
FTC Safeguards and Written Information Security Plan for the Financial Sector

January 25, 2025


Is your business compliant with the FTC Safeguards Rule and/or the Written Information Security Plan requirement?

With digital crime on the rise, the Federal Trade Commission (FTC) has updated its measures to enforce stronger safeguards across sectors to protect customer information, including financial details, from cyberattacks.

The new provisions establish robust protocols for securing client data. An amendment approved in October requires non-banking financial institutions to promptly report certain data breaches to the FTC or face severe consequences.

Non-compliance can lead to hefty fines, lawsuits, reputational damage, and suspension of e-filing privileges, along with significant recovery costs. If these protocols are not in place, government fines can be levied not only against the company but also against the company owners. Understanding this rule is therefore crucial for businesses.

The Safeguards Rule mandates that businesses under the FTC’s authority meet legal standards for managing sensitive customer data by developing, implementing, and maintaining an information security program with administrative, technical, and physical safeguards.

The rule aims to:

  1. Ensure the security and confidentiality of customer information.
  2. Protect against anticipated threats or hazards.
  3. Guard against unauthorized access that could cause substantial harm or inconvenience.

Written Information Security Plan for the Financial Sector

The financial sector, especially tax and accounting practices, is a prime target for cybercriminals. Breaches can cause severe financial losses and damage to reputation. Small practices are particularly vulnerable due to limited cybersecurity resources.

Developing a comprehensive cybersecurity framework starts with assessing current security measures and identifying vulnerabilities. The IRS requires tax preparers and accountants to create and maintain a Written Information Security Plan (WISP) to secure taxpayer data. A WISP outlines the administrative, technical, and physical safeguards to protect client data, which must be tailored to the firm’s size, complexity, and scope of activities. It is a legal requirement under the Gramm-Leach-Bliley Act and the FTC’s Safeguards Rule.

A robust WISP includes:

  1. Risk assessment
  2. Security policies and procedures
  3. Employee training program
  4. Access controls
  5. Data encryption
  6. Secure data disposal
  7. Incident response plan
  8. Regular monitoring and compliance

The IRS emphasizes that a WISP is a living document that requires regular updates to adapt to new threats and changes in operations. Adhering to these guidelines helps tax and accounting professionals protect client data and comply with IRS requirements.

Do you own a small or medium-sized business in Northwest Ohio or Southeast Michigan? Are you interested in discussing your company’s adherence to the FTC Safeguards and WISP? If so, please click here to contact GUT Consulting and talk with our experts so you can be sure you have all the safeguards you need in place.