CPAs keep perhaps more sensitive and valuable personal data than any other profession: exactly the type of data that cybercriminals would love to get their hands on and are actively looking to exploit.
Some of the most common CPA security breaches result in identity theft for fraudulent tax returns. Many victims never know their data has been compromised until they file their taxes, and the IRS notifies them. It’s never a good day for the CPA or client when something like this happens.
Why cybercriminals go after CPA firms
CPA firms are targeted for the amount of valuable client data typically stored on their computer network. This data includes, but is not limited to:
- Client names and addresses
- Social Security numbers
- Telephone numbers
- Bank account numbers
- Employment, income, and expense information
- Brokerage information
- Confidential communications
Once cybercriminals obtain this sensitive information, they can use it to set more elaborate traps to gain direct access to bank accounts and computers. Hackers use various phishing schemes, malware, and other tactics to get login information that allows them to do serious financial damage to victims.
Another cybercriminal favorite is capturing sensitive information discussed in private emails or text-message conversations between CPAs and clients. Cybercriminals can use ransom tactics, threatening to make sensitive information public if they are not paid. The liability in all of these situations is enough to cripple many CPA firms if they’re not carrying cyber insurance.
CPA ransomware risks
Ransomware is the most serious and dangerous cyber threat that has emerged in recent years. Cybercriminals use a wide range of tactics to gain access to an organization’s computer network. Once they have access, they wait for a vulnerable moment to strike. They encrypt the systems, essentially locking the organization out of its own network, and demand a ransom before decrypting them.
In this worst-case scenario, a CPA firm could pay the ransom to get the system back online and then still be faced with the risk that private client data is in the hands of cybercriminals. Even worse, many ransomware attackers refuse to unlock computer systems after they get their money.
Increased regulatory demands
States across the country are increasing regulations to meet the rising threat posed by cybercriminals. In August 2020, California’s Office of Administrative Law approved the Department of Justice’s regulations regarding the California Consumer Privacy Act (CCPA). CCPA grants consumers the right to know, to delete, and the right to opt-out of the sale of personal information a business collects.
As more and more states try to do their part, CPAs must understand the regulations and how to stay in compliance. For perspective on the types of changes CPA firms can expect, New York’s new rules require companies to:
- Assess current cybersecurity risks and put formalized cybersecurity policies in place
- Have a plan to securely dispose of nonpublic information they no longer need
- Review and limit access privileges
- Ensure third-party service providers are secure
- Assign a Chief Information Security Officer (CISO)
- Train employees and monitor authorized users
- Create an incident response plan
- Establish multi-factor authentication
- Conduct penetration testing and vulnerability assessments
- Establish security policies for applications developed in-house
- Encrypt data at rest and in transit
- Establish an audit trail
With cyber risk on the continual rise, a comprehensive network security program is only one component of a sound risk-management program. Another critical component is a cyber insurance policy that can protect organizations that become litigation targets following a security breach.
A cyber insurance policy for CPA firms can cover liability from:
- Failure to comply with state breach notice laws
- Failure to comply with the insured’s privacy policies
- Failure to administer an identity theft prevention program required by governmental regulation
- Loss, theft, or unauthorized disclosure of private data or third-party corporate information
- Unauthorized access, destruction of data, or theft
- Virus transmission involving the insured’s computer systems resulting from computer security breaches
- Denial of service attacks
All of these risks highlight why, in today’s digital era, all CPAs need to carry a cyber insurance policy from McGowanPRO.