Page 361 - JoFA_2022

PROFESSIONAL LIABILITY SPOTLIGHT

Cybersecurity risk: Constant vigilance required

By Karen Nakamura, CPA



Intruder alert

66%

The share of cyber incidents experienced by CPA firms in the AICPA Professional Liability Insurance Program in 2021 that were caused by external breaches of a network or email or a ransomware event.

Source: CNA Accountants Professional Liability Claim Database, underwritten by Continental Casualty Company. Copyright © 2022. All rights reserved.

CPA firms are under constant threat of a cyberattack because of the abundance of confidential and sensitive client data they receive, use, and store. The transformation of how firms do business — including the movement to cloud-based applications and data storage, an increasingly mobile workforce, and the expansion of service offerings that give firms greater access to client information and funds — has likewise increased the number of entry points available to a cybercriminal. Meanwhile, the cyberthreat landscape continues to evolve, with schemes becoming increasingly sophisticated and difficult to detect.

FORMS OF ATTACK

Cyberattacks come in many forms, as these recent experiences illustrate:

A small CPA firm unknowingly had malware introduced to its system, likely from an infected email attachment or a malicious website. The malware was designed to alter the overpayment (refund) instructions on client tax returns before they were e-filed, redirecting refunds to the attacker's account outside the United States. The attack was discovered when a CPA followed up on a number of client calls about delayed refunds. Because the clients were unable to recover the stolen amounts, several brought suit against the CPA firm for the lost refunds.

A midsize CPA firm performed client accounting services for a small restaurant group, including payment of vendor invoices and other disbursements as directed by the client. An engagement team member received email instructions, apparently from the client, directing him to process wire transfers to various client vendors. The team member completed the transfers without any additional verification, only to discover later that the email was fraudulent. The client demanded payment from the CPA firm for the lost funds.

A large CPA firm lost network access and received a ransomware demand for the return of its data. Fortunately, the firm had a sound backup recovery process in place and was able to restore its data and regain system access.

However, unbeknownst to the firm, the attacker had left a backdoor into the firm's system: restoring from backup returned the data but did not remove the intruder's foothold. The attacker used it to perpetrate a second, more severe ransomware attack. This time, the attack left the firm unable to complete client services. Client data was exposed, and the firm had to notify the affected individuals. Moreover, the attack was an embarrassment to the firm and a blow to its reputation.

PREVENTIVE MEASURES

Not all threats emanate from outside the firm. CPA firms can also face threats as a result of their failure to address their own system vulnerabilities properly and promptly. As such, firms should frequently review and test their cyber risk management protocols to help prevent, detect, and contain data security incidents. Consider the following strategies, which, among others, can help diminish the likelihood and impact of an attack:

■ Use multifactor authentication, which requires two or more pieces of evidence (factors) to access a system, wherever possible, and especially when the data being accessed is highly sensitive.

■ As ransomware victims often learn too late, an automatic, routinely scheduled system backup that replicates data to a secure location off-site or in the cloud can help protect data if systems are compromised by an attack or simply fail. Also maintain an offline backup, one that ransomware running on the network cannot reach, so that it, too, is not compromised in the event of an attack. Perform periodic restoration tests to help ensure that backed-up information can actually be recovered when needed.

■ Keeping your systems secure is an ongoing effort. Accordingly, implement patch management protocols to identify, acquire, test, and install necessary patches (code changes that fix bugs, close security holes, and add needed features). Create a plan for when testing and patch installation will take place so as to avoid unnecessary system downtime.

■ Install an endpoint detection and response

4 | Journal of Accountancy | September 2022