IRS Releases Part 1 of a Five-Part Security Summit Tips for Tax Professionals

On July 21, 2020, the IRS and its Security Summit partners issued specific guidance to help tax professionals implement basic security measures. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to remain in a heightened state of alertness, as cybercriminals remain active during COVID-19 and prey on vulnerabilities during this time. The IRS, state tax agencies and the nation’s tax industry created a five-part series called Working Virtually: Protecting Tax Data at Home and at Work.

Because many tax professionals are working from home, this five-part series is designed to walk practitioners through strategies for assessing and securing their home and office data. The first installment, released on July 21, outlines six basic security steps, the “Security Six,” that every tax professional should take whether working in the office or remotely. The series will continue each Tuesday and end on August 18.

The “Security Six” protections that everyone, especially tax professionals handling sensitive data, should use are:

  1. Anti-virus software. It is essential that professionals purchase anti-virus software that scans computer files or memory for certain patterns that indicate the presence of malicious software, also known as malware. Tax professionals should educate themselves on the type of anti-virus software, also called an anti-malware software package, that they purchase. Additionally, it is best practice to configure the anti-virus software so that it automatically scans specific files or directories in real time, rather than relying on the individual to perform manual scans. Tax professionals also should keep security software set to automatically receive the latest updates to ensure it is always current.

While anti-virus software should protect against spyware, a type of malware that steals sensitive data and passwords without the user’s knowledge, individuals should never:

  • click links with pop-up windows, nor
  • download “free” software from a pop-up, nor
  • follow links that offer anti-spyware software.

This advice also pertains to phishing emails. Never open an email from a suspicious source, click a link in a suspicious email, or open its attachments.

  2. Firewalls. Firewalls provide protection against outside attackers by shielding a computer or network from malicious or unnecessary web traffic and preventing malicious software from accessing systems. According to CISA, firewalls can be configured to block data from certain suspicious locations or applications while allowing relevant and necessary data to pass through.

Properly installing a firewall is not foolproof, however. Cybercriminals love phishing; don’t become the bait! Firewalls cannot protect data if an employee clicks on a link sent in a scam email or text message, or accidentally installs malware. Stay vigilant when reviewing emails and text messages, and make sure your employees are also aware of phishing and malware.

  3. Two-factor authentication. Two-factor authentication is a free security feature that gives a user an extra layer of protection from being hacked, even if a cybercriminal obtains the user’s password. That is because, in addition to entering the password, the user is prompted to enter a security code sent via text message.

Two-factor authentication is a basic security feature all professionals must use. Three-factor authentication is also in use. Tax software providers, email providers and others that require online accounts now offer customers two-factor authentication protections for accessing their accounts. Using the two-factor authentication options offered by tax software providers is critical to protecting client data stored within those systems. Tax pros also can check their email account settings to see if the email provider offers two-factor protections.

  4. Backup software/services. Critical files on computers should routinely be backed up to external sources. This means a copy of the file is made and stored either online, as part of a cloud storage service or similar product, or on an external disk, such as an external hard drive with multiple terabytes of storage capacity. Tax professionals should ensure that taxpayer data that is backed up also is encrypted, for the safety of the taxpayer and the tax pro.
  5. Drive encryption. Given the sensitive client data maintained on tax practitioners’ computers, users should consider drive encryption software for full-disk encryption. Drive encryption, or disk encryption, transforms the data on the computer into files that are unreadable to an unauthorized person who gains access to the computer. Drive encryption may come as a stand-alone security software product. It may also include encryption for removable media, such as a thumb drive and its data.
  6. Virtual Private Network. This is critical for practitioners who work remotely. If a tax firm’s employees must occasionally connect to unknown networks or work from home, establish an encrypted Virtual Private Network (VPN) to allow for a more secure connection. A VPN provides a secure, encrypted tunnel for transmitting data between a remote user and the company network over the Internet. Search for “Best VPNs” to find a legitimate vendor; major technology sites often provide lists of top services.

Review professional insurance policy

The guidance also reminds tax professionals to review their professional insurance policy to see if their business is protected should a cyberattack occur.

As a final note, tax professionals should seek out additional security best practices as recommended by IRS Publication 4557, Safeguarding Taxpayer Data (PDF), and Small Business Information Security: The Fundamentals (PDF) by the National Institute of Standards and Technology.

VW Contributor: Skylar Young
© 2020 Vandenack Weaver LLC
For more information, Contact Us

Legacy ERISA Regulation Triggers Fiduciary Acknowledgement and Disclosures from Plan Advisers

By Monte Schatz

The Department of Labor’s fiduciary rule became effective June 9, 2017. A whole new set of client disclosures will be required for advisers who previously were not operating under the fiduciary standard. Interestingly, many of these disclosure requirements are not mandated by the fiduciary rule itself, but by a regulation that was part of the Employee Retirement Income Security Act of 1974, commonly referred to as ERISA.

29 C.F.R. § 408(b)(2) requires certain pension plan service providers to disclose information about the service providers’ compensation and potential conflicts of interest. Ironically, this regulation was introduced originally as an interim rule in 2010. It was published as a final rule on February 3, 2012. The intent and purpose of the regulation was to assist plan fiduciaries in assessing the reasonableness of compensation paid for services. The disclosure requirements are also designed to help plan fiduciaries act prudently and solely in the interest of the plan’s participants by defraying reasonable expenses of administering the plan and avoiding conflicts of interest.

From 2012 to the present day, brokers and other non-fiduciary providers to ERISA retirement plans largely did not disclose that they were fiduciaries. However, with the institution of the fiduciary rule, the status of those types of advisers has been elevated to the fiduciary standard, which triggers the new disclosure requirements. This subjects those groups to covered provider status. The three major categories of covered service providers include:

(1) fiduciary investment managers and advisors,

(2) record keeping platforms and broker/dealers, and

(3) providers of other types of services that also receive revenue sharing payments or other “indirect” compensation other than from the plan or plan sponsor.

The groups that fall under the provisions of 408(b)(2) must provide updated disclosures to plan fiduciaries within 60 days from the date on which the covered service provider is informed of such a change in status. The 60-day standard is vague, as it does not define whether the period runs from June 9, 2017 or from the first day an adviser makes an investment recommendation after June 9. The general consensus is to take the conservative approach: begin providing updated disclosures immediately and assume the 60-day clock runs from June 9, 2017.

For advisers who previously have operated under the fiduciary standard, the 408(b)(2) requirements will be “business as usual.” For advisers that are new to the fiduciary standard, it is imperative that they provide the required disclosures in a concise and understandable one-page format. Previous plan adviser agreements that placed disclosures in multiple documents will no longer satisfy the disclosure requirements that are a critical part of the fiduciary rule.

© 2017 Vandenack Weaver LLC