AT Think

Managing cybersecurity in a CPA firm

Accounting firms save a tremendous amount of client information in digital files: tax returns, Social Security numbers, bank account identifiers and personal financial records. As a result, it's not surprising that CPA firms experience 300 cyberattack attempts per week and as many as 900 per week during tax season. Some experts have declared a "CPA Data Breach Epidemic." 


Managing cybersecurity and its risks affects not only a company's reputation, but also its ability to grow through mergers and acquisitions long-term. If your growth strategy involves M&A, understanding third-party threats, how to maintain internal security, and special cybersecurity considerations should be a priority.

Ransomware, where a criminal gains access to a firm's computer system and prevents the company from accessing it, is the most common cyberthreat today. Usually there's a demand for payment in exchange for release of the firm's information. There's no guarantee, however, that the data will be returned, or that it will be intact, or that it hasn't been copied. 

Cyberthieves use a variety of techniques, or attack vectors, to gain access to a firm's systems. Phishing, also known as business email compromise, uses email to fool an employee into opening a fraudulent link or unwittingly carrying out a harmful act, like paying an invoice to a cybercriminal disguised as a legitimate payee. 

Through artificial intelligence, deepfakes can mimic the face and voice of a company leader, providing another mode of attack. Professionals have been tricked into transferring money into criminals' accounts via this approach. As AI becomes increasingly sophisticated, its power to blur the line between truth and fiction will make these types of attacks more common.

Third-party threats

While many firms are aware of the importance of cybersecurity for their own practices, risks stemming from third-party vendors and business partners often go unaddressed. The interconnectedness of business systems, including cloud-based storage, software-as-a-service, online payroll services and bill-paying programs, greatly expands the "attack surface" beyond a firm's own computers. 

Third-party risks can include loss of data access because the vendor's system has failed (such as the July 2024 CrowdStrike-Microsoft outage), disruption to a company's supply chain due to a vendor shutdown, or attacks on a company's own system via flaws in a vendor's cybersecurity.

Protecting against cyberthreats

CPA firms need to protect against internal cybersecurity lapses and third-party risks. Components for a strong cybersecurity program include:  

  • Ongoing (not one-and-done) staff training: 60% of all data breaches stem from human error, including falling for phishing attempts, inadvertent (or malicious) sharing of passwords, accessing company systems from insecure networks, or falling prey to social engineering ploys. Continual training keeps cybersecurity front-of-mind for team members.
  • A dedicated IT person or department: Every CPA firm should have an information technology department or at least one person with the skills to understand cybersecurity, recognize risks and be constantly trained on the ever-changing methods and risks. Even if the practice uses a contracted cybersecurity firm, there needs to be a specified person within the practice who oversees them and coordinates training and compliance among staff.
  • A comprehensive cybersecurity insurance plan: Your organization can implement the best plans, procedures and products to protect against cyberattacks, but if you don't have cyber-liability insurance, your preparation doesn't matter. All businesses should have coverage that can help cover legal fees, customer notifications, costs of recovery and repair, and information monitoring.
  • Vetting of third-party vendors and business partners: Any vendor or partner with shared systems access must maintain the same high standards as the practice itself. They also should have adequate cybersecurity insurance to cover their clients for losses in case they experience a security failure.
  • Caution with employees using personal devices: To prevent introduction of viruses and malware to the firm's systems from employees' personal devices, the practice should have clearly outlined rules regarding what equipment can be used, how it can access the firm's systems, and what security software it must have installed.

Special considerations for CPA cybersecurity

Because of the sensitive nature of the client information CPA firms handle, they must abide by certain governmental regulations:

  • Written information security plan: Since 2019, any firm that prepares taxes must have a WISP. Many firms, however, still do not have one in place, putting them at risk for substantial fines.
  • Federal Trade Commission Safeguards Rule: The FTC Safeguards Rule contains nine cybersecurity requirements for firms that handle sensitive client financial data. The rule is spelled out in layperson language on the FTC's website to promote compliance.
  • IRS Security Six: The Internal Revenue Service has its own requirements for cybersecurity for firms handling taxpayer data. The six controls include antivirus software, virtual private networks, multifactor authentication, drive encryption, backup services and firewalls.

Staying secure during M&A

Cybersecurity now plays a major role in the due diligence process in merger and acquisition proceedings. Just as other parts of an organization are evaluating the target, IT teams should be tasked with a technical assessment of the to-be-acquired company's cybersecurity efforts. 

IT should report whether the company to be acquired has experienced any data breaches in the past or whether any vulnerabilities exist presently, so that upper management can determine whether those issues are material. Management should work with IT professionals to discuss how the planned acquisition will affect the merger of the two companies' systems.

Cyberattacks threaten client trust and pose substantial financial risks for accountancy firms. Staying up to date on cybersecurity risks and maintaining strict vigilance against them are an imperative for CPA practice operations.
