The bad news:
- Many professionals (CPAs included) don’t believe that a data breach or cyber-attack will happen to them. Some firms regard themselves as being too small to attract hackers, resulting in the firm being unprepared for a cyber incident. A hacker or ransomware attack can put the firm at the mercy of someone whose top priority is stealing or extorting money; or, the firm may suffer unnecessarily prolonged setbacks and expense once an event occurs. As cyber-fraudsters become more sophisticated and formidable in their attacks, firms need to be more prepared.
- In an increasingly connected world, cyber issues are becoming common for all organizations, including CPA firms. The number of confirmed data breaches across all organizations has been climbing. The Identity Theft Resource Center reported 781 U.S. data breaches in 2015 after a record-setting 783 breaches in 2014. These figures are up from 421 breaches in 2011. Verizon’s Data Breach Investigations Report tracks breaches each year in 82 countries. There were 1,367 in 2013; 2,100 in 2014; and 3,141 in 2015 — a 230 percent increase in two years. This increase in frequency also has an impact on how organizations should respond to breaches.
The good news:
- Expertise and resources are available to help avoid or mitigate the damages and aftermath of an attack or breach, including ways to minimize and repair damage to assets such as data, work products, reputation, and brand value. Cyber insurance coverage should include risk and legal advisory services to guide investigations, to ensure compliance with applicable laws, and to protect confidential communications and information. Accordingly, CAMICO works with cyber and breach specialists to provide specialized cyber expertise and resources as part of our cyber coverages. (See sidebar on "First- and Third-Party Cyber Coverage from CAMICO.")
- CAMICO continuously studies its claims experience, including recent claims stemming from cyber risk exposures. The following summarizes the major types of cyber claims being reported, the red flags that often precede them, and loss prevention tips.
Fraudulent Wire Transfers
Recent large claims have carried substantial third-party exposure, ranging from $250,000 to $900,000. The claims generally involve CPA firms with authority over client funds in order to provide business management or bill-paying services, including wire transfers for high net worth clients.
A fraudulent email request for a wire transfer will arrive and may resemble prior legitimate requests for transfers. The transfers are often made to a bank in a foreign country or through a U.S. bank to a foreign bank. When the fraud is discovered after the transfer, the funds are usually not recoverable. Domestic banks are not always helpful in preventing fraudulent transfers, as laws tend to limit their risk exposures and enable them to deny responsibility.
CPA and client email accounts are sometimes commandeered by a hacker who inserts a link or an extra step into an email message, asking for a password to be entered or changed, thereby enabling the hacker to take control over email messages. If the hacker has control over both the CPA’s and the client’s email accounts, it can be difficult to figure out that communications are being manipulated.
A phishing scheme may also appear to be from a legitimate source, only to trick the user into performing an action such as clicking a link or opening a document, enabling malware to be installed, or allowing a hacker to access email and to send messages perpetrating a scheme. Hackers can also divert legitimate messages from being sent. Services that convert voicemail messages into email messages can also be commandeered by hackers to perpetrate schemes.
Phishing schemes may also target information such as W-2 forms in order to access employee Social Security numbers or credit card information. (See War Story 107 in this issue of IMPACT.) The information can then be sold or used in attacks against the employees’ own personal computers, credit card, and other accounts.
Loss Prevention Tips
Avoid getting lulled into a sense of comfort with email and other communications. Be suspicious if asked to do anything out of the ordinary or routine. A fake email address can be disguised as a legitimate email address by being off by one character (e.g., “businesware.com” vs. “businessware.com”). By hovering your mouse over a link, without clicking it, you can check the website address. If the address is for a different website, that’s a red flag, as is a misspelled link.
Messages may contain broken English inconsistent with language used by the client. A new bank account receiving the funds is often a red flag, especially if the new account is in another country.
Beware of any wire transfer requests made via email and proceed with the wire only after verbally confirming with the client that they want the wire to proceed and in accordance with the directions in the email. This includes, but is not limited to, confirming the dollar amounts, the name of the financial institution, and the actual bank account number. Call senders to verify email or attachments before you open them. Another way to verify transfers is to confirm information that only the client would know and a hacker would not. Consider using both methods to confirm the authenticity of the request.
General risk management guidance for firms that have authority over client funds is provided in the CAMICO article, “When Client Funds Disappear from CPA Firms.”
Firms of all sizes continue to be plagued by ransomware, which enters computer systems via a clicked hyperlink or attachment, or a typed password. Ransomware encrypts all files and demands the payment of ransom to decrypt the files. A major problem is that paying the ransom is no guarantee that the cybercriminal will actually decrypt the files.
Ransom demands range from a few hundred dollars to several thousand, depending on the perceived ability of the victim to pay. Some attacks rely on software that now has known fixes, so a solution might be found online. Other ransomware are technically advanced and have no known fixes, other than the victim retrieving and relying on the latest backup files.
Loss Prevention Tips
Ransomware may enter a computer system via innocuous-looking MS Word, Excel and PDF documents attached to an email, so any attachments or hyperlinks within the attachments should be not be opened or clicked if the documents were not specifically sought by you. Instructions to “enable macros” or “enable content” should not be followed. Unusual requests for passwords are also suspect.
Attacks may appear to come from someone familiar or a trusted source as part of a social engineering scheme. Scheduled events, travel plans, or user interests can be used to create what looks like a legitimate document, employing logos and brands to deceive users into opening a document, or clicking a link.
Institute a policy to frequently backup files you cannot afford to lose. Some ransomware even seeks out backup copies of files, so creating multiple backups in different locations is a good practice. Cloud services, or remote backup services, and external or USB hard drives are options to consider for multiple backups. Use encryption to protect any sensitive information about your firm and clients. Backups are extremely valuable after extreme events such as a fires, flood or other disasters.
If personally identifiable information (PII) such as Social Security numbers is involved in a breach, the firm may need a professional risk assessment to determine its legal reporting responsibilities.
Losses are better avoided by creating user awareness and training everyone in the firm to be cautious about unsolicited or questionable attachments, hyperlinks or requests.
Disgruntled employees have long been a source of embezzlement and other fraud-related claims. Employees who hold grudges against their employers—whether or not justified—are more likely to commit occupational fraud and abuse, so it’s not surprising that employees with computer expertise have committed cybercrimes against their employers.
Cases have involved employees programming illegitimate access for themselves into employer computer systems, exporting confidential information in order to threaten their employers in attempts to preserve their jobs or extort money. The results are usually discovered by forensic analyses.
Loss Prevention Tips
Background checks may reveal unfavorable issues about potential employees. If so, speak with a risk management adviser about your options.
Automation controls include:
- Strictly defined user permissions and restrictions so that users have only the program and system rights and access they need—the “least privilege” concept. The same applies to administrators, who should be logged in as an administrator only as long as is necessary. Excessive rights and activities can also allow fraudsters and malware to cause greater harm and losses.
- Access to personnel and vendor master file records should be password protected and restricted by job function.
- Log administrators and other users out of the system when the system is inactive.
- Computer systems should create an audit trail of all changes made to the vendor master file records, including an identification of those who made the changes.
- Changes to vendor master file records should require supporting documentation, supervisory approval, and independent review.
Basic Steps in Breach Preparedness
- Have a cyber-security expert (consultant or staff coordinator) test your computer and data security systems and evaluate their effectiveness in preventing a breach. A cyber expert will also help secure client/personal information stored with the firm or in the cloud, and while in transit inbound and outbound. In the event of an incident, the expert should be able to work with insurance and breach response services providers providing legal guidance, forensics, notification, data restoration, and other services.
- Have an incident response plan in place that responds quickly and professionally to an incident. If the response includes the notification of clients and other affected parties, these parties will be interested in identity theft assistance and credit monitoring. If they don’t receive a quick and professional response, prolonged anxiety can provoke negative sentiment about the firm and damage its reputation.
- Develop an information security plan. Some state regulations require such plans to be in writing. A plan should:
- satisfy state and/or federal regulations;
- facilitate the training of staff in policies, procedures, and potential threats;
- clarify how the safeguards work and how to monitor them to ensure that they are working;
- govern the flow of communications among the stakeholders (internal) and other organizations (e.g., insurance companies); and
- establish checklists and action items.
- Provide regular staff training to enhance awareness of potential threats. Training can make all the difference between the success or failure of fraud schemes. Some experts recommend adding a data breach simulation to the training schedule at least once per year. Others will test awareness by “inoculation” in which all users are sent benign phishing e-mail. Those who err are then educated on how to avoid the errors.
- Consider cyber insurance that includes risk and legal advisory services. An insurance policy by itself will not protect the firm as well as a policy that includes comprehensive risk management and response services.
More information and advice is available in the ID Theft/Data Security Resource Center on the CAMICO Members-Only Site. CAMICO policyholders with CyberCPA coverage also have access to the Cyber-Security website provided by CAMICO in partnership with NAS Insurance Services, also available on the CAMICO Members-Only Site (www.camico.com).
As always, CAMICO encourages policyholders to contact CAMICO with any questions at 1.800.652.1772.