When cloud software provider Wolters Kluwer shut down most of its systems, including its popular CCH Axcess tax software, on May 6, accounting firms were left unable to access client data or e-file tax returns just nine days before the May 15 tax return filing deadline for calendar-year not-for-profits as well as certain fiscal-year corporations, S corporations, and partnerships.
“No one was able to get into the program when I came in,” recalled Les Nettleton, director of information technology at New Orleans-based Bourgeois Bennett, which uses CCH Axcess. “We went out to their support website and weren’t able to get on.” Nettleton went online to confer with his fellow IT professionals and found that other accounting firms were in the same predicament.
On May 7, Wolters Kluwer confirmed that it had suffered a malware attack. Service was not restored until May 9. The situation proved so disruptive that the IRS granted a waiver of the Sec. 6651 late-filing penalty for affected firms to file Forms 990, Return of Organization Exempt From Income Tax; Forms 1120, U.S. Corporation Income Tax Return; Forms 1120S, U.S. Income Tax Return for an S Corporation; and Forms 1065, U.S. Return of Partnership Income, that were due May 15.
Still, firms like Bourgeois Bennett had to scramble to make up the lost time. “We were dead in the water,” Nettleton said. Once the firm regained access to CCH Axcess, he said, employees worked throughout the weekend to meet their deadlines.
When asked for comment, Wolters Kluwer referred the JofA to its news releases. The firm hired the cybersecurity firm CrowdStrike to investigate the incident, the company said in a public statement. The investigation has not found any evidence that customers’ data was stolen.
Advance planning to stay productive
Unfortunately, outages like the one that affected Wolters Kluwer, and, more recently, Cetrom, are inevitable, tech experts say, given that hackers have become so prevalent and so sophisticated.
“It’s not a matter of if, it’s a matter of when an outage will occur, and you need to anticipate that,” said Jim Bourke, CPA/CITP/CFF, CGMA, a partner in charge of information technology at WithumSmith+Brown in New Jersey.
Bourke said that firms shouldn’t be too quick to fault Wolters Kluwer. “The same malware outage could happen to any of the cloud [software] providers,” he said. “It’s the nature of the cloud. It is going to happen.”
Once an outage occurs, there’s not much firms can do except wait for their cloud software provider to get things running again. But the proper advance planning can help firms stay as productive as possible in the interim. Here are some steps to take:
- Have a contingency plan. “Every firm should have a disaster recovery plan to address cloud-based outages,” Bourke said. Determine which of your processes are mission-critical, and center your plan on those, he said. Understand your workflow, and know which steps you can take without software.
- Back up your most vital data off the cloud. Organizations should also have vital data available in the event they’re not able to access the cloud. Many cloud software providers now allow customers to export data on a regularly scheduled basis and can even automate this process, said Lisa Traina, CPA/CITP, CGMA, president of Louisiana-based Traina & Associates, a CapinCrouse company. For example, she said, you could “get client lists and copies of tax returns, and that way you’d at least have something to work with in the event of an outage.”
- Consider business continuity insurance. This type of insurance is affordable even for smaller firms, said Marc Staut, shareholder and chief innovation and technology officer at Boomer Consulting, and it can reimburse you for lost time.
Choosing the right vendor
Of all the steps you can take to reduce the chances of a cloud outage, perhaps the most important is choosing the right vendor. When vetting potential new cloud providers, pay special attention to the following:
Their security procedures, policies, and credentials. “When we advise clients on cloud projects, we make it clear that security is job number one,” said David Cieslak, CPA/CITP, CGMA, chief cloud officer and executive vice president at business-consulting firm RKL eSolutions LLC in Simi Valley, Calif. “If a provider can’t get security right, I have great concerns.”
Make sure the vendor complies with all security regulations, said Staut, though as he notes, compliance is just the first step.
Firms should also check whether the vendor has received a Payment Card Industry Data Security Standard (PCI DSS) audit report and a pair of AICPA System and Organization Controls (SOC) reports:
- A SOC 2 report on the security, availability, and processing integrity of the systems the vendor uses to process customers’ data (and the privacy and confidentiality of the data processed by those systems).
- A SOC for Cybersecurity report on the vendor’s enterprisewide cybersecurity risk management program.
Ask vendors for details about their incident response plan, said Traina, such as what their backup process is and whether they have a second “hot” site they can move operations to in the event of a hack or a disaster.
Look at their history of responding to hacks and adverse events and how quickly they’re able to get up and running afterward. Note their uptime commitment, which you can usually find in your service-level agreement (SLA), said Cieslak.
Whether they’re a “true” cloud provider. Software that was designed for the cloud is more secure than software that was built in-house and moved to the cloud later on, Cieslak said. Legacy applications that were moved to the cloud or that use an in-house server “are vulnerable to ransomware,” he said. “SaaS [software-as-a-service] multitenant solutions don’t operate in the same way, so they’re more resistant.”
Is the cloud reliable?
The recent cloud outages may have some firms rethinking whether they should move operations to the cloud or whether they should switch providers.
Cieslak is adamant that the cloud is still a safer and more reliable place to put your data and applications than having them on-site. “It is safer than any in-house-based alternative,” he said. “It’s 24/7/365-monitored software that’s constantly updated. There’s a level of security taking place around these applications that accounting firms can’t reproduce in any affordable manner.”
Or, as Staut put it, “A small firm that thinks they can outwit a hacking team needs to rethink security.” He observed that many firms think they’re too small to make an attractive target but said that hackers often attack small firms precisely because they’re more vulnerable.
As for Nettleton, he said the outage hasn’t soured his view of the cloud, or of CCH. “I’m a realist,” he said, pointing out that, before his firm got on the cloud, they once were unable to work for four days due to a power outage in their building.
“Since we were hosting everything locally, we were down for that time,” he said. “If we’d been in the cloud, we wouldn’t have been as affected since we could have accessed our data remotely.”
— Courtney L. Vien (Courtney.Vien@aicpa-cima.com) is a JofA senior editor.