
Pennsylvania CPA Journal

Fall 2024

Data Security a Must for 21st Century CPAs

The use of technology in accounting is pervasive, as is the collection of client and practice data. All that data is both the lifeblood of every practice and the potential cause of its undoing if not cared for. This feature examines common data security threats and offers strategies for keeping this data safe.


by Brian Trout, CPA, DBA, CGMA, and Cory Ng, CPA, DBA, CITP
Sep 20, 2024, 06:00 AM


Possession of the financial and personally identifiable information of their clients makes CPA firms prime targets for cyberattack. Reputational damage, financial losses, and decreased client trust are the potential consequences of a cybercrime that should drive the need for stringent cybersecurity protocols at all firms. This feature examines the role of cybersecurity in CPA firms, explores common security threats, and outlines effective strategies for mitigating these risks.

Why Is Cybersecurity Important?

The famous bank robber Willie Sutton, when asked why he robbed banks, supposedly replied, “That’s where the money is.” The same principle applies to hacking accounting firms: that’s where the data is. Public accounting firms are attractive targets for cybercriminals because they have custody of highly sensitive financial and personally identifiable information. Targeting an accounting firm, rather than a single company, could potentially provide criminals with access to the sensitive information of dozens of companies all in one place.

One example that received significant attention was a 2017 breach at Deloitte when hackers gained access to emails sent and received by staff as well as access to usernames, passwords, and IP addresses. A study published in the Journal of Information Systems analyzed more than 11,000 observations of Big 4 audit clients in the context of the Deloitte breach. The study found that the breach led to significant reputational damage, decreased fees following the incident, and a significant decrease in the likelihood that new clients would engage Deloitte. In addition to the immediate and long-term consequences related to the firm’s reputation and revenue, the analysis showed Deloitte’s clients suffered significant negative market reactions after the breach.1

Don’t assume that big firms are the only, or even the primary, targets of cybercriminals. Recent trends, such as lower ransoms demanded by cybercriminals, indicate that smaller firms may be especially attractive targets. There may be several reasons behind this. Many firms are not able to function without access to their data, so this increases the odds of ransom payment. Other firms do not possess strong information security, so it makes a hacker’s job easier. Furthermore, it seems cybercriminals are avoiding larger organizations to mitigate their own risk of national media coverage and law enforcement action.2

While average ransom demands have decreased, the costs to recover from a ransomware attack continue to increase. The cost to recover from an incident has doubled over the past two years to $26,000 per incident. Ninety-five percent of those incidents resulted in losses between $1 million and $2.25 million.3

Businesses that are “significantly engaged” in providing financial products or services are subject to the Federal Trade Commission (FTC) Safeguards Rule.4 These organizations are required to implement and maintain information security programs to protect clients’ information. CPA firms are covered under this rule, and the penalties for noncompliance are significant: $100,000 per violation, $43,000 per day for consent violations, and additional fines levied on officers and directors.

CPA firms must also recognize the significant costs directly related to a breach, such as investigations, response teams, and legal fees. The Cost of a Data Breach report by IBM and the Ponemon Institute estimates that each lost customer record costs $150. The average breach involved more than 25,000 records and took 279 days to contain.5

Common Security Threats

Hacking exploits technical weaknesses in systems, networks, or software to gain unauthorized access. For example, Deloitte’s global email server was hacked via an administrator’s account that did not have two-step verification.6 Exploiting human weaknesses is another method used by cybercriminals, sometimes in conjunction with hacking. Verizon’s Data Breach Investigations Report analyzed more than 16,000 security incidents and 5,000 breaches across 20 industries and found 74% of breaches involved a human element.

Social Engineering – The objective of social engineering scams is to manipulate individuals into disclosing sensitive information or providing access to systems. Because these schemes are relational, victims are unaware that they are being manipulated.

Phishing scams, for example, involve criminals posing as legitimate parties, such as a client, vendor, or financial institution, and often use emails with attachments or links. Opening the attachment initiates the installation of malware on the victim’s computer that can spread throughout an entire system. Clicking on a link in a phishing email usually takes the user to a fraudulent website where sensitive information is solicited from the victim to enable password theft, installation of malware, or access to the network.

As many as 91% of cyberattacks begin with a spear phishing email, which typically targets staff.7 Spear phishing, though, comes in many forms in addition to emails to staff. Deepfakes are the next generation of fraud. About 66% of cybersecurity professionals report that they see deepfakes incorporated in cyberattacks.8 Deepfakes use artificial intelligence and machine learning to create video, audio, or images that look and sound like real individuals. For example, a manager of a Japanese bank was duped by deepfake voice technology impersonating a bank director. The manager’s “recognition” of the director’s voice led him to authorize the transfer of $35 million for a fictitious acquisition.9

Deepfakes are becoming increasingly difficult to distinguish from the real thing. For example, cybercriminals created a deepfake of a cryptocurrency executive by using past television appearances and news interviews. This allowed fraudsters to impersonate the executive in web conference meetings with cryptocurrency developers.10

Clients, Vendors, and Other Third Parties – With connected systems, a malware infection of a client’s or vendor’s network has the potential to spread to a CPA firm’s network. In addition, criminal access to a client’s system can increase the effectiveness of social engineering efforts targeting public accounting firms. After gaining access to a client’s system, hackers may be able to monitor and analyze messages to execute more effective business email compromise (BEC) attacks that impersonate trusted vendors via email. The frequency of these attacks doubled from 2022 to 2023.11 These emails are designed to appear genuine by mimicking email addresses and using familiar language to motivate the recipient to transfer funds or disclose sensitive information.

Aside from enhanced replication of third-party emails, hackers may be able to use a client’s or vendor’s actual email for communication with a firm. This differs from “spoofing,” in which a bad actor sends a message posing as a trusted individual but with a slightly different email address than the client’s real email. Instead, these emails are sent from the client’s genuine email address. Here is a real-life example from a firm that provided bill-pay services. A firm received an email requesting payment for numerous large invoices. As standard practice, the firm asked the client to verify the invoices and approve payment. With access to the client’s system, the hacker “verified” the invoices via the client’s email and, consequently, the firm disbursed funds.12
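The two preceding paragraphs describe the signs a firm can look for in a payment request (a sender domain that is a near-miss of a trusted vendor’s domain, a Reply-To that routes answers elsewhere) and the case those signs cannot catch: a message sent from a client’s genuine, compromised mailbox. The following screening routine is an added example, not code from the article or its authors. The vendor domain list, the confusable-character table, and the three sample messages are constructed for illustration; the decision it encodes is that every payment request is held for out-of-band confirmation, because a genuine-mailbox message produces no technical finding at all.

```python
"""Added example (not from the article): screen inbound payment requests for
spoofing indicators and always route them to out-of-band verification.
Vendor list, confusables table and sample messages are constructed."""
from email import message_from_string, policy
from email.utils import parseaddr

TRUSTED_VENDOR_DOMAINS = {"acme-supplies.example", "northwind.example"}  # constructed
PAYMENT_TERMS = ("invoice", "wire", "remit", "payment", "bank details", "account number")
# Character swaps commonly used to build lookalike domains (constructed, not exhaustive)
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize_domain(domain: str) -> str:
    """Fold common lookalike substitutions so 'supp1ies' compares equal to 'supplies'."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value) -> str:
    """Extract the domain from a From:/Reply-To: header value ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None if trusted or unrelated."""
    if domain in TRUSTED_VENDOR_DOMAINS:
        return None
    for trusted in TRUSTED_VENDOR_DOMAINS:
        if normalize_domain(domain) == normalize_domain(trusted) or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def screen_payment_request(raw: str) -> dict:
    """Parse a raw RFC 822 message and report spoofing findings plus the required action."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    text = ((msg["Subject"] or "") + "\n" + msg.get_content()).lower()

    findings = []
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} resembles trusted vendor {imitated}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from sender {from_domain}")
    is_payment = any(term in text for term in PAYMENT_TERMS)
    if is_payment and from_domain not in TRUSTED_VENDOR_DOMAINS and not imitated:
        findings.append(f"payment request from unknown domain {from_domain}")

    return {
        "from_domain": from_domain,
        "payment_request": is_payment,
        "findings": findings,
        # Policy, not heuristics: a message from a compromised but genuine mailbox yields
        # no finding, so every payment request is confirmed through a channel that does
        # not run through email (e.g. a phone number already on file).
        "action": "verify out of band before paying" if is_payment else "no payment action",
    }


# Constructed sample messages
SAMPLE_LOOKALIKE = """\
From: Accounts Payable <ap@acme-supp1ies.example>
To: bookkeeping@firm.example
Subject: Invoice 4471 - updated bank details

Please remit payment to the new account number below.
"""

SAMPLE_REPLYTO = """\
From: Accounts Payable <ap@acme-supplies.example>
Reply-To: ap-acme@webmail.example
To: bookkeeping@firm.example
Subject: Invoice 4471

Please wire the attached invoice today.
"""

SAMPLE_GENUINE = """\
From: Accounts Payable <ap@acme-supplies.example>
To: bookkeeping@firm.example
Subject: Invoice 4471

Please process payment for the attached invoice.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LOOKALIKE, SAMPLE_REPLYTO, SAMPLE_GENUINE):
        print(screen_payment_request(sample))
```

The third sample is the bill-pay scenario from the text: nothing in the headers is wrong, so the only control that works is the out-of-band confirmation the routine requires for every payment request.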

Ransomware – This type of malware works by holding information hostage. Once ransomware is installed, it restricts access to files, possibly the entire system, which can paralyze a firm. Reestablishing access to files is promised in exchange for an extortion payment. Naturally, there are no guarantees: one must take criminals at their word that access will be reestablished. Sarah Ference, CPA, risk control director at CNA, finds that hackers are using increasing pressures to force firms to pay ransom, including threats to release the held data to the public or the deletion of a firm’s files.13 In addition to holding data for ransom money, criminals can also generate revenue by selling data on the dark web where there is high demand for personally identifiable information.

How CPA Firms Can Combat Security Threats

Sometimes these threats seem too big or complicated to mitigate. Not so! Firms can take very reasonable actions that can go a long way toward their own protection.

Training – While firms can invest in and implement a host of technologies to improve security, the reality is that a firm’s people are the first line, and most effective form, of defense.

It is important for employees to gain an appreciation of why cybersecurity is critical for public accounting firms and the personal implications that can transpire from incidents. Once that foundation is laid, educate employees about common cybersecurity practices. Then, more targeted training can take place to familiarize employees with the firm’s security policies and procedures that are relevant to their roles. Keep in mind that cyberthreats are constantly evolving, which necessitates regular training and updates.

In addition to what we may think of as traditional training or education programs, testing and assessment activities help evaluate a firm’s security controls and participants’ understanding of procedures. Cybersecurity simulations help firms practice and assess how they respond to cybersecurity incidents. Phishing simulations can test employees’ vulnerability to social engineering attacks. Penetration testing actively attempts to gain unauthorized access to systems, networks, and applications to help illuminate security weaknesses.

Perhaps the most beneficial outcome of training initiatives is that they keep cybersecurity top of mind. Regular training and simulation exercises implicitly communicate that cybersecurity is of utmost importance. Developing such a culture not only helps avoid negative economic consequences but can also be a competitive advantage. A firm marked by high cybersecurity awareness demonstrates a commitment to protecting clients and adds an increasingly important ingredient to growth and reputation management.

Access Controls – Technical and physical controls should be used to permit access only by authorized individuals. In addition, each authorized individual’s access should be limited to only what they need to do their job. This “least privilege” approach can help contain widespread compromise if an individual machine is breached.

Passwords are the low-hanging fruit for cybercriminals as they can be easily stolen, guessed, or reverse engineered. Multifactor authentication (MFA) requires users to enter their username and password plus one or more additional factors. MFA should be established for all users, including external users such as customers who access their own information through client portals. Microsoft claims that multifactor authentication can block 99% of account compromise attacks.14

Passwordless authentication is considered more secure than using passwords. Unlike MFA, passwordless authentication does not require a password or knowledge-based secret. Instead, it uses a single factor to authenticate identity, such as a biometric. With password authentication, the password a user supplies is compared to the password stored in a database. Biometric authentication works similarly, but it compares a biometric factor against verified data, such as fingerprints, face recognition, voice recognition, and retina scans.

Threat Prevention Technologies – Every firm should have robust anti-virus and malware protection, as well as firewall software. All automated security alerts should be reviewed immediately to address any potential issues promptly. Installing patches for security software and operating systems is critical. In addition, firms should be attentive to updates related to third-party software. Adobe, Java, and internet browsers are regularly targeted by attackers because of security vulnerabilities.15

Encryption of sensitive data is another great prevention technology. Encryption transforms data into a form that cannot be read, or converted back into readable form, without the decryption key. Encrypting a hard drive or computer protects data if these devices are stolen or compromised. Encrypting data in transit is also vital. This type of encryption ensures data remains unreadable to anyone without a key who might intercept it during transmission. Virtual private networks (VPNs) are another security measure that is advisable for staff to use outside of the office, especially when using public Wi-Fi. A VPN encrypts and tunnels an employee’s traffic, preventing criminals on the same network from reading intercepted communications.

Monitor Service Providers – Vendor management is critical to a firm’s cybersecurity. CPA firms should not only assess their service providers’ cybersecurity practices when onboarding, but also include clear contractual requirements pertaining to ongoing controls. Contracts should include the firm’s monitoring and assessment of third-party security practices to ensure vendors are meeting security expectations. While this does present an additional burden for firms, it should be viewed as an extension of the firm’s responsibility to protect client information.

Backup – CPA firms really should have multiple backups. Ideally, these backups would use different technologies and be physically removed from the network. This provides another layer of protection against malware infecting backed up files. Devices can be set up to back up to the cloud automatically, but it is important to remember that these services are not immune to ransomware takeovers. Therefore, also send data stored on the cloud to an external hard drive periodically. This will help ensure the firm can still operate even if data is inaccessible online.

Planning – The latest provisions of the FTC Safeguards Rule took effect June 2023. Firms attentive to IRS Publication 4557, Safeguarding Taxpayer Data, will find significant crossover. Under both mandates, firms must designate an individual responsible for cybersecurity, conduct a risk assessment that informs a written information security plan, and implement various security measures, such as those discussed above.

The FTC Safeguards Rule requires a “qualified” individual to oversee cybersecurity; broadens the scope of data that needs protection to include essentially any data related to clients, such as their customers’ and suppliers’ data; and necessitates a written incident response plan.16 In addition to avoiding noncompliance penalties and insurance coverage issues, an incident response plan can help mitigate financial and reputational damage caused by a breach. Perhaps just as important, the process of examining risks and writing explicit policies and procedures keeps cybersecurity at the forefront.

Insurance – While insurance does not replace controls, a firm’s cybersecurity program should include cybersecurity coverage. Cybersecurity coverage may entail an additional provision to a commercial policy or sometimes it’s a separate policy. While policies differ, the following are common coverages to consider:

  • Privacy event expense coverage helps protect firms against costs, such as investigating and notifying affected parties.
  • Network damage coverage can cover costs related to the repair or restoration of networks that were compromised.
  • Extortion coverage, while varying in degrees, protects firms from financial losses related to ransom payments or negotiation costs.
  • Business interruption coverage reimburses firms for lost revenue or extra expenses that relate to a cyberincident.
  • Regulatory coverage helps mitigate the financial impact of penalties and legal expenses that relate to noncompliance with cybersecurity regulations.

Similar to patching security technologies and updating response plans, cybersecurity insurance is not a once-and-done deal. The ever-changing risk landscape necessitates that firms periodically examine their cybersecurity insurance policies.

Conclusion

Strong cybersecurity measures within CPA firms are crucial. The rising sophistication and frequency of cyberattacks highlight the severe repercussions of inadequate security measures, including financial losses, reputational harm, and diminished client trust. It is imperative for firms to adopt security practices such as threat detection technologies, regular employee training, strict access controls, and attentive vendor management. Additionally, compliance with regulatory requirements and the incorporation of cybersecurity insurance provide further protection against potential cyberincidents. Ultimately, prioritizing cybersecurity not only safeguards a firm’s operations and client data but also reinforces its reputation as trustworthy and reliable in the digital age. 

 

1 Barri Litt, Paul Tanyi, and Marcia Weidenmier Watson, “Cybersecurity Breach at a Big 4 Accounting Firm: Effects on Auditor Reputation,” Journal of Information Systems (2023).

2 Stan Sterna, JD, “The CPA’s Cybersecurity Imperative,” AICPA Member Insurance Programs (May 2022).

3 Data Breach Investigations Report, Verizon (2023). 

4 Publication 4557, Safeguarding Taxpayer Data, IRS. 

5 Cost of a Data Breach Report 2023, Ponemon Institute and IBM Security (2023).

6 Litt, Tanyi, and Weidenmier Watson, Journal of Information Systems, ibid.

7 Identity Theft Information for Tax Professionals, IRS. 

8 Roman H. Kepczyk, CPA, CITP, CGMA, “Deepfakes Emerge as Real Cybersecurity Threat,” AICPA & CIMA (Sept. 28, 2022).

9 Matthew Miller, Deepfakes: Real Threat, KPMG (2023). 

10 Patrick Hillmann, “Scammers Created an AI Hologram of Me to Scam Unsuspecting Projects,” Binance (Aug. 17, 2022). 

11 Data Breach Investigations Report, Verizon, ibid.

12 “Q&A: 2 Cyberattacks CPA Firms Should Fear,” AICPA (Sept. 30, 2023).

13 Ibid.

14 Melanie Maynes, “One Simple Action You Can Take to Prevent 99.9 Percent of Attacks on Your Accounts,” Microsoft Security (Aug. 20, 2019).

15 “A CPA’s Introduction to Cybersecurity,” AICPA & CIMA (April 19, 2018).

16 FTC Safeguards Rule: What Your Business Needs to Know, Federal Trade Commission. 

 


Brian Trout, CPA, DBA, CGMA, is an associate professor of accounting and finance at Millersville University in Millersville. He can be reached at brian.trout@millersville.edu.

 

Cory Ng, CPA, DBA, CITP, is an adjunct associate professor in accounting at the Fox School of Business at Temple University and a member of the Pennsylvania CPA Journal Editorial Board. He can be reached at cory.ng@temple.edu.


Insurance – While insurance does not replace controls, a firm’s cybersecurity program should include cybersecurity coverage. Cybersecurity coverage may entail an additional provision to a commercial policy or sometimes it’s a separate policy. While policies differ, the following are common coverages to consider:

  • Privacy event expense coverage helps protect firms against costs, such as investigating and notifying affected parties.
  • Network damage coverage can cover costs related to the repair or restoration of networks that were compromised.
  • Extortion coverage, while varying in degrees, protects firms from financial losses related to ransom payments or negotiation costs.
  • Business interruption coverage reimburses firms for lost revenue or extra expenses that relate to a cyberincident.
  • Regulatory coverage helps mitigate the financial impact of penalties and legal expenses that relate to noncompliance with cybersecurity regulations.

Similar to patching security technologies and updating response plans, cybersecurity insurance is not a once-and-done deal. The ever-changing risk landscape necessitates that firms periodically examine their cybersecurity insurance policies.

Conclusion

Strong cybersecurity measures within CPA firms are crucial. The rising sophistication and frequency of cyberattacks highlight the severe repercussions of inadequate security measures, including financial losses, reputational harm, and diminished client trust. It is imperative for firms to adopt security practices such as threat detection technologies, regular employee training, strict access controls, and attentive vendor management. Additionally, compliance with regulatory requirements and the incorporation of cybersecurity insurance provide further protection against potential cyberincidents. Ultimately, prioritizing cybersecurity not only safeguards a firm’s operations and client data but also reinforces its reputation as trustworthy and reliable in the digital age. 


1 Barri Litt, Paul Tanyi, and Marcia Weidenmier Watson, “Cybersecurity Breach at a Big 4 Accounting Firm: Effects on Auditor Reputation,” Journal of Information Systems (2023).

2 Stan Sterna, JD, “The CPA’s Cybersecurity Imperative,” AICPA Member Insurance Programs (May 2022). 

3 Data Breach Investigations Report, Verizon (2023). 

4 Publication 4557, Safeguarding Taxpayer Data, IRS. 

5 Cost of a Data Breach Report 2023, Ponemon Institute and IBM Security (2023).

6 Litt, Tanyi, and Weidenmier Watson, Journal of Information Systems, ibid.

7 Identity Theft Information for Tax Professionals, IRS. 

8 Roman H. Kepczyk, CPA, CITP, CGMA, “Deepfakes Emerge as Real Cybersecurity Threat,” AICPA & CIMA (Sept. 28, 2022).

9 Matthew Miller, Deepfakes: Real Threat, KPMG (2023). 

10 Patrick Hillmann, “Scammers Created an AI Hologram of Me to Scam Unsuspecting Projects,” Binance (Aug. 17, 2022). 

11 Data Breach Investigations Report, Verizon, ibid.

12 “Q&A: 2 Cyberattacks CPA Firms Should Fear,” AICPA (Sept. 30, 2023).

13 ibid.

14 Melanie Maynes, “One Simple Action You Can Take to Prevent 99.9 Percent of Attacks on Your Accounts,” Microsoft Security (Aug. 20, 2019).

15 “A CPA’s Introduction to Cybersecurity,” AICPA & CIMA (April 19, 2018).

16 FTC Safeguards Rule: What Your Business Needs to Know, Federal Trade Commission. 



Brian Trout, CPA, DBA, CGMA, is an associate professor of accounting and finance at Millersville University in Millersville. He can be reached at brian.trout@millersville.edu.


Cory Ng, CPA, DBA, CITP, is an adjunct associate professor in accounting at the Fox School of Business at Temple University and a member of the Pennsylvania CPA Journal Editorial Board. He can be reached at cory.ng@temple.edu.