I know you’re probably tired of hearing about cybersecurity already, but the fact is that despite IT’s best efforts, cybersecurity incidents are increasingly being seen in small- and mid-sized entities — including CPA firms.
You may have noticed, too, that the AICPA has finally changed their nomenclature and added the word “risk” to “cybersecurity risk management program” to reinforce the fact that it is really risk we are dealing with. And since risk assessment and controls design are two core CPA skills, accountants can play a key role in managing cybersecurity risk within their firms.
Understanding the Technical Risks from Cybersecurity
There are two technical risks we are often trying to address when we are talking about cybersecurity: (1) Availability risk — or whether applications are available for us when we want to use them; and (2) Confidentiality risk — only allowing data to be accessed by authorized people.
One of the very common attacks now is ransomware, which locks down and encrypts your system so you can’t access your files. This is an example of an Availability attack. When malware comes into your system and sends data out of your network, then it is a Confidentiality attack, as data is moved outside of your control and potentially disclosed to unauthorized parties.
"When dealing with taxpayer information, the IRS has provided specific cybersecurity program guidance via IRS Publication 4557: Safeguarding Taxpayer Data, much of which involves administrative controls rather than technical controls."
When there is Personally Identifiable Information (PII) involved, then the Confidentiality risk is escalated to Privacy risk, or what we commonly think of as a “data breach”. Technically if only confidential data was stolen, that is still a data breach, but once there is PII involved, then a lot of laws, regulations, and industry standards start to come into play, including fines and penalties. Common examples of PII include health information, social security numbers, credit card numbers, and bank account numbers.
Accountants Collaborate with IT to Mitigate Privacy Risk
While Availability risk is normally mitigated by a good backup strategy (i.e. can be mitigated by IT), Privacy risk mitigation often is dependent upon reviewing the business processes that handle private data and implementing controls (both administrative and technical) to mitigate those risks. Often IT implements the technical controls, but these can be inadvertently circumvented and rendered ineffectual if there isn’t good employee awareness of why those controls are put in place. This is the where an accountant’s expertise in drafting policy and procedures, communicating those to end users, and testing the effectiveness of those controls is a great supplement to IT's technical expertise.
In a CPA firm, there is a large risk associated with managing the PII that is received from clients. This is particularly true with tax return information and EBP audits, both of which has PII inherent in the data being worked with. When dealing with taxpayer information, the IRS has provided specific cybersecurity program guidance via
IRS Publication 4557: Safeguarding Taxpayer Data, much of which involves administrative controls rather than technical controls. This guidance applies to both employee data, as well as client taxpayer data, and impacts firms as well as their clients.
Audits and bookkeeping services provided to entities that contain a lot of PII also may have more risk as the client may assume the firm is secure and the information they provide to you is being secured appropriately. Higher risk industries include healthcare, financial services, retail, nonprofit and others that have a high credit card transaction volume.
"If your firm’s name were to be in the news for a data breach, how would your clients react? And how would it impact your ability to attract new clients?"
What is the Cost of a Data Breach?
The Ponemon Institute does an annual study and their last report showed an average cost of $233 per compromised record. To estimate the impact of a data breach on your firm, count the number of records you have that have PII and multiply that by $233. Since the study includes a variety of organization sizes, I often recommend firms multiply that estimate by two or three times, as they may not have the economies of scale to realize the average cost from the study.
Another great way that accountants can partner with IT is to do cost-benefit analysis of the cybersecurity measures that is being proposed by IT against the cost of a data breach. However, remember that cost isn’t the only factor that you should consider. One of the biggest impacts of a data breach is to a firm’s reputation. If your firm’s name were to be in the news for a data breach, how would your clients react? And how would it impact your ability to attract new clients?
Proper Incident Response is Important
When a breach occurs, how quickly you act and how organized you are in your response can help to reduce the damage from the data breach. Incident response requires more than just IT to take action; legal counsel, public relations, IT forensics and your insurance carrier may all need to be involved. This is why it’s important to have a well-documented incident response plan and to have actually practiced execution of the plan on at least an annual basis. This is one of the most-often missing area of a firm’s cybersecurity risk management plan.