The Generally Accepted Accounting Principles (GAAP) that accountants use to measure their clients’ fiscal health are built upon worst-case scenario assessments. For example, GAAP standards generally require debits to be charged against a company’s cash reserves as soon as possible but allow increases to be recorded only after products are shipped or cash is received.
Given this training, CPAs should be cognizant of the worst-case scenarios with respect to the losses that their accounting practices and businesses will suffer in the event of a cyber attack that compromises client financial information. A recent cyber attack on a California CPA firm is illustrative.
In mid-2016, Wheeler & Eggers, CPAs, LLP discovered that hackers had breached the firm’s information systems network and had used stolen information to file 45 fraudulent tax returns in the names of the firm’s clients. The firm was fortunate to discover the incident within a few days after it happened, and it quickly notified the affected parties of the data breach. The firm also retained information technology consultants who were able to remove malware from the firm’s network and to install and implement more robust network firewalls and computer security protections. The firm also reported the breach to several regulatory agencies and provided complimentary credit-monitoring services to its clients.
Wheeler & Eggers has not disclosed the costs that it incurred to issue notices, retain consultants, and procure credit-monitoring services. One recent report estimated that a single cyber attack would expose a small business to average losses of $41,000. That estimate refers to direct costs associated with a data breach and does not include consideration of things like the time that a CPA firm’s personnel spend on responding to a cyber attack. More critically, a data breach that leads to client losses will harm a firm’s reputation and erode the trust that clients place in the firm to handle their confidential and proprietary information.
As ruinous as these direct and indirect losses can be, perhaps the largest loss will come from third-party liabilities that result from litigation filed by a CPA firm’s clients as well as other parties affected by client losses. Approximately 30 percent of the lawsuits against accounting firms are filed by investors, shareholders, business partners, and other third parties whose stakes in a client are impaired when the client’s business is harmed. If a cyberthief uses information from a data breach to file a fraudulent tax return for a CPA firm’s client, and that client suffers a substantial loss that affects the client’s valuation, the client’s investors may have a valid cause of action against the CPA firm on account of its failure to better protect the client data.
In addition to their appreciation of worst-case scenario assessments, CPAs are also experts at cost-benefit analyses. If a risk is likely to materialize, the costs of protecting against that risk are justifiable. Regardless of their size, all CPA firms are very likely to experience one or more cyber attacks because of the value of the client financial information that they manage and maintain. Thus a CPA firm’s costs to implement strong protection against cyber attacks are justified by the benefits that those protections will generate.
Most experts recommend a three-prong strategy for accounting firms:
- Retain information technology consultants who are familiar with the accounting firm’s business model and practices and who can develop a robust protection strategy for the firm’s network;
- Prepare and practice a response plan that will be followed when the accounting firm experiences a cyber attack;
- Procure an insurance policy from a knowledgeable cyber insurance company that understands the accounting firm’s business and that can provide the right amount of insurance to protect against direct losses, third-party liabilities, regulatory fines, and other costs and expenses that the accounting firm will incur as a result of a cyber attack.
The increase in the number and sophistication of cyber attacks against accounting firms is now as much a certainty as death and taxes. Cyber attacks cannot be prevented, but a CPA firm can insure against the losses that cyber attacks create with this combination of strategies.