CYBERSECURITY
Lilling & Company LLP emphasizes quality, integrity, and independence during every stage of the audit process.
A Practical, Client‑First Approach
At Lilling & Company LLP, we know that sharing sensitive information requires trust. Our clients count on us to handle their data with care, discretion, and good judgment – and we take that trust seriously. Cybersecurity is part of how we work every day, guided by practical safeguards that support reliability, confidentiality, and continuity.
Our goal is to keep client information secure while making it easy and straightforward to work with us. When clients have cybersecurity diligence requirements or vendor questionnaires, we approach them as partners – responsive, transparent, and ready to help.
We serve entities and individuals who value accuracy, discretion, and consistency – 401(k) plan sponsors, investment funds, registered investment advisers, nonprofits, operating companies, and high‑net‑worth families. Our cybersecurity program delivers large‑firm caliber safeguards with the personal attention, accessibility, and responsiveness of a boutique firm.
A Large‑Firm Standard of Protection
We implement security through documented governance, independent testing, ongoing training, and layered technical controls. This approach helps protect confidentiality, maintain system availability, and reduce the risk of disruption from cyber incidents.
Program Alignment and Regulatory Expectations
Our cybersecurity and data protection program is designed to align with recognized regulatory guidance and leading practices, including:
IRS guidance for safeguarding taxpayer data, including IRS Publication 4557, and the FTC Safeguards Rule expectations applicable to tax professionals and authorized IRS e‑file providers.
U.S. Department of Labor Employee Benefits Security Administration (EBSA) Cybersecurity Program Best Practices, which outlines leading practices for service providers supporting ERISA‑covered plans.
How We Protect Client Data
Our controls include administrative, technical, and operational safeguards designed to address risk across people, processes, and technology.
Governance and Accountability
A designated security lead responsible for oversight of the information security program.
A Written Information Security Plan (WISP) that is reviewed and updated at least annually.
Independent Testing and Risk Management
Annual risk assessments with documented remediation of identified findings.
Regular external and internal penetration testing, with remediation to reduce vulnerability risk.
Access Controls and Encryption
Multi‑factor authentication across key systems.
Encryption of sensitive data at rest and in transit.
Role‑based access controls that limit data access to authorized personnel.
Resilience and Incident Response
Documented incident response procedures with defined roles, responsibilities, and escalation pathways.
Disaster recovery and business continuity planning.
Robust hourly backup schedule with offsite replication and rapid recovery.
Employee Training and Phishing Defense
Mandatory annual cybersecurity training for all personnel.
Ongoing phishing simulations with targeted follow‑up training when needed.
Vendor and Service‑Provider Oversight
We rely on established technology providers to support secure operations, including audit and tax platforms, cloud collaboration tools, international partner firms, and workflow systems. Our vendor management process includes due diligence and ongoing monitoring of service providers with access to client information, review of SOC reports where available, and periodic reassessments.
Questions or Due Diligence Requests
If you have questions about our cybersecurity program or would like support with vendor due diligence or security questionnaires, please contact us.