Published in MA Society of CPAs' SumNews (November 2020)

Accountants are prime targets of cyber crime. You are an enticing target because you possess large quantities of sensitive personal, financial, and tax information highly valuable for identity and financial theft, and you have the information and credentials necessary for criminals to generate fraudulent tax refunds in the names of your clients. Moreover, you are a vulnerable target because, unlike large institutions, you have less time and money to invest to ensure that all your security controls are strong enough to repel sophisticated cyber attacks.

Additionally, accountants face increasing regulatory pressure to adopt best-in-class protections for client information. Such pressure emanates not only from our home state (in the form of M.G.L. Chapter 93H and 201 C.M.R. Chapter 17), and from the Internal Revenue Service (in the form of I.R.S. Publication 4557), but also other states (like New York and California) and foreign jurisdictions (like the European Union and United Kingdom), which impose their laws on Massachusetts accountants who possess information about clients who are residents of those states and countries. Fines and penalties for failing to comply with these regulations are substantial, and typically follow a breach that was already painful enough.

It is imperative that accountants stay ahead of the cyber security curve. Ransomware, phishing, and malware exploit the tiniest of gaps, resulting in the exposure of sensitive client information or crippling your business during the busiest of tax seasons. To reduce these risks, accountants must operationalize cyber security by: (a) conducting annual risk assessments with outside cyber security professionals, (b) identifying and mitigating all existing and potential vulnerabilities and threats, (c) implementing appropriate written policies and procedures, and (d) providing topical training to employees several times per year.

However, in addition to those routine processes, accountants also need to ensure that you have implemented advanced safeguards that can repel sophisticated cyber attacks. Simply put, your risk exposure means that you need to up your game. The following are a few examples of advanced controls that accountants should be implementing.

  1. Advanced Threat Detection: Anti-virus/anti-malware is old news, and largely ineffective against modern ransomware and malware. The current standard is to implement an application that detects anomalous activity, prevents the activity from occurring further, and quarantines infected data and systems. In fact, having multiple such applications may be necessary to ensure protection against sophisticated attacks.
  2. Multi-Factor Authentication: Passwords alone are not a particularly effective safeguard, because people too often use weak passwords that can be readily cracked, and use the same password on multiple accounts, enabling hackers to steal credentials for multiple systems by attacking one weak account. Multi-factor authentication requires both a password as well as another means of authentication, such as a device that is registered with the account, a code sent to a device registered with the account, or a biometric unique to the person permitted to access the account. Multi-factor authentication is not cutting-edge technology. However, accountants often do not have it implemented on all network and cloud applications that contain client information, such as email, tax preparation and filing systems, cloud storage accounts, and data transmission applications.
  3. Encryption: Encrypting data transfers and electronic devices is not optional. Accountants must transmit sensitive information only via secure file transfer protocol (SFTP) links or portals or encrypted email. Similarly, you must ensure that data is encrypted on all laptops, tablets, smartphones, USB/external drives, and other devices that are mobile. For example, employees should use only firm owned and managed laptops with encrypted hard drives, the firm should deploy a mobile device management (MDM) applications that manages client information on tablets and smartphones, and firm computers should scan and encrypt all USB/external drives connected to them.
  4. Vendor Management: Your client information is only as secure as your weakest vendor. Accountants and accounting firms rely on vendors to provide critical services, including tax preparation and filing systems. You need to conduct appropriate due diligence to ensure that every vendor that receives client information has adopted cyber security safeguards at least as protective as the controls you are required to implement. You also need to enter into a data security agreement with each such vendor to contractually solidify those safeguards as well as impose appropriate obligations and liability in the event of a breach.

 

Implementing the controls necessary to repel sophisticated cyber attacks can seem like a daunting task, particularly for individuals who are not trained in this area. However, ignoring the problem will not make it go away, and only invites a disaster. Effective cyber security can be accomplished by partnering with outside experts, and then committing to assessing your risk and implementing advanced safeguards to protect yourself and your client information.

Cam Shilling founded and chairs McLane Middleton's Information Privacy and Security Practice Group. The group assists businesses and private clients to improve their information privacy and security compliance, and address any security incident or breach that may arise.  He can be reached at cameron.shilling@mclane.com .

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.