Safeguards Rule and cybersecurity leadership
The Federal Trade Commission’s (FTC) updated Safeguards Rule (16 CFR Part 314, amended in 2021 with most of the new requirements enforced from June 2023) reflects a global shift toward more stringent data protection regulation, introducing a set of mandatory compliance requirements for businesses that handle customer financial information.

The FTC casts a wide net with the Rule. It applies to “financial institutions” under FTC jurisdiction, a category that excludes banks and credit unions (which follow the banking regulators’ own GLBA guidelines) but takes in large non-bank lenders, mortgage and auto-finance companies, and small tax and accounting practices alike. While the updates are a step in the right direction, they expose a fundamental issue: the Rule’s applicability to vastly different types of institutions.

A large financial institution, equipped with plentiful resources, complex infrastructure, and a dedicated cybersecurity team, is in a vastly different position from a small tax and accounting firm with a handful of employees. Yet the Rule makes little distinction between these entities, which raises concerns about its practical effectiveness. How can a small firm with a limited budget and limited expertise realistically meet the same requirements as a large, resource-rich institution?

At the heart of the Safeguards Rule are mandates wrapped in vague terminology. Firms are required to establish “comprehensive” information security programs with “reasonable” safeguards that are “appropriate” to their size and complexity. The amended Rule does enumerate a handful of concrete controls (a designated Qualified Individual, a written risk assessment, access controls, encryption of customer information in transit and at rest, multi-factor authentication, and a written incident response plan), but the scope, depth, and rigor of each is still left to the “reasonable” and “appropriate” qualifiers. This language seems to offer flexibility, allowing firms to tailor their security measures to their specific needs. In practice, however, this vagueness is a double-edged sword.

Vague cybersecurity compliance rules leave firms to fend for themselves

While the flexibility acknowledges that a one-size-fits-all approach to cybersecurity is impractical, it also introduces significant ambiguity. For large organizations with dedicated cybersecurity teams, interpreting what constitutes “comprehensive” or “reasonable” may be straightforward. But for small- and medium-sized tax and accounting firms, this language can lead to confusion and inconsistency.

There are two risks. First, some firms may overestimate their cybersecurity capabilities, believing they meet the requirements when they do not. Second, other firms may interpret the rule too conservatively, expending unnecessary resources on measures that go beyond what is required, straining their limited budgets.

Why the WISP is just the tip of the iceberg in cybersecurity

The IRS and its Security Summit partners released a Written Information Security Plan (WISP) template for tax professionals in response to the Safeguards Rule. While the document provides useful information, it also highlights the lack of a standardized approach to information security for financial institutions and accounting firms, and an overemphasis on technical controls. A plan is not a substitute for a comprehensive program. It is a document that describes an organization’s approach to information security controls and measures; it does not, by itself, operate any of them.

A comprehensive information security program operationally integrates three key elements: people, processes, and technology. This integration is not a one-time effort, but a continuous, evolving process that responds to the ever-changing threat landscape. There are many components, including third-party supplier management, cloud security management, risk management, vulnerability assessment and mitigation, incident response preparation, and business continuity during disruptive events.

These elements are not merely items on a checklist; they represent ongoing responsibilities that require continuous effort, vigilance, and resources. They demand active engagement from all levels of the organization, from the board of directors to frontline employees.

The distinction between a plan and a program is crucial and commonly misunderstood. For a plan to be effective, it must reflect the firm’s actual practices as part of a wider program. It must move beyond being something that you have and become something that you do.

Acting despite the ambiguity: firms must go beyond compliance mandates

The Rule’s lack of sector-specific guidance is problematic. Accounting firms, with their blend of financial data handling and professional services, face distinct cybersecurity challenges. The ambiguity in what constitutes “reasonable” and “appropriate” security measures opens the door for interpretation, which could lead to inconsistent standards across the profession.

In the absence of clear regulatory direction, industry leaders and cybersecurity firms are stepping in to define these terms. While this will drive innovation and best practices, it also risks creating a fragmented approach to security that may not align with regulatory intent or provide comprehensive protection.

Regulatory authorities simply cannot afford to play catch-up in the evolving compliance landscape. The onus is on them to provide not just oversight, but clear, actionable guidance that meets the distinct needs of different financial institutions, from large multinational firms to small accounting practices. The time has come for regulators to move from merely enforcing compliance to being catalysts for innovation in cybersecurity.

This is the moment that requires bold leadership and a willingness to step into uncharted territory. Regulatory authorities must rise to the occasion, providing the clarity and direction the profession desperately needs, and firms must push beyond compliance and move toward more secure practices. How the accounting profession chooses to respond will determine whether it remains a follower or emerges as a leader in the ongoing battle against cyber threats. How will your firm respond?
