“We regret to inform you, but your financial data might have been stolen.” It’s a scene straight out of your worst nightmare. It’s something that giant auditing firm Deloitte and a small Connecticut-based accounting firm had to deal with when they were hacked. Data breaches affect firms of all sizes, reiterating that the need for stronger cybersecurity for accounting firms is more real — and pressing — than ever.
Why Financial Identity Protection Is Central To Cybersecurity For Accounting Firms
Michigan-based Identity Theft Risk Management Specialist and CPA Robert Listerman explains why accounting firms should be concerned about financial identify theft:
“The primary reason accounting firms should be concerned is because of the loss of reputation. Twenty percent of customers who are affected by identity theft originating from a single source will cease doing business with that entity. Forty percent will look at other competitors with the idea of possibly changing to that provider. Five percent will sue the entity who caused their identity to be compromised. Because tax and accounting professionals and other public accounting entities are held to a higher standard in terms of confidentiality, it is likely the number of clients who would move their business would be greater than 20 percent for a public accounting firm.”
Additionally, accountants and accounting firms who were proven to have disregarded data protection laws can face criminal liability according to the provisions of the Gramm-Leach-Bliley Act of 1999, more commonly known as the GLBA.
CPAs are better serving their clients, not serving time in jail. It’s vital for your firm to understand and uphold cybersecurity laws.
A 3-Step Action Plan To Protect Your Accounting Firm From Cyber Attacks
Cyber Security For Accounting Firms: Know The Applicable Laws
Any effort to strengthen cybersecurity for accounting firms starts with an understanding of the applicable laws. Every accounting firm is expected to protect it’s clients’ Personally Identifiable Information or details, which, if disclosed, “could result in harm to the individual whose name or identity is linked with this information.” In this case, this data can be stolen for financial fraud, and in some cases, can cost you THREE TIMES the damages.
The following is a list of your clients’ PII that your firm could be in custody of:
- Social Security Number
- Credit Card Number
- Bank Account Number
- Residential Address
- Residential or Mobile Phone Number
- Date of Birth
- Place of Birth
- Mother’s Maiden Name
- Financial Records
Protecting your clients’ PII is covered under the GLBA, the primary law that governs data protection among financial institutions. The GLBA has 3 main sections: the Financial Privacy Rule, the Safeguards Rule, and the Pretexting provisions. The best way to comply with the GLBA is to hire or appoint a compliance expert to make sure you got all bases covered.
Perform Regular Risk Assessments
Prevention is indeed better than cure.
Best practices for cybersecurity for accounting firms evolve. New threats emerge every day, and you need to adjust your safeguards to adapt to these new threats.
For your accounting firm, an annual risk assessment should be sufficient. You can increase the frequency if there’s an industry-wide threat or if there are abnormal activities that you observe.
At the minimum, your risk assessment should include the following:
- A review of the client information your accounting firm is currently collecting, categorizing which are regulated PII and sensitive data
- Identification of new laws and the applicable commitments and requirements that your firm need to fulfill for compliance
- Partner with a Managed Services Provider to make sure your risk is limited through making sure you are aware around cyber attacks are on the horizon, what to look out for, and make sure your systems are protected and secure.
- Any change in your firm’s practices concerning the acquisition, storage, and sharing of client data that could open new loopholes for financial identity theft
- New developments in the regulatory and business environment
- New technologies that your firm could be maximizing
Create A Written Financial Identity Protection Policy
Quoting the Egyptian Pharaohs when they give orders: “So it is written, so it shall be done.”
It’s easier for your accountants to follow cybersecurity protocols if it’s a formal memo, part of your employee handbook, or clearly outlined in your standard operating procedures. A written cybersecurity policy can also serve as your springboard in training employees to be more cybersecurity-savvy.
Speaking of training, cybersecurity for accounting firms would fail without it. According to statistics, “over 50 percent of identity theft can be traced back to unlawful or mishandling of non-public data within the workplace.”
How About Technology?
So you might be wondering: isn’t technology a crucial factor in cybersecurity for accounting firms? Some may even go as far as to say that technology is at fault for all these modern-day data espionage. However, you need to understand that it’s not technology per se, but the poor implementation of the technology.
One way accounting firms are jeopardizing their own cybersecurity is by burdening their own employees to oversee the implementation, management, and maintenance of these technologies. Between servicing your clients and fulfilling internal administrative tasks, adding cybersecurity to your accountants’ long to-do list is putting a nail to your data protection coffin. Something is bound to fall through the cracks.
It would be best to partner with a managed services provider to take care of your cybersecurity and tech management needs.