CPA firms have become prime targets for identity thieves, with cyber-attacks and data breach incidents growing in frequency. Most people assume that hackers will go after larger firms, where there is more information of value to hackers. Yet the reality is that small to mid-size CPA firms are just as prone to attacks because of hackers’ perception that smaller firms are softer targets with weaker security systems.
Hackers have many ways of exploiting accountants, especially through outdated software and email systems. Safeguarding client data is critical. As the criminals’ efforts increase in sophistication, so do the number and scope of data breaches, which serve to further expand the network and warehousing of stolen and compromised identity information. This in turn increases the potential for stolen identity information to ultimately reverberate through the tax system.
In the first week of April 2017 alone, eight CAMICO policyholders reported data breaches that resulted in the filing of fraudulent income tax returns. To avoid becoming a cyber-attack statistic, it is critical to take steps to ensure that your firm has taken all reasonable measures to protect itself against hackers.
- Does your firm backup all important data and information frequently? Regular backups reduce the likelihood that critical data is lost in the event of a cyber-attack or physical incident such as a fire or flood.
- Are your employees required to complete regular cyber security awareness training? Firms might not invest in the cyber security awareness training necessary to educate their employees on ever-present dangers, such as clicking on links or attachments found in emails, downloading malware through insecure websites or social media, or responding to requests for information from socially-engineered emails designed to scare people and exploit their desire for a good deal.
- Have you implemented the “least privilege” concept of user permissions? (In other words, giving people the lowest level of user rights that they can have and still do their jobs.)
- Do site administrators log out of systems and programs immediately after they have completed their tasks? Excessive rights and activities permit malware to cause more harm and result in greater data losses.
- Have you had a cybersecurity expert test and evaluate your firm’s systems? Experts familiar with the firm’s systems can work with insurance and breach response service providers to reduce damages from breaches, minimize the cost to address the problems, and enable the firm to recover sooner.
If you answered NO
to any of the preceding questions, your firm may be at the mercy of hackers. Now is the time to take the necessary risk management steps to prepare and safeguard your firm before you become a cyber-attack statistic.
CAMICO Cyber Claims Scenarios
The following are recent cyber claim scenarios that impacted CPA firms. These scenarios illustrate the value of the services available to respond to covered cyber incidents:
Scenario #1: Hacker breaches client base, notifications required
The CPA firm’s computer network was hacked by an outside source, partly because of a weak password and a firewall that was not fully functioning. An IT forensic firm was contacted to determine the scope of the breach, how many and which clients were affected. Forensics concluded that there was a high probability that the entire client base was affected. The CPA firm decided to notify their entire client base regarding the breach. Legal counsel was engaged to help determine the requirements for notifying clients and preparing letters, as the affected clients resided in several states. A call center was set up by the insurer and notification letters were sent to all clients. The firm’s cyber coverage paid for the IT forensic costs, the client notifications, the call center fees, and the legal fees.
Scenario #2: Ransomware demand, decryption of files required
An employee of the CPA firm opened a file allegedly from one of their clients and immediately received a message from a hacker stating that all the firm’s files had been encrypted. The hacker demanded the firm pay a ransom in Bitcoin in order to receive the decryption key. The firm immediately contacted their IT personnel, who removed the virus from their system. However, all the files remained encrypted and inaccessible. An IT forensics vendor was retained to assist the CPA firm in paying the ransom, obtaining the decryption key, and restoring their files. Legal counsel was retained to assess whether notification to the firm’s clients was necessary. After forensic work was completed, no misuse of the encrypted information was uncovered, and no notification to the clients was deemed necessary. The firm’s cyber coverage paid for the ransom, IT costs to decrypt and restore files, and legal fees.
Scenario #3: Ransomware downloaded, files encrypted, client notifications required
An employee of the firm unknowingly opened a malicious attachment to an email that immediately downloaded ransomware onto the firm’s computer system. The firm noticed immediately that the file names were being changed to “Decrypt my File.” The virus spread quickly to all the firm’s servers, and all the files became encrypted. The firm contacted their IT department, deleted the encrypted files, and restored files from a backup. However, since the IT department had deleted the encrypted files, IT forensics was unable to determine whether the hacker had gained access to the personal information contained in the files. Legal counsel was engaged to determine whether the firm had any notice obligations. Since the firm could not determine whether information was accessed, counsel advised that federal regulation required the firm notify all clients. Notification letters were subsequently mailed to all the firm’s clients. Additionally, a PR firm was retained to assist with a required media notice. The firm’s cyber coverage paid for IT forensic costs, client notifications, credit monitoring, PR expenses, and legal fees.
Scenario #4: Virus downloaded, client information breached, notifications required
The firm was notified by their online tax service provider of an issue with some of their e-filed returns. In researching the issue, the firm noticed the bank account numbers were changed on the returns, and the firm’s EFIN was used to electronically file fraudulent tax returns. Information of 45 firm clients was used to file fraudulent returns. IT forensics was hired to restore their systems and determine the scope of the breach. Forensic work determined that the firm’s system received a virus that was unknowingly downloaded onto one of the firm’s computers and resulted in approximately 2,000 clients’ information being accessed. Legal counsel was hired to assist the firm in completing notifications to the affected clients, who were provided with credit monitoring, and the firm hired a PR firm to assist with a media release. The firm’s cyber coverage paid for IT costs, client notifications, credit monitoring, PR expenses, and legal fees.
Scenario #5: Trojan virus located, forensics and legal counsel engaged
Some clients informed the firm about notices they had received that their tax returns were fraudulently filed. Concerned about a potential breach in the firm’s systems, the firm’s IT department conducted a scan on their system and located a Trojan virus. An IT forensics firm was hired to complete a deeper analysis on the firm’s servers and to determine whether a breach had occurred, and if so, the scope of it. Legal counsel was hired to assist with determining whether any notifications were required. Upon completing the IT forensic work, it was determined that there was no breach of personal information of any clients and, therefore, no notification was required. Cyber coverage paid for the legal fees and the IT forensic costs.
Scenario #6: Hacker intercepts email, steals client’s tax refund
The firm received an email from a client advising that she and her spouse had never received their tax refund. When the firm reviewed their email correspondence, it was discovered that an email sent to the client was intercepted by a hacker, who had replied to the firm and advised it of a change in bank account routing numbers for the refund deposit. When the tax return was filed, the hacker received the refund. Legal counsel was hired to assist the firm in determining whether a breach of the firm’s computer system had occurred, and IT forensics was hired to investigate. The forensics specialist found no evidence of the systems being hacked. Cyber coverage paid for the IT forensic costs and the legal fees.
As the preceding scenarios illustrate, robust breach response services and procedures, and an effective risk management program, are more important than ever to assist firms in recovering from an incident. Remember, it is not “if” you will be attacked, but “when.”
. CAMICO policyholders with CyberCPA coverage also have access to the Cyber-Security website provided by CAMICO in partnership with NAS Insurance Services. The site is also accessible from the CAMICO Members-Only Site, under the Cyber-Security tab
Another resource for tax professionals includes the Security Summit, a partnership between the IRS, state tax agencies, and the private-sector tax industry. The Security Summit has launched a public campaign aimed at increasing awareness among tax professionals: Protect Your Clients; Protect Yourself, which includes a series of fact sheets and tips on security, scams and identity theft prevention measures aimed at tax professionals and steps they can take to protect client data and their businesses. CAMICO strongly encourages you to bookmark the IRS page https://www.irs.gov/individuals/protect-your-clients-protect-yourself
to keep up with the latest information and guidance to help you protect your clients.
You can also learn about how to protect your business at the ‘Up on Cyber’ 2017 Conference on the effects of cyber crime. All attendees earn 6 units of CPE credits, 8:00 a.m. to 1:00 p.m., on Friday, August 4, 2017, at the James West Alumni Center on the UCLA campus. You’ll have the opportunity to interact with cyber experts as they provide insights on how to prepare for, and defend against, cyber threats. To register, visit www.UpOnCyber.com
. The cost is $5.00, and all proceeds will benefit men and women in uniform.
For more information please contact CAMICO at 800.652.1772 / 650.378.6800, or email the Loss Prevention department at firstname.lastname@example.org