Editor's Note: We generally don't post guest articles on this blog, but in light of the increasing cyber security threats to accounting professionals who work online, we're making an exception.
This article is by Jock Wols, Founder & CEO of Risk Desk, a specialty insurance broker servicing professionals, and PT Pro, an online platform offering professional liability (E&O) insurance solutions. His years of experience seeing the effects of cyber attacks is invaluable insight that we all should heed. Please take notes and share this information that is largely ignored in our profession. It can literally make or break your practice because cyber attacks are no longer a question of if they will happen, but when.
Not a week goes by without a headline related to a major cybersecurity incident. While the largest incidents grab most of the attention, cyber threats do not discriminate by industry or size of organization. Forget the notion you are “too small” to have anything of value. Every single business, including a part-time bookkeeper or solo practitioner, is at risk from a cyber threat.
In fact, as a bookkeeper or accounting professional, you are an increasingly favorable target given the type of services you offer and sensitive information you work with. Whether or not the perception is true of your specific business, you are a target. According to the Verizon 2018 Data Breach Investigations Report, 58% of victims are categorized as small businesses.
In this article I will introduce cyber risk to you and what you can do to better manage your exposure.
Cyber Risk 101
A cyber security incident is often associated with the loss of personally identifiable information, such as credit card details or social security numbers, through a hacking event. Unfortunately, cyber risk is not limited to a “simple” hack for information. The types of cyber threats vary, each carrying a different set of objectives and levels of sophistication.
A cyber security incident will lead to a financial loss and can represent either or both of the following:
First Party Liability
Expenses you incur to rectify the incident. Examples include, but are not limited to:
- breach notification costs,
- credit monitoring,
- identity monitoring,
- forensic investigation,
- data restoration and recreation,
- extortion payments,
- fraudulent transfer of funds,
- loss of income.
Third Party Liability
Damages to another party you are liable for as a result of the cyber security incident. Examples include, but are not limited to:
- loss, theft or unauthorized use of information in your care, whether from an employee, client or vendor,
- denial of service,
- failure to prevent a cyber security incident,
- failure to notify or warn about a data breach,
- violation of federal, state or local laws.
Typically, a system breach is associated with a loss of information that leads to forensic, notification and monitoring costs of the impacted individuals. To illustrate the breadth of the cyber threats that impact you as a professional, we share two actual claim examples reflecting two common cyber threats professionals face.
Phishing is a social engineering attack by a bad actor posing as a legitimate institution or individual with the purpose to obtain sensitive information.
|An accountant received an e-mail purporting to be from a client instructing the accountant to transfer $670,000 in funds to an account purportedly controlled by the client. However, the email turned out to be fraudulent. The accountant transferred the money, and the fraud was not discovered for 4 business days. All of the money was lost.|
Malware is computer code that infiltrates and compromises a system, designed for a variety of purposes, including stealing or encrypting information, hijacking the computer or monitoring user activity.
|A small business was the victim of a sophisticated ransomware attack designed to “lock” the firm's equipment, software and databases. The hackers demanded $58,000 to unlock files. The firm paid the ransom and unlocked the equipment. However, some damage was done, which required some of the data to be restored by a specialty IT firm costing $53,150.|
An often-understated risk is the impact of a cyber security incident on your clients or customers. Do your clients rely on you to safeguard their information? Do they expect you to deliver the services in a timely manner? Is their business adversely impacted by you failing to render the services you promise to perform? It is important not to underestimate the operational consequences a cyber security incident has on your ability to run your business.
What about the security of my online tools?
I am often asked whether the security included in online tools you use as a virtual bookkeeper or accountant is enough protection. The answer is, it depends on who suffers the cyber security incident.
If the vendor who provides the software suffers the cyber security incident that impacts your business activities, then you can take recourse against the vendor. In that scenario the cyber security incident is not your fault. However, if the cyber security incident occurs through your system, enabling the bad actor to access the information in the vendor's software, then you are liable.
What if there's a breach?
The most severe consequence of a cyber security incident could be the closure of your business. The financial loss can be severe, as can the reputational damage you would suffer. Your professional duty to safeguard your clients' information may lead to legal liability, which could result in costly and lengthy litigation. Lastly, you are exposed by breach notification legislation. These requirements differ for each state. Failure to comply can lead to fines and penalties.
How can I protect myself?
The Ponemon Institute's 2018 State of Cybersecurity in Small & Medium Size Businesses found that a staggering 47% of respondents say they have no understanding of how to protect their companies against cyber attacks! While awareness of cyber risk continues to increase, the biggest challenge is identifying the actions you can take to manage the exposure.
Recommendations often point toward conducting a cyber risk assessment or engaging a consultant or IT professional. In reality, for a solo accounting professional, such recommendations are not practical. Start by keeping it simple: Self-assess as best you can. Then make improvements through ongoing education to build up your best practices and periodically review your processes.
Cyber threats are best managed in two ways: (1) reducing risk through education and (2) transferring risk through insurance.
Utilize online resources, content and cyber security courses to develop a best practices approach to cyber risk. Staying informed is an important part of developing an awareness of existing and new cyber threats.
Insurance is a valuable tool both for managing the potential financial loss from a cyber security incident and for navigating the complex maze of handling a claim. The coverage options are extremely varied as the cyber threats continue to rapidly evolve. You'll want to be clear on the coverage you are purchasing, as not all policies are equal.
- Professional Liability Policy
At the very least, request a cyber coverage enhancement for your professional liability policy. However, coverage is typically very basic with low limits.
- Cyber Liability Policy
A customized cyber liability policy typically provides broader coverage. A major advantage is the expert cyber claims support at your disposal to handle and resolve a cyber security incident.
A cyber security incident is scary for any entity and it is critical to respond quickly. An insurance policy is invaluable as all it takes is a phone call to report the claim and initiate the incident response. In the absence of an insurance policy, having the contact information of an expert on hand is very helpful.
- Step back and conduct a basic self-assessment of your existing processes.
- Make a commitment to education and best practices.
- Get a quote for insurance coverage, either for a standalone policy or a cyber enhancement on your professional liability policy.
- Conduct basic research for an expert who could help in the event of a cyber security incident.