Page 362 - JoFA_2022

security solution to provide continuous monitoring, collection, and analysis of data; to detect unauthorized access, suspicious activity, and changes as they occur; and to remove malware.

■ Encrypt mobile devices, such as laptops, tablets, and cellphones, as they are easy targets for theft or loss. Enable remote disabling and wiping to remove sensitive data if the device is lost or stolen.

■ Apply the principle of least privilege and limit access to sensitive data on a need-to-know basis. Limit administrator privileges to trusted IT staff and key personnel. Perform routine access reviews to ensure that access remains appropriate.

■ Avoid using the autofill email addresses function and/or implement a “delayed send/confirm” function to potentially catch a misdirected email before it is sent.

■ Phishing is one of the most common entry points for cybercriminals. As such, implement anti-phishing tools and simulate phishing attacks to test firm personnel’s security awareness.

■ Exercise extreme care when handling client or firm money. Never assume that an email request is legitimate, regardless of the sender, amount, or tone. Pause, pick up the phone, and call the requester at a trusted number to validate the request.

■ Practice sound data management and hygiene. Understand how data is received by the firm, what data is received, what protections are required by law or regulation, where data is stored, how long it is stored, and how it is disposed of. Implement security measures wherever sensitive data is stored, and move or purge unnecessary or outdated client data in accordance with the firm’s data retention policy. The risk of a data security incident, and the cost of responding to one, can increase significantly if a firm has not implemented appropriate data management processes.

■ Training is one of the keys to successfully managing data security risk. Set the tone from the top and remind all firm personnel of the significant impact that a cyber incident can have on the firm and, consequently, the need for sustained vigilance by all. Have a clear “think before you react” policy and train and test personnel on how to respond to potential threats.

■ Develop, routinely test, and update an incident response plan that provides a road map in the event of a data security incident. The plan should delineate specific steps the firm will follow and identify external resources, such as the firm’s cyber liability insurer, breach counsel, and forensic and IT experts, that will help guide the firm’s response.

■ Assess insurance coverage. Responding to a data security incident can be expensive. CPA firms should understand the coverage parameters of their current policies and how coverage would apply in the event of a data security incident.

“Firms should frequently review and test their cyber risk management protocols.”

ADDITIONAL RESOURCES

Understanding and implementing data security controls may seem daunting. Work with your IT professional to help understand the regulatory requirements applicable to your firm and implement security measures appropriate for your business. Leverage additional resources such as the free AICPA resources mentioned on this webpage. Visit the U.S. Cybersecurity and Infrastructure Security Agency’s Cyber Essentials page or the Federal Trade Commission’s Cybersecurity for Small Business page for additional resources to help businesses implement cybersecurity practices.

Karen Nakamura, CPA, is a risk control consulting director at CNA. For more information about this article, contact specialtyriskcontrol@cna.com. ■

Continental Casualty Company, one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. Aon Insurance Services, the National Program Administrator for the AICPA Professional Liability Program, is available at 800-221-3023 or visit cpai.com.

This article provides information, rather than advice or opinion. It is accurate to the best of the author’s knowledge as of the article date. This article should not be viewed as a substitute for recommendations of a retained professional. Such consultation is recommended in applying this material in any particular factual situations. Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, intended to constitute a contract, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice.

journalofaccountancy.com September 2022 | 5