Cybersecurity has become an increasingly important topic in public consciousness. In past years, hackers have stolen vast amounts of consumers’ financial information and targeted national political parties. CPAs, like any group of professionals who handle confidential information, need to take steps to secure their clients’ data.
If something goes wrong, accountants need to be insured for expenses and damages from the data breach. Here are some of the reasons why.
Every accountant, no matter the size of their practice, needs cybersecurity—and not everyone has it.
Small accounting practices have, for a long time, been skeptical that they need to invest in a variety of software to provide comprehensive cybersecurity. Software upgrades can be expensive, and might come at the expense of other useful business investments. Small businesses always need to make choices between luxuries and essential items, and deciding which is more important may be difficult.
Recently, cybersecurity and liability protection against electronic security threats have become critical areas of need for accountants. For years, many small accounting practices justifiably thought that they were too insignificant for a hacker to exploit. “Why,” this thinking went, “would anyone try to take advantage of a three-CPA tax preparation practice when a Deloitte or PwC may have a lot more valuable resources to exploit?” Many of the largest breaches involve major retailers and financial service providers who are clearly a more appealing hacking target; the sheer amount of data large companies possess makes them more alluring than the local accountant’s office.
However, institutional companies have begun to realize their vulnerability and have installed much more layered and effective cybersecurity protections. Hackers working on their own or in small groups no longer have the resources to successfully attack such big targets. Instead, those hackers have begun to go after smaller firms as “soft” targets.
Hackers who target small accounting firms will look on Google Maps and Yelp to find local, independent accounting firms. They then scan selected small firms electronically to determine their vulnerabilities. More often than not, the small firms these hackers find vulnerable to cyberattacks are woefully underprepared for the resulting incident, and will be exposed to serious legal risk from clients whose personal information is suddenly in the wrong hands.
Hackers have many ways of exploiting accountants, especially through outdated software and email.
As hackers have realized, small businesses can be particularly vulnerable to attack. There are three main reasons.
First, email is not very secure. Everyone has learned as much through the email hacking incidents that targeted Sony Pictures and the Democratic National Committee. Consumer email products are easily exploited; their flaws are widely known because of major email services’ ubiquity.
Second, small businesses often have outdated, insecure software that can be exploited at the operating system level. Many small businesses still run operating systems such as Windows XP or Vista. Since Microsoft no longer creates security updates for these systems, hackers are on the lookout for office networks that use this software. Small businesses can reduce their risk by upgrading to newer, more secure operating systems.
Finally, social engineering is always a problem no matter what size firm you have. But small firms may not invest in the cybersecurity training necessary to educate their employees about the dangers of clicking on links found in emails, downloading malware through insecure websites on the internet or on social media, or responding to requests for information from socially engineered emails designed to scare a person or tap into their desire for a good deal.
Fortunately, it’s easy to deter hackers. Most hackers who target small businesses do so because the amount of time and effort required is minimal. Hacking into a machine that runs Windows XP or unpatched operating systems and does not have basic cybersecurity software is easy for an experienced hacker. The most important steps for a firm are to keep its software current with security updates, and install and run software that security experts recommend on a regular basis (Microsoft has “Patch Tuesday” every week). CAMICO’s experts are more than willing to refer policyholders to cybersecurity experts.
Another step CAMICO recommends is installing a secure client web portal which will archive and store all of your clients’ personal documents and data. It will also lower your staff’s administrative burden. There will be much less processing, sorting, and filing work for them to suffer through, and important electronic documents will be much harder to misplace in extended email threads. CAMICO can recommend a number of companies that provide excellent, secure web portal services.
Even if you’re not found liable for hacking attacks, you can still lose plenty in litigation without insurance.
Even if you’re careful about your clients’ data, you might still be held legally liable for any data loss from hacking. To that end, it’s critical to obtain a strong, well-designed insurance policy for cyberattacks. Your clients will try their best to recoup losses from hacking, and they’re unlikely to be able to do so from the hackers. Unfortunately, that means they might try to hold you accountable, even if you’re not at fault. Liability insurance is the best way to prevent that sort of scapegoating, and CAMICO is expert at defending CPAs in both cyber cases and lawsuits without merit.
Cyber insurance is now emerging, but defending against hackers and the fallout from their actions will only become more important for accounting professionals like you.