While people may think it’s safer to store data on a “cloud-based” system rather than on-site, in today’s world, neither environment is safe from hacker attacks.
Recent highly publicized infiltrations compromised millions of consumer records stored in the cloud.
As aggregators of data, CPAs have in their possession their clients’ most sensitive personal and financial information. Increasingly, CPA firms of all sizes are using cloud-based third-party service providers to help deliver a virtual service model for their clients.
While using the cloud offers many benefits to a CPA firm especially with regard to ease of service, there are also enhanced professional liability risks when allowing a third-party vendor to secure and manage client data. CPA firms using third-party service providers are frequently a target of cyber criminals.
Estimates attribute 63% of all data breaches to the use of third-party vendors.*
“If a breach occurs in the cloud, clients will hold the CPA responsible for their lost data, because he or she was the one that opted to choose that particular service,” said Ken Kumor, Senior Vice President of Aon Insurance Services. “If you store data in the cloud you give up a certain amount of control, but CPAs can manage that risk by practicing some tried and true best practices.”
How to Manage Cloud-based Risks
Assess whether your firm’s current client base and areas of practice will even benefit from third-party access to and management of client data. If you choose to use a third-party provider, identify key firm protocols for allowing such access, and then establish a plan to revisit those protocols before allowing the vendor access.
When selecting a third-party vendor, undertake adequate due diligence. This might include assessing the vendor’s compliance with known data security industry standards, its cyber insurance policies, and its own data security procedures. The National Institute of Standards and Technology’s (NIST) “Framework for Improving Critical Infrastructure Cybersecurity” is a great resource for formulating a due diligence assessment plan.
Classify the type of data (i.e., personal data, trade secrets, non-confidential information, etc.) that will be provided to a third-party vendor. By doing this, you gain a better understanding of the types of data moving through the third-party system and will be able to design appropriate protocols for the management of the information.
Perform periodic checks on the performance of the third-party vendor in managing and securing your data.
Make sure that the service agreement with the third-party vendor provides sufficient protection for your firm in the event of a data breach. For example, the agreement should spell out the third-party vendor’s responsibilities in the event of a data breach to neutralize the threat, comply with breach notification laws, provide credit monitoring to affected clients, and, most importantly, agree to defend and indemnify you for any claims made by clients or other third parties as a result of a breach.
Finally, maintain appropriate cyber insurance that covers data breaches by third parties and require, through the service agreement, that the third-party vendor likewise carry its own cyber policy that covers your firm for any expenses or losses caused by a data breach.
“When purchasing a cyber insurance policy,” said Alvin Fennell, a Vice President at Aon Insurance Services, “be aware that these types of policies are so new there is no standardization yet in the industry. Talk to a broker that works with CPAs. They’ll understand your exposures and how to best protect your firm.”
*Soha Systems, Third Party Access Is a Major Source of Data Breaches, Yet Not an IT Priority, available at go.soha.io.
This article is provided for general informational purposes only and is not intended to provide individualized business, insurance or legal advice. You should discuss your individual circumstances thoroughly with your legal and other advisors before taking any action with regard to the subject matter of this article. Only the relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured.