United States Government regulations require Tax Practitioners and Medical Practitioners to be Cybersecurity Compliance with IRS and HIPAA standards. This includes businesses with as little as 1 employee, such as CPAs, Bookkeepers, Dentists, Chiropractors, Optometrists, Otolaryngologists, etc.
Financial advisors, real estate appraisers, loan brokers, and mortgage lenders who have their clients’ Personal Identifiable Information (PII) and various financial information are required to be cybersecurity compliant in accordance with Gramm-Leach-Bliley Act (GLBA) as of June 2023. Failure to comply with the GLBA can be severe, with penalties as large as $100,000 per violation/client. Owners and officers of the company can face up to five years in prison. While prison time is unlikely, the fines are very likely for those who ignore their cybersecurity compliance obligation. The level of those fines will depend on your culpability in the cyberattack. The GLBA cybersecurity requirements are basically the same as the IRS and HIPAA, because the cyber threat they face is the same. In fact, all three points to FTC and NIST websites for further clarification.
Over the years, their cybersecurity requirements have become easier to understand for people without a working knowledge of IT and human engineered cyberattacks. This has removed the most common excuse “I didn’t understand what was required”.
One requirement that is not so clear is the Written Information Security Plan (WISP). In June 2023, the IRS required all tax practitioners to have a “valid” Written Information Security Plan (WISP) or face huge fines. HIPAA also recommends medical practitioners have a Written Information Security Plan (WISP). To clearly understand that is required to create a valid WISP, you must have a working knowledge of IT and the patience to wade through over 290 pages of material on IRS, HIPAA, FTC and NIST websites. This is why you need the help of a cybersecurity specialist, to create a valid WISP.
Depending on the size of your business, some allowances can be made. In addition to avoiding fines and mitigating client lawsuits, compliance can better protect the business from the business disruption cyberattacks often create.
Government contractors can be subjected to similar cybersecurity compliance requirements. These cybersecurity requirements are often more aggressive and comprehensive depending on which government agency you are working with. Starphyre can help you understand what is required and provide you with the services you need for compliance.