Ransomware attacks pose a threat to any business owner, CPA, or EA. If you suffer a data breach from a ransomware cyberattack, you will most likely be forced to pay exorbitant fees, as the attackers demand money in exchange for your and your clients’ personal information. Since 2016, approximately 4,000 of these ransomware attacks have been happening every day in the U.S. In the words of Benjamin Franklin: “An ounce of prevention is worth more than a pound of cure.”
In March 2020, the NY SHIELD Act came into effect for New York State businesses and for all companies nationwide that hold customer information of New York State residents. There are no exceptions.
The new law illustrates that all businesses, everywhere, need to be aware of cybersecurity best practices, both in their internal operations and in their interactions with other companies. In 2020, amid the global COVID-19 crisis, the idea that “ignorance is bliss” in cybersecurity and compliance is passé.
The NY SHIELD Act requires you to:
- Report data breaches to your clients and other agencies;
- Conduct a thorough and accurate risk assessment of your internal and external risks;
- Create and implement security policies and procedures to reduce those risks; and
- Provide ongoing training, review, and monitoring of your security environment.
Depending on where you operate, your documentation may also need to meet compliance laws that apply to financial institutions, such as the Federal Trade Commission’s Safeguards Rule, IRS security requirements, the New York Department of Financial Services Cybersecurity Rule, possibly the Health Insurance Portability and Accountability Act, and more.
Apart from the health care industry, nobody holds as much sensitive nonpublic information as tax professionals, CPAs, EAs, wealth and investment advisors, and other financial institutions. These businesses come in all shapes and sizes, from single practitioners to firms with dozens of employees or more.
The risks don’t change with size. Each owner, regardless of their business’s size, needs to know what their risks are. They need a plan to reduce those risks and protect against reasonably anticipated threats. If a team of elite hackers chose to target a business persistently, they could get into almost anyone’s systems. Still, nobody wants to be the low-hanging fruit for the myriad experienced or amateur hackers, or even the automated threats, that scour the internet 24/7/365 looking for targets. Even a petty thief who steals a password-protected laptop can find someone able to get into it if the device isn’t otherwise secured.
Even with robust security, you may need to prove to the government that you have assessed and managed your risks and have the appropriate policies and procedures in place. Otherwise, you risk more severe consequences.
For more information visit: https://www.accountingtoday.com/opinion/why-cybersecurity-should-mean-everything-to-every-tax-professional