CPA firms are lucrative targets for hackers. They store, send, and receive Personally Identifiable Information (PII) for a living. Because CPA firms are especially targeted, the IRS recently released Publication 4557, which explains the legal requirements tax preparers are subject to and offers guidance on maintaining compliance.
What is it about CPA firms that makes them so enticing for hackers looking for an easy victim?
Financial data. From CPA firms' databases, hackers can potentially gain access to social security numbers, bank account details, and other sensitive data. Additionally, hackers will often hold this information for ransom, causing significant potential damage to the firm attacked.
How do ransomware attacks typically take place within a CPA firm?
When hackers attack a CPA firm with ransomware, they lock down file shares (among other things) and threaten to release or destroy that data unless the firm pays a ransom. Hackers will often time their attack to coincide with a firm's busy season (i.e., tax season). This puts firms in a particularly vulnerable position, as losing any time during tax season is not an option. With the leverage of known filing deadlines, hackers are more successful with their ransom and extortion demands during this season.
What is Publication 4557?
IRS Publication 4557 was created to raise awareness of cyber threats to CPA firms and to serve as a guide for tax return preparers on how to maintain compliance in their operations. The FTC Safeguards Rule requires that tax return preparers create and enact security plans to protect client data. If a CPA firm is non-compliant, it faces the potential of an FTC investigation and substantial penalties.
What else does Publication 4557 focus on?
Outside of compliance, the publication also focuses on cybersecurity best practices for CPA firms. Cybersecurity best practices include using cybersecurity software, using strong passwords, recognizing malicious emails, and securing wireless networks.
It's interesting to note that the majority of Publication 4557 explains fundamental cybersecurity best practices you'd expect to be in place at any organization that deals in PII. This may indicate that the IRS believes many CPA firms are behind the curve in cybersecurity competency.
The rest of Publication 4557 breaks down the FTC Safeguards Rule, which is essentially a checklist for compliance. You can view the full checklist here: Checklist for Safeguarding Taxpayer Data.
The FTC Safeguards Rule's primary goal is to require companies to create a written information security plan and to require financial institutions (which, for this purpose, include CPA firms) to protect the confidentiality and security of sensitive consumer information.
An information security plan must include the following actions to be compliant with the FTC Safeguards Rule:
- Design, implement, and monitor a safeguard program.
- Designate one or more employees to manage the information security program (also known as a security officer).
- Identify and assess the risks to customer data, and then assess how adequate the current safeguards are (also known as a risk assessment).
- Adjust the safeguard program as needed, on an ongoing basis, based on the results of that risk assessment.
- Select appropriate service providers in line with compliance directives.
Are you a CPA firm with concerns about compliance under the new IRS Publication 4557? PK Tech can help. Our company was founded inside a CPA firm. We have the unique benefit of first-hand CPA firm knowledge and have worked with multiple CPA firms on IT security (among other things) for over a decade.
PK Tech can help your firm build and maintain necessary safeguards to remain in compliance with IRS Pub 4557 and more. Contact us here.