With another busy season in the history books, do you feel your CPA firm barely got through by the skin of its teeth? For this two and a half month burst, you’re focused on doing your job well—providing high-quality yet efficient tax services to your clients, maximizing their customer experience and your billable hours. And you do it well each year.
What’s the drag? Your CPA firm’s lack of a solid cybersecurity and technology foundation.
Three specific struggles that are hindering many CPA firms include:
- Cloud: Legacy on-premises applications and aging servers limit your ability to keep uptime close to 100 percent, modernize your software and customer experience, and collaborate online with your employees.
- Compliance: CPA firms must remain compliant with a variety of regulations—including the FTC’s Safeguards (with new updates coming in June), data breach notification laws, and specific industry compliance requirements depending on what clients you serve.
- Cybersecurity: Cyber criminals relentlessly target CPA firms with phishing attacks meant to deploy malware and ransomware into your environment that can lead to permanent data loss, operational disruption, and loss of clients. All it takes is one big data breach to severely impact your firm.
As the dust of the busy season settles and you reflect over these issues, you may want to consider taking a fresh look at the 3Cs when thinking ahead to the 2024 tax season.
Cloud
You may already use the cloud for applications such as Microsoft Office 365 or Google Workspace. If you do, you know that these applications require no on-premises hardware, update automatically, and allow employee access anytime, anywhere.
For any applications not in the cloud, you may have experienced the following issues during the high demands of the busy season:
- Servers and applications crashing
- Your staff wasting time serving as “IT support” to address technical issues
- Remote employees unable to access information and collaborate, impacting productivity and efficiency
- Lack of important application functionality and modernization impacting customer service
- Competitors stealing business due to more robust services
- Inability to scale when the busy season hits
Investing in the cloud—at a level that works best for your firm—is worth investigating. A few options include using the cloud version of tax software such as Intuit, Thomson Reuters, or Wolters Kluwer (CCH), and moving common productivity software such as Microsoft Office 365 to the cloud.
If no cloud option exists for an on-premises application, you can still move it to the cloud through a process called virtualization—where the application runs in a cloud data center instead of on a server that you must maintain onsite.
By moving to the cloud, you mitigate many operational and business risks that flare up during the busy season.
- The cloud’s near 100 percent uptime and reliability fail only on the rare occasions when internet access is unavailable.
- You are able to scale your service to new and existing clients without hitting any IT limitations.
- Your staff can focus on their work and collaborate more easily.
- Modern applications are more efficient, robust, and appealing to both clients and employees.
- You are more competitive—the ease of doing business with your firm will override many sales objections.
The cloud is a tool and does not make you automatically compliant and secure. That’s why the other two Cs are important.
Compliance
CPA firms do not have the compliance burdens of a bank or public company, but a few key regulatory areas are worth noting. A lack of cybersecurity planning and a poor IT foundation make following these regulations much tougher.
FTC Safeguards Rule Adds Stricter Requirements on June 9, 2023
We’ve already written about IRS Publication 4557: Safeguarding Taxpayer Data and the FTC Safeguards Rule—outlining how CPA firms can comply. Additional FTC Safeguards requirements were going to take effect on December 9, 2022 but the deadline was extended to June 9, 2023. These requirements will be in effect for the 2024 busy season.
The key addition to the Rule is an information security program with nine elements that include:
- Conducting a risk assessment
- Implementing specific cybersecurity best practices
- Periodic monitoring and testing
- Cybersecurity training
- Creating an incident response plan
Not following these regulations may result in an FTC investigation, fines (such as $100,000 per violation), lawsuits, and reputational damage to your CPA firm.
State Data Breach Notification Laws
Every state in the United States has a data breach notification law on the books—with stark and subtle differences across each state. If your firm experiences a data breach, it gets very complicated if you have clients in multiple states. Are you prepared to follow the law in the wake of a data breach?
Personal Information Protection and Electronic Documents Act (PIPEDA) and Provincial Statutes
In Canada, CPA firms must follow any cybersecurity requirements related to PIPEDA's data privacy laws. A slip can mean financial penalties of $100,000 per violation or an investigation from the Office of the Privacy Commissioner (OPC). A few important statutes also exist in British Columbia, Alberta, and Quebec.
Some areas that require constant vigilance include:
- User access permissions
- Data encryption
- Security awareness training
- Incident response planning
- Third-party risk management
- Cybersecurity monitoring and alerting
Complying with the Industry Regulations of Your Clients
When you work with clients across different industries, you are a third party that must comply with any relevant industry laws and regulations, such as those for healthcare (HIPAA and HITECH in the U.S.; PHIPA in Canada), financial services (the Gramm-Leach-Bliley Act in the U.S.), communications (FCC in the U.S.), etc. Many organizations are focusing more on third-party risk management, and you need to make sure your CPA firm isn’t seen as a weak link.
Beyond checking off compliance requirements, your CPA firm also needs to strengthen its cybersecurity to combat the many cyber threats that continue to increase each year.
Cybersecurity
Over the years, CPA firms have experienced a relentless increase in data breaches and cyberattacks. In a now heavily remote working world, cyber criminals continue to exploit security weaknesses at accounting firms that haven’t kept up, especially by targeting vulnerable employees and weak cybersecurity protocols.
As a CPA firm, you’re well aware of cybersecurity dangers. The question is: Has your awareness translated into appropriate action?
Threats continue to evolve and escalate with each passing year as CPA firms become more targeted. Taxpayer data is a prime target of cyber criminals, containing extremely valuable information (sold for high prices on the dark web) that can be used for tax fraud, account takeovers, identity theft, and social engineering. For CPA firms lacking a strong data retention policy, cyber criminals can also access and exploit older “forgotten” data stored with poor security measures.
Social engineering attacks remain a significant threat to CPA firms. Cyber criminals use various phishing attacks to trick employees into clicking on malicious links and attachments. From there, they can extract user credentials, deploy ransomware and malware, and steal taxpayer data.
A successful attack can lead to significant downtime, duplicate work, losing current and prospective clients from reputational damage, permanent data loss, and even the risk of going out of business. A firewall and some antivirus software just aren’t enough to protect against these attacks. CPA firms need to consider security measures such as MFA, EDR, security awareness training, and web content filtering that help mitigate the risks of social engineering.
---
Now is the time to assess how your CPA firm is leveraging the cloud, complying with regulations, and staying cybersecure in a hostile environment. Download the checklist to assess the 3Cs at your firm today!