There are a lot of companies offering “one-size-fits-all” cybersecurity solutions, but what do CPA firms actually need?
CPA firms are subject to various federal cybersecurity laws depending on the services they provide, the types of clients they support, and the types of data they handle. The size of the firm can affect which specific portions of these laws a firm is required to maintain; however, even the AICPA encourages comprehensive cybersecurity protections for all firms, regardless of overall size.
Below are the primary federal laws that CPA firms may need to comply with:
1. Gramm-Leach-Bliley Act (GLBA)
Applies if: The CPA firm provides financial services, such as tax preparation, auditing, or financial advisory services.
Requirements:
- Maintain the confidentiality and security of non-public personal information (NPI).
- Implement a Written Information Security Program (WISP) to protect client data.
- Provide annual privacy notices to clients explaining data-handling practices.
- Ensure third-party vendors adhere to the same security standards.
2. Federal Trade Commission (FTC) Safeguards Rule
Applies if: The firm engages in activities that fall under GLBA's definition of a “financial institution.”
Requirements:
- Develop, implement, and maintain a comprehensive security program to protect client data.
- Conduct risk assessments and identify specific security measures to mitigate risks.
- Regularly monitor and test the effectiveness of security controls.
- *NOTE: Financial institutions that maintain customer information for fewer than 5,000 consumers are required by law to implement encryption of data in transit and at rest, multifactor authentication, and secure disposal of information.
3. The Electronic Communications Privacy Act (ECPA)
Applies if: The firm accesses, intercepts, or uses electronic communications as part of its operations.
Requirements:
- Protect the confidentiality of electronic communications.
- Avoid unauthorized interception or disclosure of client communications.
4. Health Insurance Portability and Accountability Act (HIPAA)
Applies if: The CPA firm handles protected health information (PHI) as part of its services (e.g., auditing healthcare organizations).
Requirements:
- Comply with the Security Rule for electronic PHI, ensuring the confidentiality, integrity, and availability of data.
- Implement administrative, physical, and technical safeguards for PHI.
- Sign Business Associate Agreements (BAAs) with covered entities.
5. Sarbanes-Oxley Act (SOX)
Applies if: The CPA firm audits public companies or performs services for publicly traded entities.
Requirements:
- Maintain secure systems to ensure the integrity of financial reporting data.
- Implement controls to detect and prevent unauthorized access or tampering with financial data.
6. Federal Information Security Modernization Act (FISMA)
Applies if: The firm contracts with federal agencies or handles government data.
Requirements:
- Comply with specific security standards (e.g., NIST SP 800-53) for protecting federal information.
- Ensure systems and networks are secure, monitored, and regularly assessed.
Need help determining the current state of your IT infrastructure so you can verify your company’s compliance with federal regulations?
Structured Technology Solutions is offering complimentary IT assessments to CPA firms in preparation for “busy season.”
We would much rather get a call from you now than at the beginning of April when your network crashes and you have no idea how to access your backups!
Contact us today at [email protected].