By Stan Sterna
Cyber incidents continued their upward trajectory in 2021 — once again breaking records and setting the stage for an even more active 2022. While the motivation and rationale behind a cybercriminal can vary, this fluid environment is challenging firms to not just create, but continually enhance their security strategy.
Targeting CPAs
In recent years, hackers have been shifting their focus to smaller, “under the radar” victims and avoiding larger organizations, so they don’t provoke a national political or law enforcement response. According to Sherry Bambrick, senior underwriter for the AICPA Member Insurance Programs, this evolving strategy has serious implications for CPAs.
“Hackers have always found CPA firms particularly attractive because they are, in essence, aggregators of data – both financial and personally identifiable information (PII),” stated Bambrick. “This trending focus on smaller organizations, coupled with the level of PII a firm potentially holds, quite simply increases the risk they face.”
Beyond the data, hackers also tend to target CPA firms because they frequently have access to client funds. Cybercriminals may also assume that mid-size and smaller firms do not have strong information security preparedness strategies in place.
Understanding the vulnerabilities
Firms can face many obstacles on the path to better cybersecurity and must navigate a wide range of risks. Today, one of the biggest vulnerabilities to firms comes from beyond their own physical and virtual walls. Third parties, such as clients and vendors, and their security protocols – or lack thereof – can have a major impact.
Firms’ deeper presence in the virtual world has also contributed to the growing list of cyber exposures. The rise of remote work and the increased use of cloud computing puts data in a location where it may be more easily accessed if there is a lapse in security protocols.
The consequences of ignoring these weak spots can be profound. While financial impact may be one repercussion, firms can also face regulatory action by state and federal agencies as well as lasting reputational damage. In short, the effects of an attack can impact a firm’s ability to grow and remain profitable.
Addressing the risks
Firms must put measures in place to proactively detect risks and vulnerabilities and to help protect against breaches and “active” threats such as phishing and ransomware. Those measures must address both the technology and the people using it. Leaders should begin by gaining a thorough understanding of evolving cyber threats and then shape an approach to security that includes:
- Conducting security awareness training.
- Building a culture of security that is focused on data governance and management.
- Reminding staff to stay alert by checking suspicious URLs for irregularities and confirming a sender’s identity before acting on a request.
- Using multi-factor authentication for all access points.
- Asking staff to limit the amount of work-related information they share online.
- Using a virtual private network (VPN) to encrypt staff connections so would-be attackers can’t intercept communications.
- Installing, maintaining and regularly updating anti-virus/anti-phishing software to scan and block malicious links, attachments or accounts.
- Using contractual controls with third-party providers, such as indemnification clauses or language requiring the provider to maintain cyber insurance.
- Creating a robust security and breach response plan that can be activated quickly in the event of an issue.
Protecting your digital footprint
In addition to taking the appropriate risk mitigation measures, firms should look to cyber insurance to provide another layer of security and support. As firm leaders review protection options, they should consider their coverage in two areas:
Cyber — while every policy has its own nuances, some common coverages include:
- Privacy event expense
- Network damage claim
- Extortion
- First party
- Regulatory proceedings/fines
Crime — this can help limit your firm’s exposure to loss of or damage to certain types of property resulting from fraud schemes, and coverage can include:
- Computer fraud
- Funds transfer fraud
- Social engineering fraud
Conclusion
A smart, nimble, proactive cybersecurity strategy has broader implications for a firm than just data safety and can impact a firm’s ability to grow. Committing to developing and enhancing a cybersecurity framework can make all the difference in your firm’s future.
Stan Sterna is a vice president with Aon Insurance Services.
Reprinted with permission from the Massachusetts Society of CPAs.