PROFESSIONAL LIABILITY SPOTLIGHT
Are you prepared for the cost of a data security incident?
Another day, another cyber incident. One does not have to search hard to find a news headline about the latest breach of consumer data or a warning about the ransomware threat du jour. Stories about sophisticated global cybersecurity attacks perpetrated by criminal enterprises or nation-states can be a riveting read for anyone who likes a good thriller.
With such fascinating stories, it may be easy to confuse this reality with fiction — so far-fetched and removed that something similar couldn’t possibly happen to your firm. Indeed, why would any threat actor bother trying to infiltrate something as small potatoes as an accounting firm?
The reason is that sometimes the path of least resistance provides the easiest way for threat actors to get what they want, which may include but is not limited to:
- Personally identifiable information that can be sold or used to perpetrate fraud schemes;
- The ability to seize a firm’s system and threaten release of confidential information unless a ransom is paid; or
- An entry point into a firm client that may have been inaccessible directly.
DATA SECURITY INCIDENTS AND ACCOUNTANTS
Still think a data security incident won’t happen to your firm? Consider these incidents taken from the recent experiences of CPA firms in the AICPA Professional Liability Insurance Program:
- A CPA clicked on a phishing email, granting access to his system, including tax return preparation software. In early April, the CPA discovered that multiple in-process returns were submitted to the taxing authority without authorization but not before bank account information was changed to redirect refunds to the bad actors.
- In the middle of busy season, a CPA received multiple calls from individuals who received an email from the CPA with a link to click and download a secure document. An investigation revealed that the bad actor had gained access to the CPA’s email system and sent a phishing email to more than 2,000 contacts, some of whom took the bait.
- A CPA firm was subject to a ransomware event that encrypted a workstation, two servers, and the local backups. In addition, the firm’s backup service had not synced recently, so no current copy of the data existed. The firm was down for multiple weeks and had to redo many hours of work.
- A CPA received a phone call from a “QuickBooks representative” who communicated that the CPA’s account needed to be updated and that the “representative” could assist with this. The CPA granted remote access to his computer to the “representative” but became suspicious when the “representative” requested banking information. Spooked, the CPA hung up but subsequently noticed unusual activity on his computer. A forensic investigation followed to determine what information had been compromised.
- A threat actor gained access to a CPA’s email and contact list and sent emails instructing the firm’s clients to change banking information for future fee payments to the firm. The scheme was discovered only when the firm contacted clients about delinquencies.
- A CPA received a call from someone in another state stating that the CPA had filed their taxes even though the caller was not a client. After a similar call claiming the same, the CPA contacted the IRS, which communicated that nearly 500 tax returns were filed using the CPA’s compromised tax filing number.
While these stories might not be gripping, should-be-made-into-a-movie page-turners that you can’t put down, the CPA firms that went through these incidents would likely argue that their experiences were no less dramatic.
DATA SECURITY INCIDENT RESPONSE COSTS
After experiencing a jarring event like any of those described above, a CPA’s first inclination might be to shut down, wipe everything clean, restore from a backup, and start over. Unfortunately, that response is rarely the best approach: wiping systems before a forensic team has preserved them destroys the evidence needed to determine what the attacker accessed, and every later step depends on that answer. The steps in responding to a data security incident after the initial containment are typically more extensive, complex, and expensive.
Investigation
Myriad state and federal laws and regulations, primarily centered on notification to affected individuals, can guide an organization’s response to a data security incident. But before individuals are notified, an investigation must be completed to determine exactly who should be notified. A data forensics team typically performs the investigation, which looks to determine what data a bad actor may have accessed or exfiltrated from the organization.
Remediation
If one data security incident wasn’t bad enough, can you imagine what it would be like to experience another only months later? Often, bad actors leave a backdoor they can use to re-access the firm’s systems later, the CPA none the wiser. IT and data forensic teams can help assess whether a parting gift was left and help identify and fix the vulnerability that led to the data security incident in the first place.
Notification
All states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have enacted legislation requiring notification to affected individuals whose personal information was breached. Specific requirements vary depending on the jurisdiction. Depending on the type of information involved, such as personal health records, other laws and regulations may apply. Law enforcement, the IRS, and regulatory bodies may also need to be notified.
Other costs
In addition to the often-significant outlay for investigation, remediation, and notification, there are costs that are harder to quantify but just as impactful.
- Litigation risk: The hacker who stole an individual’s information is likely too elusive to be held responsible for the damages caused by their misdeeds. Instead, plaintiff attorneys may target the organization that failed to protect the data entrusted to it and seek class certification if a data security incident is large enough. Indeed, data breaches are a fast-growing area of class-action litigation, with nearly 1,500 class actions filed in 2024 compared to just over 600 in the two years prior, according to a January 2025 article from law firm Duane Morris.
- Operational and emotional disruption: Responding to data security incidents can cause a significant disruption to a firm’s day-to-day activities and take an emotional toll on those involved. Depending on the source and scope of the breach, it may be several weeks or months before a return to normalcy.
- Reputational damage: CPAs act as the protector of a client’s trust, so it is embarrassing to have to tell clients that their information was compromised because of something that happened at the firm. Once lost or damaged, trust is hard to regain. A data security incident can have long-lasting repercussions.
BOLSTERING YOUR DEFENSES
Combating a nimble, sophisticated, and resilient cybersecurity foe requires a CPA firm to be nimble, sophisticated, and resilient as well. While not an all-encompassing list, here are some practices to consider:
- Create and maintain an Incident Response Plan. This is a written plan that helps guide your firm in the wake of a security incident. A typical incident response plan identifies roles and responsibilities, provides guidance on key activities, and includes a list of key individuals and their contact information. Contacts on the list may include the firm’s cyber liability insurance carrier, breach coaches, data forensic investigators, and legal counsel.
- Employ sound data security protocols, which not only help prevent intrusions but also detect and contain incidents when your perimeter defenses are breached. Protocols include, but are not limited to, periodic access control reviews, multifactor authentication, endpoint encryption, and endpoint detection and response (EDR) tools.
- Continually train all personnel to recognize and appropriately respond to phishing attacks. The human element continues to be present in the vast majority of data security breaches involving small and medium-size organizations, according to the Verizon 2025 Data Breach Investigations Report.
- Understand where your firm’s data resides. Data that exists outside a firm’s centralized data management system, known as shadow data, typically sits outside the firm’s security controls and backups and can be exposed in a data security incident, increasing both the risk and the cost of the incident.
- Adopt a record retention policy (and follow it). A strong record retention policy addresses when data, in all formats, should be deleted. Just because it is easy to store years’, or even decades’, worth of data does not mean you should. Doing so may increase the cost of a data security incident as more individuals may need to be notified than necessary.
- Don’t neglect third parties. Most CPA firms use third-party service providers in some capacity. Conduct thorough due diligence on your vendors’ security practices and understand what happens if the third party experiences a data security incident that affects the firm’s data. Memorialize each party’s responsibilities in an agreement.
- Be prepared. A data security incident can happen to any firm. Responding to one is generally not cheap or quick. Set aside resources and have appropriate insurance coverage in place to help you lessen the impact to your firm.
WIRE TRANSFER FRAUD — A COSTLY ATTACK SCHEME
While not specifically addressed in this article, wire transfer fraud schemes are a costly type of data security incident that should not be overlooked. For more on how to address the risk of wire transfer fraud, read “10 Tips to Help Avoid Wire Fraud Schemes” (JofA, October 2024) and “How mental shortcuts expose you to wire fraud risk” (JofA, November 2023).
48 minutes: the average time in 2024 between an attacker’s initial compromise and lateral movement to other systems in the organization (breakout time), 22% faster than in 2023. Source: CrowdStrike 2025 Global Threat Report.
Sarah Beckett Ference, CPA, is a risk control director at CNA. For more information about this article, contact specialtyriskcontrol@cna.com.
Continental Casualty Co., one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. Aon Insurance Services, the National Program Administrator for the AICPA Professional Liability Program, is available at 800-221-3023 or visit cpai.com.
This article provides information, rather than advice or opinion. It is accurate to the best of the author’s knowledge as of the article date. This article should not be viewed as a substitute for recommendations of a retained professional. Such consultation is recommended in applying this material in any particular factual situations.
Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured.