Is Your CPA Firm Prepared for a Cyberattack? It Needs to Be

Of all industries, financial services may just have some of the highest regulatory requirements, along with healthcare. This makes a lot of sense, too… consider how much sensitive data CPA firms are privy to as a part of their daily operations and processes. While every business today needs to prioritize its cybersecurity, this is especially the case for these firms.

Here, we’ll discuss why and how a CPA firm can keep the data it houses secure.

Why Your Firm Needs to Secure Its Data

As you might imagine, experiencing a security breach isn’t a good thing for any kind of business - and especially not accountants. As we touched on above, CPAs have possession of a great wealth of sensitive data, including the financial and personally identifiable data of their clients and their businesses. As a result, there are a few legal requirements that different levels of government put on companies - including accounting firms - that compels them to act swiftly if they experience a data breach.

For example, the Sarbanes-Oxley Act of 2002 was passed in order to ensure that there was a federal requirement that holds companies accountable for their compliance standards.

On the state level, Massachusetts released a set of Data Security Regulations that advised businesses how they should prevent a data breach in 2010, which were supplemented by Bill H.4806 - An Act Relative to Consumer Protection from Security Breaches when the governor signed it into law as Chapter 444 of the Acts of 2018. This act places some pretty steep requirements on businesses in terms of their responsibilities after experiencing a breach. Section 8 in particular commands that a business needs to notify the state attorney general, as well as any agencies (state and consumer reporting) of quite a few details, including:

• The nature of the breach/unauthorized acquisition
• How many residents of Massachusetts were impacted at the time of notification
• The name and address of the person or agency that experienced the breach
• The name and title of the person or agency reporting the breach, and their relationship to the person or agency that experienced the breach
• The person responsible, if known.
• The kinds of personal information were compromised, including social security numbers, driver’s license numbers, financial account numbers, and any payment card data.
• The plans that the person or agency has to respond to the incident.

While a CPA may not have a need to collect all of this data, there is certainly a need for some of it (as we mentioned above). It isn’t as though a cybercriminal needs all of this data in order to take advantage of the clients who entrusted their data to their accountant - the data that the accountant needs to fulfill their responsibilities is plenty. 

What Can Be Done to Avoid Cybersecurity Issues for CPAs

In addition to the cybersecurity basics that we always recommend, like ensuring your solutions are properly updated and that your entire team is maintaining password best practices, a CPA needs to implement some more advanced security controls to truly reinforce their data’s protection. For a better idea of how to protect your data, here's five security steps every CPA must take.

Part of Massachusett's Data Security Regulations (201 CMR 17.00) includes a requirement for any business that keeps personal information about residents of Massachusetts to develop and maintain a Written Information Security Program (WISP). A WISP often requires businesses to make a few preparations prior to dealing with a data breach, such as:

• Assigning an individual to be responsible for the security program’s maintenance.
• Identifying any security risks that can be reasonably predicted.
• Protecting all forms of personal information by restricting access to it.
• Overseeing third-party service providers confirm that they are compliant with all regulations.

Admittedly, this can seem like a lot - especially when you consider how much preparation this actually entails. One thing to consider is what to do when you lose access to your client's data to due cyber-activity such as ransomware?  A ransomware attack can shut down your office and put your client's data at risk, regardless of what profession you're in.

Datalyst is here to help. We have the experience needed to prepare your firm’s IT so that you remain compliant with regulatory requirements, and the training resources to prepare your staff to do the same. Ready to learn more? Reach out to us directly by calling (774) 213-9701.