Despite the information available about common cyber scams and ways to manage cyber risk, some accounting firms are still falling for preventable threats.
In one month, CPA Mutual investigated claims involving social engineering (that is, fictitious emails requesting a wire transfer or some other action) that accounting firm employees have fallen prey to. These scams can result in data breaches, payments to fake accounts and ransomware or malware infiltrating the accounting firm’s systems.
As hackers get more sophisticated and artificial intelligence helps their schemes seem more real, accounting firms can’t claim that they are too small or too sophisticated for these types of security breaches. Awareness must begin at the employee level and extend to outside vendors, which remain the primary means for security breaches. In the past year, cyber claims by members of CPA Mutual resulted in just under $200,000 in monetary damages. Damage values are up 76 percent from 2017 and are expected to continue to increase in 2019.
Claims prevention is always the best course, as is investing in cyber liability coverage. Some accounting firms still rely too much on internal IT or third-party vendor security, thinking they won’t experience a cyber loss. However, it can still happen.
The risk of relying on outsourced security is that third-party vendors have access to sensitive data at the accounting firm and are vulnerable to security breaches themselves. Accounting firms must be very careful about the contracts they establish with IT vendors to protect themselves in the event that the vendor experiences or causes a data breach.
For example, the third most frequent cyber attack that businesses have experienced in the last 24 months is from a third party’s misuse or sharing of the company’s confidential information. The top culprit behind attacks still involves employees falling for phishing scams (67 percent), according to the Ponemon Institute. A recent survey from Tenable asked more than 2,400 IT and cybersecurity professionals in six countries about top threats. The second most common involved malware.
Cyber liability policies cover many of the legal costs and fees associated with a data breach claim. However, each one is different; cyber crime may be excluded, and some don’t cover your cloud provider or other vendors that may access your system. Insurance policies also can’t restore reputations and trust.
Cyber threats are only expected to get more sophisticated. A recent article by the MIT Technology Review noted that companies will need to focus on smarter encryption methods as well as training to detect future scams like false video and voice communications that look and sound like a legitimate person but are not.
At the very least, awareness of threats, more staff training and insurance coverage can help manage the impacts of employee-error and third-party cyber threats. And, as always, think before you click.
Bill Thompson, CPA, helps CPAs navigate the minefield of professional liability issues that they face on a daily basis. He understands practical risk management for CPAs and risks faced in the profession. In addition to overseeing the day-to-day operations of the insurance company, Bill is responsible for underwriting, reinsurance negotiations and placement, coverage and policy issues, claims settlements and risk management assistance for our member firms. Bill has been a licensed CPA since 1981. He is a member of the American Institute of CPAs (AICPA), the Florida Institute of CPAs (FICPA), the Professional Liability Underwriting Society (PLUS), the National Risk Retention Association (NRRA), Vermont Captive Insurance Association and the Captive Insurance Companies Association (CICA). He frequently presents on topics related to liability claims and the importance of risk management.