In May 2017, the American Institute of Certified Public Accountants (AICPA) released a cybersecurity framework that CPAs could use to evaluate their own and their clients’ risks with respect to data breaches and related cybersecurity matters in the conduct of their respective businesses.
In themselves, the framework and its recommendations are not remarkable, but the AICPA’s acknowledgement that public accountants have a role in assessing cybersecurity risk deserves closer attention.
Public accountants advise on and audit their clients’ finances and business operations. To fulfill this role, they are given access to large volumes of their clients’ confidential financial information.
Large accounting firms might store and maintain this information on their own data management systems.
If those systems are not properly secured and defended, the accountants expose themselves and their clients to the type of losses and third-party liabilities that can flow from a data breach.
Notwithstanding the value of this data, many public accounting firms are not yet equipped to safeguard it against an expanding set of cybersecurity threats. Many of those firms are prone to the same weaknesses as their clients, including:
- Ignorance of the level of the threat;
- Poor password practices, such as CPAs and their employees choosing easy-to-guess passwords or reusing the same password across multiple logins, so that one leaked credential unlocks several systems (note that current guidance such as NIST SP 800-63B no longer recommends forced periodic rotation; passwords should be changed whenever compromise is suspected);
- Internal threats from inattentive employees and vendors who click on links or attachments in phishing emails that deliver malware;
- Reliance on cloud-based data storage services that are not adequately secured or configured;
- Internal networks with weak defenses, or systems running software that has not been patched against known security flaws.
These problems and weaknesses extend to the very top of the public accounting hierarchy. In September 2017, news reports revealed that Deloitte’s information systems network had been compromised since at least March of that year.
The attackers who broke into Deloitte’s network reportedly were able to access information about many of Deloitte’s corporate and government clients.
Belying the sophistication that is often credited to attackers, they needed no exotic tooling: a single administrator password gave them the ability to open every one of the firm’s internal email accounts.
Deloitte announced that this data breach impacted only a limited number of its clients and that it had no material impact on its day-to-day operations.
This event was nonetheless embarrassing to the renowned public accounting firm that had previously been recognized as one of the world’s top cybersecurity consultants.
Even where client data suffers little impact, this event demonstrates how a public accounting firm’s reputation can take a serious hit when it is the target of a successful cyber attack.
As public accounting firms strengthen their cybersecurity defenses and turn their attention to the weaknesses that run through many different industries, they will also need to accept that it is not possible to prevent every data breach.
Attackers sell their services and tooling on dark-web marketplaces, and that market rewards whoever develops the new techniques that defeat the latest defenses.
With this in mind, cyber insurance for CPAs and public accounting firms is now as important as professional liability insurance.
Cyber insurance can provide coverage and reimbursement for accountants and their firms from the direct losses and third-party liabilities that are associated with a successful data breach.
That insurance can also help a public accounting firm to defend and protect its reputation by demonstrating to the firm’s client base that the firm and its members understand the gravity of the cybersecurity problem and are willing to take concrete steps to address it.