A cyber-attack could spell disaster for your CPA firm

Know the risks, consequences and best practices.

As aggregators of extremely sensitive financial data, accounting firms are entrusted with their clients’ personal and financial information, which makes them a primary target for cyber criminals. Smaller businesses are particularly at risk, as in most cases they don’t have the appropriate resources to properly combat these criminals. In fact, more than half (55%) of all small businesses surveyed have already been the victim of a cyber-attack.

The nature of cyber risks varies. First-party risks affect the accounting practice or firm directly, meaning the loss of data translates directly into lost business income. Third-party risks, on the other hand, arise from a breach of a CPA’s duty of care to others. Those risks are triggered by the unauthorized disclosure of a client’s sensitive or non-public personal information, or by infection of a client’s network that results in data corruption.

Other risks to CPAs as a result of cybercrime include regulatory action by state and federal agencies, reputational damage and ancillary expenses related to complying with the various breach response laws. To date, 48 states, including California, have data breach notice requirements. In addition, HIPAA requires notification after disclosure of unsecured personal health information, while the recently enacted California Consumer Privacy Act (CCPA) sets forth a framework that financial institutions operating within the state must follow to maintain data security. In California, firms must also offer credit monitoring services to each affected client and can be held liable for civil penalties of up to $7,500 per violation.

Successfully avoiding a cyber threat means first understanding the mindset and motivation of cybercriminals. Make no mistake, hackers are in this for the money, in what is now a multi-billion dollar industry. Many are disgruntled ex-employees or nation-state-sponsored paramilitary groups lurking on the deep web, hawking their skills, exchanging tradecraft and selling stolen data. Some use traditional hacking methods, such as breaking into networks to steal and corrupt data. Others manipulate users through phishing expeditions and social engineering to gain access to a system. Regardless of their motives, from mischievous to malicious to moneymaking schemes, cybercriminals can seriously threaten your firm’s continued success and profitability.

What can you do to thwart cybercriminals? The best defense against a data breach is to implement procedures that minimize these threats. Understand the nature of the data in your possession and establish methods for discovering a breach. Having a robust SIEM or internal reporting process and an incident response plan is key. Two major points of vulnerability for CPA firms are the widespread use of mobile devices, which can be vulnerable to malware when not patched properly and are easily lost, exposing unencrypted data, and remote access to internal systems for the mobile workforce.

To protect against these threats, we recommend the following best practices for cyber security:

12 steps you can take now to help protect your business:

  1. Protect your data with a 3-2-1 backup plan.
    • A 3-2-1 backup can be explained like this: 3 different backups, on 2 different types of media, with at least 1 copy off-site.
    • Many businesses have a backup in place, but what they don’t realize is how long it might take to get their business operational in the event of an outage or a breach. Advanced backup systems can get your business operational within minutes. Contact Skyward for more information.
  2. Protect your network with a business grade next-generation Firewall
    • Businesses of all sizes need to have a business grade next generation firewall. Skyward can assist you with identifying the right product for your needs.
  3. Keep all systems up to date with the latest updates
    • Windows updates, firmware updates, 3rd-party software updates, antivirus updates, zero-day vulnerability patching: these are all critical to keeping your business protected from known vulnerabilities.
  4. Implement a next generation antivirus
    • Traditional antivirus is dead. Next generation antivirus uses artificial intelligence to identify odd behavior.
  5. Implement an Endpoint Detection and Response (EDR) system
    • Endpoint protection helps to identify malicious behavior that may have made it past your antivirus solution
    • Uses technology such as AI and honeypots
    • A good EDR can isolate an infected device from the rest of the network to prevent spreading
  6. Implement a SIEM for log gathering and analysis
    • SIEM = Security Information and Event Management
    • A good SIEM provides real-time analysis of security alerts generated by applications and network hardware.
  7. Enable multi-factor authentication
    • MFA is critical for account safety
    • We recommend protecting both Office 365 (o365) and your network / VPN access.
  8. Encrypt data (and emails) while at rest and in transport
    • Data must be encrypted
    • Do not send sensitive information via email without encryption
  9. Email filtering
    • Most malicious activity comes in through email. Use of a 3rd-party mail filter such as Barracuda is recommended.
  10. Conduct security awareness training for all employees
    • Train employees to look for fraudulent and malicious behavior
    • Conduct simulated attacks to determine which employees need further training
  11. Document and test incident response plans
    • Every business needs a written incident response plan (WISP)
    • This document is followed in the event of a breach
  12. Conduct annual penetration testing
    • Penetration testing is key to identifying weaknesses in your environment
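As an added illustration of step 1 (this is example code written for this article, not a Skyward or CNA tool), the function below checks a backup inventory against the 3-2-1 rule and reports which part of the rule fails. The inventory fields (media type, off-site flag, restore-test flag) are assumptions; going one step beyond the article, a copy whose restore has never been tested is not counted.

```python
"""Added example: checking a backup inventory against the 3-2-1 rule."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    label: str       # human-readable name of the copy
    media: str       # e.g. "disk", "tape", "cloud"
    offsite: bool    # stored away from the primary office
    verified: bool   # most recent restore test succeeded


def check_321(copies):
    """Return a list of rule violations; an empty list means compliant.

    The 3-2-1 rule from the article: at least 3 copies, on at least 2
    media types, with at least 1 copy off-site. Unverified copies are
    not counted (assumption added here): a backup that has never been
    restored is not known to be recoverable.
    """
    usable = [c for c in copies if c.verified]
    problems = []
    if len(usable) < 3:
        problems.append(f"only {len(usable)} verified copies (need 3)")
    media = {c.media for c in usable}
    if len(media) < 2:
        problems.append(f"only {len(media)} media type(s) (need 2)")
    if not any(c.offsite for c in usable):
        problems.append("no verified off-site copy (need 1)")
    return problems


# Constructed sample inventories for a small firm (not real data).
COMPLIANT = [
    BackupCopy("nightly NAS snapshot", "disk", False, True),
    BackupCopy("weekly tape rotation", "tape", False, True),
    BackupCopy("cloud replica", "cloud", True, True),
]
RISKY = [
    BackupCopy("nightly NAS snapshot", "disk", False, True),
    BackupCopy("USB drive in desk drawer", "disk", False, True),
    BackupCopy("cloud replica", "cloud", True, False),  # never restore-tested
]

if __name__ == "__main__":
    for name, inventory in (("compliant", COMPLIANT), ("risky", RISKY)):
        print(name, check_321(inventory) or ["ok"])
```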

Seem overwhelming? Skyward Technical Solutions offers these services as a “done for you” package. We offer 24/7 critical service monitoring and a best-in-class helpdesk where our techs answer live, speak clearly and can remote into your systems to assist in a matter of seconds. Our security experts are always on standby waiting to assist. Contact us today for a risk-free assessment.

An inadequate breach response can be devastating to an accounting practice. Not only does it result in reputational harm, but it can also result in higher out-of-pocket expenses, including heavy fines, and more. Oftentimes, the firm becomes a future “target” for other cybercriminals.

To further help insulate your firm from exposure, purchase appropriate cyber liability coverage. Remember that your existing coverage may not adequately cover a data security breach and the necessary response. Accordingly, consult with your insurance agent or broker when assessing your cyber coverage. Read the general terms and conditions of the policy and understand how it applies to first party risks (i.e., business interruption and data restoration) as well as to third party risks (i.e., network damage, privacy injury, event expenses, regulatory proceedings and extortion).

Cybercrimes are constantly evolving, which means CPAs need to stay abreast of the latest threats and take measures to impede them. In the meantime, firm employees should be fully trained in security awareness. Most of all, recognize that, statistically, you have a greater chance of being hacked than not. Having adequate data security measures in place can make all the difference between being just another data breach victim and being a bulwark against data fraud.

Sources:
2016 State of Cybersecurity in Small & Medium-Sized Businesses (SMB), Ponemon Institute LLC and Keeper Security.
NetDiligence 2015 Cyber Claims Study.
Ponemon Institute Research Report, 2015 Cost of Data Breach Study: United States (based on 2015 reported breaches).


About the Authors:
Stanley D. Sterna, JD, serves as Vice President in the Professional Firms Division of Affinity Insurance Services, Inc. (Aon Affinity). As a Claim and Risk Management Consultant, Stan provides quality control, claim/litigation management, and risk control expertise to many of the country’s largest accounting firms. He also advises clients on broader enterprise risks including cyber liability. He supports business planning, client relations, and sales/marketing initiatives for the AICPA Professional Liability Program and Aon Affinity’s business partners. Aon Affinity has been the endorsed administrator of the AICPA Professional Liability Insurance Program since 1974. To learn more about the AICPA Program, visit www.cpai.com.

Nick Graf serves as Consulting Director of Information Security for CNA’s Risk Control unit. Nick has more than a decade of information security experience and specializes in data leakage prevention, security policies, incident response, data breach and security awareness. He has presented courses on privacy, big data, the cloud and healthcare risks, and has also written and contributed to articles regarding information risks, social engineering, mobile device security, phishing and personal password management.

This article is provided for general information purposes only and is not intended to provide individualized business, risk management or legal advice.

Continental Casualty Co., one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. Aon Insurance Services, the National Program Administrator for the AICPA Professional Liability Program, is available at 800-221-3023 or visit cpai.com.

This article provides information, rather than advice or opinion. It is accurate to the best of the authors’ knowledge as of the article date. This article should not be viewed as a substitute for recommendations of a retained professional. Such consultation is recommended in applying this material in any particular factual situations.

Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice. “CNA” is a registered trademark of CNA Financial Corporation. Certain CNA Financial Corporation subsidiaries use the “CNA” trademark in connection with insurance underwriting and claims activities. Copyright © 2018 CNA. All rights reserved.