IRS e-file requirements have once again been updated in preparation for the upcoming 2020 tax season. These security standards serve to protect taxpayers’ personal information against abuse, fraud, and cyber intrusions.
Technology is progressing at a rapid rate. These tools offer lawful business services more options for digitized solutions. But the reality is that black hat hackers also take advantage of the latest technology. As such, reliable security protocols must iterate over time to confront evolving cyber threats; hence, the IRS continues to update its security requirements for authorized e-filers.
The Importance of an IRS E-File Compliance Guide
The IRS e-filing program gives taxpayers added convenience during tax season and lets businesses provide it. To maintain these conveniences and allow providers to offer value-added services like e-filing, the IRS monitors compliance among authorized e-filers.
The bulk of these privacy and security compliance standards are outlined in IRS Publication 1345. Policymakers update these standards regularly – sometimes multiple times a year. The burden of responsibility lies on the online provider.
Organizations and individuals face severe consequences if they fail to comply with IRS e-file requirements. These consequences range from warning letters to federal prosecution. Providers that endanger the safety of taxpayer data face a minimum one-year suspension from the e-filing program.
The purpose of this IRS e-file compliance guide is to provide an overview of what the IRS’s security standards are, along with actionable step-by-step instructions to help you meet those standards in a sustainable way.
Who is Responsible for IRS E-File Compliance?
Many authorized e-filers are medium to large corporations with hundreds of employees and managers. Other providers are owner-operator establishments managing a modest portfolio of clients.
Either way, the IRS holds all relevant personnel responsible for IRS e-file compliance, beginning with every name listed on the e-file application (i.e., the person filing the application, assigned responsible officer, and principal officers).
According to IRS Publication 1345, an Online Provider is any person or department critical to the e-filing process. Many authorized e-filers include tax preparers that choose to offer to electronically file a client’s individual income tax return.
Other names and titles that Online Providers go by are electronic return originators (EROs), transmitters, intermediate service providers (ISPs), and software engineers that design and maintain an e-filer’s web service.
To operate legally as an authorized e-filer, Online Providers must apply to the IRS and secure an Electronic Filing Identification Number (EFIN). Software engineers and transmitters must also pass a competency test to obtain an Electronic Transmission Identification Number (ETIN).
Responsible Officer (RO)
To complete the e-filing application process, Online Providers must assign a Responsible Officer (RO) to oversee IRS compliance within the organization. ROs need not be cybersecurity experts, but they must ensure that the proper policies and procedures are in place. For example, ROs typically serve as a liaison between the organization and the third party authorized to run weekly vulnerability scans, in accordance with IRS security standards.
What are the IRS E-File Requirements in 2020?
The IRS continues to make minor adjustments to its privacy and security policies for authorized e-filers. For example, the IRS recently required all Online Providers to maintain an extended validation SSL (EV SSL) certificate for their website to ensure strong encryption and a trustworthy web service.
Even though the IRS security standards exist in a 46-page guidebook, policymakers have broken down the key requirements into four priorities:
- Building and Maintaining a Data Security Plan
- Spotting Email Phishing Attacks
- Regularly Assessing Data Security Protocols
- Immediately Reporting Lost or Stolen Taxpayer Data
Building and Maintaining a Data Security Plan
The mandate to establish a data security plan implies a sustainable cybersecurity program, including system monitoring, incident detection, and response. Most organizations can’t prevent every kind of cyber attack, but they can employ tools, policies, and procedures to minimize intrusion damage and ensure the safety of taxpayer data.
Spotting Email Phishing Attacks
Phishing represents the greatest internal threat to an Online Provider’s cybersecurity. Untrained or inattentive employees open an email, link, or attachment from an unknown sender posing as a friendly source.
Phishing attacks infiltrate an organization and wreak havoc on that organization’s digital infrastructure. These attacks take place over email, text message, and even online instant messaging. Online Providers are responsible for informing all employees that they must not open messages or click attachments or links from unknown sources.
Regularly Assessing Data Security Protocols
One of the leading concerns of IRS e-filing requirements in 2020 is that Online Providers regularly revisit their data security plan and procedures. Cyber threats continue to develop with the latest technology.
Thankfully, it is far easier to wage a cybersecurity defense than it is to stage a massive, successful intrusion. This is particularly true if organizations update their security policies and procedures. The IRS’s mandate for providers to hire approved third parties to run weekly vulnerability scans helps authorized e-filers partially fulfill this requirement automatically. That said, it is up to the Online Provider to maintain adequate, up-to-date security safeguards and internal compliance.
Immediately Reporting Lost or Stolen Taxpayer Data
Because it is difficult to prevent every intrusion, the IRS insists that Online Providers immediately report any lost or stolen data. Authorized e-filers have until the end of the next business day to report the damage to the IRS.
In most cases, the authorized e-filer must demonstrate basic understanding of a breach’s root cause and institute remedial measures to repair the intrusion and prevent future attacks. Online providers that partner with managed security services providers (MSSPs) and managed detection and response teams (MDRs) are less likely to experience any major fallout from an intrusion or intrusion attempt since these third-party teams know how to respond to perimeter attacks in a timely manner.
A Step-by-Step IRS E-File Compliance Guide
Despite how rigorous and evolving IRS compliance standards tend to be, it is possible to maintain compliance proactively. These steps can help you place your organization on the front end of IRS security expectations of authorized e-filers.
Build or update your network diagram.
“Network diagrams refer to the documentation that identifies the flow of data within an organization. Project managers often refer to network diagrams more broadly, but in the case of cybersecurity, it pertains to data flow across telecommunication hardware.” – RSI Security, Elements to a Great Network Diagram
Without a working network diagram, it is impossible to know one’s cyber vulnerabilities. Understanding where your data comes and goes is the foundation for protecting your and your clients’ data in accordance with IRS security standards.
Perform a risk assessment.
From an IT standpoint, it is far easier to understand ROI when discussing digital capabilities. Technology streamlines complex tasks and makes conveniences like IRS e-filing possible.
But all the benefits of technology come crashing down in the wake of a significant security breach. The challenge for many ROs lies in demonstrating cybersecurity risk in actual dollars and cents. Lax leadership often results from an information disconnect.
Taking advantage of popular cybersecurity risk assessment models, such as the FAIR assessment, can bridge that disconnect and help stakeholders understand the importance of cybersecurity. Additionally, these assessments help your cybersecurity teams perform audits and maintain effective security protocols.
Select a PCI-SSC-compliant vendor for weekly vulnerability scans.
One of the most critical mandates by the IRS is that authorized e-filers partner with a PCI-SSC-compliant third party to run weekly vulnerability scans. Not only does this requirement help Online Providers understand where they are most likely to receive an attack, but it also provides the IRS a track record to assess that provider’s security policies and procedures.
However, meeting the weekly vulnerability scan requirement is not enough to constitute a sustainable cybersecurity program. These scans will only reveal the obvious threats to your network. Most hackers and malware take advantage of organizations that are not proactive about security by infiltrating quietly and waiting for a period of time before initiating their malicious activity.
Complete a cybersecurity audit.
All the data available from network diagrams, risk assessments, and vulnerability scans provide the information you need to perform a security audit on your business. Following IRS security standards closely can help you build a checklist and see where your cybersecurity protocols fall short.
Many providers outsource their security audits to a third party equipped to provide thorough audits specifically for IRS e-filers. These outsourced security teams can also advise Online Providers on affordable, effective tools and best practices to prevent even the most insidious cyber intrusions.
Though uncomfortable for most stakeholders, internal audits allow your organization to identify non-compliance before the IRS does. This approach minimizes the chances of security breaches and IRS sanctions.
Create a cyber intrusion detection and response plan.
Cyber attacks are inevitable, even for small and medium-sized businesses. That’s why establishing a reliable detection and response plan is critical.
A sustainable intrusion detection and response plan requires your organization to activate qualified personnel to contain the intrusion and patch the affected systems while also performing root cause analysis. Meanwhile, some digital capabilities may not perform optimally for employees and clients. As such, part of your response plan must be setting up a help desk to guide personnel through the temporary inconvenience.
The best detection and response plans include diagnostics and security protocol updates. Each new intrusion is an opportunity to update your security policies and procedures. Organizations that fail to implement root cause analysis and intrusion diagnostics are bound to experience the same security breaches over and over again.
Establish cybersecurity policies and procedures.
Each input listed above provides the substance of your cybersecurity policies and procedures. As the IRS makes clear, it is futile to establish these security protocols and set them on autopilot. Maintaining effective security protocols requires decision-makers to reexamine their policies on a regular basis.
The best approach to establishing your cybersecurity policies and procedures is to employ the help of technical writers and virtual CISOs. These cybersecurity experts can function as independent contractors – saving you the cost of putting more people on payroll – and help you build and maintain a fully operational cybersecurity program. More importantly, these third-party experts provide services at scale so that you are only paying for what you need.
Train your staff on security compliance.
It is not uncommon for an organization to overhaul its cybersecurity policies and procedures, invest in new solutions, and lose the security battle due to a careless employee. That’s why cybersecurity training for all staff members is essential in any working cybersecurity program.
The IRS will not look favorably upon Online Providers that can’t maintain security protocols among their employees. This is also true when back-door attacks occur through lax third-party vendors. Cybersecurity training will not only help employees reinforce healthy habits for logging in and out of devices, reporting suspicious messages, and so on, but it will also make every team member more vigilant. Many security breaches are easily preventable when every staff member understands the “signs” present in most cyber threats.
Partnering with Cybersecurity Providers
The unpleasant reality about cybersecurity threats in the 21st century is that businesses of every size are more vulnerable than they’ve ever been. Even elite black hat hackers see small-time operations as an opportunity to infiltrate multiple systems containing sensitive taxpayer information.
The IRS also knows this, motivating their constantly evolving privacy and security compliance standards. For many Online Providers, an IRS e-file compliance guide like the one above helps them realize that they can’t meet these requirements on their own.
That’s why multiple third-party solutions exist to help providers with low budgets maintain rigorous security protocols. The most popular outsourced cybersecurity solutions include:
- Virtual CISOs (vCISOs)
- Cybersecurity staff augmentation
- Managed security services providers (MSSPs)
- Managed detection and response (MDR)
- Industry compliance assistance
IRS e-file requirements in 2020 represent how seriously the IRS takes taxpayer privacy. Online providers that establish acceptable safeguards on behalf of taxpayers not only remain compliant with the IRS, but they also ensure client retention and offer a competitive advantage over authorized e-filers that only perform the bare minimum.
RSI Security is a fully-credentialed, third-party cybersecurity agency servicing organizations of all sizes. The company maintains teams specializing in the latest IRS privacy and security standards. These teams offer assessments, audits, customized security solutions, and more.