
5 Ways CPAs Can Add Value in the Event of a Cybersecurity Attack

It’s been 19 years since the first Mission Impossible movie sprang from ’60s television and graced the silver screen. This summer, the fifth installment of the Impossible franchise premiered. When we first met Ethan Hunt, it was 1996 and the BMW Z3 made its debut as Agent Hunt’s stylish ride. Despite all the high-tech gadgetry depicted in the film, in real life, the Y2K debacle was the biggest IT security crisis businesses faced. Fast forward nearly two decades: driverless cars are a reality, and a car hacking crisis has put drivers of 1.4 million cars at risk.

Back when Mission Impossible first thrilled us with espionage and national security fantasies, cybersecurity was merely an IT concern. “It’s now a C-suite problem,” former secretary of the U.S. Department of Homeland Security, Tom Ridge, said recently at the AICPA CFO Conference in Denver.

Given the frequency of cybersecurity attacks today, it is important for CPAs to understand their role in this arena. CPAs are well equipped to strengthen the process and evaluate cybersecurity risks. Below are a few examples of where CPAs can add value: 

  1. Assess your company’s or client’s most valuable information assets and define a data classification policy. A data classification policy will provide your business with a better understanding of what type of data has the highest value to an attacker, and thus should be the most secure. CPAs can verify that the appropriate level of internal controls is established and operating.
  2. Create an incident response plan. CPAs can play an instrumental role in developing a written document containing action steps for moving forward in the event of a cybersecurity breach. I discussed incident response plans in more depth in a previous blog post on AICPA Insights.
  3. Work with the IT team to ensure they have the resources to protect the company’s most valuable assets. Sometimes this requires spending money that doesn’t have a visible return; however, with the average compromised record costing $154 according to the Ponemon Institute’s 2015 Cost of Data Breach Study, even a moderate breach can quickly generate a large liability.
  4. Evaluate the insurance implications and whether purchasing supplemental cyber coverage makes sense for your organization. The cyber insurance marketplace has expanded dramatically over the last few years. Insurance can play a significant role in mitigating the risk associated with a breach.
  5. React not only with integrity but also with agility and empathy toward those impacted. Tension often increases in the midst of a breach, and how you respond can greatly impact your organization’s reputation and long-term viability.

CPAs can take steps to ensure that they are adequately protecting their firm’s or client’s information. The AICPA has resources available to help members prepare for a potential cybersecurity breach, including the Forensic and Valuation Services and Information Management and Technology Assurance team’s whitepaper entitled The Top 5 Cybercrimes. Additionally, a Top 20 Cybersecurity Checklist can be found in the IT Corner of the AICPA Private Companies Practice Section website.

Have you helped prevent a cybersecurity breach at your firm? Have you helped your firm or client in the aftermath of a cybersecurity attack?


Joel White, CPA, CGMA, Director- Internal Audit, Risk & Compliance, American Institute of CPAs

Mission Impossible image courtesy of IMDB.com


