CPA firms are under constant threat of a cyberattack because of the abundance of confidential and sensitive client data they receive, use, and store. The transformation of how firms do business — including the movement to cloud-based applications and data storage, an increasingly mobile workforce, and the expansion of service offerings that give firms greater access to client information and funds — has, likewise, increased the number of entry points for a cybercriminal. Meanwhile, the cyberthreat landscape continues to evolve, with schemes becoming increasingly sophisticated and difficult to detect.
FORMS OF ATTACK
Cyberattacks come in many forms, as these recent experiences illustrate:
A small CPA firm unknowingly had malware introduced to its system, likely from an infected email attachment or malicious website. This malware was designed to alter the tax overpayment instructions on client tax returns to be e-filed, redirecting refunds to the hacker's account outside the United States. The attack was discovered when a CPA followed up on a number of client calls regarding delayed refunds. As the clients were unable to recover the stolen amounts, several brought suit against the CPA firm for the lost refunds.
A midsize CPA firm performed client accounting services for a small restaurant group, including payment of vendor invoices and other disbursements as directed by the client. An engagement team member received email instructions from the client directing him to process wire transfers to various client vendors. The team member completed the transfers without additional verification only to later discover that the email was fraudulent. The client demanded payment from the CPA firm for the lost funds.
A large CPA firm lost network access and received a ransomware demand for the return of its data. Fortunately, the firm had a sound backup recovery process in place and was able to restore its data and regain system access. However, unbeknownst to the firm, the attacker left a backdoor into the firm's system and perpetrated another, more severe, ransomware attack. This time, the attack resulted in the firm's being unable to complete client services. Client data was exposed, and the firm had to notify affected individuals. Moreover, the attack was an embarrassment to the firm and a blow to its reputation.
Not all threats emanate from outside the firm. CPA firms can also face threats as a result of their failure to properly and timely address their own system vulnerabilities. As such, firms should frequently review and test their cyber risk management protocols to help prevent, detect, and contain data security incidents. Consider the following strategies, which, among others, can help diminish the likelihood and impact of an attack:
- Use multifactor authentication, which requires two or more pieces of evidence (factors) to access a system, wherever possible, especially when the data being accessed is highly sensitive.
- As ransomware attack victims often learn too late, an automatic, routinely scheduled system backup that replicates data to a secure location off-site or in the cloud can help protect data if systems are compromised by an attack or simply fail. Maintain an offline backup so it, too, is not compromised in the event of an attack. Perform periodic restoration tests to help ensure backed-up information can be accessed when needed.
- Keeping your systems secure is an ongoing effort. Accordingly, implement patch management protocols to identify, acquire, install, and test necessary patches, or code changes, to fix bugs, close security holes, and add necessary features. Create a plan for when testing and patches will be implemented to avoid unnecessary system downtime.
- Install an endpoint detection and response security solution to provide continuous monitoring, collection, and analysis of data; to detect unauthorized access, suspicious activity, and changes as they occur; and to remove malware.
- Encrypt mobile devices, such as laptops, tablets, and cellphones, as they are easy targets for theft or loss. Enable remote disabling and wiping to remove sensitive data if the device is lost or stolen.
- Apply the principle of least privilege and limit access to sensitive data on a need-to-know basis. Limit administrator privileges to trusted IT staff and key personnel. Perform routine access reviews to ensure that access remains appropriate.
- Avoid using the email address autofill function and/or implement a "delayed send/confirm" function to potentially catch a misdirected email before it is sent.
- Phishing is one of the most common entry points for cybercriminals. As such, implement anti-phishing tools and simulate phishing attacks to test firm personnel's security awareness.
- Exercise extreme care when handling client or firm money. Never assume that an email request is legitimate, regardless of the sender, amount, or tone. Pause, pick up the phone, and call the requester at a trusted number to validate the request.
- Practice sound data management and hygiene. Understand how data is received by the firm, what data is received, what protections are required by law or regulation, where data is stored, how long it is stored, and how it is disposed of. Implement security measures wherever sensitive data is stored, and move or purge unnecessary or outdated client data in accordance with the firm's data retention policy. The risk of a data security incident, and the cost of responding to one, can increase significantly if a firm has not implemented appropriate data management processes.
- Training is one of the keys to successfully managing data security risk. Set the tone from the top and remind all firm personnel of the significant impact that a cyber incident can have on the firm and, consequently, the need for sustained vigilance by all. Have a clear "think before you react" policy and train and test personnel on how to respond to potential threats.
- Develop, routinely test, and update an incident response plan that provides a road map in the event of a data security incident. The plan should delineate specific steps the firm will follow and identify external resources, such as the firm's cyber liability insurer, breach counsel, and forensic and IT experts, that will help guide the firm's response.
- Assess insurance coverage. Responding to a data security incident can be expensive. CPA firms should understand the coverage parameters of their current policies and how coverage would apply in the event of a data security incident.
Understanding and implementing data security controls may seem daunting. Work with your IT professional to help understand the regulatory requirements applicable to your firm and implement security measures appropriate for your business. Leverage additional resources such as the free AICPA resources mentioned on this webpage. Visit the U.S. Cybersecurity and Infrastructure Security Agency's Cyber Essentials page or the Federal Trade Commission's Cybersecurity for Small Business page for additional resources to help businesses implement cybersecurity practices.
The share of cyber incidents experienced by CPA firms in the AICPA Professional Liability Insurance Program in 2021 that were caused by external breaches of a network or email or a ransomware event.
Source: CNA Accountants Professional Liability Claim Database, underwritten by Continental Casualty Company. Copyright © 2022. All rights reserved.
Karen Nakamura, CPA, is a risk control consulting director at CNA. For more information about this article, contact firstname.lastname@example.org.
Continental Casualty Company, one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. Aon Insurance Services, the National Program Administrator for the AICPA Professional Liability Program, is available at 800-221-3023 or visit cpai.com.
This article provides information, rather than advice or opinion. It is accurate to the best of the author's knowledge as of the article date. This article should not be viewed as a substitute for recommendations of a retained professional. Such consultation is recommended in applying this material in any particular factual situation.
Examples are for illustrative purposes only and are not intended to establish any standards of care, serve as legal advice, constitute a contract, or acknowledge that any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice.