Some tax preparers may not be aware that all tax professionals with preparer tax identification numbers (PTINs) are required to affirm that their organization has a “written security plan in place” to protect their clients’ data. This was mandated by the IRS and was also the focus of its Security Summit partners, which created checklists to assist in protecting data in response to escalating cybercrime against tax practitioners. For example, since 2014, reported data breaches of CPA firms have increased by over 80%, and, since 2018, the portion of breaches that include ransomware or extortion has risen to over 40%. However, less than 1% of cybercrime results in arrest and prosecution, according to the Third Way Cyber Enforcement Initiative.

Today’s cybersecurity threats and vulnerabilities generally have several characteristics:

• A cybersecurity breach is very costly to both clients and the CPA firm. Forensic discovery, remediation, determination of exfiltration of data, reporting requirements, and cost of outside counsel to protect the CPA firm’s litigation exposure will typically cost $70,000 to $300,000, in the experience of clients of the cybersecurity company of one of the authors. Cyber insurance can cover some of these costs but not nearly all of them.
• Depending on the size of the breach, state and federal reporting and credit monitoring requirements could cost an additional $100,000 to $300,000, in the author’s clients’ experience.
• Some breaches involve ransomware, which is a type of malicious software designed to deny access to a firm’s system or data until a ransom is paid. Ransom amounts have generally ranged between $100,000 for a small firm to $2.6 million for a large firm. Further, paying the ransom does not guarantee that the firm’s computer systems will be recoverable and operable (beyond the cybersecurity remediation efforts) without the significant efforts of an outside remediation team, possibly costing tens of thousands of dollars more.
• An intangible cost of the loss of clients as a result of the breach is difficult to calculate.
• Extortion based on client-sensitive or firm-sensitive data is the new twist to a breach. Such extortion attempts may threaten retaliatory disclosure of client or company data on the internet, the value of which may be over $2 million per incident in one author’s company’s client experience.

Updating passwords, training to avoid email phishing, and periodically reviewing where the data resides and who has access to it are good steps, but by themselves are insufficient to protect the CPA firm’s computer systems, client data, firm-sensitive data, and reputation. In this environment, it is best to plan around these working assumptions:

• If a CPA firm is targeted, it will be hacked;
• A firm might not prevent a cybersecurity breach, but it can reduce the costs of one;
• Since a firm cannot prevent a system breach, it must protect the data; and
• Knowing what happened and how will reduce the cost of the breach significantly and allow a quick evaluation of the breach’s extent and the firm’s reporting requirements.

In 2017, President Donald Trump issued Executive Order 13800 on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. With the dramatic increase in cyberattacks and breaches, many businesses are forced to review how they can reduce enterprise risk. To help them do this, the National Institute of Standards and Technology (NIST) developed The Framework for Improving Critical Infrastructure Cybersecurity. This structure aids a discussion of moving management of cyber systems from relying on reactionary measures to proactively enhancing enterprise security and mitigating risk.

The NIST framework includes five functions: identify, protect, detect, respond, and recover:

• Identify:To review and document recommended changes to current standards and practices, the current governance model, the risk assessment/management framework, and the supply chain risk management protocols.
• Protect: To review and recommend opportunities to increase education and public awareness of the most prevalent threat vectors and what personnel recourse may be needed to assist in training, identity management, and protective measures.
• Detect: To investigate opportunities for centralized security capabilities, such as a cybersecurity operations center, and investigate opportunities for increased partnerships and current coordination practices.
• Respond:To address who will respond, what is vetted with a (full-scale) incident response, and to review statutory requirements and proper notification using incident management procedures.
• Recover: To have a plan to recover from a breach through strong procedures and current practices while auditing the issue and communicating the recovery with a long-term mitigation strategy.

Although the NIST recommendations provide a basis for implementing cybersecurity changes that reduce vulnerabilities, threats, impact, and probability, implementing this framework could be a continuous struggle. Cybercrime has progressed beyond the early days when thieves filed fraudulent tax returns for deceased persons and underage children who would not normally be filing. Then, the IRS built various filters to help automate the process for an additional review protocol for refunds. As a result, many potential fraudulent refund filings have been caught, saving taxpayers millions of dollars. Additionally, to increase protection of IRS data, the Service developed additional procedures to enhance security of access to such sensitive information as taxpayer transcripts and login procedures to e-services.

Similarly, CPA firms need to protect against the sale of their server access and client information on the dark web to the highest bidder, which has happened to more than 250,000 U.S. servers of various businesses, allowing fraudulent tax returns to be processed through a firm’s tax software without its knowledge. (For a thorough discussion of steps to take with the IRS in cases of business identity theft, see “Business Identity Theft Poses Continuing Challenges,” also in this issue.) Many firms are targeted, or “pinged,” several thousand times daily by thieves looking for penetration opportunities. As CPA firms provide critical services with sensitive data, it is absolutely imperative that they take proactive steps to protect client information and stay vigilant in their efforts to maintain a safe environment for their business and their clients.

Per IRS Tax Tip 2019-119, this begins with creating a data security plan to protect sensitive data in their offices and on their computers. Each plan should be tailored for each specific office and should consider the company’s size, the nature of its activities, and the sensitivity of its client information. This plan should:

• Include the names of all information security program managers;
• Identify all risks to customer information;
• Evaluate risks and current safety measures;
• Design a program to protect data;
• Put the data protection program in place; and
• Regularly monitor and test the program.

Selecting a service provider

Companies should have a written contract with their service provider requiring the provider to maintain appropriate safety measures, oversee the handling of customer information reviews, and revise the security program as needed.

For tax practitioners, that security plan should include knowing if their information technology (IT) provider understands and can implement the necessary cybersecurity measures to protect them and their clients.

In addition to creating and implementing a cybersecurity plan, firms can mitigate any subsequent disasters if they work with their IT provider to:

• Encrypt client and firm data while it is not being processed but is on a data storage device “at rest.” If an encrypted computer system is breached, any data that is exfiltrated remains encrypted and might not require certain notification and credit monitoring services. Encrypting client and company data also reduces the risk of extortion.
• Back up data at least daily. Backups should be maintained on devices disconnected from the network so that if the network is hacked and ransomware demanded, the backed-up data will not also be at risk. Local backups are recommended because, depending on how cloud- or web-based backups are performed, they may also open themselves to ransomware attacks.
• Ensure that the firm’s IT provider is maintaining system activity, security, and operations logs for at least 90 days. This includes firewall logs, anti-virus and anti-malware activity logs, and aggregate logging of email activity to include logs for email protection systems such as Proofpoint. A review of the logging activity after a breach helps determine if the breach was detected and contained and if any reporting or remediation is required. Proper logging and maintenance of logs can significantly reduce recovery and remediation costs.
• If the IT provider cannot demonstrate a knowledge of these issues and show you how they are addressing them, you need to hire another provider.
• Ensure that the IT service provider documents, implements, and signs off on all relative cybersecurity patches and upgrades to the firm’s enterprise network. Perform a cybersecurity audit that includes at least the items listed above. The audit should also provide a list of vulnerabilities in order of severity, suggested remediations, and associated costs and the time frame to successfully implement the remediations. A satisfactory quick audit may typically cost $12,000 to $40,000, depending on the size of the firm and its current cybersecurity posture. This is far less expensive than the cost of a breach.

Several additional sources of information are available for CPAs, including IRS Publication 4557, Safeguarding Taxpayer Data (available at www.irs.gov; the NIST’s Small Business Information Security: The Fundamentals (available at nvlpubs.nist.gov; and IRS Publication 5293, Protect Your Clients; Protect Yourself: Data Security Resource Guide for Tax Professionals (available at www.irs.gov.

The AICPA also has several resources to assist member firms, including many articles that focus on cybersecurity and include checklists. These can be found at aicpa.org. For firms that have not yet begun a plan, the time to do so is now.