In this episode of Risky Records, I spoke with Konrad Martin, CEO of Tech Advisors and former 25-year CPA veteran, about compliance, emerging cyber risks, and what your accounting firm can do to stay ahead of threat actors.
The Gramm-Leach-Bliley Act (GLBA) originally applied primarily to the financial services industry, but recent Federal Trade Commission (FTC) updates have significantly broadened its scope. As of June 9, 2023, the FTC strengthened the GLBA’s security requirements, extending its regulations to 13 additional industries. This expansion means that, alongside banks, businesses in other sectors that handle personal information or extend credit must comply with the GLBA’s safeguards.
In my conversation with Konrad Martin, CEO of Tech Advisors, he emphasized that CPA firms are included under this broader definition, as they frequently deal with personal client data and may extend credit. The new regulations aim to enhance data protection practices across various industries. CPA organizations must now adopt robust security measures to protect personal information.
One of those requirements is the Written Information Security Plan (WISP), which governs how an organization protects its sensitive data from cyber threats. In this summary of my conversation with Konrad, we look at a few key points that CPAs need to consider when writing and implementing WISPs and the emerging threats that have driven their adoption.
The role of a Written Information Security Plan (WISP)
A Written Information Security Plan (WISP) is a formal document that outlines staff roles and responsibilities for protecting data. Related documents, such as incident response or technology usage plans, may overlap with the WISP but should remain separate from it.
Beyond being a regulatory requirement in all 50 states, the WISP is the starting point for a CPA firm of any size adopting a strong cyber defense. Konrad elaborates, “It starts with the word ‘written’ for a reason. It can’t be conceptual. It has to be written down. It has to identify what you’re doing for security, what you’re doing to prevent the breach, and what you will do if a breach occurs.”
Most regulatory bodies recommend reviewing a WISP at least once a year, but Konrad recommends that CPAs review their WISP at least once a quarter to stay current with compliance changes.
Key components of an effective WISP
The IRS provides guidance on what should be included in your Written Information Security Plan.
- Appoint a qualified individual to oversee the information security program, which includes identifying and assessing risks to customer information across the company’s operations and evaluating the effectiveness of existing safeguards.
- Design and implement a comprehensive safeguards program with ongoing monitoring and testing.
- Use contracts to mandate appropriate safeguards and oversee customer information handling when selecting service providers.
- Regularly evaluate the program and adjust for any relevant changes in the business or security testing results.
- Implement multi-factor authentication for access to information systems unless alternative secure access controls are approved in writing.
- If a security breach affects 500 or more individuals, notify the FTC within 30 days of discovery.
Implementing the WISP
Implementing a WISP goes far beyond filling out paperwork and shoving it in a drawer to be forgotten. Konrad explains, “My contention would be it’s not just a WISP anymore, now it’s a responsibility… It’s understanding what’s in place, how it works, and how it’s implemented. It’s helping to protect you.”
A WISP must move beyond the page and into actual governance. Employees need ongoing training, such as simulated phishing attempts and tabletop exercises that emulate a breach.
Additionally, your organization must implement best practices around the transfer of funds, given the prevalence of phishing scams and emerging deepfake threats. Verbal confirmation is vital. As Konrad explains, you won’t know for sure until you make that phone call to confirm the details.
When developing a written information security plan, you must include strict guidelines for any process involving the transfer of sensitive items, such as money or personal information. With the rise of deepfake technology, it may be prudent to include passphrases or identifying questions in fund transfers as it is increasingly easy to create an AI voice print of someone in a leadership position.
“The steps we’re asking you to look at are good business practices. If you implement them, you’re going to have a lot fewer headaches.”
Konrad Martin, CEO of Tech Advisors
The influence of insurance companies and cyber insurance on compliance
The growing complexity of cyber insurance applications reflects the sound business practices that insurers now expect applicants to have in place.
According to Konrad, “Historically, when the insurance companies got this opportunity to provide cyber insurance, they said, oh, we’ll ask these 10 or 15 questions, put an addendum on, and boom, we’re going to make some extra money. Now they’re not asking 10 questions; they’re asking 50 to 60 questions.”
When I speak to new cyber insurance applicants, the first reaction is often shock at the length of the application. Companies should consider the application an essential checklist that ensures digital safety. This shift in perspective can be helpful as it encourages clients to engage more and understand that the process, while challenging, is necessary.
Building cybersecurity buy-in
For a written information security plan to be recognized by insurance companies, everyone at the organization (including the owners and market partners) must review and sign off on it.
Creating a strong cyber defense policy also means making strategic partnerships to support your security efforts. McGowan PRO offers Information Security and Data Privacy Liability Insurance, which covers expenses related to data breaches. Our policies protect from legal liabilities, costs associated with notifying affected individuals, and expenses incurred in defending against regulatory proceedings, among other things.
Contact us today to learn more about our flexible coverage options.