Ep. 9 | Securing Success: Navigating Cybersecurity in Tax Practices

Intro:

Welcome to the Mr. R Show, brought to you by the Monthly Recurring Revenue Institute. If you're an accounting firm owner or manager seeking harmony between work and life while optimizing profitability, you're in the right place. Our goal: to empower you with the knowledge and tools necessary to enhance both your personal and financial well-being. In every episode, we bring you insights from esteemed individuals in the field who share their valuable expertise and practical steps. Join us on this journey as we collaborate to revolutionize your business and enrich your life.

John Tripolsky:

Hey, everybody. Welcome back to the Mr. R Show presented by the Monthly Recurring Revenue Institute. On today's topic, we are gonna dive directly into somewhat of a hot topic. Well, we won't say hot in a bad way, but it is a very interesting topic.

John Tripolsky:

A lot of engagement online, social media, newsletters, etcetera, you are probably getting flooded with information on protecting client data. So, basically, the modern day cybersecurity issues that are plaguing, in a sense, tax professionals and their practices. So this goes far beyond somebody stealing your iPhone and getting your emergency contact information. We are talking about how you can best protect and which you will hear shortly, how are you required now and moving forward to start protecting all of this client data that you, the tax professional, have really been entrusted with to hold secure, hold tight for your clients. We are gonna dive into this with none other than Brad Messner.

John Tripolsky:

So if that name doesn't sound familiar, you've been living under a rock. All joking aside, Brad is actually one of the most knowledgeable people that Chris and myself found, in our list of contacts that really knows this topic so well. Brad has been an educator on this, and, really, you'll hear a little bit more too about his practice, his business efforts, and everything that he's doing around helping fellow tax professionals with this. So hang tight. Grab that pen.

John Tripolsky:

Grab that paper like I always like to say. Get ready for this episode of the Mr. R Show. Let's get into it. This is a great topic we're gonna talk about.

John Tripolsky:

I know I always say that all the time and then a reference that I always say that all the time. But this is something we are gonna dive deep into today that is incredibly, incredibly important for not only a successful practice, but also some happy clients. So we always bring the best people we can think of to hit on these topics. Chris Picciurro is obviously here with us. Chris, how's it going, man?

Chris Picciurro:

It's great to be back, Johnny T. How are you?

John Tripolsky:

Hey. I'm doing good. I'm doing good. And and thank you, Chris, honestly, for introducing us to our guest today, who's gonna really, really dive into this, give us all the information, pun intended, which you will realize here very short. Again, as as we mentioned in the intro, today, we're really gonna take a look at data or some reference it as information security, the importance of it, some tips and tricks maybe around this a little bit, maybe some, some maybe horror slash success stories we might be able to hear.

John Tripolsky:

We might get out of the weeds a little bit from our guest here. But without further ado, Brad Messer, how we doing today, my man? Welcome welcome to the Mr. R Show.

Brad Messer:

No. Thank you very, very much. I'm really excited to be here. And, yeah, I'm super excited to start talking about information security and, honestly, how it has impacted our industry and where it's going from here.

John Tripolsky:

Awesome, man. And and, honestly, let's start off maybe on the topic for, you know, somebody who maybe has been in this industry specifically for, say, a couple decades and obviously somebody that's newer into it, let's define actually what is all, quote, unquote, encompassed in data security. So when people hear that term, what are they actually hearing or what is being referenced in your words?

Brad Messer:

No. That that's that's actually a great place to start because I think people have a misguided understanding of what security truly means. And when we talk about information or data security, or even as some folks say cybersecurity, we're really talking about the entire breadth of our, all of our systems, how they interconnect, how we protect and safeguard the data, how we even going back to the late nineties, how we seek approval and authorization to release that information. And a lot of these requirements have been in place for in some cases decades, but now the IRS is finally catching up and saying, hold on. We need to actually start holding people accountable for this because we now live in a society where information has extreme value.

Brad Messer:

And having one firm compromised can literally compromise thousands of individuals' identities. And on the dark web or to malicious players, we're talking tens of thousands, if not hundreds of thousands of dollars worth of of information.

John Tripolsky:

And, Brad, it's it's interesting too. Anytime I hear about data being lost or mishandled, it's my mind immediately goes to the old not sayings, but, you know, oh, well, we can't find any records on this person, this building, this home in this old town because, you know, city hall burnt down. So it it's a little bit different compared to, you know, what the case hundred years ago was things being lost. Now where information's actually being sourced, potentially sold, sold again, resold again, mishandled. There's this whole string of kind of unfortunate events which could happen, which really drives all from the handling of it in the first place.

John Tripolsky:

So from really from a tax practice perspective, say somebody gets a new client, you know, they're they're in onboarding them. You know, maybe and, Chris, you might be able to speak to this too. You know, ten, even fifteen, twenty years ago, I'm sure you guys had just file folders, right, of of people's, we'll say, private information. Right? Oh, yeah.

John Tripolsky:

No.

Chris Picciurro:

I mean, we've been in doing this, running a practice for over twenty years. I know. I was a Doogie Howser of tax. Right? So I started this when I was 12.

Chris Picciurro:

Unfortunately, that's not true. But, yeah, absolutely. We had we had source documents in in the in those Manila folders, and tax returns got mailed out. But but before I move forward, I I wanna say a personal thank you for to Brad for coming on. Many of you know he is, he's royalty in the tax professional field.

Chris Picciurro:

We always say you don't have to be or, you know, just because you get paid doesn't make you a pro, but he is a pro's pro. You know, I'm gonna brag on him for one one second. We're talking to the National Association of Tax Professionals, tax professional of the year for 2023, and the NATP has over 24,000 members. So it's hard enough to become, like, your the best or the the tax pro of your local area, let alone the NATP. What I love about him having him on the show is, he's a third generation tax professional.

Chris Picciurro:

So when you listen to him, tax pros and if you're not a tax pro listening to this show, I don't know. That'd be rare. You must really love us because my parents don't even listen to this. But but, but he's speaking from experience. He's in the trenches like like one of us.

Chris Picciurro:

And, John, a lot of times, will bounce things off me as being someone that was that's been in the trenches. And, John, you are right. We used to collect paper, and we used to have all of our there's no technology stack. There is a if you are really fat and sassy, you might have a server in your office, and things were on PCs. And one of the things I've mentioned on this podcast, is that that I'd learned from one of our clients, and we have to understand as practitioners, is that stress is expensive.

Chris Picciurro:

Remember, I always say that stress is expensive? But now I'm gonna steal this. Information is valuable, and if you think about a lot of the the information that you have, it is valuable in many ways as far as helping grow a client base, working with clients to, dive deeper and lean into that relationship for other opportunities, But, also, it comes with a lot of responsibility. So, but, yeah, that that's you're right, John. We used to put thing you know, things used to be on paper.

John Tripolsky:

So And then, Brad, I guess a a question for you too, maybe segueing off of that. You know, I think of, you know, I've been in the marketing space for a while. So we think of, you know, data is very important to us as marketers. The more we know about somebody, you know, the more we can target them, the better result, you know, we we'd get for our clients, etcetera, etcetera. So as data's lost on one end, you know, we're talking about it being resold and, you know, unfortunately, maliciously used in some case.

John Tripolsky:

I mean, you look at companies even, you know, like Meta, so previously Facebook. I mean, that company is solely based off data. You're for billions and billions and billions of dollars, and it's a data business is really at the end of the day. So for so for tax pros, maybe if you can walk us through, and, again, Chris, to kinda echo what you said, you know, to put Brad on even, you know, a bigger pedestal. If anybody's just listed this, he literally just put his digital crown on, and he's wearing it.

John Tripolsky:

Right? Not really, but that would have been hilarious if you would have done that. So so, yes, this guy knows exactly what he's talking about. So write down these notes, because they will be very important. And and we'll talk about some of the the newer requirements here shortly as we move along, you know, from the IRS.

John Tripolsky:

So there is some very important information. Again, kind of pun intended, a little bit. But maybe walk us through. Let's look at it from a preexisting practice, maybe. You know?

John Tripolsky:

Say that say it is somebody that's still in a very antiquated system of, you know, writing down information. You know? What would be maybe your suggestions on how they could transition or modernize and really just get up to really the requirements now from the IRS? And then after we get that long, if we have some time, obviously, maybe let's look at it from a perspective of somebody who's getting in the in the industry and maybe the best places or the best practices, to start with right out of the gate. So I'll kinda turn the baton over to you for a little bit.

Brad Messer:

Yeah. Absolutely. And I think the one probably the biggest roadblock I see most people face is that they think they have to be perfect. And they're striving just from point one hitting like that ultimate endpoint. And when we're talking about security, this is a constantly evolving and changing field.

Brad Messer:

I mean, we saw in the more recent history what MGM Entertainment Group went through, And they're now experiencing over a billion dollars of added cost due to that data breach. A couple years ago, we would not have felt or seen that level of impact. So for a firm that is really trying to digitize or modernize, honestly, the first thing I would say is find a good partner to work with. Because in a lot of cases, most tax professionals are tax professionals. They don't specialize in a lot of these other systems or so forth.

Brad Messer:

And it really, really will do them so much benefit if they can truly focus on that and partner with someone who understands all the upcoming threats, keeping them updated and so forth. I've seen just way too many who have reached out and they're like, I just, I can't figure this out. And it's purely just them. And they haven't tried working or partnering with someone. So I really do highly suggest trying to find that partner so that you can focus on your business.

Brad Messer:

They can partner with you and help you grow and and keep you updated. Like, I I have one client that I've been working with recently, and they have a superb tech company they're working with, but the tech company doesn't understand the accounting space. So they've been bringing that knowledge and understanding to their tech firm so that it really is this, this strong partnership. So that would be my first kind of suggestion would be, don't assume you have to do this alone. Find that local or find that national resource that you can kinda work and partner with.

John Tripolsky:

And when you say a partner in that field, do you mean really like an IT service provider? Is usually

Brad Messer:

IT service provider or an MSP that will kind of that will step in and ultimately just manage your entire environment for you. And that I think is a really good solution at the moment because a lot of people will bring the specialist in. They'll partner with an IT company, get their whole system deployed, and then that person disappears. Mhmm. And as these updates come and these threats continue, they don't have that person who's vested in their business.

Brad Messer:

Whereas with an MSP or a managed service provider, they're constantly connected to your environment and monitoring and watching. So if you did have that 4AM weird blip, most people would be like, oh, I don't know. We had a power outage or something. Whereas they could go in, they could review the logs, and they could truly make sure was it really just the utility outage or was there some sort of vulnerability that was impacted at that moment? So having that that IT partner to work with and when we're when we're saying this, we are meaning true professionals.

Brad Messer:

We see this all the time in the accounting space and the tax pro space with and I see on a lot of Facebook groups, like someone will say, oh, I just got a new self prepared or they they found their information by talking to their neighbor. We're just as guilty of doing that on the IT space. So many people I've talked with have relied upon getting information from a neighbor or the business next door. And I actually just had a, I got a very last minute phone call from a company that suffered a breach. And they were relying on one of the senior partner's college-age grandchildren to manage their entire IT infrastructure. And it was by the time we truly dug into what exactly happened, it was purely, I would say, inexperience that led to their breach. So it really is a matter of finding that true professional who you can partner with on the IT side.

John Tripolsky:

And, Brad, to that point too, I had, one of our friends, you know, we again, being in the marketing space, we had a lot of very diverse clients. We had one of our really close friends was an MSP, and they only focused on law firms and I think doctors for a while. And they ended up taking us on, and it was I can say, we had an office of, I think, nine people at one time. But it was the best. At first, it was kind of we were a little standoffish, like, oh, you know, we really don't, you know, we don't need to spend that right now.

John Tripolsky:

And it wasn't drastically expensive. You know, we were a startup at the time. But I can say this, and and, Chris, to echo what you said as well about stress being expensive. When we started working with them, I think, for one, it just the the amount of warm and fuzzies you get from just your data and info and everything being secure and backed up is huge. But then also too, when there is an issue, you're no longer just, like, looking in the office at who's there and who has any free time and can step in and, you know, help with whatever the issue is, and hope to gosh they actually solve it, and not taking them off off of other tasks too.

John Tripolsky:

So it's the they're not, you know, we're not gonna mention any companies you should contact for this specifically, but do some research, figure them out. You're probably smart enough if you're successful in the tax space. Two examples came into my head that happen all the time out there.

Chris Picciurro:

Do you ever have that client that went and got a living trust put together and never put any of their assets in it? That happens all the time in the tax world. Right? So that's like, oh, I absolutely come in and, you know, set this up for me, but it's not managed. Or do you ever have that client come in and say, hey.

Chris Picciurro:

I formed an LLC, and they bring in their SS4 and and you say, oh, did you start a bank account? Where's your operating agreement? Oh, I didn't I didn't start a bank account. I still do everything the same way. Well, you have nothing in this LLC. Nothing you're not operating in as an LLC. You just paid someone a few hundred dollars probably or, or more.

Chris Picciurro:

And and that's the point is, I think maybe, you know, Brad, and you you mentioned something also. The vast majority of tax professionals are solopreneurs or are run an office with, I would say, one, maybe two owners. So we're a lot of us are out on a dinghy. You know, we don't have a 10 partner firm, and so for us, you know, the the it is intimidating to start and and, like, it's like when you have a list of a hundred things to do, there's so many things you don't do it. You gotta start with the first three.

Chris Picciurro:

So if someone is like John said, let's say they're in, you know, Council Bluffs, Iowa. I'm sure we know someone there. But let's say they're in whatever. It's little Iowa. They have a they're they're on their own.

Chris Picciurro:

They don't have necessarily they might have a seasonal employee. The first step, I mean, is there, like, is there a review or an audit, for lack of a better term, that they could they should have a a third party come in and and look at that their situation?

Brad Messer:

Yeah. No. Ab absolutely. And it it's odd you bring that up because right before we hopped on to record, I was working with someone who had reached out.

Brad Messer:

And this gentleman thought he, again, was solopreneur off on his own. And he thought he was in a really good shape. So we just chatted for a bit and I then provided him with a checklist. And I said, go through this. And this will just kind of give you an idea of really how solid you are at the moment.

Brad Messer:

And in that case, it's like there's zero commitment on any side. It's truly just saying, do a self assessment. Find that good solid checklist of this is what should be in place and self assess. If you don't feel comfortable self assessing, then that immediately is the red flag that, okay, I do need to get a third party to come in. Because if I can't answer certain basic questions, then I really do need someone to come in and help me manage this.

Brad Messer:

But yeah, go through that initial checklist and hopefully it comes back a little more positive than you were expecting. I've had quite a few when they look at some of these checklists that they're thinking, oh my gosh, like I'm gonna fail. And they realize they're not in terrible shape. And then that checklist serves, well, here's everything we're doing well, but now here's a collection of items that we need to improve on. And I always suggest from that point, pick two or three that are easy, quick wins, just to build that momentum, that whole snowball effect.

Brad Messer:

And then come up with a plan to move the others forward. So, again, it's not about having everything done. It's about acknowledging and recognizing where you need to improve and coming up with a plan to resolve that.

Chris Picciurro:

Right. It's it's like, you know, we talk about practice management a lot. And I've for me, I always have the before I leave, you know, where I'm working, then it could be remote or wherever. I have the first three things I'm gonna do the next day written down is the first one's gonna be really difficult, some I really didn't wanna do, and then the next two are gonna be easy wins, layups. Now I've got some momentum going. What are in in that's the that's a great point.

Chris Picciurro:

It's almost like when when you're working with a client and and let's say they start engaging, you know, you're getting involved with their financial advisor and the financial advisor says, hey. Have you you know, what kind of life insurance do you have? And they say, oh, my husband has it from work. Okay. Can you give me detail?

Chris Picciurro:

I really don't know what it is. Well, that okay. That's not good. Right? But if they have a good idea of it, then that you know, just like when you do that self assessment.

Chris Picciurro:

I'm gonna ask specifically on a couple pieces of technology that we we as tax professionals should be thinking about, because we you know, Brad, you you and I hear a lot of other practitioners talking about two things a lot. One, tax preparation software. Two, task management slash CRM. And a lot of times, they're talking about the functionality, the mostly the price, which I've got a soapbox about tax prep software. I don't think you should go cheaper on it.

Chris Picciurro:

If you if you're worried about the price, then your prices are too low. But that's another that's another show topic. But for a data security standpoint, what are the some of the things that they should be asking? And we know the major players out there, the software you know, the tax preparation software companies and then also the the the CRM task management companies.

Brad Messer:

Yeah. So when we look at the when we look at the tax preparation side, it is definitely clear that there are multiple layers or levels of quality across some of these products. And to your point, a lot of people just focus on the price and not necessarily some of the additional features. And one thing I always suggest, if you're evaluating software, call the help desk and start talking to them about how to handle a situation. Like one of the one of the software products out there, their recommendation for sharing a return with a client is actually a built in piece of functionality that emails that client those documents.

Brad Messer:

And even the IRS publications have come out and directly stated that even if the file is encrypted, that sending an email is not a secure means of communication. And this software product was point blank through their support help or their support center suggesting that. So that's usually one of my quick resolutions is I tell people call their help desk and just ask how to how would I send this to a client? Or how would I go about doing x y or z? And if it feels a little sketch and that's probably not a good solution to move forward with.

Brad Messer:

The other thing I also look at with software is how complicated does it make it on the user end? Because this is our industry. We, we have to adapt no matter what. If we make it too difficult for the end user, we don't wanna risk losing those clients that are good clients, purely because the system we have in place, isn't a good solution for them. And I see that a lot with some of the per the tax preparation software, because it's some of it's very clunky.

Brad Messer:

Some of it is, is not as, and I know we'll talk about automation in a second, but not as easier or automated to work in. And now you're going back and forth a lot more with the clients. And as we communicate details with clients, it just continually opens that small door for them to say, oh, well, I'm, I know we were just talking, but I just sent you a quick email on that. And you're panicking thinking, oh my gosh, why did you email? We were on the phone.

Brad Messer:

But I really do encourage, ask questions about the security, ask where their backups are stored, ask how often they back up, and then even ask, especially if you're a solo practitioner, ask what third parties your software is supported by. For example, which one of the MSPs partner with your company? There's quite a few service providers focused on the accounting space. Not all of them support all of the different software floating out there. And I always ask on both sides, why?

Brad Messer:

And one time, I actually had one of the MSPs tell me, well, we, we weren't comfortable with the security protocols they had in place. We could not accommodate the, their environment while keeping ours secure to our expected levels. So just asking point blank, especially sneaking in through the help desk side. I know that sounds a little sneaky, but it's our client's data that we do have to we have to protect.

John Tripolsky:

And, Brad, that's actually a great suggestion. I've never I can't say I've ever thought about that even just with any any service provider. Right? Because, I mean, it's almost like buying a car in a sense. You might have a really good salesman that you talk to, but the service center is only open two hours a day and, you know, they're kind of a broken system.

John Tripolsky:

So you're kind of No. You're kind and you don't figure that out until you need it, unfortunately. Right? And you you mentioned a couple things there too with I mean, if we can if we can still kinda hover around the topic or the scenario of somebody who's been in the industry for a while, has been doing it the old way, which they're comfortable with, their clients are comfortable with. They're comfortable, you know, operating that way.

John Tripolsky:

They're afraid to change because they don't wanna turn off any clients. They may be afraid to just being able to speak to that change. And and a couple things you mentioned there are really important, and I'd love to kinda reiterate these a little bit is if we can maybe expand on maybe some experiences that you've seen that tax pros have have had, good or bad, on just going from, we'll say, spreadsheets of information, just flash drives full of documents and and etcetera to transitioning to something that's more con more secure. But then maybe how they communicated that to their clients and and, obviously, as as you alluded to, as everybody knows, there's always that balancing act of, well, this is what the gold standard is now, which we need to be, but does it become a real pain in the you know what for our clients to where it's a turn off? So if you had some examples, maybe you could share with us there or or even just, you know, make one up, change some names.

John Tripolsky:

I'd love to walk walk our listeners through that because I've heard that actually in person from some people where they're like, oh, you know, it's we'll kick the can down the road. We'll deal with it later. I'm more focused on sales right now than I am security in a sense. So

Brad Messer:

No. And, I mean, there there are so many examples that I mean, it's actually probably hard to pick a couple, but one of one of the examples, and this is slightly more on the automation than the preparation side, but the number of emails or the number of points of touch or communication with a lot of these systems drastically changes. So for example, someone that has been slightly on the more manual side, they may acknowledge when they receive a return. They will then reach out when that return is being finalized or processed. Now that those documents come in, and as soon as they come in, the client's immediately getting three or four emails.

Brad Messer:

And then they're getting reminders and they're getting touch points. And then the return starts getting worked on and it it removes some of the limbo, but it creates a more detailed limbo. And and that I think is where there really does need to be added communication and customer relationship. And that's where Chris a moment ago had mentioned about CRMs, because I think people look to some of this technology as being this like this point of perfection. And we've actually gotten more clients coming to our firm from highly automated firms because it just felt so unhuman.

Brad Messer:

And I hate saying inhuman, but it just, they, they, they felt the lack of human touch. And to this one point they said, if I didn't want to talk or work with someone, I could have just done this myself. I like working with someone. I like getting that extra comfort. And that's a lot of what we're seeing is they're not communicating directly.

Brad Messer:

They're relying on technology to handle the client relationship. And I worked in technology for years in the travel space. And one of the points that travel got to was almost every travel management company out there had the same technology. And it was very easy to then switch from one company to another to another. What started becoming that little tip of the hat was how they handled it from the actual human side.

Brad Messer:

So we're kind of getting to a similar point here where we're, we're trying to add so much technology that we're remu, we're removing that human touch. And when it's only tech versus human with our clients, the security side also falls in the background too. Because if we add too many layers of security into automation processes, the clients don't wanna deal with it. And it creates a barrier.

Brad Messer:

So coming up with that nice balance is really the, the key point we need at the moment. And I'm not seeing too many. I feel like we're at a divisive point and we're saying we need 100% human interaction or we need full automation. I'm not seeing too many step in and say, the, the key point might actually be that middle section where we can provide that comfort, but we also have the tech to back up our processes and services and so forth.

Chris Picciurro:

And, you know, that's a great point in our private practice. What we're what we're really working on and we've gotten some had some successes is try to automate the data collection process Isn't it? But the actual interpersonal communication, let's be as face to face as possible. It it might be you know, and ours is virtual because our tilt is real estate, but, you know, we've created some tools with, that that people can go face to face with. We created something called CPA Urgent Care.

Chris Picciurro:

So three days a week, a client can go face to face with one of us. And and what we found is a set of clients setting up hour long meetings, or forty five minute meetings, the average the average stay in our CPA urgent care service is nine minutes. The average wait time is less than three minutes. And it's been phenomenal.

Brad Messer:

They probably leave happy because they got in. They got their answer. They didn't feel like they had to schedule something two weeks out. And mentally, as much as they realized they got your time, they really didn't need that whole hour scheduled.

Brad Messer:

But they got their answer very quickly. So, no, I love that model, and it makes you feel very accessible to them as well.

Chris Picciurro:

Yes. And, you know, it's like in sports. The availability is sometimes your best ability. And, you know, we've got to yeah. So that's just, you know, that's just the one hack that we have.

Chris Picciurro:

We also were committed to replying to any type of communication within one business day, but the CPA urgent care has been, phenomenal. You know? And that's No. That's awesome. That's been great.

Chris Picciurro:

On the tax prep software, just kinda thinking it from the practitioner standpoint, when I first started, the few first few years, I was on a desktop. Then about eighteen years ago, we went to a hosted desktop for a lot of our, for let's say, say, I'm just talking about let's just focus on tax preparation software for now. Yep. Then about we're only in the hosted desktop for probably five years, and we've been we've been in the cloud for a long time. I don't know.

Chris Picciurro:

Almost ten years now. Well, maybe whatever. Mhmm. Cloud based. Obviously, I get to I get the privilege of talking to a lot of tax professionals and tax practitioners throughout my course of the year, and a lot an alarming amount to me are still on a desktop.

Chris Picciurro:

Mhmm. And and, you know, it's and there's there's many reasons. It could be cost. It could be that they don't they feel that it's unsafe to be in the cloud. I mean, I'm not here to ask which one's right or which one's wrong.

Chris Picciurro:

I'm I'm asking, what are some of the considerations that someone might want to think about if they if they feel like, what are some of the risks on being on a desktop only for their tax prep software that they might not be thinking of? And then what are some of the considerations if they want to move over to a either, a completely cloud based or or a hosted environment?

Brad Messer:

No. Absolutely. And this is probably one of the top questions I get asked at a lot of different conferences I attend. And my initial response, and people usually hate this, is the same thing we say to our clients all the time: it depends. But it really truly does. So for example, especially if you are that solo practitioner, yet, you may think, oh, well, I can save some money.

Brad Messer:

Or, It's only me. So, having everything on my laptop is great. But, it's also creating that one point of risk or failure. If that equipment gets stolen or if it is a laptop, laptop hardware has much lower resiliency than desktop hardware. So you're putting all of your data onto this piece of equipment that is known to have increased failure rates.

Brad Messer:

And even if you do have solid backup, do you really want to spend your time focused on trying to recover backup data and switch to a new piece of equipment? So there is definitely reasons for for someone to really consider that migration to a cloud environment, especially for that solo practitioner. The other side I look at is it cuts ties from me always having to have that specific piece of hardware. So for example, I travel a lot and I travel to some super sketchy areas. And when I travel to some of these really questionable areas, I don't want to carry a $2,000 piece of equipment.

Brad Messer:

I have a $200 Chromebook that allows me to remote into systems that I need to access in an emergency. So there are some good sides, but I will also say it's very environment based. So where we're at, we fluctuate between ten and fifteen employees. Our office location is right by a major highway, and we lose utilities constantly. So for us to have requirements on a dedicated high speed Internet connection, it puts our business at risk because at least three times a week, we have an Internet blip in our office.

Brad Messer:

Purely because there was an accident or there was this excessive traffic just for whatever reason. So for us, it's actually made more sense for us to have a physical environment. But especially if someone is not super tech savvy, having that hosted environment gives you that kind of hidden team in the background that is managing and monitoring your systems constantly. So if you are that person that doesn't feel super comfortable with tech, having that hosted environment, while it may not be your typical go to comfort zone, should give that added comfort of, oh my gosh, like I have this entire team of people who are experts in this specific area that are managing this. And I had, there was a Facebook post a few months ago and we were talking specifically about this and whether or not people should be moving to the cloud or at the point there had just been a relatively large cloud breach.

Brad Messer:

So folks were like, oh, I'm moving entirely off the cloud. And I brought up the concern. Well, what if someone breaks in and steals your laptop? Their response was, well, they would never get through. I have two very large dogs.

Brad Messer:

And I'm thinking That is not what I wanna write in my security plan Yeah. As much safety net for data ingestion.

John Tripolsky:

That's actually I could see it. I could try to illustrate that. Be like, well, here you know, here's 10 lines where you could fill in that description. It's just two pictures, right, of, like, two dogs and then be like, what is this? And then But they're Rottweiler.

John Tripolsky:

Rob. Which are actually some of the sweetest dogs if you coax them

Brad Messer:

with it. So it everything changes. And that and that right there is yeah. You might be able to get them to show their teeth and look nasty on TV, but you throw a couple treats at a lot of these dogs, and they'll roll over

John Tripolsky:

and let you rub their belly in a second. Right. Right. And even and and, Brad, so here I I definitely do wanna touch on two very important topics before that. I mean, I have I I feel like we could have this discussion, three of us, for probably four hours, which is great because we've all kind of been in it from different angles just as technology has progressed in time and, you know, the whole working remote has drastically changed a lot of things as far as for accessing data.

John Tripolsky:

I do wanna put it out there. I definitely wanna talk about WISP. If you're not familiar with that, we're gonna describe what that acronym is. But then also the FTC Safeguards Rule, which I think was 2023. So I wanna talk about those two things.

John Tripolsky:

But before we do that, I know, if anybody's out there looking for an MSP, so that's a managed service provider. Again, there it's a great resource, for them. I mean but everybody who spends any time online will as soon as you search for that, you're gonna see a ton of ads pop up, and you could thank the marketers like myself for completely taking everything that you're interested in and throwing it all in your face. They'll see things like Dropbox, Box, iCloud storage, Google storage, all the stuff they'll AWS, Amazon Web Servers, All the stuff will start popping up. And a lot of it, I almost guarantee it's gonna trigger and start saying that it's HIPAA compliant, which is not related.

John Tripolsky:

HIPAA is, everybody knows, is medical, medical patient records. But maybe maybe just do a little bit of comparison and contrast just on that. Because, to be honest, if I was an unethical hacker, I would look at alright. I want the most valuable information I can get with the lowest amount of effort. Right?

John Tripolsky:

So am I gonna target a hospital system, or am I gonna target a two person tax pro office? But if you think about it, I would almost I mean, not giving any hackers any advice out there, but do you talk about low hanging fruit? Right? I would almost bet the farm that a lot of these tax practitioners, these offices probably don't have the best systems in place as of yet, but then the amount of information they have on an individual is almost second to none. Right?

John Tripolsky:

We're talking family records, spousal information, bank records, social I mean, the list goes on and on and on. Everything besides blood type as of yet. I mean, well, that's a whole another topic. But the amount of value or the the value of the information that y'all have on a person is absolutely incredible, and it is very accessible to some. So, yeah, Brad, if you could do that, just quick comparison between HIPAA

Brad Messer:

would be awesome. Absolutely. I I love this comparison because to me, it's the matter of the risk of ruining someone's physical life versus ruining someone's digital life. And that's really so for example, several years ago, I donated a kidney. And I had to go through this massive number of tests.

Brad Messer:

And as I'm going through, I'm thinking all this data is being collected about me and it's being stored hopefully securely. But in the end, I I was sitting there thinking, what would happen if someone gained access to this information? I mean, they could share my personal records, which might add to some not even embarrassment in my world, but maybe embarrass some people. It could, I guess, put some physical risk on someone. So if we found out that maybe a specific senator had a peanut allergy, Then maybe we could target that senator if we were trying to but there's not a like, outside of the physical side, there's that's what the HIPAA side is looking at.

Brad Messer:

When we move over to our world, yeah, like, if our data's compromised, I mean, we're ruining people's financial history. We're ruining potentially people's ability to even get jobs. I mean, if you hop on the dark web, you'd be shocked at some of the requests that come through. I mean, people hop on is like, I just broke up with my boyfriend and I just wanna completely financially ruin him. And all it takes is like a phone number, social security, and like their name.

Brad Messer:

So the data we have, even though it may not cause physical harm, it can it can wreak havoc and potentially ruin their financial life, honestly, for the rest of their life. So there is definitely those differences. But, yeah, to your point, the standard on the the finance side is so much lower. I mean, the big thing on HIPAA that we're truly not recognizing on the financial side is they require partnership agreements. So if I'm going to be storing HIPAA data on third party servers, they actually have to sign agreements about data access and sharing and so forth.

Brad Messer:

In our world, we can just go off and throw data anywhere. I mean, hopefully, you're throwing it somewhere secure, but there's nothing inhibiting from a regulation side. Us us on this on this podcast joining in starting a firm and having access to all of the data that other people are throwing in. There's no regulation protecting that. So we really do have significantly lower standards than what are present on the medical side.

Brad Messer:

And it's kind of shocking a little bit. But It's scary. That's my that's my own two cents, which I think is a fantastic segue. Let's talk about WISP. So that's the written information security plan, if I got if I got that right.

Brad Messer:

So Right. Let's identify what's that?

Chris Picciurro:

Is it a wasp's cousin? What? The bite. There's the joke.

John Tripolsky:

There it is. There's a dente o.

Chris Picciurro:

You know what? I didn't have one. It's

John Tripolsky:

been saving that one. You still have the whole it's like the cheesy dad jokes, but I'll I'll let I'll let you take the prize for that one. So so a WISP. Right? So the the written information security plan, it it basically is what it is.

John Tripolsky:

Right? It's a written plan for how you are how you plan to secure and protect the data slash information you have. So if you can walk us through that a little bit, like, who who really who finally stood up and said this is this should be the requirement? But then also, how does one go about this? I mean, is this something you just draw on a bar napkin, something you just think about, something you might throw in your Evernote?

John Tripolsky:

Is it something you compile and submit? Tell tell us, you know, and I couldn't think of a better person to explain this to us. So please walk

Brad Messer:

me through this one. Absolutely. So yeah. So it is the written information security plan. And the groundwork was truly laid back in the late nineties with the Gramm-Leach-Bliley Act.

Brad Messer:

There were requirements put in place, but it was not expressly stated that we had to have this official plan in writing. But over the course of time, the the plan itself placed the ownership on the FTC to oversee this. And the FTC has started putting more effort into our focus direction. So several years ago, the plan became a requirement for all folk for all individuals in financial services. And this is a very, very broad this includes financial planners.

Brad Messer:

It includes banks. It's a very broad perspective. But the idea here is we have to have a document that explains our SOP, our standard operating procedures connected to security. It outlines who is responsible for security. It outlines our, our whole list of how do we handle security?

Brad Messer:

How do we handle passwords? How do we handle wireless activity? How do we handle user authentication, User access to data? I I've sat down and made a checklist and the checklist is well over a hundred items long of all of these pieces that should be part of this information plan. And going back, people worry like, oh my gosh, I don't wanna do this because I don't think I'm there.

Brad Messer:

And it really is this living document that should be modified. And part of it is assessing where you have risks. So part of it is acknowledging that there are certain areas you need to improve. And you include those as your timelines. We want to implement this issue with our Wi-Fi by January 2024.

Brad Messer:

We want to improve our password management by March of 2024. And so it really becomes this guided tool of how we manage our entire operation. And last year, and and I just I just realized that in the last couple of days, the wording has shifted a little bit. So every year when tax professionals renew what is called their PTIN or essentially a number that allows us to electronically file tax returns that year. Last year, we had to acknowledge that we had a written plan.

Brad Messer:

This year, the wording's a little different that we are aware of the need. And this is very different because the issue before was, do you have this? Yes or no. If someone didn't and it came up later, their pushback was, well, I didn't really even know I had to do this. So now the question is, are you aware of this?

Brad Messer:

And if you acknowledge you're aware of it, then you have to, at the same point, acknowledge that you have a requirement for it. So as the FTC is stepping in doing these audits, we've now stepped in and acknowledged that we're aware of this requirement. And the IRS has actually finally, I'm gonna say that with a grain of salt here, because we know how this can backfire, but the IRS is actually actively reviewing this as well. So I've had two individuals reach out to me because they sat down with a revenue agent over a letter notification that one of their clients received. And the agent would not speak to them because they could not produce a copy of their WISP.

Brad Messer:

So before the IRS would speak to them, they had to produce a copy of the existence of their, their written plan and neither one could. And, and the agent just said, then I'm unable to move forward with this. And they were essentially required to either hand off the client elsewhere or come back with a formal version of a written plan. So we've hit that critical point where it's no longer, we can kind of look the other way. We now have to acknowledge that we're aware of it, and we actually have to have it available if we are requested by either the FTC or the IRS.

John Tripolsky:

Which actually, I mean, in in my eyes, again, kinda looking outside in, it's I mean, it may sound more more of a task than it really is. Right? Like, it could be some some fairly simple for the most part. And there's really just the fact of getting that thought process going. And and we do not have to dive into this question I'm about to ask you too deep, but I'm gonna make the assumption is that is this really becomes more and more of an awareness slash requirement as we move forward.

John Tripolsky:

I mean, either of you might be able to answer this, and please feel free to to jump in. But I almost see it as it becoming probably as deep as it is from a from a business owner's perspective. I mean, from an insurance policy, I'm sure it's gonna be a big question. Right? Like, when you go to renew a BOP or an errors and omissions policy, any of that stuff, like, this is pretty important because that's I know from a buddy of mine is a dentist.

John Tripolsky:

He was a dentist in the navy and they left and and opened up a practice. And he he I remember him saying, like, holy crap. I didn't realize how expensive insurance was until you don't have all your ducks in a row, and then you're uninsurable. So even with this, I mean, have if either of you seen that, don't mind me prying too deep personally. I mean, I guess tax pros would relate to this.

John Tripolsky:

But is that something you have to reference, you know, as far as for business insurance goes?

Brad Messer:

So every year with our with our especially our cyber insurance, we have to provide a copy of our list for them to review. Additionally, and this I'll share a scary story here. The, the situation that I referenced about the firm from a week or two ago, when I, when I went on-site to talk to them, not only did they have someone unqualified overseeing things, the reason they reached out to me was they called their cyber insurance company when their breach occurred. The first thing that the company asked for was a copy of their WISP so that they could review to make sure they were in line with their response plan, and they didn't have one. On the phone call, the insurance claim was denied.

Brad Messer:

And they just point blank said, because you have violated the covenant, we will not be moving forward with covering or even discussing this claim. And thankfully they had a good account manager who knew me and they said, you should probably call Brad. But it's, I mean, it can point blank disrupt your insurance and ultimately allow them to deny a claim. So this does have very far reaching expectations.

Chris Picciurro:

Kinda like, it's kinda like putting on your seat belt. You know, when we were little kids, you just shoot. Your parents would slap you in the car. They loved you, but we were bouncing around doing whatever. But now we just put the seat belt on automatically.

Chris Picciurro:

Some cars most cars will beep at you, yell at you if you don't, or they just, you know, put it right on. I wanna I have one more question I wanted to touch on specifically as we talked about WISP and, what are just maybe 30,000 foot view thoughts? I because I think there's some sneaky, there's some sneaky breaches out there that practitioners don't think about. There are two specifically. One, team members or yourself working at from a home office and or Internet without, like, without a a public Internet.

Chris Picciurro:

You know, Starbucks, we'll call it. Two, tax professionals communicating with clients on their cell phone or using apps on a cell phone that obviously do not don't have maybe the the security in place that a that a laptop would or desktop. So just some thing are those valid are those things that people should think about when they're developing their WISP?

Brad Messer:

Yeah. So as we talk through them and I'll I'll break your first point out kind of into two sections. Is it? First one being the the virtual or work from home employee. I will wholeheartedly admit I'm an office person.

Brad Messer:

I love being around other people. So I am a little biased mentally, but my concern is I think people kind of feel followed that out of sight, out of mind. I work from home. It's less of a risk because I work from home. I truly view in most cases, it's more of a a risk because are those home environments, are they deploying the commercial grade hardware and software to protect?

Brad Messer:

We have in our office, our router, I mean, our firewall is about a $1,500 device, and we pay about $700 a year to maintain updates for it. I highly doubt many people are doing that for their virtual or work from home people. They're probably going off and grabbing a hundred dollar router from Best Buy that doesn't have those same updates and in management. And in general, people tend to be a little more lax on security at home. I I joke in some of my online classes and that that, okay, we have that 15 year old teenager that gets home at 3 PM, rushes up to their bedroom.

Brad Messer:

We have absolutely no clue what's going on in that bedroom or what they're viewing online. But if that's being done on the same network or the same environment, you're exposing your entire collection of information to whatever's happening up in that bedroom. And I personally don't trust too many fifteen year olds. So I very much do. I have a lot of fear around work from home environments.

Brad Messer:

And when I, when I worked for a company in the past, we actually managed and deployed all the technology for them. And that was the requirement of working from home was we provided and we managed all the security and configuration for them. Now I will say, and this is a, this is a new evolving one, the, the public Wi-Fi side of things. And this is brand new and I actually, I'll share a video with you afterwards just so you can kind of have a little bit more exposure as well. But the DOD, the Department of Defense actually recently downgraded the level of threat of public Wi-Fi.

Brad Messer:

And that's been a large topic that so many of us have been talking for a while. But with the increased reliability of security certificates and encryption from point to point, they're ultimately saying it's about the same level of risk as working in your own office environment. Now, you still need to take the precautions. Like, if you walk into a Panera and you can literally see their wireless router sitting on a shelf in the dining spring, Yeah. Maybe avoid that one.

Brad Messer:

But if it is in a secured location back where maybe only a manager has access, the DOD is ultimately saying it's the same level of risk as working from home or working from your actual office environment, As long as you're ensuring your point to point encryption for the software or the tools that you're using. So I have actually loosened up a little bit on that because we do have the security in place and the level of risk is pretty much the same. So on that side, I, yeah, I'm I'm a little looser than I think some folks, but everyone does truly need to gauge their level of risk and comfort.

John Tripolsky:

And all that makes great sense

Chris Picciurro:

to you. Obviously, we have a lot of practitioners out there, listening, and they haven't started the WISP process. Can you give someone a a kind of a a reasonable timeline and and range of maybe cost that you know, we love when people ask us our how much our services are gonna cost. You know, like, are they looking at a $10,000 endeavor, $2,000 endeavor? Is it gonna take nine months, six months, you know, a month?

Chris Picciurro:

What what can to send that quickly.

Brad Messer:

The the first thing I will say is as you're evaluating, receiving, or or looking into assistance with your WISP, the first thing you really wanna look at is unless you feel comfortable using a template. Going off, with one of these services that provides you a quick and easy for those that can't see, I just did air quotes, the quick and easy template. Right. I've received from several folks these quick and easy templates, and they're super scary. Not a single one of them falls within a level of compliance.

Brad Messer:

So if you're truly looking to have a valid, usable WISP, then it's going to not be a, oh, let me just sit down in one afternoon and it's done. If you're working with someone, there will typically be tours for your discovery phone calls, followed by a brief span where they write it, followed by then usually a response call where you talk through and maybe modify any final adjustments. It will typically be, if you provide quick responses, a two to three week turnaround period. Okay. A lot of services are saying, hop on this quick two hour CPE.

Brad Messer:

And by the time you're done, you get a template and you're good to go. No, the WISP is very, very dedicated to your individual environment. Now, if you have a more complex environment with multiple users, even multiple tiers of clients, then it may end up being a one to two month to truly gauge everything from like a third party perspective. But this is not something that should take weeks or months of time because once it's finalized, it now moves into that weeks to months of review on an ongoing cycle. So the initial one really should not take more than in any point more than a month to kind of finalize.

Brad Messer:

Okay. Now, cost-wise, you're looking at, are you looking at just having a WISP, or are you looking at having a WISP with some of the support to correct some of the deficiencies or so forth? But I've not seen many individual WISP services that have a massive or significant cost. Right. Where the larger costs come are on the, oh, holy crap.

Brad Messer:

I don't know how to do this. So I actually need somebody to come in to help me implement it now. Right. So the WISP, which is what is required for compliance, is actually not an overwhelming task or process.

John Tripolsky:

And with a WISP, you know, the WISP's cousin is Mr. Picciurro referenced that. So really, in taking what you said there, Brad, and kind of, you know, spinning and bringing it down just a little bit, and then let's definitely jump it in the, the FTC news there. But really, you could you could have you run the dangers, right, of kind of running and developing your own WISP without any outside insight because from what I'm hearing, right, is you could have this list of everything you're doing, a rough plan on when you're gonna implement, some changes you see, some red flags, some some holes. But then really, even if you're doing it all internally, you could check every box, go to sleep, feel great the night that you check the final one. And, really, you could have somebody working remote that the chain is only as strong as its weakest link, and they, in a sense, have a wide open hole, and your whole system could go kaplank on you right there.

John Tripolsky:

Is No. That could be the case. Correct?

Brad Messer:

Absolutely. And part of the WISP should be including ongoing updates and security scans and checking, but also training of your staff and limiting access for points of your staff. Like, I don't think there's been a single firm that I've talked with that has seasonal people where they terminate their access at the end of the season. So they're leaving a lot of these logins and accounts open for eight, nine months of the year that have no one validating its use or locking out its privileges. So it really is in a lot of cases, it comes down to that person creating more of a problem than than that one or two systems you were super panicked or worried about.

Brad Messer:

And this would obviously I mean, for my HR family member that I'm thinking of, that I would be remiss

John Tripolsky:

if I didn't mention to put that in the handbook, for lack of better terms.

Brad Messer:

Oh, absolutely. That is That,

John Tripolsky:

I think, really stresses up how important it is. But before we wrap, let's let's take a quick minute again. I know we've been teasing this a little bit. So let's let's put on our FTC hat. So, obviously, the FTC, the the Federal Trade Commission, so they they basically are built off those measures that they have in place keeping customer information secure and safe.

John Tripolsky:

So I, in the marketing space, am very familiar with I believe it's the CAN-SPAM Act of 2003, which is, you know, basically, in a sense, is trying to keep as much spam mail marketers, sales guys from abusing access to your email. So if we're looking at it from how this affects tax pros, so the FTC has implemented, I believe it is called the Safeguards Rule of 2023, if I'm not mistaken. So give us kind of the overview on that, the importance of that, and really why that matters to tax pros if we can.

Brad Messer:

Well, and and a little bit of history in this one, I think actually tells the level of importance that they're driving here. So the FTC Safeguards Rule was revised all the way back in 2021. And they added roughly an additional nine key points that financial services firms had to comply with. And keep in mind, this was 2021. They gave them until December of 2022 to be compliant.

Brad Messer:

But December comes along and the FTC realized, oh, like hot dang, there's not enough security professionals to help with this. So they extended it to June of 2023. And everyone was waiting with bated breath the weekend right before June 9, which is when they went official, hoping well, maybe except me because I was not wanting this to get extended, that it would get extended again, and they chose not to. And the reason they chose not to extend was the longer this keeps getting pushed off, the longer people are just not gonna be or feel that they have to be compliant. So it took two years to actually get us here.

Brad Messer:

But they allowed a little bit of breather room, but they officially said, no, we're not allowing this to continue any longer. We have to have these items in place. Some of the new items are pretty easy or minimal. For example, you have to have a qualified, now that's not defined, but a qualified individual to oversee this plan. Well, that right there, if you self assess and you're not qualified, that immediately means you have to find that person you can work with.

Brad Messer:

It also puts in place that you have to be training your staff. So if you do have those folks, and I even push this the point of even yourself, you're required to provide ongoing training to your staff. It also includes having a plan to implement and manage your program. So this goes back to people in the past saying, well, I have a WISP. I'm good to go.

Brad Messer:

Well, this is now actually saying, okay, but now you actually have to implement and manage it. So it's adding all of the things that people were kind of using as workarounds before as saying, oh, the requirement was we just had to have this. Not that we had to use it. So now we have to use it. Now we have to monitor our service providers.

Brad Messer:

Honestly, this has been one of the bigger ones is, and there was a, there was actually, I was super thankful they asked. Someone asked in one of the Facebook groups yesterday about whether or not their internet provider would fall under a qualified service provider or not. Like I was super glad to see people actually thinking through this. So, managing our service providers becomes one. Conducting an ongoing risk assessment.

Brad Messer:

Now, the FTC did do something that I'm not super happy with, but I understand why they did it. Three of the nine items, they put a qualifying size on the firm. So items such as doing a risk assessment, having a response plan in place, and regularly monitoring. So having a logging and monitoring system are only required for people who maintain 5,000 records or more. Now that doesn't mean 5,000 returns.

Brad Messer:

It means 5,000 records. So that family that has is married and has three children, we're looking at five records right there. You house their data for three years. We have 15 records now. So those 5,000 records get consumed super fast.

Brad Messer:

But they put it in place back to Chris's point for some of those individual solo practitioners who maybe only do thirty, forty, fifty returns a year, and maybe you're looking to retire or that first one or two years they're starting, they don't have the budget to go out and bring in someone to do a logging or monitoring of their system. So I was very, very thankful that the safeguards rule was more firm this time, but it has put a very heightened level of expectation on firms who are managing this financial data. And as far as for somebody when it if it is mishandled in this sense, like, are there any fines, penalties, repercussions that are kind of on the table at that point? So and this is the this is the part where I I'm not waiting on a public instance to come through, but I feel like once that very loud public instance comes through, it's gonna kind of ripple through the industry. But, yeah.

Brad Messner:

If there is a violation found, the individual firm can be fined up to a hundred thousand dollars. If it is determined that the individual was aware of the need and purposefully avoided it, mostly for cost or whatever reason, then it could be up to $10,000 per record or incident that was located. Plus, if there is found to be malicious intent, there's actually the risk of having prison time involved. And we've seen that followed through on the HIPAA side. So I don't have doubt that that would be followed through on

John Tripolsky:

the financial services as well. So if you're talking potentially, say, 5,000, we'll just use 5,000 records if my non-tax-pro math equates right. If I'm thinking two or less many zeros, I mean, you're potentially looking at, you know, very high number, but $50,000,000 in fines for 5,000 records. No. Absolutely.

John Tripolsky:

Like, it's pretty intense. So if I mean, even 1% of that is a shot in the gut. Right?

Brad Messner:

Mhmm. Absolutely. And this is

John Tripolsky:

a topic I'd love to revisit too at a later date and maybe dive into it a little bit more. You know, obviously, as it grows legs and we roll into it, I'd love to talk on this. And I guess the last question I have before we wrap, and then I'll let Chris wrap us up here is, you know, going into 2024. So, obviously, some significant changes. Cybersecurity is a term that's thrown around a lot.

John Tripolsky:

Data security, information security. Looking at 2024, what would be your top items even just revisiting some of the stuff we discussed that you would say regardless where you at or where you're at in your practice, even if you're not the owner of a firm, if you're just in it, what are some things to be aware of and maybe some kickoff starting points, some tasks looking at that new year?

Brad Messner:

No. I mean, the first one, and it's probably been the same for the last several years, is make sure you get that WISP in place and implement it. That's the absolute number one item, is getting that WISP in place. If we can universally in the industry start focusing on that, we will be so much further along. But even more so, start educating and understanding what risks are coming down the line.

Brad Messner:

For example, with my PhD program that I'm in, my dissertation is focused on how bringing cryptocurrency and blockchain applications into financial applications is possibly increasing or decreasing the risk of security. So we need to be on the cusp of what's changing in our industry, and we just don't have a good impact on that in 2023. So I'm hoping as an industry we can improve in 2024. But I'll throw out the other thing, and this has become news in the last month or so, is we are going to be getting some updated requirements as part of Circular 230. And there's going to be some significant inclusion of WISP requirements or implementation as part of Circular 230, which for the accounting space is a very, very significant requirement.

Brad Messner:

And that should be coming around in 2024. So for folks who are not in compliance, now it may actually fully inhibit your ability to operate at some point next year. So that really needs to be a priority at this point is getting in compliance and focusing on, again, not where we are, but building that plan for improvement on where we have to be.

Chris Picciurro:

Absolutely. The tip-off on that, and I agree, we've discussed this with other practitioners, is that the IRS finally has the funding and maybe the green light to redo Circular 230, maybe even the flexibility to do it. And if the IRS is asking for your WISP before they sit down for representation work, you know that it's important. Like, that's the read the tea leaves, you know. Mhmm.

Chris Picciurro:

Exactly. Now a lot of tax pros are probably listening to, have listened to this. They're probably driving or walking or something like that. Maybe they're doing some work, and they might be feeling like, oh, gosh. I'm just really happy I listened to this.

Chris Picciurro:

I'm a little afraid now. You know, Brad, you started Financial Guardians, and I know that you and your company can help the tax professionals out. What I love is, obviously, you're a national speaker. You are kind of the gold standard, for lack of a better term, in this space. Yet, you're very relatable to the tax pros.

Chris Picciurro:

So those local tax pros, those, you know, Main Street, not Wall Street kind of people. So you know,

Brad Messner:

could they contact you at, with Financial Guardians? I and I think it's your financialguardians.com and Correct. Or especially if you're in a car or something, cybersecurity.tax will get you the same place. Just super easy to remember.

Chris Picciurro:

Awesome. Cybersecurity.tax. And if you just wanna dip your toes in the water, just follow Financial Guardians and Brad on social media. You're gonna, you'll see a lot and, it's kinda like where the hear

Brad Messner:

it a lot.

Chris Picciurro:

Yeah. Tax will people go, what is teaching tax? What is tax planning? Just check some of our videos out. Check out our vibe, and you'll understand what we're doing.

Chris Picciurro:

So, but I honestly, I can't thank you enough for joining us here, and I know that there are a lot of people out there that you're gonna be

Brad Messner:

able to help within the tax community. Because we are trusted by our clients, and we owe that to our clients to keep up our end of the bargain with as far as data security. No. And again, thank you so much for having me. I love talking about this.

Brad Messner:

And more so, I truly just want us as an industry to take security seriously and be known that tax professionals are trusted resources for information protection.

John Tripolsky:

Excellent. Excellent. Chris, thanks for setting this one up. Brad, thank you so much for joining us on the Mr. R Show.

John Tripolsky:

I mean, this was probably one of the better conversations that I think we've had in a bit. I mean, we have some great guests, and, Brad, obviously, you took significant time to run through this. Hopefully, everybody that's listening to this, you took advantage for one of this the free CPE. We did not create a WISP for you on this because it is more complicated than that as we discussed. But hopefully, I mean, I say this nicely.

John Tripolsky:

Hopefully, you got a little scared, kinda ruffled your feathers a little bit. Just enough. Right? Just to move the needle a little bit. And I think, Brad, you'd mentioned it a few times and just did again.

John Tripolsky:

It's the point of this is not put out there to really scare you into doing something that you don't need to do. It really is for the betterment of your practice and really for your clients, which is everything that we stand for. So we will definitely be touching on this topic again. I think various components of it as we get into the new year. And, Chris, as you mentioned, any questions, any of our listeners, anybody in our community has, please feel free to reach out to Brad directly or us, and we can connect you.

John Tripolsky:

But as always, we will see you here same place, with some great information. So thank you everybody for the insight. Thank you everybody for listening to the show, and we will see you very soon as always. Thanks for hanging out with us everybody here on this episode of the Mr. R Show.

John Tripolsky:

Thank you, Brad, for taking that time out, really diving into the topic with us. Your insight into this is completely invaluable, really just for tax pros out there. Really, in a sense too, just for business owners as a whole. Right? This is a topic that is really just kind of taking over some of our daily lives.

John Tripolsky:

Right? And, also, it's one of those things that we really don't realize is that important possibly or that big of a pain in the rear until it actually happens and becomes an issue and becomes a headache. So, Brad, your suggestions and really you're walking us through the process of creating that WISP, the value behind it, not just checking a box for the sake of requirements and regulation on doing so and really just planning for really the unfortunate scenario where we have to deal with it. And I would, I don't have a number in front of me, but I'm sure, you know, not just in the tax pro space, but as a whole, as individuals. I'm sure we have, you know, possibly had somebody get a credit card number and or a pair of sunglasses or a bunch of fraudulent Amazon purchases, and we thought that was a real pain.

John Tripolsky:

Can only imagine what it's like if somebody really takes control, you know, by way of ransomware, etcetera, an entire tax practice. So again, thank you, Brad. Thank you, Chris, for diving into this with us, helping steer this ship for us. We look forward to really touching this again here next year in 2024 as we're sure some of these regulations will change. Obviously, technology changes with the time, so we look forward to seeing where this goes.

John Tripolsky:

And as I mentioned in the last episode, and I will probably mention it on everyone moving forward. Any questions, fellow tax pros, please feel free to join that private Facebook group we have. Really, if you just get on Facebook and search tax pro two point o, should pop right up. You'll see it come up there. If you prefer the easy route, which there's nothing wrong with taking the easy route.

John Tripolsky:

Actually, we won't call it the easy route. We'll call it being efficient. We'll save you from having to search that, and I've put the link directly in the show notes wherever you consume your podcast. So thank you much for joining that group. Any questions, always feel free to reach out to our team here at the Monthly Recurring Revenue Institute.

John Tripolsky:

As I always like to wrap it up, we will see you back here on the Mr. R Show very soon.

Disclaimer:

The content of this podcast does not constitute an offer of securities. Offerings can only be made through an offering memorandum, and you should carefully examine the risk factors and other information contained in the memorandum. The content provided is for educational purposes only. We encourage you to seek personalized investment advice from your financial professional. For all tax and legal advice, please consult your CPA or attorney.

Disclaimer:

Investment advisory services are offered through Cabin Advisors, a registered investment adviser. Securities are offered through Cabin Securities, a registered broker dealer.

Creators and Guests

Chris Picciurro
Host
Founder, MRR Institute
John Tripolsky
Host
VP of Marketing, MRR Institute
Brad D. Messner
Guest
VP & Enrolled Agent, M & J Tax Service