We are in a cyber age and, as such, organizations must include cyber risks in their risk management process. From multinationals to local mom-and-pop clients, any size organization could be targeted by an international cybercrime ring. Some of these attacks risk bringing businesses to a halt.
Not even the most robust controls can ensure that all cyberattacks will be prevented. Organizations should prepare to act quickly when an attack hits. When a malicious actor breaches an organization, every second counts, and a quick response can limit the breach's damage and, in turn, mitigate the cost.
A key element of the risk assessment process is building a strong business continuity and disaster recovery (BC/DR) plan. Accounting practitioners are positioned to help their clients and employers recover from cyberattacks by working with them to create a BC/DR plan. Here are several steps for creating a plan and how practitioners can add value in each step.
CREATE A BUSINESS IMPACT ANALYSIS
Practitioners should first work with clients to analyze the impact a disruption might have on revenue. Organizations should also analyze the extra expenses of an interrupting event. These costs could include overtime and the costs of third-party vendors brought in for business continuity and recovery efforts in the event of a cyberattack.
Organizations will also need to consider possible regulatory fines and contractual penalties. Breaches and other fraud events may cause reputational damage, and the business impact analysis should include the impact of customers being unhappy or defecting to a competitor.
The analysis should also consider the impact of the timing or duration of the business disruption. For example, a disruption that happens just before or during an organization's busy season or one that lasts months will have a more significant impact than one that happens during a slow season or that lasts seconds. The analysis can then identify key recovery time objectives for business processes and IT.
Practitioners should encourage organizations to consider various scenarios and quantify their impacts. In compiling this analysis, practitioners should speak with people with detailed knowledge of the business to best identify potential impacts and to determine responsible parties. Practitioners can also follow up on their interviews with key personnel to validate information and fill any gaps in the analysis.
DETERMINE RECOVERY STRATEGIES
With the information provided in the business impact analysis (BIA), the organization can chart recovery strategies by identifying which business processes are critical to the organization. Once the organization has identified critical functions, it should also check whether any dependencies exist between various business areas, functions, and third-party vendors. The organization can then calculate the resources it requires to continue to function at different levels of performance.
The BIA can help practitioners identify the organization's processes, business areas, functions, and resource requirements. It is essential that the IT recovery plan aligns with the rest of the organization's business plan. During a business interruption, IT departments' efforts should be focused on critical operations.
Backup management should be an integral part of a BC/DR plan. Are the organization's backups connected to the network? If so, they could be affected by a malware attack. Practitioners should advise clients to have critical continuity and recovery backups isolated from the network and geographically dispersed. Practitioners should find out how often the organization backs up its data and ask how much data the organization is willing to lose in the event of a breach — a day's worth, an hour's worth, or perhaps just five minutes' worth. The organization can then ensure that its needs align with its backup schedule.
Do staff know how to respond during a cyber event? For instance, do they know if they should turn off or put to sleep their machines if they suspect a ransomware attack? Do they know how to disconnect from networks and whether they should restart their machines, or if the restart might help the breach spread? Do they know how to send an emergency message to IT to stem propagation of the attack?
With the various business interruption scenarios, organizations should also think about alternate manual workarounds for getting up and running again. Practitioners can work with clients to assess the risks of fraud involved with these workarounds and how to address the risks.
After a disruption, organizations don't want to incur even more losses because of weaknesses in their workarounds. In addition, practitioners can conduct an analysis to determine gaps between recovery requirements and the organization's current capabilities.
DEVELOP CONTINUITY AND RECOVERY PLANS
The BIA and recovery strategies are brought together to develop the BC/DR plan. The plan will define the BC/DR team members' roles and responsibilities. It helps to document this team in an organization chart that shows the chain of command, succession of management, and delegation of duties. The defined roles and responsibilities should address interactions with the external vendors and contractors who will be involved. A list with contact information for all of these parties should be compiled, and a copy should be maintained outside the IT system, as the organization may not be able to access it when the IT system is down. This list should include insurance contacts, key vendor relationships, legal resources, and digital forensic experts that will be necessary parts of the continuity and recovery process, including damage assessment and situation analysis.
Detailed procedures, resource requirements, and logistics of all the recovery strategies are to be documented in the BC/DR plan. Organizations should also include a detailed plan for possible relocation to alternate worksites in the event the disruption requires moving operations.
Using information collected during the business impact analysis and the recovery strategies analysis, data restoration and IT recovery plans must be well-documented aspects of the BC/DR plan. It must be clear how the business and IT will work together efficiently and effectively. When a disruption occurs, employees should know how they will communicate, where they will go, and how they will keep doing their jobs. The manual workarounds that the practitioner has evaluated should also be documented in the BC/DR plan.
Finally, the BC/DR plan should define the procedures for incident detection and reporting. The more that is known and documented, the less room there is for delay, panic, and confusion.
TRAINING AND TESTING NEVER STOP
With a plan in place, employees, particularly BC/DR team members, should know what to do and have confidence that their IT systems will behave as planned. This is achieved through training and testing. Practitioners can create and review training curricula for team members, with a focus on high-risk areas. Testing of BC/DR plans may include plan review, tabletop exercises, and simulation tests.
Organizations should regularly test their backup and recovery processes. The worst time to discover that your backups don't work is when you are trying to recover lost data. Results of the testing should be documented; practitioners can follow up with clients to ensure this testing is occurring and being documented and that findings are being acted on when necessary.
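The backup-management questions raised earlier (are backups isolated from the network and geographically dispersed, and does the backup schedule match how much data the business is willing to lose?) and the restore-testing point above can be turned into a repeatable check. The script below is an added example, not part of the article or any AICPA material; the catalog fields, the 90-day restore-test threshold, and the sample systems are assumptions constructed for illustration.

```python
"""Backup readiness check against a BC/DR plan's recovery objectives.

Added example (not from the article): given a constructed backup catalog,
flag critical systems whose most recent backup is older than the agreed
recovery point objective (RPO), whose copies all sit on the production
network, that lack a copy in a second region, or whose last restore test
is missing, failed, or stale. Field names and sample data are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed "current time" so the example is deterministic when run.
NOW = datetime(2021, 9, 15, 9, 0)

# Assumed policy: a successful restore test must be no older than this.
RESTORE_TEST_MAX_AGE = timedelta(days=90)


@dataclass
class BackupCopy:
    location: str           # e.g. "datacenter-nyc", "offline-vault-nj" (constructed)
    network_attached: bool  # True if reachable from the production network
    region: str             # where the copy physically lives


@dataclass
class SystemBackup:
    system: str
    rpo: timedelta                  # data loss the business agreed it can tolerate
    last_successful_backup: datetime
    copies: list[BackupCopy] = field(default_factory=list)
    last_restore_test: datetime | None = None
    last_restore_test_passed: bool = False


def assess(sb: SystemBackup, now: datetime = NOW) -> list[str]:
    """Return a list of plain-language findings; an empty list means compliant."""
    findings: list[str] = []
    age = now - sb.last_successful_backup
    if age > sb.rpo:
        findings.append(f"RPO exceeded: last backup {age} old, RPO {sb.rpo}")
    # Malware on the network can reach every network-attached copy.
    if not any(not c.network_attached for c in sb.copies):
        findings.append("no copy isolated from the network")
    # A single region is a single point of failure for a site-level disruption.
    if len({c.region for c in sb.copies}) < 2:
        findings.append("copies not geographically dispersed")
    # A backup that has never been restored is an untested assumption.
    if sb.last_restore_test is None:
        findings.append("restore never tested")
    elif not sb.last_restore_test_passed:
        findings.append("last restore test failed")
    elif now - sb.last_restore_test > RESTORE_TEST_MAX_AGE:
        findings.append("restore test older than 90 days")
    return findings


def report(catalog: list[SystemBackup], now: datetime = NOW) -> dict[str, list[str]]:
    """Map each system name to its findings, for the BC/DR review record."""
    return {sb.system: assess(sb, now) for sb in catalog}


# Constructed sample catalog (not real systems).
SAMPLE_CATALOG = [
    SystemBackup(
        system="general-ledger",
        rpo=timedelta(hours=1),
        last_successful_backup=NOW - timedelta(minutes=30),
        copies=[
            BackupCopy("datacenter-nyc", network_attached=True, region="us-east"),
            BackupCopy("offline-vault-nj", network_attached=False, region="us-east"),
            BackupCopy("cloud-us-west", network_attached=True, region="us-west"),
        ],
        last_restore_test=NOW - timedelta(days=20),
        last_restore_test_passed=True,
    ),
    SystemBackup(
        system="payroll",
        rpo=timedelta(hours=24),
        last_successful_backup=NOW - timedelta(days=3),
        copies=[BackupCopy("datacenter-nyc", network_attached=True, region="us-east")],
    ),
    SystemBackup(
        system="file-server",
        rpo=timedelta(hours=1),
        last_successful_backup=NOW - timedelta(minutes=10),
        copies=[
            BackupCopy("datacenter-nyc", network_attached=True, region="us-east"),
            BackupCopy("cloud-us-west", network_attached=True, region="us-west"),
        ],
        last_restore_test=NOW - timedelta(days=120),
        last_restore_test_passed=True,
    ),
]

if __name__ == "__main__":
    for system, findings in report(SAMPLE_CATALOG).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{system}: {status}")
```

In practice the catalog would be populated from the backup tool's job history and the RPO values from the BIA; the point of keeping the output as a per-system list of findings is that the practitioner can attach it to the documented test results and confirm at the next review that each finding was acted on.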
Organizations change, perhaps through the implementation of new software or the opening of a new location, and as employees turn over or change roles. These organizations may learn lessons from the BC/DR training and testing. As such, their BC/DR plans must be regularly reviewed, maintained, and improved.
About the author
Rumbi Bwerinofa-Petrozzello, CPA/CFF, CFE, is senior director, Consulting at Seramount and a member of the AICPA Fraud Task Force. She is also president of the New York State Society of CPAs.