By William E. Ebersole, CPA, JD
The cost of a data breach can easily exceed $100,000, even for smaller CPA firms.[1] In addition, CPAs must expend efforts and funds to mitigate damage to their brand. The good news is there are low-cost, nontechnical efforts – generally referred to as cyberhygiene – that can mitigate the top cyberattack vectors, including ransomware.[2]
Technological solutions are certainly important security components, but all CPAs can implement cyberhygiene policies at little or no cost to defend their most critical data. Cyberhygiene covers policy, procedural, and behavioral practices to reduce the “attack surface” or vulnerable area of a company’s digital infrastructure susceptible to compromise. In this blog, I will focus on the nontechnical, low-cost practices of having a cyber incident response plan and ensuring third-party vendor due diligence.
A cyber incident response plan should be implemented well before a data breach occurs. Ensure that you have the technical capabilities – either in-house or via third-party vendor – to address the immediate consequences of a breach, such as isolating the affected system. Also, have the contact information for a good digital forensics expert and data privacy attorney. Having the ability to immediately engage these service providers is a top mitigation factor. A conversation early on with these professionals will shed light on what they view as critical early steps that will allow them to immediately start addressing your situation.
Cyber liability insurance should be a part of your incident response plan too. If you don’t have this insurance, get the policy that is right for you and your firm. If you do have a cyber liability insurance plan, make sure you fully understand two things. First, make sure you are aware of what is covered, such as the payment of victim notification expenses or forensic exams. Second, make sure that you are complying with your requirements under the policy. For example, a policy may require patching or updates to your network at various intervals. Failure to comply with the terms of your coverage may render any protections null and void.
Finally, have a press release and media talking points prepared in advance. Having a concise, professional response to a curious member of the media will help prevent further damage to your brand and limit liability exposure. This is something that is good to run by a data privacy attorney in advance.
Third-Party Due Diligence
When contracting with a third-party vendor, especially a cloud service provider (CSP), ensure that the contract provides you with cybersecurity provisions that give you a level of protection at least equivalent to your own firm’s practices. First and foremost, understand your obligations under the contract. The CSP may assume many responsibilities for data security under the service level agreement, but firm owners will still retain some obligations to protect their data. Also, have an understanding of who owns your data and your metadata (information about your data). In the event of a lawsuit, subpoena, or peer review, a CPA needs to know he or she can get a copy of a significant email, or information about when a particular email that gave notice of critical facts was opened.
Many CSPs offer to store highly sensitive data under enhanced protections, for example, HIPAA-protected information or information protected under the Payment Card Industry Data Security Standard (PCI DSS). Having a contractual provision that allows you to audit the CSP’s cybersecurity practices and procedures will allow you to verify the proper handling of your data.
Don’t forget to find out where the CSP stores backup data. Is the backup storage facility outside of the United States? If yes, is the country of storage a safe, developed area, or is it subject to turmoil and devoid of data security regulations? Finally, make sure you can get all of your data (and metadata) out of the CSP should you choose to go to a different vendor. You want to ensure that the vendor you are going to work with has the technical capability and willingness to transfer your valuable information to a competitor.
A great place to start researching a CSP is the Cloud Security Alliance, a not-for-profit organization that helps individuals and businesses navigate the many platforms for cloud services.
Although cyberhygiene techniques can seem basic, ensuring that you and your employees practice cyberhygiene every day will help protect your valuable data and your brand.
[1] Byron Shinn and John Jorgensen, “Cybersecurity: An Urgent Priority for CPA Firms,” The Tax Adviser (April 1, 2020).
[2] “Center for Internet Security (CIS) Releases New Community Defense Model for Cybersecurity,” Center for Internet Security (Aug. 20, 2020).
William E. Ebersole, CPA, JD, is security compliance/emergency manager for Disney Cruise Line in Celebration, Fla. He can be reached at firstname.lastname@example.org.