Cybersecurity has become the most pressing issue for CPA firms. It’s no secret that cybercrime has been skyrocketing over the past decade. Hackers and cybercriminals are targeting businesses large and small across the globe and stealing sensitive data, causing business disruptions, and impacting brand reputation. CPA firms are no exception. The threat of a data breach or internal fraud is real and we at Cyber Sleuth Security believe that every CPA firm should prioritize cybersecurity. Cybersecurity is not only critical to protecting the data of your clients, but it is also important for the reputation of your firm and your own personal reputation. According to a survey by the National Association of State Boards of Accountancy (NASBA), the top three cybersecurity concerns for state boards of accountancy were improper access to client data, ransomware, and malicious code or other malware. For the second year in a row, cyber breaches were named as the third most important risk to CPA firms.
Let's take a deeper look into the reasons CPA firms should prioritize cybersecurity:
CPA firms are increasingly targeted by cybercriminals who wish to steal confidential data, disrupt operations, or otherwise cause damage. As cyberattacks become increasingly sophisticated, CPA firms are at a heightened risk of attack. Cybersecurity is no longer just a “nice to have”, but a business imperative. CPA firms must take the necessary steps to protect themselves. Our cybersecurity experts at Cyber Sleuth Security recommend that CPA firms conduct a comprehensive risk assessment to identify vulnerabilities, implement suitable defenses, and train staff to prevent a breach.
The financial consequences of a cyber attack are significant. According to the 2020 Cost of a Data Breach Report, conducted annually by the Ponemon Institute and sponsored by IBM, the average cost of a data breach in the United States was $8.64 million, up from $8.19 million the previous year and the highest figure the report has recorded for any country.
While there is no single cause of data breaches, the report found that malicious attacks were the most common root cause (52%), with the remainder split between system glitches and human error, so a firm has to defend against deliberate attackers and its own mistakes alike. The report also found that nearly half of the organizations studied experienced more than one incident within a 12-month period.
The study put the cost of a breach of customer PII at $150 per record, and found that breaches took an average of 280 days to identify and contain. In other words, a firm can be leaking client data for the better part of a year before it notices and stops the leak.
According to a recent survey conducted by Ponemon Institute, 84% of US consumers will stop doing business with companies that fail to safeguard sensitive customer data. This statistic represents a significant shift in consumer behavior. For example, in 2016, only 10% of respondents indicated that they would no longer do business with a company that experienced a data breach.
The study found that the number one reason people give for stopping doing business with a company is that they lost trust in the company due to a data breach. Other reasons include poor customer support and lack of transparency.
A recent report found that 93% of organizations don’t know what to do when it comes to protecting customer data. This includes how to respond to a data breach, and even if they should notify customers about such incidents.
Depending on the jurisdiction and the kind of data involved, organizations are legally required to show that they took reasonable measures to secure personal data; for tax preparers in the United States, for example, the FTC Safeguards Rule requires a written information security plan. If they fail to do this, customers could, and often will, pursue legal action against them. According to a survey conducted by Ponemon Institute in 2016, 94% of respondents said they would take legal action against companies that failed to protect their information.
One study reported that nearly half of those surveyed (46%) had experienced a security incident in the previous 12 months. Of those, 44% said the incident cost them revenue through downtime or the loss of sensitive information.
The same study found that 94% of customers affected by a breach would not recommend the organization to others, and that 54% of those would stop doing business with the organization entirely.
Are CPAs Liable for Cybersecurity? Many CPAs are facing increasing liability risks due to the growing prevalence of cyberattacks. With the rapid adoption of new technologies, the global cybersecurity landscape is changing quickly. While CPAs who audit public companies have had to comply with the Sarbanes-Oxley Act of 2002 since its passage, the profession as a whole now faces increased exposure from a variety of threats. These include ransomware, malware that encrypts a victim's files and demands payment for the decryption key (CryptoLocker, the 2013 family that popularized this extortion model, is the best-known early example, and paying the ransom does not guarantee the files come back); and identity theft, fraud that involves stealing a person's personal information, such as the Social Security numbers and bank details on a tax return, and using it to open accounts or file fraudulent returns in their name. CPAs must now understand their liability and regulatory obligations to their clients and must protect themselves against these and other cyberattacks.
While many CPAs have always focused on the preparation and filing of tax returns, they have also been working to meet increasing demands for cybersecurity and digital hygiene. Cybersecurity is the protection of systems and data from attack; digital hygiene is the set of routine practices, such as prompt patching, multi-factor authentication, tested backups and regular access reviews, that keeps that protection effective day to day. The American Institute of Certified Public Accountants (AICPA) recently released a statement on the topic of cybersecurity and digital hygiene. The statement, titled "Cybersecurity for CPAs," recommends that CPA firms, including those that specialize in forensic audits, cybersecurity audits, and fraud investigations, take steps to address these topics. This includes taking precautions against threats such as phishing, data breaches, ransomware, and social engineering. In addition, CPAs should have a plan in place to handle a potential cybersecurity breach, and they should establish an incident response team and written security policies and procedures.
Accounting firms face many challenges today. They must contend with regulatory compliance requirements, manage client expectations, and provide value to customers. But one thing is missing from the equation: cybersecurity. Cyberattacks against accounting firms are increasing, and without strong defenses, companies could lose revenue, clients, and even their reputation.
Without robust protections, accounting firms are vulnerable to ransomware, phishing attempts, malware, social engineering, and denial of service attacks. These types of attacks often target the firm’s infrastructure, including servers, network devices, applications, and databases. If left unaddressed, these attacks can cause damage ranging from lost productivity to the theft of sensitive information.
For businesses, a cyberattack could mean a significant loss of revenue, clients, and reputation. Businesses that experience a breach typically incur costs associated with notification, remediation, and monitoring. In addition, they may lose access to critical data, such as customer records, employee payroll information, and intellectual property.
The most common threat to accountancy professionals is malicious software, or "malware." Malware includes viruses, worms, Trojan horses, spyware, adware, crimeware, rootkits, dialers, and others. These programs are designed to damage computers, steal information, or otherwise cause harm to the owner. In some cases, malware can even disable or delete files on infected computers.
Around 91% of all cyber attacks start with a phishing e-mail that entices you to click on a link or open an attachment containing malicious code. Once you do, the attacker can steal passwords or other personal information, record what you type into web forms (keylogging), or gain access to confidential client data. If you're tricked into downloading malware, it can spread across your entire network, including your accounting system. The tell-tale signs are usually in the message itself: a Reply-To address on a different domain from the sender, a link whose visible text shows one site while the underlying address points somewhere else, and attachments that are really scripts or executables dressed up with a document-like name.
Malware is often spread via spam emails, social media sites, and instant messaging platforms like Facebook Messenger and WhatsApp. Other popular methods include fake apps downloaded from app stores, compromised websites, and USB drives.
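To make the phishing indicators above concrete, here is a small checker, added as an example for this page and not code from Cyber Sleuth Security or any product it describes, that parses a raw e-mail with Python's standard `email` library and reports the three signs discussed: a Reply-To domain that differs from the sender's, a link whose anchor text names a different host than its `href`, and an attachment with a risky or double extension. The two messages, the `RISKY_EXTENSIONS` list and all domain names are constructed for the example.

```python
import email
import os
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a message posing as a client, with a mismatched Reply-To,
# a deceptive link and a script attachment disguised as a PDF. Not a real e-mail.
SAMPLE_PHISH = b"""\
From: "Acme Client Accounting" <billing@acme-client.com>
Reply-To: acct.recovery@mail-acme-client.co
To: partner@examplecpa.com
Subject: Updated W-2 files - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please review the updated files at
<a href="http://acme-c1ient.com.login-verify.net/portal">https://portal.acme-client.com</a></p>
--b1
Content-Type: application/octet-stream; name="W2_2023.pdf.js"
Content-Disposition: attachment; filename="W2_2023.pdf.js"
Content-Transfer-Encoding: base64

dmFyIHg9MTs=
--b1--
"""

# Constructed benign message from the same sender for comparison.
SAMPLE_CLEAN = b"""\
From: "Acme Client Accounting" <billing@acme-client.com>
To: partner@examplecpa.com
Subject: March invoice
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Hi, the March invoice is on the portal at https://portal.acme-client.com.
"""

# Assumed list of attachment types a CPA firm should never accept by e-mail.
RISKY_EXTENSIONS = {".exe", ".js", ".jse", ".vbs", ".wsf", ".scr", ".hta",
                    ".lnk", ".iso", ".img", ".html", ".htm"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(header_value):
    """Lower-cased domain part of the address in a From/Reply-To header."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def phishing_indicators(raw):
    """Return human-readable indicators found in a raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []

    from_domain = _domain(msg.get("From", ""))
    reply_domain = _domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        found.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")

    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            ext = os.path.splitext(filename.lower())[1]
            if ext in RISKY_EXTENSIONS:
                note = " (double extension)" if filename.count(".") > 1 else ""
                found.append(f"attachment {filename} has risky type {ext}{note}")
        if part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                href_host = (urlparse(href).hostname or "").lower()
                # Only compare when the anchor text itself looks like a URL or host.
                m = re.match(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
                shown = m.group(1) if m else ""
                if shown and href_host and shown != href_host:
                    found.append(f"link text shows {shown} but points to {href_host}")
    return found


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(name, phishing_indicators(sample) or ["no indicators"])
```

Run it on a saved `.eml` by reading the file as bytes and passing it to `phishing_indicators`; any non-empty result is a reason to pick up the phone and confirm with the client rather than click. The checks are deliberately simple and will not catch every lure, but they reflect exactly the tricks described above and run offline on a workstation with no extra packages.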
If you are small business, check out our article: Cybersecurity for Small Business: Where Should A Business Owner Start To Neutralize Cyber Threats?