« Busted: 3 spooky investing myths | Main | The trait that will prevent robots from stealing your job »

If you’re hacked, what’s your cybersecurity liability?

Cybersecurity liabilityCybersecurity attacks are inevitable. That’s the unfortunate reality. In fact, in a special report, Cybersecurity Ventures projects cybercrime’s global cost will reach $6 trillion by 2021. Now more than ever, organizations and accounting firms of all sizes need to be vigilant about protecting data and responding to threats.

What’s your liability?

That’s a big question we hear from firms regardless of whether or not they’ve been attacked. There are actually no uniform federal laws on business cybersecurity. But there is a patchwork of state rules. Under certain state laws, CPAs can face liability for cybersecurity breaches that expose personal information. Most states have rules for handling breach notifications and for what remediation measures need to be taken. Breach requirements depend on where the client resides – not where your firm is located. We encourage you to learn the dynamic requirements of states that apply to you.

Meanwhile, federal circuit courts are split as to what constitutes sufficient standing to sue in cyber breach cases. Some courts hold that companies may be liable for damages if client or employee data is stolen, even if the theft causes no harm; instead, it’s sufficient to merely allege that the information was compromised. This broad interpretation will only further increase the risk of cyber liability claims.

Take preventative action now

If someone sues your firm because of a data breach, you may have a stronger case if you can show that you’ve taken reasonable measures to help prevent an attack or theft. Setting up systems to assist in prevention is an important aspect of managing cybersecurity risk.  Here are three tips to get you started.

  • Start with an assessment. What are your cybercrime defenses? Do you have gaps in your data security procedures? Do you have controls in place? How do you document incidents when they happen? What is your response plan when incidents occur?

Mapping where you stand today and where your vulnerabilities might be is the best way to understand your next steps. The AICPA’s cybersecurity risk management reporting framework helps you assess existing risk management programs. The Private Companies Practice Section cybersecurity toolkit can also help you understand the most common cybersecurity threats.

  • Implement best practices. At a minimum:
  • Use encryption wherever appropriate to protect sensitive data. This includes laptops, desktops and mobile devices. Failing to do so threatens your data and your reputation.
  • Train employees to recognize threats and safeguard equipment and data.
  • Develop and practice your response plan for various situations such as a ransomware attack, hack or ID theft.
  • Back up your data so you’ll still have access to it if it’s lost or stolen.
  • Keep your equipment physically secure in your office and on the road.

Once again, the AICPA’s cybersecurity risk management reporting framework helps you consider the key elements of an agile, proactive approach to threats.

  • Get an outsider’s perspective. What better way to learn your firm’s vulnerabilities than to hire an expert for penetration testing? Through a penetration test, a third-party consultant will perform a test tailored to your firm’s needs and budget. They’ll provide insights on your firm’s vulnerabilities and educate you about solutions for protecting your practice. A consultant can also help you implement regular drills that test your firm’s response in the case of various attack scenarios.

Learn more

These are just a few steps to get you started in protecting private data — and your firm’s reputation. To learn more about mitigating and managing cyber risk:

  • Contact your professional liability insurance broker who can help you better understand risk control and risk transfer.
  • Access the AICPA’s new cybersecurity risk management reporting framework, which can help you assess risk and controls within your firm or within your clients’ organizations.
  • Attend “Beat the Breach,” on Nov. 1 at noon ET. This free webcast featuring Shark Tank star and cybersecurity expert Robert Herjavec discusses cybersecurity trends and best practices. Register now.

Stanley D. Sterna, J.D., Vice President, Aon Insurance Services, specializes in accounting professional liability.

Gretchen McCole, Vice President, Aon, Professional Firms, represents the accountants’ specialty and the AICPA Insurance Programs teams.

Cybersecurity liability courtesy of Shutterstock


Comments are moderated. Please review our Comment Policy before posting.


Subscribe in a reader

Enter your Email:

CPA Letter Daily