Voices

Cybercrime and punishment: How accountants can keep up

We live in the digital age. But as accountants adopt new technology, they need to be aware of the corresponding rise in cyber threats — and the regulation surrounding them.

Digital transformation is taking the financial services industry by storm, and accounting firms are no stranger to this technological shift. In fact, Gartner found that CIOs in this sector identified “digital” as their biggest task to tackle in 2019. Like many industries, financial services organizations are catching onto how they can improve processes, optimize their business models, and deliver a much better customer experience through mobile applications, artificial intelligence and the cloud.

However, there are always new external threats emerging with any change in business. In today’s age, these threats come in the form of cybercriminals. The financial services industry stores a high volume of personally identifiable information that hackers know their victims would pay a pretty chunk of change to have safely returned. Now more than ever, it’s critical for these organizations to not only invest in cybersecurity defenses, but also business continuity and disaster recovery (BCDR) technology to prevent data loss and instill consumer confidence.

Ransomware attacks per minute 2019 chart

Understanding cyber risks to the firm and its clients

In 2018, the state of New York rolled out a cybersecurity regulation dubbed 23 NYCRR 500, which requires all organizations reporting to the Department of Financial Services to “assess its specific risk profile and design a program that addresses its risk in a robust fashion.” And while accounting firms are not directly impacted by this mandate, many of their customers certainly are. Therefore, they must also adopt the requirements outlined in this legislation if they are to work with these kind of companies.

New York might have been the first to roll out a regulation such as this one, but it certainly won’t be the last. South Carolina, Ohio and Michigan have enacted data security laws for insurers over the past year, targeting a key client for firms. As laws and regulations emerge across states for different financial services industries, firms need to make sure they are staying abreast of these changes and using the most stringent regulation as their baseline for meeting compliance.

To keep clients out of harm’s way, firms need to work toward preventing cyberattacks while also having the mindset that they may eventually fall victim to one (even despite increased cybersecurity defenses). Where there’s a business to disrupt or data to take hostage, hackers will find a way to gain network access and wreak havoc. Social engineering has made phishing scams incredibly difficult for the average employee to detect, new vulnerabilities are constantly being exploited, and cybercriminals are continuing to find creative ways to break in. So to truly keep data safe, minimize risk, and neutralize the impact of an attack, firms need to make sure they have an insurance policy through BCDR.

Overcoming downtime and data breaches

Before assessing any new technologies, it’s important to take a digital inventory of the applications and systems currently operating in the IT environment. As digital transformation efforts are in the early stages at many accounting firms, it’s likely that they’re dealing with multi-generational IT infrastructures. Not all BCDR technologies are capable of meeting the backup and recovery requirements of every system and application out there. There are some niche players that are more focused on virtual environments and the cloud, and some are better equipped to deal with the hodge-podge of diverse systems and applications most common in today’s accounting firms.

To avoid inadvertently making the management of these environments more difficult, it’s best to ask vendors how closely they match their digital inventory of applications, otherwise the team will end up with several disparate BCDR tools. Further, it’s critical to understand how they replicate data, as this can be very impactful in determining how quickly a firm can get its operations back up and running after falling victim to an attack.

Some data protection vendors offer what’s called "high availability" technology. This technology continuously replicates files, systems, and applications at the byte-level in real time and creates recovery points. What this essentially does is take the recovery aspect completely out of the equation, as companies should be able to automatically go into failover if a system is knocked offline. Everything should be as it was prior to the incident, effectively neutralizing the attack altogether.

This is different than traditional backup and recovery technology, which creates a backup of files or application data to an on-premises or cloud location. In the best-case scenario, it can be used to recover data by copying back within a few minutes, but most likely it will take hours or even days. However, being offline for even minutes can be very costly, as Gartner reports that the average cost of downtime is $5,600 per minute. That price tag doesn’t even include regulatory fines that could be incurred, the costs of doing forensics assessments, and the long-term indirect impact associated with lost client confidence.

With the regulatory landscape constantly changing, new cyber threats emerging, and digital transformation efforts sweeping firms, it’s critical to make sure that data — arguably a firm’s most important asset — is at the forefront of every technology purchasing decision. If firms are able to do that, they’ll be better equipped to mitigate downtime, neutralize attacks, and keep their clientele out of regulatory cross fire.