Written information security plans (WISP) are required to be in place by the end of 2023. If you missed our session on these required plans you can view it on our YouTube channel. You can also review our webinar on complying with IRS Publication 4557, which directly addresses a firm’s requirements to safeguard taxpayer information.
But even these important steps may not be enough to keep your firm compliant.
Penetration testing is now a requirement for certain financial institutions. Current laws apply mostly to banks and investment brokers, but there is a push in Congress to extend the requirement to other financial institutions, such as tax practices and accounting firms, that also hold a substantial amount of protected information: bank account numbers, Social Security numbers, names, addresses and dates of birth.
Penetration testing, or “pen testing,” is an authorized engagement in which a qualified tester, usually an outside firm you hire rather than a government agency, actually attempts to break into your systems the way a criminal would. It is legal as long as the system owner authorizes it in writing; the same activity without authorization is a crime. At the end you receive a report that rates each weakness found as low, medium or high severity, based on how easily it could be exploited and what client information it exposed, together with the steps needed to fix it.
Don’t like the sound of this? Me neither.
The reality is that most firms are not paying enough attention to, or spending enough time and money on, keeping client data safe. The harder reality? No security breach is 100% preventable. It is still the firm’s responsibility to have reasonable measures in place to protect client data.
Three things you should absolutely be doing before the end of the year, not only to meet current compliance standards but also to reduce your risk of loss if an incident does occur:
- Ensure all your employees and contractors have read and signed off on your company’s WISP policy.
- Review your cyber security insurance policies to address gaps in coverage.
- Implement an EDR system.
EDR stands for endpoint detection and response. An EDR agent runs on each endpoint (every workstation, laptop and server), continuously records what is happening on it (processes launched, files written, network connections made) and raises an alert, or blocks the activity outright, when it sees behavior that looks like an attack. Because it looks at behavior rather than only at known malicious files, it can catch an intruder who is using legitimate tools. The benefit to the firm is that a compromise is detected and contained on the one device where it starts, before the attacker can move on to the rest of the network.
The other benefit is that the agent runs on the laptop itself, so it keeps working wherever the employee is. If you have work-from-home staff connecting over unsecured home networks or open public Wi-Fi, the EDR agent still watches and protects their laptops and reports back to the firm or its IT provider over the internet. It protects the device, not the network it is on, so it complements, rather than replaces, the other safeguards in your WISP.
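To make the "detect and contain on the device" idea concrete, here is a small Python illustration of the loop an EDR agent runs on one workstation. This is an added example written for this post, not code from the original article or from any EDR vendor. The event format, the field names, the two or three detection rules and the sample telemetry are all constructed for illustration; a real product has its own telemetry schema and hundreds of rules, but the shape of the decision is the same: look at behavior on the host, score it, and quarantine the host before the activity can reach the rest of the network.

```python
"""Toy EDR loop on a single workstation (added example, not vendor code).

The ProcessEvent fields, the rules and SAMPLE_EVENTS below are assumptions
made for illustration; real agents record far richer telemetry.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str      # workstation that reported the event
    user: str      # logged-in user
    parent: str    # image name of the parent process
    image: str     # image name of the process that was launched
    cmdline: str   # full command line


# Constructed telemetry: what an agent might record on a remote worker's laptop
# after the user opens a macro-enabled "tax form" attachment.
SAMPLE_EVENTS = [
    ProcessEvent("laptop-07", "jdoe", "explorer.exe", "winword.exe",
                 "winword.exe C:\\Users\\jdoe\\Downloads\\1099-form.docm"),
    ProcessEvent("laptop-07", "jdoe", "winword.exe", "powershell.exe",
                 "powershell.exe -w hidden -enc SQBFAFgA..."),
    ProcessEvent("laptop-07", "jdoe", "powershell.exe", "cmd.exe",
                 "cmd.exe /c net view \\\\fileserver"),
    ProcessEvent("laptop-12", "asmith", "explorer.exe", "excel.exe",
                 "excel.exe clients.xlsx"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def detect(event: ProcessEvent) -> list[tuple[str, str]]:
    """Return (rule_name, severity) hits for one process event.

    These are behavioral rules: none of them depend on recognizing a known
    malicious file, which is why a legitimate tool used by an intruder still
    trips them.
    """
    hits = []
    # An Office document should never need to start a shell or script host.
    if event.parent in OFFICE_APPS and event.image in SHELLS:
        hits.append(("office_spawns_shell", "high"))
    cl = event.cmdline.lower()
    # Hidden window plus base64-encoded command is a classic loader pattern.
    if event.image == "powershell.exe" and "-enc" in cl and "hidden" in cl:
        hits.append(("hidden_encoded_powershell", "high"))
    # Enumerating shares is an early sign of an attacker looking to move laterally.
    if "net view" in cl or "net use" in cl:
        hits.append(("network_discovery", "medium"))
    return hits


def triage(events: list[ProcessEvent]) -> tuple[list[dict], set[str]]:
    """Evaluate every event and decide the per-host response.

    Any host with a high-severity hit goes into the isolate set: the agent
    would cut that laptop's network access (except to the EDR console) so
    whatever is running on it cannot reach the file server or other staff.
    """
    alerts = []
    isolate = set()
    for e in events:
        for rule, severity in detect(e):
            alerts.append({"host": e.host, "user": e.user, "rule": rule,
                           "severity": severity, "image": e.image})
            if severity == "high":
                isolate.add(e.host)
    return alerts, isolate


if __name__ == "__main__":
    found, quarantined = triage(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['severity']:>6}] {a['host']} {a['user']} {a['rule']} ({a['image']})")
    print("isolate:", sorted(quarantined))
```

Run it and only laptop-07 is quarantined; laptop-12, whose user merely opened a spreadsheet, is untouched. Note that the decision needs nothing from the office network: the rules and the response run on the laptop, which is why the protection holds on a home or coffee-shop connection.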
If your firm does not currently have these foundational components in place, working with an IT professional to put them in place before year end will strengthen the firm’s position, both legally and with its insurer, in the event of an incident. An EDR deployment also tends to show in a penetration test: the tester’s activity on a workstation is more likely to be detected and contained, which reduces the number and severity of findings in the report.