practices.
Cyber risk assessments should be completed at least annually, and again whenever a security incident occurs, the firm enters a new geographic market, the regulatory environment changes, or operations change substantially.
Use this short checklist to get a quick indication of how well your organization is doing at a high level in these 12 critical areas of cyber risk management and compliance.
1. Information Security Plan. Do you have a written cybersecurity plan detailing all your organization’s current data security and privacy policies, and is it reviewed and updated at least annually?
2. Risk and Compliance Assessments. Do you conduct regular cyber risk and compliance assessments to identify new security threats and any required updates to your information security plan?
3. Network and Device Security. Do you have an IT security plan, including network and endpoint protection, external network vulnerability scans, data access controls, email security, encryption, data disposal, and other mandatory compliance requirements?
4. Security Awareness Training. Do you have an employee cybersecurity training program, and are all personnel regularly trained and tested?
5. Remote Workforce Security. Do you have a home office cybersecurity and technical support plan in place for employees authorized to work remotely?
6. Vendor Risk Management. Do you have information security agreements in place and do you periodically evaluate your company’s third-party service providers’ cybersecurity practices?
7. Business Continuity. Have you established policies and procedures for the continued protection and availability of sensitive data during adverse or disruptive events such as a ransomware attack or a natural disaster?
8. Privacy Rights Management. Have you established data privacy policies and procedures that comply with applicable consumer privacy rights laws such as GDPR, CCPA and other state laws?
9. Breach Response. Do you have a formalized data breach incident response plan, and is it tested periodically?
10. Audit Readiness. Do you have the necessary compliance reports and response processes in place to quickly respond to cybersecurity audits and questionnaires?
11. Cybersecurity Certification. Has your company’s cybersecurity plan been reviewed by an independent third party? Does your organization have any cybersecurity compliance certifications?
12. Cyber Insurance. Do you have adequate cyber liability insurance and is your business compliant with the policy’s cyber risk management requirements?
Keep in mind that this short assessment is the proverbial “tip of the iceberg” when it comes to standardized risk and compliance assessments, but it’s a good starting point to get a quick feel for how your firm or business is doing today.
If you answered “No” or “Not Sure” to two or more questions in this short checklist, it’s time to step up your game!
Free offer to UACPA members
As a UACPA member, you have exclusive access to a complimentary InfoSafe® Risk and Compliance Assessment report and consultation for your business. To learn more and register for free, contact us at (801) 724-6211 or by going to www.invisus.com/uacpa.
Take Action To Safeguard Your Business
In light of the escalating risks of data breaches for CPA firms, financial professionals, and businesses in general, you may need to take the lead and ratchet up your organization’s cyber risk management efforts. If you haven’t had an outside risk and compliance assessment done recently, make the commitment to get that done right away.
A Word of Caution
Don’t make this too complicated. For small and mid-sized firms, completing your cyber risk assessment shouldn’t take more than an hour or two, and it shouldn’t break your budget. While it’s critical that you have a solid cybersecurity compliance plan, it shouldn’t be so complicated that you don’t take action.
Keep in mind, you don’t have to go it alone. Guidance, assistance, and oversight from outside experts is available to help take the bulk of this work off your plate.
The UACPA has partnered with INVISUS, a Utah-based cybersecurity company specializing in cyber risk management and compliance for professional services companies, including accounting and CPA firms, to help you learn about and take action to reduce risks and stay compliant.
James Harrison is the founder and CEO of INVISUS, an industry pioneer in cybersecurity and identity theft protection since 2001. As chief strategist and product visionary, he leads the development of the company’s innovative security solutions and is a featured author, speaker and trainer.