Cyber incidents continued their upward trajectory in 2021 – once again breaking records and setting the stage for an even more active 2022, with geopolitical events contributing to an already heightened threat level. And in this environment, CPA firms – which accelerated their digital transformation during the pandemic – are particularly vulnerable to an attack.
The motivation and rationale behind a cybercriminal can vary, from securing ransom payments to selling confidential data on the dark web. This fluid environment is challenging firms to sharpen their focus on not just creating, but also continually enhancing, their security strategy.
In recent years, hackers have been shifting their focus – moving beyond just the big name, headline-making targets that were synonymous with breaches in the past, to focusing on smaller, “under the radar” victims. For example, based on emerging patterns, it seems like some cyber criminals may be avoiding larger organizations for ransomware attacks so they don’t evoke national political or law enforcement response. According to Sherry Bambrick, senior underwriter for the AICPA Member Insurance Programs, this evolving strategy has serious implications for CPAs.
“Hackers have always found CPA firms particularly attractive because they are, in essence, aggregators of data - both financial and PII or Personal identifiable information,” Bambrick said. “This trending focus on smaller organizations, coupled with the level of PII a firm potentially holds, quite simply increases the risk they face.”
Beyond the data, hackers also tend to target CPA firms because they frequently have access to client funds. Cyber criminals may also assume that mid-size and smaller firms do not have strong information security preparedness strategies in place because their leaders believe they are too small to be targeted.
Understanding the Vulnerabilities
Firms can face many obstacles on the path to better cybersecurity – from budget and IT talent challenges to legacy technology issues – and they have to navigate a wide range of risks. Today, one of the biggest vulnerabilities to firms comes from beyond their own physical and virtual walls. Third parties, such as clients and vendors, and their security protocol – or lack thereof – can have a major impact, increasing the potential for unauthorized disclosure and use of a client’s PII or by a malware infection of a client’s network resulting in data corruption.
Firms’ deeper presence in the virtual world has also contributed to their growing list of cyber exposures. The rise of remote work, for example, means that a firm is also relying on employees to make sure their home routers are appropriately configured and patched with the most recent firmware, and more. And their growing use of cloud computing puts data in a location where it may be more easily accessed if there’s a lapse in security protocols.
The consequences of ignoring these weak spots can be profound. While financial impact – including ancillary expenses related to complying with various breach response laws – may be one repercussion, firms can also face regulatory action by state and federal agencies as well as lasting reputational damage. In short, the effects of an attack can impact a firm’s ability to grow and remain profitable.
Addressing the Risks
Firms must put measures in place to proactively detect risks and vulnerabilities as well as help protect against breaches and/or “active” concerns like phishing and ransomware. And those measures need to address both the technology as well as the people using it.
Leaders should begin by gaining a thorough understanding of evolving cyber threats and how they can adversely impact the firm and clients, then shape an approach to security that should include:
- Conducting security awareness training, including real-world exercises, such as a realistic, challenging phishing simulations. Blending teaching with engaging activities can help reinforce best practices.
- Building a “culture of security” at your firm that is focused on data governance and management. Remember, this requires strong input from the business, not just the IT and risk management sides of the firm.
- Reminding your employees to practice self-awareness. Slowing down before an employee responds to or otherwise takes action on a suspicious email can be half the battle. For example, remind them to assess suspicious URLs for irregularities or confirm the sender’s identity through an alternative/ confirmed contact method, such as a phone call.
- Using multi-factor authentication for all access points, requiring more than just a password to join the network. Confirmation via text messages, phone calls or fingerprints doesn’t take a lot of effort to implement but it can make a high impact on a firm’s security.
- Asking employees to limit the amount of work-related information they share online so would-be attackers can’t use it for social engineering schemes. Keeping things like client or colleague names out of personal social media posts gives cyber criminals one less thing to use.
- Using a VPN (Virtual Protected Network) to mask employees’ identities so would-be attackers can’t intercept communications, especially when they are using public WiFi.
- Installing, maintaining and regularly updating anti-virus/anti-phishing software to scan and block malicious links, attachments or accounts and that can intercept and neutralize malicious malware from a corrupt link or attachment.
- Using controls when working with third party providers such as indemnification clauses or language requiring the provider to maintain cyber insurance in the service agreement in the event of a breach to a third-party platform.
- Creating a robust security and breach response plan that you can activate quickly in the event of an issue. This plan should be revisited and updated on a regular basis to help ensure it addresses the current risk landscape.
Protecting Your Digital Footprint
In addition to taking the appropriate risk mitigation measures, firms should look to cyber insurance to provide another layer of security and support.
We have placed cyber coverage for nearly 14,000 CPA firms across the country, and we know just how susceptible organizations of all sizes are to a cyber-attack,” said Cathy Whitley, a senior risk advisor with the AICPA Member Insurance Programs – which created the first cyber policy for CPAs in 2009. “Firms can’t simply purchase a policy and call it a day. They should regularly evaluate their cyber coverage and consult with their agent or broker given the current evolving risk landscape.”
As firm leaders review protection options, they should consider their coverage in two areas:
While every policy has its own nuances, some common coverages include:
- Privacy Event Expense Coverage: Addresses expenses associated with complying with statutes or regulations in the event of a data breach, including notification costs and credit monitoring.
- Network Damage Claim Coverage: Pays claims brought by third parties, such as vendors, merchants, service providers, and others, whose computer networks and information may have been damaged by a wrongful act by a firm’s partners or employees that resulted in a security breach of a firm’s network.
- Extortion Coverage: Provides coverage for reasonable and necessary expenses to respond to an extortion threat to launch an attack or otherwise disrupt a firm’s network.
- First Party: Reimburses for lost business income that a firm would have earned and extra expenses incurred while operations were substantially interrupted due to unauthorized access to the a firm’s network.
- Regulatory Proceedings/Fines: Reimburses for attorneys’ fees and other reasonable costs in responding to regulatory proceedings, including associated regulatory fines.
This coverage can help limit exposure to your firm against risk of loss of or damage to certain types of property resulting from fraud schemes like social engineering/ransomware scams. It can cover:
- Computer Fraud: Use of a computer to fraudulently transfer covered property through unauthorized and intentional use of corrupt code by an outside party.
- Funds Transfer Fraud: A fraudulent instruction directing a financial institution to transfer, pay or deliver money or securities.
- Social Engineering Social Engineering Fraud: The intentional misleading of an employee (including managers, partners, owners, shareholders, proprietors, directors, officers, trustees, or governors) through use of a communication by a party, who is not, but purports to be the insured, an employee, or a pre-existing client or a vendor.
A smart, nimble, proactive cyber security strategy has broader implications for a firm than just data safety. It can impact a firm’s future ability to grow. Committing to developing and enhancing a cyber security framework can make all of the difference in your firm’s future.
Stan Sterna is a vice president with Aon Insurance Services, the broker and national administrator for the AICPA Member Insurance Programs, the nation's largest professional liability program for CPAs and the pioneer of cyber coverage for CPAs.
This information is provided for general informational purposes only and is not intended to provide individualized guidance or advice. You should discuss your individual circumstances thoroughly with your professional advisors before taking any action. All descriptions, summaries or highlights of coverage are for general informational purposes only and do not amend, alter or modify the actual terms or conditions of any insurance policy. Coverage is governed only by the terms and conditions of the relevant policy.