CPAs keep vast troves of valuable personal data that cybercriminals are itching to get their fingers on.
So far, the most notorious CPA breaches have culminated in identity thefts that led to fraudulent tax returns. Those cases became the bane of recent tax seasons when victims tried to file their taxes with the IRS and found that a hacker had used their personal data to file a fraudulent return and get an illicit refund.
An IRS-led crackdown slashed those kinds of cases in half last year, USA Today reported, but that still amounted to 787,000 fraudulent returns processed in 2016 alone. And the crackdown is not exactly good news for CPAs. After all, the news headlines about tax-return fraud make CPAs an inviting target.
Why cybercriminals want to breach CPA firms
Let’s quickly review the kinds of private data CPAs have in their computer systems:
- Full names and addresses
- Social Security numbers
- Telephone numbers
- Bank account and routing numbers
- Employment, income, and expense information
- Brokerage information
- Confidential client communications
It’s difficult to imagine what cybercriminals could not do with all this data. With names, addresses, and Social Security numbers, hackers can use phishing, malware, and other tactics to break into people’s home computers, access their logins to their banks and financial providers, and clean them out.
Another cybercriminal favorite, information on the financial condition of CPA clients, is extremely valuable. And private email or text-message conversations between CPAs and clients can wreak havoc if they are made public. When these kinds of confidential information fall into the wrong hands, there’s no telling how much damage can be done. But it’s safe to say the liabilities could cripple many CPA organizations — if they lack cyber insurance.
Ransomware Underscores Risks CPAs Face
Ransomware is the most serious and insidious cyber threat to emerge in recent years. Cybercriminals use a range of tactics sneak into organizations’ computer networks, take up residence, and wait for a vulnerable moment to strike — encrypting systems and demanding a ransom in return for decrypting them.
If undetected, these breaches can give cybercriminals widespread access to computer networks and the sensitive data within them. So, your CPA firm could pay the ransom to get your systems back online and still face the risk that private client data now belongs to cybercriminals.
What’s more, many ransomware attackers these days refuse to unlock computer systems after they get their money, potentially creating ruinous downtime for organizations that depend heavily on their computer networks.
Regulatory demands are expanding
New York State created new cyber security rules in 2017 for organizations that report to the state’s Department of Financial Services (DFS). Generally, CPA firms are not covered (yet), but given that many CPAs work with financial companies, they still need to be familiar with the regulations.
As CPA Journal put it: “In order to counsel these businesses, CPAs must understand the new regulations and their impact. In addition, it makes sense for CPA firms to be proactive in adopting the new regulations, as the profession itself is likely to be included in future regulatory efforts.”
New York’s rules provide a broad outline for safer cyber security practices. According to CPA Journal, New York’s rules require covered companies to:
- Assess current risks to create a cybersecurity program and put cybersecurity policies in place.
- Create a plan to dispose of nonpublic information they don’t need anymore.
- Review and limit access privileges.
- Ensure third-party service providers are secure.
- Assign a chief information security officer (CISO).
- Train employees and monitor authorized users.
- Craft an incident-response plan.
- Establish multifactor authentication.
- Conduct penetration testing and vulnerability assessments.
- Establish security policies for applications developed in-house.
- Encrypt data at rest and in transit.
- Establish an audit trail.
These kinds of practices reflect the principles of sound cyber hygiene that every company that any firm would be well advised to follow (and may well have to if more states adopt the rules). Also, companies that implement programs and policies to secure private data can potentially reduce their overall liability in a breach (though this depends on the facts of an individual lawsuit).
With cyber risk rising every day, a comprehensive network-security program is just one component of a sound risk-management program. Another crucial component is a cyber insurance policy that can protect your organization if it becomes the target of litigation.
A cyber insurance policy for CPAs can cover legal liability from:
- Theft, loss, or unauthorized disclosure of private data or third-party corporate information.
- Failure to comply with state breach notice laws.
- Failure to comply with the insured’s privacy policies.
- Failure to administer an identity theft prevention program required by governmental regulation.
- Unauthorized access, theft, or destruction of data.
- Denial of service attacks and virus transmission involving the insured’s computer systems resulting from computer security breaches.
All these risks underscore why professionals like CPAs should look into cyber coverage from McGowanPRO. We can help CPAs in organizations of all sizes get the right cyber coverage for their exact needs.
If you would like to speak to a professional advisor concerning your company’s exposure to cyber risks, please contact Rob Ferrini at McGowanPRO. 508-656-1327 or firstname.lastname@example.org.