Cybersecurity for CPAs: Beware the inside threat

As accounting firms are increasingly targeted with cyberattacks, cybersecurity has become essential for every professional. Between data breaches, phishing attacks and malware, criminals are going after the sensitive financial data held by accountants. The modern accountant, then, must take their cyber defenses seriously for the sake of themselves and their clients.

With this in mind, we present the latest edition of our monthly series, Cybersecurity for CPAs. This regular feature will bring you the best cybersecurity stories from Accounting Today, as well as lessons drawn from real-life cybersecurity incidents, plus stats and charts to help you better understand the current landscape. It's our hope that readers will be able to use the news and insights offered in this feature to make their own firms safer in an increasingly dangerous world.

Beware the inside threat

XYZ & Associates, a CPA firm in business for over 50 years, knows as well as any firm that tax season is the busiest time of the year and extra hands are often necessary. So when it brought on an independent contractor to help with the workload, everything seemed business as usual.

That is, until the firm received a call from one of its longtime clients. The client had discovered that a fraudulent line of credit had been opened in their name and was understandably upset. The client demanded to know how this could have happened, as the firm was the only other entity entrusted with the client's financial records. The client also demanded to know what the firm was going to do about it.

XYZ & Associates conducted an internal investigation to determine who had access to the client's data. The investigation revealed that the client (and client's information) had been assigned to the independent contractor. Further investigation revealed that this client, and others, had been targets of malicious activity perpetrated by the independent contractor. 

The contractor's account was promptly locked to prevent further abuse, access to the network was revoked, and relevant clients, their financial institutions and law enforcement were contacted. Even with the malicious contractor appropriately handled, significant damage had been done. The ultimate cost of the incident totaled several hundred thousand dollars, but perhaps even more significant was the impact on the enduring relationship between XYZ & Associates and their clients. 

This real-life tale came from professional liability insurance provider CNA. Continental Casualty Company, a member of the CNA group of insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. 

CNA pointed out that this type of data security incident, known as an "insider threat" attack, occurs when an employee or individual within the organization abuses their access to sensitive data in order to commit fraud. The scenario above emphasizes the importance of a security aspect many organizations take for granted or overlook: their business partners. An organization's vendors, suppliers and contractors are all potential sources of data loss or a cyberattack.

It is imperative that CPA firms consider their third-party relationships when evaluating and managing their cybersecurity risks. Review relationships on an annual basis, especially with those partners with access to sensitive client data, and consider including language in vendor agreements to help shift risk and liability to the third party. Maintain comprehensive and detailed access management procedures, including rapid identification of, and response to, abuse of access privileges. Finally, train employees on how to spot potential indicators of an insider threat, such as excessive movement of data or files, requests for escalated access, and the use of unsanctioned or nontraditional software. The firm's personnel can often act as an early warning system.

Top cybersecurity stories for August

Taxpayers sue Google, Meta over privacy leaks: Tech companies Google and Meta are each facing class-action lawsuits from taxpayers who say the companies collected sensitive information from them via special tracking pixels placed on filing websites.

New SEC cybersecurity rules mean work for accountants: New cybersecurity disclosure rules from the Securities and Exchange Commission will require accountants to work with their clients to ensure they'll be ready for its implementation, whether that means simply reassessing current protocols or building out an entire security infrastructure. 

Generative AI used to conduct cybersecurity drills: Generative AI is being used as a way to train people on cybersecurity threats by providing real-time simulations of cyber attacks. Two recently launched products demonstrate the interest companies have in providing such training.

Cybersecurity stat shot:

Percent of companies making cybersecurity performance a factor in executive pay: 

2018: 0%
2023: 12%
Source: E&Y