Have you asked your Fractional CFO for their Written Information Security Plan (WISP)? Do you even know what a WISP is? Let’s take a look at what a WISP is, what it contains, and why it matters to financial firms and their clients alike.
Cybersecurity is Always in the News
Cybersecurity is a major topic for companies all over the world. We all are getting near daily notifications of data breaches, where our personal information is being exposed or stolen by criminals.
And what more attractive target than a financial services firm? Seriously, financial firms are target-rich environments, holding lots of personal information like names, social security numbers, and addresses, plus things like salary, familial relationships, and the answers to a lot of security questions.
So while it’s important for all companies to have a robust cybersecurity plan, it’s required for financial firms.
And not just as a good business practice, but also because the IRS and the FTC require formal policies called Written Information Security Plans.
What’s a Written Information Security Plan?
Under the Gramm-Leach-Bliley Act, financial institutions must be able to explain their information-sharing practices to customers and how they safeguard sensitive data.
The Federal Trade Commission was tasked with enforcing the law and created the Standards for Safeguarding Customer Information, or the Safeguards Rule for short. The Safeguards Rule originally took effect back in 2003 and was amended in 2021 to reflect advances in technology.
What “Financial Institutions” are Covered?
The first question we have to ask is what a “financial institution” is. You are probably thinking of a major bank or credit card company, but under the GLB, “financial institutions” go far beyond banks and credit cards.
Under the Safeguards Rule, financial institution means “any institution the business of which is engaging in any activity that is financial in nature or incidental to such financial activities… An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution.” (Emphasis added)
The rule lists 13 different examples:
- Retailer extending credit by issuing its own credit card
- Automobile dealership leasing vehicles
- Personal property or real estate appraiser
- Career counselor for financial institutions or for people seeking careers with the same
- Company that prints or sells checks
- Money transferor (wires money)
- Check cashing business
- An accountant or other tax preparation service
- Travel agency in connection with financial services
- Real estate settlement services
- Mortgage broker
- Investment advisors and credit counseling services
- Finders (companies bringing together buyers and sellers of any product or service for transactions)
State privacy laws, such as California’s Consumer Privacy Act and New York’s SHIELD Act, often have similar requirements to the federal rules to protect consumer data, including having a formal WISP.
What is in a Written Information Security Plan?
A WISP is the formal documentation of a company’s information security program. It should be appropriate to the size and complexity of the business, and take into account the nature and scope of the services provided and the sensitivity of the information.
Much like an analysis of reasonable accommodations under the Americans with Disabilities Act, the complexity of the WISP and the protections it requires will vary for every business and activity. In particular, there are formal exemptions for small companies holding limited amounts of sensitive data, covering how detailed their plans need to be and whether vulnerability testing is required.
Common elements of a WISP include:
- Risk assessment of what data is stored and where
- Analysis of the sensitivity of the data
- How the company protects the data, including things like multi-factor authentication, how it handles offboarding employees, and the technology employed to prevent unauthorized access to or disclosure of sensitive information
- Identification of the person responsible for the security program
- Disposal of information
- Regular monitoring and testing
- Training staff
Why a WISP is Important for Fractional CFOs
We all know that cybersecurity is important. We never want to be on the front page of the newspaper (ok, the front page of the major news websites these days) as the next data breach. Going through the investigation and notification process is expensive, as is the reputational damage, to the tune of $5 million to $10 million per breach for financial institutions.
A WISP is designed to make us proactive in thinking about the data we receive, how we receive it (saying no to unsecured email attachments, for example), and what we do with it afterwards.
Then there are the times we have to deal with regulators, like the IRS or other federal agencies, where we will be asked if we have a WISP. In order to get a PTIN (preparer tax identification number), paid tax preparers have to certify that they have a WISP in place. In other conversations with the IRS, the same question has been put to third-party representatives like CPAs and lawyers, even when they are not preparing tax returns.
Why a WISP is Important to Business Clients
Businesses hand over important, non-public, and confidential information to their Fractional CFO. And it’s not just their own data, but also that of their employees, customers, and vendors.
These clients want to know that cybersecurity matters to the firms they work with. And while we cannot guarantee that there will never be a breach, we can take measures to prevent breaches and to ensure that, if one does happen, the data exposed is minimized.
For our clients, knowing that we take information security seriously can make or break the deal. That’s why Springboard Legal has a Written Information Security Plan in place, which is available for review by clients and potential clients.
Want to work with a Fractional CFO that takes cybersecurity seriously? Then let’s talk!