With stories of new data breaches hitting the headlines every day, it’s no wonder that people who aren’t cybersecurity professionals feel overwhelmed. IBM reports that worldwide the average cost of a data breach in 2024 is $4.9 million, a 10% increase over 2023. The report says in the U.S., the cost is nearly twice that amount. Among industries, the average cost in the financial sector is $6.1 million per incident. These figures don’t take into account the damage done to a company’s reputation by a cybersecurity incident, which can be substantial.
In a recent webinar, Oak Street Funding’s Vice President of Strategic Markets Jason Gaskell, spoke with Aaron Toops, the co-founder and CEO of Indianapolis-based AERIFY.io about compliance-as-a-service. They discussed cybersecurity trends and how to conquer compliance.
Phishing, a scam where company personnel are tricked into opening phony emails, accounts for 41% of all cybersecurity incidents and is the most common route by which bad actors gain access to company systems. Once opened, these emails can lead to the installation of malware, the potential for ransomware attacks, and a variety of other problems.
Often, phishing attacks deploy social engineering tactics to get recipients to open emails, click on links, or divulge sensitive information such as passwords. Social engineering takes advantage of human nature to get people to take actions that are not in their best interest, playing on fear, compassion, greed, or a wish to comply with (perceived) authority. Notably, IBM reports that increasingly cybercriminals are “logging in rather than hacking into networks through valid accounts,” often using credentials given to them through false pretenses.
A common form of phishing involves a bad actor posing as a routine client or vendor, who redirects otherwise routine wire transfers from the appropriate recipient to themselves. These efforts cost businesses billions of dollars every year, according to Tessian, a Boston-based cybersecurity firm.
To help protect consumers and their data, Congress passed the Gramm-Leach-Bliley Act, which empowered the Federal Trade Commission (FTC) to develop regulations related to how data must be handled and protected. The FTC, in turn, produced a set of guidelines known as the FTC Safeguards Rule, which must be followed by any business or individual that meets their definition of a “financial institution.”
Businesses that fall under that definition include “companies that offer consumers financial products or services like loans, financial or investment advice, or insurance,” which would encompass Registered Investment Advisors, CPAs, and independent insurance agencies. Running a busy practice or agency while trying to maintain compliance with the FTC’s safeguards is challenging, so many people are turning to compliance-as-a-service as a way of protecting their data and their clients’.
According to Toops, outsourcing compliance is a lot like outsourcing IT. “What we are doing for our clients is really trying to help them organize their thoughts and their businesses with a nod to compliance, specifically with … folks who fall under the FTC Safeguards Rule,” said Toops. Businesses that fall under the rule need to comply with nine major requirements, he added, including things like encrypting drives that contain personally identifiable information (PII) and using secure portals to ensure that only authorized users are allowed to access certain information.
Services provided by compliance-as-a-service companies include bringing in third parties to do penetration testing and vulnerability scanning. They also develop action plans based on identified vulnerabilities and help clients develop policies to protect data and stay in compliance.
A basic compliance requirement – one that is especially pertinent for CPAs – is having a Written Information Security Plan (WISP) done. Before a CPA can get a Preparer Tax Identification Number (PTIN), they must certify that they have a WISP in place. Without it, they cannot get their PTIN and cannot file taxes for their clients.
A WISP is a natural place to start for any business in developing their cybersecurity compliance plan, not just a CPA firm. "WISP is really the entryway to ultimately achieving the goal of FTC safeguard compliance. The WISP is the guiding foundation,” said Toops. It names a person in charge of the security plan. It’s a guide for what to do should disaster strike. “So the WISP is like the manual, at least the table of contents, to the actual plan of ultimately what will become FTC safeguard compliance,” Toops said.
Toops pointed out that a WISP doesn’t prevent a breach, but it helps a company navigate a breach. It helps a company “put the fire out before it burns the whole house down,” Toops said. His company focuses very hard on getting a WISP in place before moving on to other areas of compliance.
Artificial intelligence (AI) is interesting in that it poses both new risks to cybersecurity and new ways of combatting it. As Toops said in the webinar, “right now, AI is truly the wild, wild west.” There is very little guidance from Congress about what’s required to protect client information when using AI-based technology. He indicated that having home-grown guidelines in place for the safe use of AI will make it easier to comply once federal regulations are put in place. Then it will only be a matter of making tweaks to the plan rather than having to build a plan from the ground up.
Compliance is now a permanent part of the landscape of doing business. It’s not just a matter of becoming compliant, but of staying compliant. Finding a trusted partner who can help guide a company through today’s requirements and tomorrow’s new demands is important for businesses that do not have the resources to manage this important set of tasks in house.
Disclaimer: Please note, Oak Street Funding does not provide legal or tax advice. This blog is for informational purposes only. It is not a statement of fact or recommendation, does not constitute an offer for a loan, professional or legal or tax advice or legal opinion and should not be used as a substitute for obtaining valuation services or professional, legal or tax advice.