A showdown between hackers and accountants is unlikely to have the same action-packed appeal as the latest summer superhero blockbuster, but the stakes in that real-life showdown are no less significant. Accounting firms are at a heightened risk for cyber attacks because they hold large amounts of their clients’ personal and financial data, they are privy to confidential corporate information that has immense value to cyber attackers, and they typically have fewer layers of cyber protection to guard against theft of that information than the sources of that information. These elements combine to create a perfect storm of cyber attack exposure that can leave accountants as the losers in any ultimate showdown.
Related: Privacy and The Digital World
A California CPA firm discovered this the hard way in August 2016 when it discovered that hackers had breached its data systems and filed 45 fraudulent tax returns using their clients’ data. The firm contacted those of its clients that might have been affected and implemented whatever procedures it could to limit the damage, including offering complimentary credit monitoring services to those clients.
The firm did not announce what costs and expenses it incurred as a result of this event. Between actual expenditures and costs associated with reputational losses, experts estimate that in 2016, a data breach cost an average of $221 per compromised record. At that rate, the firm would have lost almost $10,000 as a result of the hack. That might not be a significant number to a larger CPA firm, but that magnitude of loss can impact the viability of many smaller CPA firms.
Rather than waiting for the showdown to come to them, CPA firms can take affirmative steps to protect themselves and their clients’ data to minimize or even eliminate the prospects of these types of losses. Some of the more common recommendations include:
1 Start at the top: If a CPA firm’s senior accountants and managers do not demonstrate a commitment to implement cyber security measures, the rest of the firm will likely not follow suit.
2 Make cyber security awareness a regular topic: Like all professionals, accountants are charged with staying on top of new industry developments that affect how they manage their clients’ finances. Cybersecurity should be an integral part of an accountant’s continuing professional education efforts.
3 Periodically test the system: An accounting firm’s employees will more likely adhere to cyber security requirements if they know that their compliance will be periodically tested. Rather than just implementing a cyber protection policy, enact measures to confirm that it is being followed.
4 Keep software and systems updated: Cyberattackers rely on flaws in operating systems that become publicized on hacker bulletin boards and across the Dark Web. Software developers issue patches and updates to close those flaws. CPA firms should take steps to ensure that all patches and updates are installed on their networks, computers, and mobile devices.
5 Enhance network login requirements and encryption: CPA firms should implement dual-factor authentication and end-to-end encryption to improve their technology defenses against cyber attacks.
The best laid and most robust cyber defense strategies will raise the bar against a successful hacking attack, but it will not entirely prevent them. When an attack does succeed in breaching a CPA firm’s cyber defenses, cyber insurance for accountants can limit or eliminate the direct and third party losses that the accounting firm might face.
Related: 3 Ways Corporations are Keeping Track of Data Breaches
Roughly two-thirds of the average $221 cost per compromised record comes from reputational and client confidence losses that occur when an accounting firm’s data and network are breached. An accounting firm that carries cyber insurance will send a message to its clients that it takes their data security seriously and that it is taking all precautions to prevent a breach and to recover from a breach if one does occur. Thus, cyber insurance for accountants provides assurances that losses will not strangle the firm and that the firm’s reputation and very existence will survive any showdown with hackers.