This blog was provided by Gallagher Affinity, a premier sponsor of the PICPA.
By James Vinocur, JD
There are good reasons why buildings conduct fire-safety drills and some people prepare go-bags in case of an emergency. After all, when it comes to an emergency, you always want to have a plan. All businesses, including CPA firms, should adopt this same approach in the face of one of the biggest threats in 2022 and beyond: cyberattacks. After all, having a cyber-incident preparedness plan could be crucial to weathering the post-attack storm and ensuring your firm’s survival. Such plans can significantly aid businesses of all sizes recover quickly and smoothly from an attack and mitigate financial losses, which should be of particular importance to all companies. It’s been reported that approximately 60% of entities that sustain a cyberattack go out of business within six months.
So, what does a cyber-incident preparedness plan entail? A thorough plan will provide a road map for stakeholders to follow in the immediate aftermath of a cyber-incident, ensuring a level-headed and effective response. First, it will address which parties need to be contacted and how to reach them – providing a hierarchical checklist of sorts – for both individuals inside and outside the organization. If nothing else, thinking through and implementing a plan will educate the firm’s employees on what the warning signs look like and what to do should steps be needed. The internal hierarchy should include for individuals who know where a firm’s sensitive data are stored, how they are stored, and how to access the data. In other words, someone who will know the answers to the questions outside vendors will likely ask. In addition, this organizational structure may include changes based on the type of threat faced by the business: is it a ransomware attack that has locked up the firm’s internal network, or is it a data intrusion that has targeted specific users within the company? It may be the same person (or people) who handle the different types of crises, but at least the plan will provide users with a clear directive to follow.
Externally, a meaningful cyber-incident preparedness plan may include contact information for a trusted IT consultant, the firm’s cyber-insurance provider, bank account manager, a forensic investigator, local law enforcement, or a data breach attorney. These individuals will first help the firm respond to and rectify the cyberattack, and then work toward recovery from the attack.
The first call will, therefore, likely be to an IT specialist who can diagnose the issue, determine its severity, preserve any data that may be needed for an ensuing investigation, and come up with a recovery plan. Predetermining whether or not your IT consultant is capable of handling such a threat will save the organization valuable time and effort in the long run. The second call may be to your cyber-incident insurance provider. After all, as with most emergencies, a cyberattack can be very expensive. Drafting a cyber-incident preparedness plan will therefore aid stakeholders in making sure they understand the details of their insurance coverage and who to contact in the immediate aftermath. For instance, does the policy cover the cost of the aforementioned IT professional who will need to be called in to remediate the issue?
In the immediate aftermath of a cyberattack, it may be necessary to obtain assistance from outside entities, such as one’s bank and law enforcement. For instance, in the event of an unauthorized wire transfer that occurred as a result of a hack, knowing who to contact at your bank (and who will pick up your call) may be the difference between stopping and/or clawing back the transfer or losing it forever. While your bank will often act as the first line of defense in stopping an unauthorized transfer of funds, law enforcement often provides a liaison role between different financial institutions. Furthermore, notifying law enforcement of a cyberattack not only is good practice, but it is also required. For example, the power to issue subpoenas and obtain seizure warrants may be necessary in certain matters. Establishing contacts and relationships with these agencies beforehand can be the difference between sustaining a business-ending loss and a mere speed bump.
There are numerous overlapping data breach laws that apply to cyberattacks, therefore it may be necessary that a detailed forensic investigation is required to determine whether statutory compliance is necessary. Once again, a thorough cyber-incident preparedness plan will include contact information for such specialized vendors, as well as outside legal counsel that can help navigate the business through these legal requirements (although it is important to note that many cyberattack insurance policies will provide for legal assistance through law firms they have relationships with). Such a plan may also include the execution of tabletop exercises that simulate such an attack, similar to how a dry run through a fire drill ensures that everyone knows what they’re responsible for and where to go in the event of a fire. In the end, a little planning ahead can go a long way if and when an emergency does arise.
James Vinocur, JD, is a partner at Goldberg Segalla in New York City, where he specializes in data privacy and cybersecurity issues. Prior to joining Goldberg Segalla, he served as deputy chief of the cybercrimes bureau of the Manhattan District Attorney’s Office. He can be reached at email@example.com.
Get more information on cyber insurance plans offered by PICPA premier sponsor Gallagher Affinity.
Sign up for weekly professional and technical updates from PICPA's blogs, podcasts, and discussion board topics by completing this form.