Jeremy Kaplan
The American Institute of Certified Professional Accountants (“AICPA”) has published a number of useful tools and guidelines that accountants and financial professional can use to assess their risks and exposures to cybersecurity problems. The guidelines are broadly divided into three levels as a function of a firm’s relative expertise regarding cybersecurity matters. An individual CPA or a firm with little or no cybersecurity proficiency will have different concerns than a CPA or firm who has significant experience in the data breach trenches.
The aggregate results of all three of those levels leads to a five-step process that can put CPAs on a sound path toward protecting their own internal data and information as well as the client confidential financial information that they might be holding in their own systems.
First, a CPA firm should identify and classify all information that is held in its system according to the value and risk level of that information. Financial information will receive the highest risk level classification. That information includes financial and banking information for both the CPA firm and its clients, credit card numbers, and login information for online accounts.
Second, the firm should audit its internal business processes to determine. This includes, for example, how data and information are transmitted among internal employees and outside of the firm, what level of encryption (if any) is applied to data, and what precautions are exercised by staff members when they access that information remotely. Accounting firms have generally developed some expertise in continuous process improvements. Adding cybersecurity audits to those improvements will advance the firm’s defenses against data breaches.
Third, every CPA firm should regularly review its cybersecurity technology, even if it is not conducting a thorough self-assessment of its data breach defenses. Network firewalls should be regularly updated to add patches and bug fixes to correct flaws that hackers might use to gain illicit access to the network. Portable devices should be scanned for viruses. VPN technology should be added to wireless networks to encrypt all communications over those networks. In general, all cybersecurity technology should be brought up to date with the most current defensive standards available.
Fourth, the CPA firm should conduct a due diligence review on all vendors and service providers, and particularly those providers that offer cloud-based computing services. Assessing third-party risks can be a separate multi-step process that analyzes the depth of a CPA firm’s relationship with a vendor, the risks and vulnerabilities in that relationship, and contingency plans for terminating and replacing the relationship when it fails to produce the desired results. For cybersecurity purposes, a CPA firm should refrain from conducting business with a vendor that is unable to demonstrate its own commitment to cybersecurity.
Fifth, every CPA firm should understand that regardless of its efforts, it cannot prevent every cybersecurity incident that might target its operations. Accordingly, as part of a self-assessment, the firm should develop a contingency plan that will provide a roadmap for a measured response to a cyberattack. One individual should be appointed to direct the response. That response should consider how and when to communicate details of the cyberattack to necessary parties, what can and should be done to stop the attack once it is identified, and what steps can be taken to recover any systems or data that might be lost during a cyberattack.
A critical component of a cyberattack response will be evaluating the dollar value of the losses and third-party liabilities that a CPA firm might incur because of the attack. An experienced CPA insurance company with expertise in cybersecurity can provide crucial guidance at this point of the self-assessment process. Likewise, cybersecurity insurance can help a CPA firm to recover the worst of the financial losses that it might experience as a result of a cyberattack, while protecting and defending the firm’s standing and reputation in the accounting industry.
