Calling all CPA’s: Do you have a sense of adventure? Do you wish to lead your firm into a new era risk minimization? Join me as we begin to explore the new threat landscape of cybersecurity.
The summer of 2019 has provided a treacherous landscape for CPAs and accounting firms to navigate. Many have already been impacted by the data breaches of Wolters Kluwer’s CCH software and the outage of Cetrom one of the industry’s largest managed service providers (MSP) among other events.
As if these hacks were not scary enough, The IRS issued a reminder that under the Gramm-Leach- Bliley Act, professional tax preparers are considered to be financial institutions and their cybersecurity programs are subject to investigation by the FTC under GLB. If they are found to not be in compliance they could face significant fines and fees.
Without the proper approach and tools to address these concerns, it is likely that many firms will lose their way along the cyberthreatscape. So if your firm is concerned let’s explore a path forward.
Starting Your Cybersecurity Journey
A cybersecurity journey should begin with an assessment process. You must develop a baseline understanding of where you are today before you can begin to make intelligent decisions about where you want to go. Cybersecurity is a complex topic with both technical threats and regulatory compliance both presenting serious concerns for your firm.
If you trek bravely into the cyber jungle with no map to guide you, you will surely go in the wrong direction and perhaps into more treacherous territory allocating budget and resources to the wrong areas. Many firms who know they need to do something start buying things without a strategy. They purchase more insurance, hire a managed service provider, update the firewall, or deploy advanced technologies. While these may be great tools there needs to be a strategy behind why you would purchase and deploy one before the other.
The need for an assessment process is recommended by the IRS saying firms must:
“…identify and assess the risks to customer information in each relevant area of the company’s operation and evaluate the effectiveness of the current safeguards for controlling these risks.”
Assessment Complete: Now What?
For the more mature organization, who has been through an assessment process at least once within the last 12 months, you are ready for the next step in your security journey. Just like the explorers De Soto and Magellan documented their progress in logs and journals, so should your security practice. This will allow your security team to report back to the homeland on what progress they have made.
For many small to medium firms the biggest gap in the security practice is lack of documentation. If you do not have a documented written information security program then you are subject to the fines and penalties of GLB.
Not having a written information security program is not only a major regulatory concern but without having a formal standard to be tracked and measured, how can you understand the quality of work your security team or managed service provider is performing on a daily basis?
CPA firms are very unique making it difficult to select the proper security framework to track. In the U.S. almost every state has different data privacy regulations you must adhere to. The 50 person CPA firm has very different needs than the 500 person firm so you must select a path forward that scales to your firm. There are a number of security frameworks your firm can use. As a rule of thumb, the NIST framework is a great place to start. You may need to make minor adjustments to account for the FTC and IRS requirements.
Time to Test?
Once you have been through an assessment and created a written information security program, you are now in a position to begin to test your security practice with technical tools like vulnerability scanning and penetration testing. Many firms try to skip the assessment and documentation process and go straight to testing. If you skip steps 1 and 2 you won’t know how to use more technical tools to your benefit. What good is a compass without a map?
On the other hand, if you have performed a survey, and created a map, then using the tools makes sense. You can find enormous amounts of value in a technical assessment and this can be a great way for the security team to uncover blind spots they were unaware of. Periodic vulnerability scanning and penetration testing is a part of every health security practice. Performing tests and exercises is also required to achieve many security compliance objectives like a SOX-II certification.
The worst thing your firm can do is to keep your ships in the harbor. If you do not begin to aggressively explore this subject you will certainly face a cyber-attack or regulatory fines. Cyber-pirates are becoming more and more aggressive and they do not discriminate. The CCH and Cetrom events affected firms of all shapes and sizes. Are you and your partners ready to set sail and begin your expedition or will you leave your ships to burn?