By Suzanne M. Holl, CPA
There appears to be a new cybersecurity story in the news every day, from attacks on major infrastructure to small companies being held for ransom. It should therefore surprise no one that CAMICO is also seeing an uptick in the number of cyber-related claims impacting CPA firms, and unfortunately the severity of these cybercrimes and ransomware attacks has grown in recent years.
As you would expect, first-party cyber exposures (damages experienced by the CPA firm itself) have become increasingly problematic, as cyber criminals target firms and tax professionals with greater frequency because of the abundance of client data they hold. If an attacker succeeds in gaining access to the firm's information, the firm may have to take costly measures, including hiring IT forensic experts to determine the extent of the breach, consulting with attorneys specializing in data breach laws, and providing credit monitoring to those impacted by the breach.
What may be surprising to some CPAs, however, is the increase in third-party cyber exposures that are impacting firms. These situations often arise when a client has been hacked and the hacker has penetrated the client's computer system. Once inside, they can cause losses for which the CPA firm may be blamed, in part or in whole. These claims typically include allegations such as failure to detect the red flags associated with communications that were executed by the hacker, falling below the standard of care by initiating wire transfers without "proper" client authorization, failure to "warn and advise" clients of the potential risks/threats of cyberattacks, and the list goes on.
The human element
It is important for CPA firms to understand that cyber threats are not just an "IT problem," as the number one root cause of cyber breaches continues to be the "human element." People are considered by many experts to be the weakest security link, and according to the 2021 Verizon Data Breach Investigations Report, 85% of breaches involved a human element.
Although people may be viewed as the weakest security link, CAMICO believes that with proper training and strict adherence to firm-wide protocols, firms can and should consider their people as the first line of defense against cyber threats. For example, firms can help to minimize the potential for innocent mistakes made by people by putting in place cybersecurity awareness education and training to alter employee risk behaviors and create a sense of shared accountability. Although it may not seem obvious, employees want to know what to do to assist in data security but often lack the necessary knowledge and skills. And given the recent shift to a more hybrid workplace model in response to the pandemic, security practices to address the "human element" become even more critical.
Cyber claims trends
Most cyberattacks against CPA firms today take advantage of two common cybersecurity risks: social engineering attacks that trick users into inadvertently providing access, and security misconfigurations that are often simply human error.
Social engineering is one of the most dangerous types of cybersecurity threats to CPA firms, given the type of information that firms gather and store. Phishing is one of the more widespread social engineering schemes: the content of an email is crafted to convince the user that it comes from a legitimate source and that the user needs to respond to the request, typically by clicking on a link.
Consider the following scenarios from the CAMICO claims files, which unfortunately are becoming all too familiar for CPA firms:
Scenario #1: Client hacked; CPA firm initiated fraudulent wire transfers
A client of the CPA firm was hacked, and the hacker penetrated and commandeered the client's email account. The hacker emailed several requests to the CPA firm to wire funds to a new account – a classic "man in the middle" attack. After receipt of each request, the employee of the CPA firm emailed the client to verify the wire transfer instructions. With full control of the client's email account, the hacker was able to respond back to the CPA firm to "verify" the veracity of the payments to the hacker's own overseas bank account.
The above scenario is all too familiar for CAMICO, as we are seeing a significant rise in fraudulent email requests to CPA firms, and these fraudulent wire transfer requests frequently cause large-dollar losses. When the fraud is discovered after the transfer, the funds are usually not recoverable. Domestic banks are not always helpful in preventing fraudulent transfers, as laws often limit their risk exposures and enable them to deny responsibility.
With the increased number of claims related to fraudulent wire transfers, best practice in the absence of any written protocols to the contrary would be to verbally confirm ALL wire transfer requests with these clients to minimize risk.
Scenario #2: Ransomware; cyber extortion
An employee of a CPA firm opened an unsolicited email attachment that immediately downloaded ransomware onto the firm's computer system. The employee noticed that file names were rapidly being changed to "Needs Decrypting." The employee promptly turned off and rebooted the computer, but the virus had already spread to all the firm's servers, and all files were encrypted. The employee reported the incident to the firm's managing partner. An attorney was engaged to assist the firm, and an IT forensics expert worked under the attorney's direction so that the investigation would be protected by attorney-client privilege. Once it was determined that a breach had occurred, the firm complied with applicable state and federal laws, and the breach was reported to law enforcement.
Ransomware and cyber extortion represent malicious types of hacker attacks, and firms of all sizes have been victimized. These attacks sneak into computer systems, encrypt files, and demand a ransom before the files are decrypted. A major problem is that paying the ransom does not guarantee that the files will be decrypted.
According to a recent statistic, only 8% of businesses that pay a ransom get back "all" their data. Therefore, being prepared and taking precautions against cyber risk exposures such as ransomware is essential.
Remember, it is not "if" you will be attacked, but "when."
Although not meant to be all-inclusive, the following additional basic best practice measures are extremely important when addressing the human element of data security:
- Cybersecurity awareness training: Consider sharing "real-life" examples with the staff of actual and potential scam emails received by members of your firm, to heighten awareness of the nature and types of scams that pose threats to your firm. As part of the firm-wide cybersecurity awareness training, consider reviewing the firm's existing protocols and infrastructure (refer to the firm's written security plan) that support the firm's commitment to taking appropriate cybersecurity precautions, so that all employees are aware of them and updated if the firm has made any changes.
- Use multi-factor authentication: This can add an extra level of security to prevent an account hack, especially when employees work remotely.
- Change and strengthen passwords frequently: Systems are only as secure as the passwords used by people to access those systems.
- Require regular data backups: By encouraging employees to regularly back up their data, you can prevent data loss when disaster strikes. While this may be a hard policy to enforce while employees work remotely, it remains a best practice. In many instances, devices can be set to back up to the cloud automatically. When relying on cloud storage, remember that ransomware can take control of cloud services. Any data stored in the cloud should also be backed up to an external hard drive from time to time. Data backups ensure that a business can continue to operate, even if resources are taken offline by a ransomware attack.
- Maintain strong cyber hygiene: Reinforce cyber protocols to be followed when employees enjoy the hybrid work model permitting them to work in the office and remotely (e.g., machine use restrictions, WiFi passwords, VPN, firewalls, etc.).
- Remind all employees of the importance of powering down computers when not in use: Computers are not accessible to attacks or intrusions when powered off.
Suzanne M. Holl, CPA, is senior vice president of Loss Prevention Services with CAMICO. With almost 30 years of experience in accounting, she draws on her Big Four public accounting and private industry background to provide CAMICO’s policyholders with information on a wide variety of loss prevention and accounting issues.
CAMICO is the VSCPA's preferred CPA firm insurance provider. It's the nation's largest CPA-directed program of insurance and risk management for the accounting profession and offers broad policy features as well as deductible credits of 50% up to $50,000 if the policyholder reports a potential claim prior to the claim being made, or for the use of mediation.