WHAT SHOULD YOUR CPA FIRM DO TO PROTECT ITSELF AND ITS CLIENTS FROM CYBER CRIME?<br />Cyber-crime is a catch-all phrase that encompasses hacking into computers, creating and spreading computer viruses, perpetrating online fraud schemes, and stealing trade secrets and other intellectual property. Cyber-crime lawsuits are on the increase, making insurance more important than ever. <br />As a CPA’s you also work as forensic accountants, meaning it is their job to detect fraud or other crime in the financial world. Some certified public accountants even use their expertise to design helpful computer software for to assist in detecting Cyber Risks.<br />By law, a CPA has the duty to protect our client data. It’s important that we understand our physical security risks, know what risk points exist for exposure of client data and enforce a plan WISP (Written Information Security Plan) to keep key systems properly updated and staff up to date on security best practices. <br />So what is a Cyber Risk? <br />A Cyber-risk began as an industry-specific need, mainly for e-commerce and Internet-related companies, but has now become main stream. New viruses, hackers, and denial of service (DoS) attacks, attempt to steal company information and sell it to the highest bidder. Computer network security and risk management issues is no longer the exclusive domain of companies doing business over the Internet, and today risks are not limited to outside threats or Internet access. <br />
Many CPA companies now realize that just having a website may carry additional, unforeseen risks.
Large percent of cyber attacks come from within the corporation by improper use of USB drives, incorrect downloading and Email procedures and disgruntle employees.
In general, traditional insurance-- property, commercial liability, and crime-tend to focus on tangible damage to physical property and do not address cyber-risk.
Traditional business interruption policies focus on damage caused by fire or flood and do not consider Cyber attacks at all.
Cyber-insurance policies require higher premiums and deductibles because of challenges such as lack of quantifiable data on cyber-risk.
Depending upon the size of the company and the coverage required, premiums can run into the hundreds of thousands of dollars.
If an insurer's assessment does not find appropriate levels of computer network security, the policy may be denied unless the applicant meets the insurer's recommended security specifications. Additional services, such as yearly vulnerability assessments, which monitor and alert management about potential problems, are also offered. In meeting an insurer's standards, companies should be wary of investments in expensive, tactical, one-time solutions that aren't in line with their short-or long-term objectives.
Types of Cyber-Coverage need to be addressed by your companies:<br />
Liability First-party liability - Covers a company’s own losses due to damage to availability, integrity, and confidentiality of company data, intellectual property, and other privacy infringement-related issues. .
Business interruption, income, and expenses - These policies cover a company's loss of revenue and additional expenses caused by DoS attacks, viruses, hackers, and fraud. They may also cover a company's losses incurred as a result of disruption caused by the computer systems of others relied on.
Product or service failure - This cyber-coverage covers legal actions attributable to the failure of a product or service.
Extortion - Such a policy covers ransom for valuable information.
Crisis management - This coverage applies to expenses to facilitate recovery of losses, as well as to support public relations efforts to communicate with constituents.
Insurers also offer packages that may include coverage for criminal reward as well as loss of revenue. <br />What Is the Right Risk Management Mix? <br />Because insurance will not avoid a lawsuit nor will it put a company back in business immediately, cyber-insurance usually requires additional investments in controls and infrastructure before a policy is underwritten. Because small and medium-size companies need to use their resources wisely, they are especially at risk. <br />A company needs to determine its acceptable level of business risk. Although buying insurance may reduce the company's risk, this solution should be in line with the company's own goals and risk assessment. Many small and medium-sized businesses may decide to forego cyber-insurance because of cost considerations, but often these determinations are not made based on a business-driven risk management strategy. <br /> “So how do you keep your firm and your clients protected? Here are some things to consider”<br />Server SecurityIf your servers are located in your office, new legislation, like the freshly minted (as of March 1, 2010) Massachusetts 201 CMR 17, requires that they be behind a secure locked door with restricted access and locks on the server cases, cabinets, drive chassis and server console screen. Or if your servers are hosted offsite at a data center, it’s best to ensure that all of the physical security requirements are being met based on your needs.<br />Confidential DataIn theory, CPA firms securely shred everything. In practice, someone could likely find a wealth of information they shouldn’t have access to just by going dumpster diving. Does your firm actively enforce a confidential data policy that addresses paper copies of confidential data?<br />Password SecurityIt is important to educate your firm on the importance of using secure passwords and keeping them secure by not writing them down. <br />Microsoft PatchesStaying up to date with Microsoft patches is a critical step in ensuring your firm’s security. We recommend using automated patch management like IBM for Internet Security solutions<br />Web SiteAnother thing to consider is what information you post on your Web site. A CPA firm love to publish everyone’s name, phone number and e-mail address, which are helpful for the general public, but makes it one step easier for someone to get into your network. <br />If you find this concerning, consider including a contact number and generic e-mail address for each department to add one more layer of protection for your firm.<br />Voice Mail SystemSecure passwords are important here too. You don’t want someone calling your office after hours, figuring out how to get a password prompt and then gaining access to someone’s voice mail because they used something like 1111, 1234, or 0000 as their password. This is another reason not to post everyone’s number online.<br />ISP RouterThe Internet Service Provider’s “managed router” is one of the most overlooked pieces of the network. It’s a nondescript box in the closet with blinking lights that few people understand. Somehow ignorance makes way for comfort. Most firms assume that because the ISP set it up, it must be configured correctly. Not true. <br />FirewallWhen is the last time your firewall was updated? Firewalls are found both in the server room and as a piece of software on your PC.<br />We also recommend using intrusion detection and prevention systems to protect your firm in addition to firewalls. Where firewalls passively block known attacks, these solutions are proactive in nature and will provide reporting on the number and types of attacks that are attempted<br />
Remote AccessIn this day and age, the convenience of anytime, anywhere access to data poses new security threats that firms need to consider and address. Our duty to keep client data secure now extends far beyond the walls of the office and staff in the field to our employees’ homes and cell phones as well. It’s a good idea to develop a written policy for remote access.
EncryptionMost states have breach notification laws, and nearly all of them waive the requirement for notification where data has been encrypted. Whole disk and USB-stick encryption are the two most common places where encryption can be used. Imagine all of the free press you could get just by having an auditor lose their USB-memory stick.
We encourage you to consider this list, as well as additional policies like third-party connection, acceptable use, and incident report, to ensure your firm is adequately protected on all fronts. Above all, make sure your firm actively enforces the policies and standards you establish because, no matter what kind of security you have in place, your firm is only as safe as your weakest line of defense<br />Data loss, ID theft top malpractice concerns!<br /> “We have even seen CPA client information stolen via dumpster diving."<br />In a rough economy, when liability claims against accountants tend to rise, it's especially critical for CPA firms to know exactly what their policy covers and to make any necessary adjustments. <br />"The hard issue right now is data loss, and every carrier is addressing it differently,” "For example, the American Institute of CPAs program and CPA Gold have both put out a cyber-security endorsement to their policies as a rider. Travelers took a different approach and just made changes to their base policy. Philadelphia has an endorsement which is sold as an additional premium, while some have not addressed the issue but are examining it to determine their position." <br /> “The issue of data loss is becoming commonplace:” <br />"We're seeing it on a weekly basis with potential claims coming in as a result of stolen laptops, security breaches, and the like. It can result in significant costs to accounting firms just to notify current and past clients when something like this happens believe us the last thing you want is to send out a letter to 3,000 people that they may be victims of a security breach because of you." <br /> <br />