IT Can’t Address CPA Firm Cybersecurity Alone
I know you’re probably tired of hearing about cybersecurity already, but the fact is that despite IT’s best efforts, cybersecurity incidents are increasingly being seen in small and mid-sized entities, including CPA firms. You may have noticed too that the AICPA has changed its nomenclature and added the word “risk” to “cybersecurity risk management program” to reinforce the fact that it is really risk that we are dealing with, and risk assessment and controls design are two core CPA skills. So accountants can play a key role in managing cybersecurity risk within their firms.
Understanding the Technical Risks from Cybersecurity
There are two technical risks that we are usually trying to address when we talk about cybersecurity: (1) Availability risk, whether applications and data are available to us when we want to use them, and (2) Confidentiality risk, ensuring that data is accessed only by authorized people. One of the most common attacks now is ransomware, which encrypts the files on your systems so that you can’t access them. This is an example of an Availability attack (although many ransomware operators now also copy the data before encrypting it, so a single incident can be both). When malware gets into your system and sends data out of your network, that is a Confidentiality attack: data is moved outside of your control and potentially disclosed to unauthorized parties.
When there is Personally Identifiable Information (PII) involved, then the Confidentiality risk is escalated to Privacy risk, or what we commonly think of as a “data breach”. Technically, if only confidential business data was stolen, that is still a data breach, but once there is PII involved, then a lot of laws, regulations, and industry standards start to come into play, including fines and penalties. Common examples of PII include health information, Social Security numbers, credit card numbers, and bank account numbers.
Accountants Collaborate with IT to Mitigate Privacy Risk
While Availability risk is normally mitigated by a good backup strategy (i.e. it can be mitigated by IT, provided restores are actually tested and at least one copy of the backups is kept where ransomware on the production network cannot reach it), Privacy risk mitigation often depends upon reviewing the business processes that handle private data and implementing controls (both administrative and technical) to mitigate those risks. Often IT implements the technical controls, but these can be inadvertently circumvented or rendered ineffectual if there isn’t good employee awareness of why those controls are in place. This is where an accountant’s expertise in drafting policies and procedures, communicating them to end users, and testing the effectiveness of those controls is a great supplement to IT’s technical expertise.
In a CPA firm, there is a large risk associated with managing the PII that is received from clients. This is particularly true with tax return information and employee benefit plan (EBP) audits, both of which have PII inherent in the data being worked with. When dealing with taxpayer information, the IRS has provided specific cybersecurity program guidance via IRS Publication 4557: Safeguarding Taxpayer Data, much of which involves administrative controls rather than technical controls. This guidance applies to employee data as well as client taxpayer data, and it affects firms as well as their clients.
Audits and bookkeeping services provided to entities that hold a lot of PII also carry more risk, as the client may assume that the firm is secure and that the information they provide to you is being safeguarded appropriately. Higher-risk industries include healthcare, financial services, retail, nonprofits, and others that have a high credit card transaction volume.
What is the Cost of a Data Breach?
The Ponemon Institute publishes an annual study, and its most recent report showed an average cost of $233 per compromised record. To estimate the impact of a data breach on your firm, count the number of records you hold that contain PII and multiply that by $233. Since the study includes a variety of organization sizes, I often recommend that firms multiply that estimate by two or three, as they may not have the economies of scale to realize the average cost from the study. Treat the result as an order-of-magnitude figure for planning, not a precise prediction.
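The hard part of that estimate is usually the count: firms rarely know how many records containing PII they actually hold. The following Python script is an added example (it is not from the article or from the author's firm) that scans a set of constructed sample records for two of the PII types named above, Social Security numbers and payment card numbers, counts the records that contain at least one, and produces the estimate at the article's $233 per record and at the 2x and 3x multipliers. The regular expressions, the SSN plausibility rules, the sample records and all function names are my own; the only figure taken from the article is the per-record cost.

```python
import re

COST_PER_RECORD_USD = 233  # per-record figure quoted in the article from the Ponemon study

# Assumed patterns (not from the article): SSNs written as NNN-NN-NNNN, and
# card numbers as 13 to 19 digits optionally separated by spaces or dashes.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def is_plausible_ssn(area, group, serial):
    """Reject area/group/serial values the SSA never issues (000, 666, 900+, 00, 0000)."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text):
    """Return the set of PII categories ('ssn', 'card') found in one record's text."""
    found = set()
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            found.add("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add("card")
    return found


def estimate_breach_cost(records, cost_per_record=COST_PER_RECORD_USD, multipliers=(1, 2, 3)):
    """Count records containing PII and apply the per-record cost at each multiplier."""
    n = sum(1 for r in records if find_pii(r))
    return {
        "records_with_pii": n,
        "estimates_usd": {m: n * cost_per_record * m for m in multipliers},
    }


# Constructed sample records (fake data for this example, not real client information).
SAMPLE_RECORDS = [
    "Client: Acme Co, EIN 12-3456789, contact phone 808-555-0100",      # business identifiers only
    "Taxpayer Jane Doe SSN 219-09-9999, filing status single",          # plausible SSN -> counted
    "Payroll card on file 4111 1111 1111 1111 exp 09/27",               # Luhn-valid card -> counted
    "Vendor ref 4111 1111 1111 1112 (internal tracking number)",        # fails Luhn -> not counted
    "Participant SSN 000-12-3456 (placeholder from client template)",   # invalid SSN area -> not counted
]

if __name__ == "__main__":
    result = estimate_breach_cost(SAMPLE_RECORDS)
    print(f"Records containing PII: {result['records_with_pii']}")
    for mult, usd in result["estimates_usd"].items():
        print(f"  {mult}x estimate: ${usd:,}")
```

Run against a real file share or document management export, this approach only finds the two PII types it has patterns for; health information and bank account numbers have no reliable format and need a different discovery method (knowing which systems and engagements hold them), which is exactly the process review the article assigns to the accountant.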
Another great way that accountants can partner with IT is to do a cost-benefit analysis of the cybersecurity measures that are being proposed by IT against the cost of a data breach. However, remember that cost isn’t the only factor that you should consider. One of the biggest impacts of a data breach is to a firm’s reputation. If your firm’s name were to be in the news for a data breach, how would your clients react? And how would it impact your ability to attract new clients?
Proper Incident Response is Important
When a breach occurs, how quickly you act and how organized you are in your response can help to reduce the damage from the data breach. Incident response requires more than just IT to take action; legal counsel, public relations, IT forensics, and your insurance carrier may all need to be involved. This is why it’s important to have a well-documented incident response plan and to have actually practiced executing the plan at least annually. This is one of the areas most often missing from a firm’s cybersecurity risk management plan.
Want to Learn More?
Houston TXCPA is offering a webinar to help firms understand the requirements from IRS Publication 4557 and some of the best practices in addressing those compliance requirements. There are two dates for the webinar: September 25 and October 31. I hope you will join us to help ensure that your firm is protected.
Donny is the founder and managing director of IntrapriseTechKnowlogies LLC, a Hawaii-based CPA firm focused on IT advisory services for small and mid-sized businesses and nonprofits. Donny is a recognized international thought leader in accounting and often speaks at conferences around the US on accounting innovations, risk management, and the future of the accounting profession. Donny welcomes comments and feedback via e-mail at donny@intraprise.us or by phone at (628) 222-3511.