Cyber Risk Challenges for CPAs

March 01, 2025 · 7 min read

Certified public accountants (CPAs) use multiple digital tools to provide professional services. This technology can improve efficiency and data management, but it can also be targeted by cybercriminals, especially since CPAs process high-value data. If successful, a cybersecurity incident can lead to significant financial losses, compliance issues and a loss of trust among clients. To mitigate these risks, CPAs and their staff must implement measures to secure the sensitive information they manage.

This article explores why cybercriminals target CPAs and their firms, examines the most common types of cyberattacks against CPAs and offers practical suggestions for strengthening cyber defenses. It also highlights key regulatory requirements and discusses the role of cyber insurance in managing cyber risks.

Why Cybercriminals Target CPAs

CPAs are an attractive target for cybercriminals because of the type of data they typically work with, including financial information, tax records and personally identifiable information. CPAs have access to clients’ financial and banking systems, making these professionals a gateway for more significant intrusions. Additionally, many smaller CPA firms have limited cybersecurity budgets, making them more susceptible to cyberattacks. The shift to remote work has also created more hacking opportunities through vulnerabilities such as insecure network connections and devices.

Common Cyberattacks Used Against CPAs

While there are several types of cyberattacks, the following are commonly used against CPA firms:

  • Phishing and vishing attacks involve cybercriminals deceiving users into providing sensitive information (e.g., passwords) through fraudulent emails, texts, calls, voicemails, websites or links. CPAs and their assistants often utilize digital tools to process sensitive data and receive confidential communications, making them susceptible to such attacks.

  • Ransomware attacks are when cybercriminals access a firm’s computer system or network, encrypt the files and demand a payment in exchange for providing a decryption key. This attack can be effective against CPAs because they often have strict filing deadlines, making business interruptions extremely costly to a practice’s finances and reputation. This pressure may prompt some firms to pay the ransom quickly, against the FBI’s recommendation, in an attempt to avoid further losses.

  • Business email compromise (BEC) is when a malicious actor impersonates a legitimate individual (e.g., a partner or client) or hacks into that person’s email account and fraudulently requests sensitive information or money from the target (i.e., a CPA) through the redirection of payments. BEC schemes are used against CPA firms because large payments often occur electronically and funds are moved digitally, so these requests may not raise a concern and can go unnoticed.

  • Insider threats are employees with access to sensitive information who misuse their privileges to steal data or sabotage internal systems. Their motives may include financial gain or revenge, and their malicious activity may be more easily hidden and hard to detect.

  • Third-party vendor attacks happen when a cybercriminal infiltrates a business’s third-party vendor and leverages that breach to access the business’s data. CPAs often rely on third-party vendors in their practices, which increases the chance of a cybercriminal targeting a less secure partner.

  • Credential stuffing is when threat actors use stolen credentials to try to gain access to multiple accounts. This scheme exploits password reuse and can be automated for large-scale attacks to enable cybercriminals to access several accounts. As CPAs often use various platforms that contain sensitive data, credential stuffing may allow cybercriminals to broaden their attack targets.

Cybersecurity Best Practices for CPAs

Although cyberthreats and attack methods are numerous and evolving, there are several measures CPAs can take to protect their computer systems and networks. These include the following:

  • Robust authentication protocols create a first line of defense against cyber intruders. Multifactor authentication, including app-based codes or biometric options, adds layers of security by requiring verification beyond a password. CPAs should also ensure proper password management by using unique, complex passwords for each platform, ideally stored in a reputable password manager. Firms should have access controls in place to limit who can view or access sensitive information, and they should have strong policies that address network and device security for remote employees.

  • Employee and client education on cyberthreats, including how to recognize and prevent them, strengthens a CPA firm’s cybersecurity. Training sessions for staff, including phishing simulation exercises, can create a security-conscious culture. Educating clients about the risks of transmitting unsecured sensitive data may also help protect their information.

  • Data encryption, both at rest and in transit, transforms data into an unreadable, encoded format so cybercriminals cannot use it without the proper key. Additionally, secure backups, either in the cloud or on external media, allow firms to recover data without paying a ransom after a ransomware attack, and the data can be quickly restored onto systems to minimize downtime and service interruptions. Lastly, firms should use a virtual private network (VPN) when accessing public Wi-Fi and securely dispose of both physical and digital sensitive documents.

  • Regular software updates and patch management best position software programs, systems and devices to defend against cybercriminals. These practices help ensure a firm’s cyber defenses are up to date against the latest threats.

  • Vendor management minimizes third-party risk by ensuring CPA firms conduct thorough security assessments of their vendors, verify compliance with industry standards and ensure contractual agreements include data protection clauses. Selecting vendors with robust cybersecurity practices can reduce the risk of a breach spreading through interconnected systems.

  • Incident response planning and testing allow CPA firms to proactively fortify their cyber defenses by having policies and procedures in place to respond to cyberattacks. These plans should outline steps for detecting, containing and recovering from cyber incidents. They should include communication protocols, designated response roles and escalation procedures. Regularly testing these plans through simulated attack drills allows firms to find and repair weaknesses and ensures teams are prepared to respond quickly.

Regulatory Cybersecurity Requirements for CPAs

CPAs must consider regulatory obligations that mandate strong cybersecurity practices. Laws like the Gramm-Leach-Bliley Act and various state data protection regulations require CPAs to implement security measures to protect sensitive data. Noncompliance with these regulations can lead to penalties, lawsuits and even license jeopardy, highlighting the importance of integrating cybersecurity measures and continually monitoring their effectiveness. Meeting regulatory requirements is essential for CPAs to maintain both legal compliance and client trust.

The Role of Cyber Insurance in Mitigating Risk

Even with robust cybersecurity measures, cyber incidents can still happen, as no system is completely immune to attacks. Cyber insurance is specifically designed to cover financial losses that result from cybersecurity events, so it helps mitigate a firm’s exposure to cyber-related damages. It can also provide financial assistance to cover data recovery, legal liabilities and business interruptions that arise due to cyberattacks. However, cyber insurance complements, rather than replaces, strong cybersecurity practices.

CPA firms should review their insurance coverage; cyber insurance can fill gaps left by other policies (e.g., commercial property insurance, general liability insurance), which typically do not cover cyber-related events. A CPA firm should assess its risk profile, existing cyber defenses and how cyber insurance can fit within its broader insurance portfolio. Firms should also familiarize themselves with the difference between first-party and third-party coverage, described as follows:

  • First-party coverage provides financial assistance for direct losses incurred following a cyberattack. Such losses may include expenses to repair systems after a cyber incident, as well as crisis management and public relations services.

  • Third-party coverage provides financial assistance for lawsuits and liabilities for third-party losses that arise from a data breach. It can also pay for related regulatory fines and penalties.

Many cyber insurance policies provide access to a vendor panel with legal counsel, public relations firms, IT specialists and other experts who are experienced in managing cyber incidents. This can help CPA firms respond quickly and effectively to mitigate the impact of a cyber incident on their finances, reputations and operations.

Cyber insurance policies vary in coverage, limits and exclusions, so it is advisable to consult a licensed insurance professional for assistance in selecting a policy that best fits a firm’s specific needs.

Conclusion

CPAs face significant cyber risks due to the high-value data they handle and the increasing complexity of cyberthreats. Implementing strong cybersecurity protocols, along with a cyber insurance policy, can help CPAs manage these exposures and protect their data, finances and reputations. By taking proactive steps to secure their systems and educate their teams, CPA firms can better mitigate their risks in today’s evolving cyber landscape.

Contact us today for more information.
