3 min read

IRS Releases New Data Security Plan to Help Tax Professionals: What You Need to Know

Josh Macfarland, Senior Account Executive

Are you up to speed with the new IRS requirements for data security? The Security Summit, a partnership between the IRS, state tax agencies, and the tax industry, has released a new data security plan to help tax professionals.

The new plan, which is available on the IRS website, contains recommendations and requirements for strengthening data security—including training employees and implementing industry-leading cybersecurity practices. The plan also includes a new tool called the Website Information Security Planner (WISP), which simplifies the process of creating a comprehensive security plan.

The new data security plan is part of the ongoing efforts of the Security Summit partners to combat identity theft and refund fraud. The WISP:

Provides step-by-step instructions for creating a comprehensive security plan.
Walks users through identifying their critical systems and sensitive data, assessing their vulnerabilities, and implementing countermeasures to prevent or mitigate attacks.
Includes templates for creating incident response plans and employee training programs.

In addition to the WISP, the new data security plan contains several other recommendations for strengthening data security including:

Developing and implementing information security policies and procedures.
Training employees on information security best practices.
Conducting regular risk assessments.
Implementing industry-leading cybersecurity practices, such as two-factor authentication.
Restricting physical access to servers and workstations.
Encrypting all sensitive data.
Backing up data regularly.

As part of the plan, the FTC requires each firm to:

Designate one or more employees to coordinate its information security program.
Identify and assess the risks to customer information in each relevant area of the company’s operation and evaluate the effectiveness of the current safeguards for controlling these risks.
Design and implement a safeguards program, and regularly monitor and test it.
Select service providers that can maintain appropriate safeguards by ensuring your contract requires them to maintain safeguards and oversee their handling of customer information.
Evaluate and adjust the program considering relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.

A security plan should be in line with your company’s size, scope of activities, complexity, and the sensitivity of your customer data. There is no one-size-fits-all WISP. The needs of a sole practitioner will differ from a 10-15 partner accounting firm. No matter your firm’s size, a good WISP should focus on employee management and training, information systems, and detecting and managing system failures.

The Security Summit's release of this new data security plan is a welcome development for tax professionals who are looking to strengthen their data security posture. The WISP is a particularly useful tool for simplifying the process of creating a comprehensive security plan. Tax professionals who implement the recommendations in this new plan will be well-positioned to protect their businesses from attack.

A written information security plan is just one part of what tax professionals need to protect their clients and themselves. Given the rapidly evolving nature of threats, the Summit also strongly encourages tax professionals to consult with technical experts to help with security issues and safeguard their systems.

Rough ride during busy season? Assess your CPA firm’s cloud, compliance, and cybersecurity foundation to prepare for next year.

Download the 3Cs checklist to help identify easily overlooked gaps in your cloud applications, compliance measures, and cybersecurity best practices.

Resources

Oct 13, 2022