There appears to be a new cybersecurity story in the news every day, from attacks on major infrastructure to small companies being held for ransom. It should therefore surprise no one that CAMICO is also seeing an uptick in the number of cyber-related claims impacting CPA firms, and, unfortunately, the severity of these cybercrimes and ransomware attacks has grown in recent years.
As you would expect, first-party cyber exposures (damages experienced by the CPA firm) have become increasingly problematic, because cyber criminals target CPA firms and tax professionals with greater frequency given the abundance of client data found on the firms’ computers. If they succeed in gaining access to the firm’s information, the firm may face costly measures including, but not limited to, hiring IT forensic experts to determine the extent of the breach, consulting with attorneys specializing in data breach laws and notification obligations, and providing credit monitoring to those affected by the breach.
What may be surprising to some CPAs, however, is the increase in third-party cyber exposures impacting firms. These situations often arise when a client has been hacked: once inside the client’s computer system, the hacker can cause all manner of losses for which the CPA firm may be blamed, in part or in whole. Unfortunately, many of these tend to be high-dollar claims against the CPA firm. They typically include allegations such as failure to detect the red flags in communications sent by the hacker, falling below the standard of care by initiating wire transfers (later determined to be fraudulent) without “proper” client authorization, failure to “warn and advise” clients of the potential risks/threats of cyberattacks, and so on.
It is also possible that a single cyber incident may give rise to both the first-party damages suffered by the firm and damages allegedly suffered by others that blame the firm (third-party losses). For more information on the different types of cyber exposures that could impact CPA firms, refer to CAMICO’s article Understanding First-Party and Third-Party Cyber Exposures.
The Human Element
It is important for CPA firms to understand that cyber threats are not just an “IT problem,” as the number one root cause of cyber breaches continues to be the “human element.” People are considered by many experts to be the weakest security link and according to the 2021 Verizon Data Breach Investigations Report, 85% of breaches involved a human element.
Although people may be viewed as the weakest security link, CAMICO believes that with proper training and strict adherence to firm-wide protocols, firms can and should consider their people the first line of defense against cyber threats. For example, cybersecurity awareness education and training can help minimize innocent mistakes by people who fall prey to seemingly legitimate emails that fool them into clicking malicious links, alter employee risk behaviors and, hopefully, create a sense of shared accountability. Although it may not seem obvious, employees want to know what to do to assist in data security but often lack the necessary knowledge and skills.
Given the recent shift to a more hybrid workplace model in response to the pandemic, security practices to address the “human element” become even more critical. Firms need to have a robust cybersecurity strategy that is largely people-driven and integrated with technology to support a hybrid workplace model. With these mechanisms in place to address and mitigate the root cause of many breaches for true “cybersecurity preparedness,” firms can significantly reduce the risk of a cybersecurity incident. See CAMICO’s Cyber Best Practices for Remote Work for more on this topic.
Cyber Claims Trends
Most cyberattacks that take place with CPA firms today take advantage of two common cybersecurity risks: social engineering attacks that trick users into inadvertently providing access, and security misconfigurations that are often just human error.
Social engineering is, of course, one of the most dangerous types of cybersecurity threats to CPA firms given the type of information that firms gather and store. “Phishing” is one of the more widespread social engineering schemes: an email is crafted to convince the user that it comes from a legitimate source and that the user needs to respond to the request by clicking on a link. As employees are the most common entry point for phishing attacks, a firm’s best protection against social engineering attempts is to continuously raise staff awareness of the importance of vigilance and enhanced skepticism with every email and online interaction.
Consider the following scenarios from the CAMICO claims files, which unfortunately are becoming all too familiar for CPA firms:
Scenario #1: Client hacked; CPA firm initiated fraudulent wire-transfers
A client of the CPA firm was hacked, and the hacker penetrated and commandeered the client’s email account. The hacker emailed several requests to the CPA firm to wire funds to a new account – a classic “man in the middle” attack. After receipt of each request, the employee of the CPA firm emailed the client to verify the wire transfer instructions. With full control of the client’s email account, the hacker was able to respond to the CPA firm and “verify” the veracity of the payments to the hacker’s own overseas bank account.
The above scenario is all too familiar for CAMICO, as we are seeing a significant rise in fraudulent email requests to CPA firms, and these fraudulent wire transfer requests frequently cause large-dollar losses. If the fraudster is controlling the client’s email, and the fraudulent request mimics previous legitimate requests, it is often very difficult for the firm to identify illegitimate requests. When the fraud is discovered after the transfer, the funds are usually not recoverable. Domestic banks are not always helpful in preventing fraudulent transfers, as laws often limit their risk exposures and enable them to deny responsibility.
With the increased number of claims related to fraudulent wire transfers, best practice in the absence of any written protocols to the contrary would be to verbally confirm ALL wire transfer requests with these clients to minimize risk. Additional loss prevention guidance to minimize fraudulent wire transfer exposure can be found in Avoiding Social Engineering Scams/Fraudulent Wire Transfers.
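The following is an added example, not CAMICO’s code, showing how the control described above can be written down as a checkable rule: the firm only acts on a wire request after a verbal callback to the phone number already on file, never after a reply in the same email thread the hacker controls. All class and field names are hypothetical, and the client record and requests are constructed sample data.

```python
# Added example (not CAMICO's code): a wire-request control modelled on Scenario #1.
from dataclasses import dataclass
from typing import Optional, List, Tuple

@dataclass(frozen=True)
class ClientRecord:
    name: str
    phone_on_file: str            # captured at onboarding, never taken from an email
    known_accounts: frozenset     # beneficiary accounts this client has used before
    home_country: str

@dataclass(frozen=True)
class WireRequest:
    client: str
    beneficiary_account: str
    beneficiary_country: str
    phone_in_email: Optional[str]  # callback number the email itself offers, if any

@dataclass(frozen=True)
class Confirmation:
    channel: str                   # "phone" (verbal) or "email" (reply in the thread)
    number_dialed: Optional[str] = None

def red_flags(req: WireRequest, client: ClientRecord) -> List[str]:
    """Indicators a reviewer should notice before acting on the request."""
    flags = []
    if req.beneficiary_account not in client.known_accounts:
        flags.append("new beneficiary account")
    if req.beneficiary_country != client.home_country:
        flags.append("overseas beneficiary")
    if req.phone_in_email and req.phone_in_email != client.phone_on_file:
        flags.append("email offers a callback number that differs from the number on file")
    return flags

def approve_wire(req: WireRequest, client: ClientRecord, conf: Confirmation) -> Tuple[bool, str]:
    """Return (approved, reason). A verbal callback to the number on file is mandatory."""
    if conf.channel != "phone":
        return False, "confirmation came over email, the channel the attacker controls"
    if conf.number_dialed != client.phone_on_file:
        return False, "callback did not go to the phone number on file"
    flags = red_flags(req, client)
    if flags:
        return True, "approved after callback; escalate for second sign-off: " + "; ".join(flags)
    return True, "approved after callback to number on file"
```

In Scenario #1 the employee’s email verification would fail the first check, and a callback to a number supplied in the hacker’s email would fail the second.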
Scenario #2: Ransomware; cyber extortion
An employee of a CPA firm opened an unsolicited email attachment that immediately downloaded ransomware onto the firm’s computer system. The employee noticed that file names were rapidly being changed to “Needs Decrypting.” The employee promptly turned off and rebooted the computer, but the virus had already spread to all the firm’s servers, and all files were encrypted. The employee reported the incident to the firm’s managing partner. An attorney was engaged to assist the firm, and an IT forensics expert worked under the attorney’s direction so that the investigation would be protected by attorney-client privilege. Once it was determined that a breach had occurred, the firm complied with applicable state and federal laws and the breach was reported to law enforcement.
Ransomware and cyber extortion represent malicious types of hacker attacks and firms of all sizes have been victimized. They sneak into computer systems, encrypt files, and demand ransom before decrypting files. A major problem is that ransomware does not always decrypt files even after ransom is paid.
Ransom demands have risen in recent years, and it is not unusual to see them range from a few thousand dollars to several hundred thousand dollars. Some ransomware attacks rely on software that now has known fixes, so a solution might be found online. Other ransom attacks are more advanced and have no known fixes, other than the victim retrieving and relying on the latest backup files. According to a recent statistic, only 8% of businesses who pay a ransom get back “all” their data. Therefore, being prepared and taking precautions against cyber risk exposures such as ransomware is essential.
Scenario #3: Virus downloaded; fraudulent tax returns filed
A CPA firm was notified by its online tax service provider of an issue with some of its e-filed returns. In researching the issue, the firm noticed that bank account numbers had been changed on the returns and that the firm’s identification number had been used to electronically file more than 40 fraudulent tax returns. An IT forensics firm was hired to restore the systems and determine the scope of the breach. Forensic work determined that a firm employee had unknowingly downloaded a virus onto one of the firm’s computers. Legal counsel was hired to assist the firm with notifying affected clients, and those clients were provided with credit monitoring.
This is a common cyber breach scenario for CPAs as nefarious hackers have many ways of exploiting firms facing tax filing deadlines, especially when firms have outdated tax software, vulnerable email systems, or inattentive employees. Firms need to ensure that all software has the latest security options/patches and prioritize employee awareness training in order to help protect against malware, viruses, and hacker attacks.
Has your firm prepared for a cyber incident?
Remember, it is not “if” you will be attacked, but “when.”
The weakest link in most cybersecurity attacks today is the human element, so it is important to remember that your firm employees are a vital line of defense. Take action now to arm your employees with education, awareness, and reminders, so that they can make informed decisions about what they click.
Although not meant to be all-inclusive, the following additional basic best practice measures are extremely important when addressing the human element of data security:
- Cybersecurity awareness training: As employees are the most common entry point for phishing attacks, a firm’s best protection against social engineering attempts is to make continuous efforts to raise staff awareness of the importance of vigilance and enhanced skepticism with every email and online interaction. Education can come in many different forms, both formal and informal. Consider sharing “real-life” examples with the staff of actual and potential scam emails received by members of your firm, to heighten awareness of the nature and types of scams that pose threats to your firm. As part of the firm-wide cybersecurity awareness training, consider reviewing the firm’s existing protocols and infrastructure (refer to the firm’s written security plan) that supports the firm’s commitment to taking appropriate cybersecurity precautions so that all employees are aware and updated if any changes have been made by the firm. If your firm does not yet have a written security plan in place or you are in the process of updating your document, refer to CAMICO’s Information (Data) Security Plan template. The template can be found on the Cyber/Data Security Resource Center on the CAMICO Members-Only Site. Raising the cybersecurity IQ of all employees will help tremendously in guarding against a breach and will minimize your firm’s potential exposure as employees will be better able to recognize social engineering attempts and understand the importance of guarding their login/authentication credentials both in the office and at home. To be of ultimate value, it is important for firms to commit to the motto of continuous education because the threat landscape doesn’t just stop evolving when your employees’ cybersecurity training is done.
- Use multi-factor authentication: This can add an extra level of security to prevent an account hack, especially when employees work remotely.
- Change and strengthen passwords frequently: Systems are only as secure as the passwords used by people to access those systems.
- Require regular data backups: By encouraging employees to regularly back up their data, you can prevent data loss when disaster strikes. While this may be a hard policy to enforce while employees work remotely, it remains a best practice. In many instances, devices can be set to back up to the cloud automatically. When relying on cloud storage, remember that ransomware can take control of cloud services. Any data stored in the cloud should also be backed up to an external hard drive from time to time. Data backups ensure that a business can continue to operate, even if resources are taken offline by a ransomware attack.
- Maintain strong cyber hygiene: Reinforce cyber protocols to be followed when employees enjoy the hybrid work model permitting them to work in the office and remotely (e.g., machine use restrictions, WiFi passwords, VPN, firewalls, etc.).
- Remind all employees of the importance of powering down computers when not in use: Computers are not accessible to attacks or intrusions when powered off.
Additional CAMICO Resources
Additional risk management guidance and information on this topic is available on the Members-Only Site under CAMICO’s Cyber/Data Security Resource Center. CAMICO policyholders with questions regarding this communication or other risk management questions should contact the Loss Prevention department at firstname.lastname@example.org, or call our advice hotline at 800.652.1772 and ask to speak with a Loss Prevention Specialist.