CPA firms are stewards of their customers’ data. As such, we must implement a cybersecurity program to protect that data. Internal and external stakeholders want assurances, and we need to seriously consider third-party attestations to substantiate and demonstrate the effectiveness of our security programs. Practices cannot afford to be slow in implementing their own internal security programs and proving what they have in place.
CPA firms must align with their clients’ desires for risk reduction. We need mitigation strategies related to the availability of our information systems and the confidentiality and integrity of customer data. Consider, for example, the financial and reputational impact of extended technology downtime during tax season. What about a data breach that negatively impacts your firm for years through lost revenue and damage to your reputation?
Third parties you hire, like it or not, are a cybersecurity risk. In 2018, the Opus & Ponemon Institute revealed that 59% of companies had experienced a data breach caused by one of their vendors or another third party. Managing vendors and their accompanying risks is critical to any cybersecurity initiative, and one of the most important reasons to adopt an effective cybersecurity program.
Your clients are assessing the risks their business partners pose to their business, and you need to be able to demonstrate that your firm has not only implemented an effective control environment, but has also assessed the impact your firm’s vendors have on your firm. Doing so can be accomplished through the following steps:
- Develop risk criteria and risk tolerance. How will you evaluate each vendor? Think about what information the vendor has access to or how critical their service is to your operations.
- Maintain a list of all vendors that can be reconciled against reports from your accounts payable department. It’s critical to maintain an accurate, up-to-date list of vendors.
- Assess each vendor (at least annually) against your risk criteria, and assign a risk profile to each as low, moderate, high, or critical.
- Perform due diligence on those vendors exceeding your risk tolerance (most likely those deemed high-risk and critical vendors). One approach is to request their System and Organization Controls (SOC) reports and examine their controls and the results of their most recent audit. Or you might send them a questionnaire: the Shared Information Gathering (SIG) assessment is commonly used.
- Address problems and concerns you’ve uncovered. Either implement mitigating controls in your environment or avoid the risk by finding a new vendor.
Regulators and States
No business, large or small, is excused from implementing cybersecurity best practices, and this includes CPA firms. Each firm must demonstrate compliance, to some degree, with various demands, whether contractual or regulatory.
Consider initiatives like the Department of Defense’s (DoD’s) Cybersecurity Maturity Model Certification (CMMC). The recent CMMC responded to two issues: DoD’s inability to trust and verify that its contractors complied with the National Institute of Standards and Technology (NIST) 171 framework as required, and contractors’ reluctance to implement the framework or, if they did, to do so correctly. As of August 2020, every DoD contractor will have to be certified through the CMMC program, which involves implementing DoD’s CMMC framework and obtaining a third-party audit to certify that requirements have been met. While your firm may not provide services to the DoD, expect similar initiatives from other entities that necessitate the adoption of best practices.
States are increasing consumer protections and demanding more from businesses through legislation. Noteworthy pieces of legislation include New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act, the California Consumer Privacy Act (CCPA), and the Ohio Data Protection Act (ODPA).
The CCPA requires companies to uphold their “duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” Expect this type of regulation to be adopted by other states.
The ODPA incentivizes businesses to comply with a recognized security framework to achieve safe harbor in the event of a breach. The act specifies industry-recognized security frameworks for Ohio businesses to incorporate into their cybersecurity policies. It does not require adherence to some minimum cybersecurity standard, but it is intended as an incentive for businesses to achieve a higher level of cybersecurity through voluntary action.
These California and Ohio regulations make two noteworthy points: they establish the need to implement a recognized cybersecurity framework and to demonstrate reasonable compliance with that framework, compliance that can be best demonstrated through an independent third-party attestation or audit.
Perhaps the most foretelling legislation is New York’s SHIELD Act. The legislation obligates businesses to “develop, implement, and maintain reasonable safeguards” to protect consumer data, and requires the implementation of a data security plan. Most notably, it requires a business to “regularly test and monitor the effectiveness of key controls, systems, and procedures, and adjust the security program in light of business changes or new circumstances.”
While the SHIELD Act does not require third-party attestation, justification for attestation is evident. An audit will give the business a vehicle to “test the effectiveness of controls” while a good auditor will help ensure the program is “adjusted in light of business changes or new circumstances.” Moreover, an audit will provide management with an independent opinion that can be used to support the program when scrutinized by regulators and other external parties.
If you are not already, become familiar with AICPA’s SOC suite of services. This framework not only offers familiarity, but also a method by which we can communicate the effectiveness of controls and security efforts through third-party attestation.
Ideally, you shouldn’t build your program around your attestation efforts but around your business risk. There is no one-size-fits-all solution. After implementing your program, you should map your controls to the framework to ensure your program meets the requirements of the SOC 2 criteria.
Your firm can also choose to undergo a SOC 2+ attestation, an enhanced reporting option that allows your firm to demonstrate controls surrounding the SOC 2 criteria and additional criteria such as the NIST Cybersecurity Framework (CSF).
To limit the financial impact of your investment in these initiatives, you can leverage the resources you have, starting with these steps:
- Conduct your own risk assessment.
- Create a program to reduce the risk in your business.
- Select a best-practice cybersecurity framework (NIST CSF is currently the standard for most new regulations and initiatives).
- Identify the scope of what your attestation report will involve.
- Conduct a gap assessment between your program and the SOC 2 criteria.
- Remediate the gaps between SOC 2 and your attestation scope.
- Bring in your auditor to conduct the attestation examination and deliver your attestation report.
- Continually improve your program.
Stakeholders can no longer simply trust. They will seek to verify, and you must be ready.
Matthew J. Schiavone, CPA, CISSP, CISA, is a senior manager with Hill Barth & King LLC in Warrendale, and is a member of the 2020-2021 Pennsylvania CPA Journal Editorial Board. He can be reached at email@example.com.