Know the risks, consequences and best practices.
As aggregators of financial data, CPA firms are entrusted with their clients’ personal and financial information. As such, they’re primary targets for cybercrimes. Any size firm can fall victim. In fact, while more than half (55%) of all small businesses surveyed have already been the victim of a cyber-attack,1 8% of all cyber claims are related to professional services firms.2
The nature of cyber risks vary. First-party risks impact the accounting practice or firm directly, meaning the loss of data is directly correlated to lost business income. Third-party risks, on the other hand, arise from a breach of a CPA’s duty of care to others. Those risks are triggered by the unauthorized disclosure of a client’s sensitive/non-public personal information or by infection of a client’s network resulting in data corruption.
Other risks to CPAs as a result of cybercrimes include regulatory action by state and federal agencies, reputational damage and ancillary expenses related to complying with various breach response laws. To date, 48 states have data breach notice requirements, with the average cost of a breach response at over $200 per record.3 In addition, HIPAA requires notification after disclosure of unsecured personal health information, while the recently enacted New York State Data Security Regulations set forth a framework that financial institutions operating within the state must follow to maintain data security.
Successfully avoiding a cyber threat means first understanding the mindset and motivation of cybercriminals. Not all hackers are teenagers hanging out in their parents’ basements, simply looking for something to do. Many are disgruntled, unemployed “coders” or nation state-sponsored paramilitary groups lurking on the deep web hawking their skills, exchanging tradecraft and selling stolen data. Some are involved in traditional hacking methods, such as breaking into networks to steal and corrupt data. Still others manipulate users through phishing expeditions and social engineering to receive access into a system. Regardless of their motives — from mischievous, to malicious, to moneymaking schemes – cybercriminals can seriously threaten your firm’s continued success and profitability.
What can you do to thwart cybercriminals? The best defense to a data breach is to implement procedures to minimize the threat. Understand the nature of the data in your possession and establish methods for how to discover a breach. Having a robust internal reporting process and incident response plan is key. Two major points of vulnerability for CPA firms are the wide spread use of mobile devices, which can be vulnerable to malware when not patched properly, and easily lost exposing unencrypted data, and remote access to internal systems for the mobile workforce. To protect against these threats we recommend the following Best Practices in regard to cyber security:
Ensure full disk encryption on all laptops, desktops, mobile devices, and external storage
Utilize multi-factor (or at least two-factor) authentication for remote login
- Establish robust cloud/vendor management controls
- Conduct regular security awareness training for all employees
- Extend internal security controls to embedded devices like internet connected web cameras, HVAC, and door badge access systems
- Document and test incident response plans
- Establish a formal data retention policy – including secure deletion of data
- Ensure physical security of hardware
- Conduct annual penetration tests, and remediate identified issues
Since each state has its own breach notification laws, the timing to execute remedial measures is critical. Apply the law as the facts are discovered, and be cognizant of the applicable breach reporting deadlines. Under most breach statutes, one must comply with the rules even if no theft or damage occurred. When necessary, consider hiring vendors that have expertise in implementing a breach response plan that sets forth timely notification, forensic analysis of how the breach occurred, client credit monitoring and other regulatory compliance measures.
An inadequate breach response can be devastating to an accounting practice. Not only does it result in reputational harm, but can result in higher out-of-pocket expenses, including heavy fines, and more. Often times, the firm becomes a future “target” for other cybercriminals.
To further help insulate your firm from exposure, purchase appropriate cyber liability coverage. Remember that your existing coverage may not adequately cover a data security breach and the necessary response. Accordingly, consult with your insurance agent or broker when assessing your cyber coverage. Read the general terms and conditions of the policy and understand how it applies to first party risks (i.e., business interruption and data restoration) as well as to third party risks (i.e., network damage, privacy injury, event expenses, regulatory proceedings and extortion).
Cybercrimes are constantly evolving, which means CPAs need to stay abreast of the latest threats and take measures to impede them. In the meantime, firm employees should be fully trained in security awareness. Most of all, recognize that statistically, you have a greater chance of being hacked than not. Having adequate data security measures in place can make all the difference between being just another data victim or being a bulwark against data fraud.
1 2016 State of Cybersecurity in Small & Medium-Sized Businesses (SMB), Ponemon Institute LLC and Keeper Security.
2 NetDiligence 2015 Cyber Claims Study.
3 Ponemon Institute© Research Report, 2015 Cost of Data Breach Study: United States (based on 2015 reported breaches).
About the Authors:
Stanley D. Sterna, JD, serves as Vice President in the Professional Firms Division of Affinity Insurance Services, Inc. (Aon Affinity). As a Claim and Risk Management Consultant, Stan provides quality control, claim/litigation management, and risk control expertise to many of the country’s largest accounting firms. He also advises clients on broader enterprise risks including cyber liability. He supports business planning, client relations, and sales/marketing initiatives for the AICPA Professional Liability Program and Aon Affinity’s business partners. Aon Affinity has been the endorsed administrator of the AICPA Professional Liability Insurance Program since 1974. To learn more about the AICPA Program, visit www.cpai.com.
Nick Graf serves as Consulting Director of Information Security for CNA’s Risk Control unit. Nick has more than a decade of information security experience and specializes in data leakage prevention, security policies, incident response, data breach and security awareness. He has presented courses on privacy, big data, the cloud and healthcare risks, and has also written and contributed to articles regarding information risks, social engineering, mobile device security, phishing and personal password management.
This article is provided for general information purposes only and is not intended to provide individualized business, risk management or legal advice.
Continental Casualty Co., one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. Aon Insurance Services, the National Program Administrator for the AICPA Professional Liability Program, is available at 800-221-3023 or visit cpai.com.
This article provides information, rather than advice or opinion. It is accurate to the best of the authors’ knowledge as of the article date. This article should not be viewed as a substitute for recommendations of a retained professional. Such consultation is recommended in applying this material in any particular factual situations.
Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice. “CNA” is a registered trademark of CNA Financial Corporation. Certain CNA Financial Corporation subsidiaries use the “CNA” trademark in connection with insurance underwriting and claims activities. Copyright © 2018 CNA. All rights reserved.