Recent Cyber Claims Increasing in Frequency

by Randy R. Werner | Jun 15, 2018

Industry data has long indicated that small and mid-sized CPA firms are just as vulnerable to cyberattacks and data security breaches as larger organizations. To date, this trend continues as recent cyber claims experience shows an increase in the frequency of CPA firm cyber-related incidents requiring incident response services such as data recovery, IT forensics, legal counsel, public relations, client notification services, credit monitoring, and identity theft assistance.

For years, many smaller firms reasoned that they were too small and their information too insignificant for a hacker to want to exploit. “Why,” the thinking went, “would anyone try to take advantage of a three-CPA tax preparation practice when a Deloitte or PwC may have a much larger pool of resources to exploit?” However, institutional companies have the resources to install much more layered and effective cybersecurity protections, so that less sophisticated hackers, working on their own or in small groups, don’t have the expertise to successfully attack such big targets. Instead, they go after relatively unprotected or vulnerable “soft” targets in the form of smaller firms.

Hackers regularly use Google Maps and Yelp to find local, independent CPA firms and then scan the networks of selected firms electronically to determine their vulnerabilities. Often, the firms are woefully underprepared for the resulting breach and significant risk exposure due to the disclosure of client confidential information.

There are three main reasons why small businesses are particularly vulnerable to cyber attack:

  1. Email storage may be unencrypted and, thus, not secure. Furthermore, web-based email products may be easily exploited; their flaws are widely known because of the ubiquity of major email services.
  2. Small businesses often have outdated, unpatched software that can be exploited at the operating system level. For example, many small businesses still use operating systems such as Windows XP or Vista. Such systems provide an easy target for hackers since Microsoft no longer creates security patches for these systems and the vulnerabilities are well known by “black hat” hackers. Small businesses can reduce this risk by upgrading to newer, more secure operating systems and automating their patch management.
  3. Social engineering continues to be a problem, no matter the size of the firm. But small firms might not invest in the cyber security awareness training necessary to educate their employees on the ever-present dangers such as clicking on links or attachments found in emails, downloading malware through insecure websites on the internet or on social media, or responding to requests for information from socially-engineered emails designed to scare a person or tap into their desire for a good deal.

Most hackers who target small businesses do so because the amount of time and effort required is minimal. Hacking into a machine that runs Windows XP or unpatched operating systems and does not have basic cybersecurity software is easy for an inexperienced hacker and even easier for an experienced “black hat.”

Recommended Steps

In order to add more layers of security, a firm, first and foremost, should encrypt every single device and make sure each device has basic anti-virus and anti-malware software installed and configured to update automatically. A firm should keep all of its software current with security updates, and install and run software patches recommended by security experts on a regular basis (e.g., Microsoft has “Patch Tuesday” every week). Cybersecurity experts are also valuable resources.

Another recommended step is to acquire a secure client web portal that will archive and store your clients’ personal documents and data. It will also lower your staff’s administrative burden by reducing their processing, sorting, and filing work, and important electronic documents will be much harder to misplace in extended email threads. A number of companies provide excellent, secure web portal services.

Even if a firm is careful about protecting its clients’ data, it might still be held legally liable for any data loss from hacking and other cyber attacks. To that end, it’s critical to obtain strong, well-designed insurance coverage and breach response services. Your clients will want to recoup their losses from hacking. Since it is unlikely that they will be able to do so from the hackers, they might seek to hold the firm accountable, even if the firm is not at fault (i.e., the hacking occurred on the client’s end). Cyber and professional liability insurance and loss prevention are the best defenses for the firm.

The following are two recent cyber claims scenarios drawn from actual claims against CPA firms. These scenarios help illustrate the value of cyber coverage and cyber incident response services:

Scenario #1

The CPA firm’s computer network was hacked by an outside source. An IT forensic firm was contacted to determine the scope of the breach, how many and which clients were affected. Forensics concluded that there was a high probability that the entire client base was affected. The CPA firm decided to notify their entire client base regarding the breach. Legal counsel was engaged to help determine the requirements for notifying clients and preparing letters as the affected clients resided in several states. A call center was set up by the insurer and notification letters were sent to all clients. The firm’s cyber coverage paid for the IT forensic costs, the client notifications, the call center fees as well as the legal fees.

Scenario #2

An employee of the CPA firm opened a file allegedly from one of their clients and immediately received a message from a hacker stating that all the firm’s files had been encrypted. The hacker demanded the firm pay a ransom in Bitcoin in order to receive the decryption key. The firm immediately contacted their IT personnel, who removed the virus from their system. However, all the files remained encrypted and inaccessible. An IT forensics vendor was retained to assist the CPA firm in paying the ransom, obtaining the decryption key, and restoring their files. Legal counsel was retained to assess whether notification to the firm’s clients was necessary. After forensic work was completed, no misuse of the encrypted information was uncovered, and no notification to the clients was deemed necessary. The firm’s cyber coverage paid for the ransom, IT costs to decrypt and restore files, and legal fees.

As the preceding scenarios illustrate, a robust cyber insurance policy, security breach response services and procedures, and an effective risk management program are more important than ever to assist firms in recovering from an incident. Remember, it is not “if” you will be attacked, but “when.”

Randy R. Werner, J.D., LL.M./Tax, CPA, is a Loss Prevention Executive with CAMICO (www.camico.com). She responds to CAMICO loss prevention hotline inquiries and speaks to CPA groups on various topics. Werner has Big Four public accounting experience in federal and state tax as well as regional accounting firm experience. She has practiced as a sole practitioner in estate planning since 1984.
