insight magazine

Is Your CPA Firm Prepared for a Cyberattack?

It’s no longer a question of “if” you’ll be impacted by a cyberattack, but “when.” Being prepared and taking the necessary precautions are more critical than ever to protect your firm and your clients. By Suzanne M. Holl, CPA | Digital Exclusive - 2022


From attacks on major infrastructure to small companies being held for ransom, the severity of cybercrimes and ransomware attacks has grown significantly in recent years, and cyber-related claims impacting CPA firms are also seeing an uptick. Because of their abundance of client data, CPA firms and tax professionals are attractive targets to cybercriminals. And, if they’re successful, these cybercrimes may have a detrimental impact on your firm’s financials and reputation.

With first-party cyber exposures (i.e., damages experienced by the CPA firm), costly measures for the firm may include hiring IT forensic experts to determine the extent of the breach, consulting with attorneys specializing in data breach laws, and providing credit monitoring to those impacted by the breach. With third-party cyber exposures (i.e., when a client has been hacked), CPA firms may be blamed for any loss, in part or in whole. These claims typically include allegations such as failure to detect the red flags associated with communications that were executed by the hacker, falling below the standard of care by initiating wire transfers without “proper” client authorization, failure to “warn and advise” clients of the potential risks/threats of cyberattacks, and the list goes on.

It’s important for CPA firms to understand that it’s not a question of “if” they’ll be attacked, but “when.” Here is some guidance CPA firms can use to better prepare for their next cyberattack.

Cybersecurity Trends: Understand Your Risks

There are two common cybersecurity risks that occur in CPA firms today: social engineering attacks that trick users into inadvertently providing access, and security misconfigurations that are often just human error.

Social engineering is one of the most dangerous types of cybersecurity threats to a CPA firm given the type of information that firms gather and store. One of the more widespread social engineering schemes is phishing—where information in an email attempts to convince a user that the email is from a legitimate source and the user needs to respond to the request by clicking on a link.

To illustrate some of these risks, consider the following scenarios.

Scenario 1: Client hacked; CPA firm initiated fraudulent wire transfers: A client of a CPA firm was hacked and the hacker penetrated and commandeered the client’s email account. The hacker emailed several requests to the CPA firm to wire funds to a new account—a classic man-in-the-middle attack. After receipt of each request, the employee of the CPA firm emailed the “client” to verify the wire transfer instructions. With full control of the client’s email account, the hacker was able to reply to the CPA firm and “confirm” the instructions, which directed the payments to the hacker’s own overseas bank account.

This scenario is all too familiar. These fraudulent wire transfer requests frequently cause large dollar losses, which aren’t usually recoverable. Domestic banks aren’t always helpful in preventing fraudulent transfers, as laws often limit their risk exposures and enable them to deny responsibility.

With the increased number of claims related to fraudulent wire transfers, a best practice in the absence of any written protocols to the contrary would be to verbally confirm all wire transfer requests with your clients to minimize risk.

Scenario 2: Ransomware; cyber extortion: An employee of a CPA firm opened an unsolicited email attachment that immediately downloaded ransomware onto the firm’s computer system. The employee noticed that file names were rapidly being changed to “Needs Decrypting.” The employee promptly turned off and rebooted the computer, but the virus had already spread to all the firm’s servers, and all files were encrypted. The employee reported the incident to the firm’s managing partner. An attorney was engaged to assist the firm and worked with an IT forensics expert under the direction of the attorney, so that the investigation would be protected by attorney-client privilege. Once it was determined that a breach occurred, the firm complied with applicable state and federal laws and the breach was reported to law enforcement.

Ransomware and cyber extortion represent malicious types of hacker attacks, and firms of all sizes have been victimized. Attackers sneak into computer systems, encrypt files, and demand a ransom before decrypting them. A major problem is that hackers don’t always decrypt files even after the ransom is paid. In fact, recent statistics show that only 8% of businesses who pay a ransom get all their data back.
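The tell-tale sign in Scenario 2 was an employee noticing file names being rewritten faster than any person works. That observation can be automated. The following is an added example, not code from the article or from CAMICO: a small detector that watches a stream of file-system events and raises an alert when a single workstation performs an unusual burst of renames within a short window, with a second signal for a large share of renames landing on one new suffix. The event format, hostnames, paths and the `.needs_decrypting` suffix are all constructed for illustration; a real deployment would feed it events from an EDR agent or file audit log.

```python
"""Detect ransomware-style mass renames in a stream of file events.

Added example: this is not code from the article or from CAMICO.
The event format, hostnames, paths and the rename suffix below are all
constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float          # seconds since epoch
    host: str
    op: str            # "create", "modify", "rename", "delete"
    path: str
    new_path: str = "" # populated only for "rename"


def detect_mass_rename(events, window_seconds=10.0, threshold=20):
    """Return one alert per host whose rename count inside any sliding
    window of `window_seconds` reaches `threshold`.

    Each alert is (host, first_ts_in_window, count, sample_new_path).
    A host is reported once, at the moment the threshold is first crossed.
    """
    recent = defaultdict(deque)   # host -> deque of (ts, new_path) renames
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op != "rename":
            continue
        q = recent[ev.host]
        q.append((ev.ts, ev.new_path))
        # Drop renames that have aged out of the sliding window.
        while q and ev.ts - q[0][0] > window_seconds:
            q.popleft()
        if len(q) >= threshold and ev.host not in alerted:
            alerted.add(ev.host)
            alerts.append((ev.host, q[0][0], len(q), ev.new_path))
    return alerts


def common_suffix_ratio(events, host, suffix):
    """Fraction of a host's renames whose new name ends with `suffix`.

    A second signal: legitimate renames rarely all converge on one new
    extension, while encryption routines usually append a fixed marker.
    """
    renames = [e for e in events if e.host == host and e.op == "rename"]
    if not renames:
        return 0.0
    hits = sum(1 for e in renames if e.new_path.endswith(suffix))
    return hits / len(renames)


def build_sample_events():
    """Constructed sample: ordinary editing on 'ws-accounting-01' and an
    encryption burst on 'ws-tax-07' where 30 client files are renamed
    within about four seconds."""
    events = []
    base = 1_700_000_000.0
    # Normal activity: a few saves and one rename spread over five minutes.
    for i in range(5):
        events.append(FileEvent(base + i * 60, "ws-accounting-01", "modify",
                                f"/clients/acme/1040_{i}.pdf"))
    events.append(FileEvent(base + 120, "ws-accounting-01", "rename",
                            "/clients/acme/draft.xlsx", "/clients/acme/final.xlsx"))
    # Burst: every file renamed to a constructed ransom suffix, ~8 per second.
    for i in range(30):
        events.append(FileEvent(base + 300 + i * 0.13, "ws-tax-07", "rename",
                                f"/clients/beta/return_{i}.pdf",
                                f"/clients/beta/return_{i}.pdf.needs_decrypting"))
    return events


if __name__ == "__main__":
    evs = build_sample_events()
    for host, start, count, sample in detect_mass_rename(evs):
        ratio = common_suffix_ratio(evs, host, ".needs_decrypting")
        print(f"ALERT host={host} renames={count} in window starting {start:.0f} "
              f"({ratio:.0%} share one new suffix), e.g. {sample}")
```

The threshold and window are deliberately tunable: a document management migration will also rename many files, so the value that separates normal work from an encryption run has to be measured on the firm's own baseline. The practical response to an alert is the one the scenario describes in reverse order: isolate the machine from the network first, then power it down, so the spread to file servers is cut off before the forensic work starts.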

The Human Element

Cyber threats are not just an “IT problem.” The number one root cause of cyber breaches continues to be the “human element” (i.e., people). People are considered by many experts to be the weakest security link. In fact, according to the 2021 Verizon Data Breach Investigations Report, 85% of breaches involved a human element.

Here are some best practices to consider when addressing the human element of data security:

  • Hold cybersecurity awareness trainings: During the trainings, consider sharing real-life examples with staff of actual and potential scam emails received by members of your firm to heighten awareness of the nature and types of scams that pose threats to your firm. Also, consider reviewing the firm’s existing protocols and infrastructure with staff (refer to the firm’s written security plan). This reinforces the firm’s commitment to taking appropriate cybersecurity precautions and keeps all employees aware of any changes the firm has made.
  • Use multi-factor authentication: This can add an extra level of security to prevent an account hack, especially when employees work remotely.
  • Change and strengthen passwords frequently: Systems are only as secure as the passwords used by people to access those systems.
  • Require regular data backups: By encouraging employees to regularly back up their data, you can prevent data loss when disaster strikes. While this may be a hard policy to enforce while employees work remotely, it remains a best practice. In many instances, devices can be set to back up to the cloud automatically. When relying on cloud storage, remember that ransomware can also reach files that are synced to cloud services. Any data stored in the cloud should also be backed up to an external hard drive from time to time. Data backups ensure that a business can continue to operate, even if resources are taken offline by a ransomware attack.
  • Maintain strong cyber hygiene: Reinforce cyber protocols to be followed when employees work in the office and remotely (e.g., machine use restrictions, Wi-Fi passwords, VPN, firewalls, etc.).
  • Turn off computers when not in use: Remind all employees of the importance of powering down computers when not in use. Computers aren’t accessible to attacks or intrusions when powered off.

Although people may be viewed as the weakest security link, with proper training and strict adherence to firm-wide protocols, firms can and should consider their people as the first line of defense against cyber threats. And given the shift to a more remote/hybrid workplace model in response to the pandemic, implementing these best practices to address the “human element” has become more critical than ever before.

Suzanne M. Holl, CPA, is senior vice president of Loss Prevention Services with CAMICO. With almost 30 years of experience in accounting, she draws on her Big Four public accounting and private industry background to provide CAMICO’s policyholders with information on a wide variety of loss prevention and accounting issues.
