Report the overall status of the information security program and your compliance with the Safeguards Rule
One of the key requirements of the FTC Safeguards Rule is that accountants must receive, at least annually, a report on the current status of their information security program (ISP).
The report should cover internal risks, such as employees, contractors, and anyone else with access to information who might leak it. It also needs to cover external factors, such as hackers, DDoS attacks, and server outages: events that are usually outside your control when they happen, along with what you can do to mitigate them so they do not impact the business if they ever occur.
Externally, stakeholders, the board of directors, or the owner need to receive a report at least once a year covering the potential threats, the safeguards that have been put in place, and how those safeguards have prevented issues.
Reporting the overall status of the information security program and compliance with the Safeguards Rule is important because it keeps everyone in the loop. Many of our customers have told us in the past that they know they are paying us but do not know exactly what they are getting.
In some ways it is like a seatbelt: you always wear it JUST IN CASE. It is not saying “I wear a seatbelt because I usually get in accidents”; it is saying “I recognize that accidents happen, they may not be my fault, but just in case, I wear this to protect myself in the off chance that one does.”
Material matters related to the information security program
The report should address issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management’s responses to them, and recommendations for changes to the information security program.
Producing these reports regularly helps in several major ways. First, it shows that the firm knows which issues may exist. Some can be handled, others cannot. Acknowledging them and putting together a plan to address them is important for compliance and overall data security.
Second, the reporting requirements ensure transparency and accountability. Saying “we recognize these vulnerabilities exist, and here is what we’re doing about them” is much better than saying, “We were breached and found that this vulnerability had existed all along and we never found it,” or even worse, “We knew this issue existed, but figured it wouldn’t happen to us, and ignored it… Sorry for the identity theft.”
Third, the reporting requirements facilitate continuous improvement. Knowing your weaknesses helps strengthen your security posture for the future. Michael Jordan used to get knocked for being all offense and no defense. Recognizing that issue, he set out to focus on his defensive skills and the next year won Defensive Player of the Year. Had he not been called out on his shortcomings (and had his own personal vendetta not driven him), he may never have mastered the skills he improved on.
Digging Deeper Beyond the Legal Requirements
Depending on the size of the firm, the qualified provider should evaluate:
- Risk assessment: Look at what vulnerabilities are possible and determine which ones we actually have.
- Risk management decisions: We have found some vulnerabilities. Time to decide whether we accept them or do something about them. Some risks are so minimal and so expensive to correct that it may not make sense for certain firms to address them with a solution.
- Service provider arrangements: List all service providers with a checklist of what you want to see from them.
- Security events or violations: Recognizing events that affect security, such as phishing, malware, attacks, and DDoS, and how they are identified.
- Policies and procedures: List out what you plan to do for each type of event or item in the organization. What is the risk exposure, and how do we conduct ourselves during particular external events?
- Incident response plan: It is required by the government and is good practice. This is how we respond to the cyber events mentioned above.
- Employee Training and Awareness: Report on the status of employee training programs, covering topics such as the organization’s security policies, incident reporting procedures, and best practices for safeguarding client data.
- Third-Party Vendor Management: Discuss the organization’s efforts to evaluate and manage third-party vendors with access to customer data, ensuring that they maintain adequate security measures and comply with the FTC Safeguards Rule.
- Security Measures Implementation: Provide updates on the implementation and effectiveness of the organization’s security measures, such as encryption, access controls, and intrusion detection systems.
- Compliance Audit Results: Share the results of recent compliance audits, highlighting any areas of non-compliance and the steps taken to address these issues.
- Ongoing and Future Initiatives: Discuss ongoing and planned initiatives to improve the organization’s security posture and ensure continued compliance with the FTC Safeguards Rule.
The Importance of Reporting to the Board of Directors
Involving the board of directors in the oversight of an organization’s ISP is crucial for several reasons:
- Accountability: Reporting to the board ensures that top-level management is held accountable for the implementation and effectiveness of the ISP, promoting a strong culture of security and compliance within the organization.
- Informed Decision-Making: Regular reporting enables the board of directors to stay informed about the organization’s security posture, facilitating better decision-making on resource allocation, risk management, and overall strategic direction.
- Compliance Verification: By reporting to the board, accountants demonstrate their commitment to complying with the FTC Safeguards Rule, showcasing the organization’s dedication to maintaining the highest standards of data security.
- Enhanced Risk Management: Regular updates on the ISP help the board of directors identify potential risks and vulnerabilities, enabling them to make proactive decisions to mitigate these risks and strengthen the organization’s security measures.
By regularly reporting to the board of directors on the organization’s Information Security Program, accountants can help promote a culture of accountability, compliance, and proactive risk management. This not only ensures adherence to the FTC Safeguards Rule but also fosters trust and confidence among clients, demonstrating the organization’s commitment to protecting their sensitive financial information in an ever-changing digital landscape.