Cyber Exposures: The Saga Continues.

Author: Holl, Suzanne M.

There seems to be a new cybersecurity story in the news every day, from attacks on major infrastructure to small companies being held for ransom. Therefore, it should be no surprise to anyone that CAMICO is also seeing an uptick in the number of cyber-related claims impacting CPA firms, and the severity of these cybercrimes and ransomware attacks has grown in recent years.

As you would expect, first-party cyber exposures (damages experienced by the CPA firm) have become increasingly problematic as cyber criminals are targeting firms and tax professionals with greater frequency because of their abundance of client data. If they're successful in gaining access to the firm's information, there can be costly measures that need to be taken by the firm, including hiring IT forensic experts to determine the extent of the breach, consulting with attorneys specializing in data breach laws and providing credit monitoring to those impacted by the breach.

What may be surprising to some CPAs, however, is the increase in third-party cyber exposures that are impacting firms. These situations often arise when a client has been hacked and the hacker has penetrated the client's computer system.

Once inside, they can cause losses for which the CPA firm may be blamed, in part or in whole.

These claims typically include allegations such as failure to detect the red flags associated with communications that were executed by the hacker, falling below the standard of care by initiating wire transfers without "proper" client authorization, failure to "warn and advise" clients of the potential risks/threats of cyberattacks, and the list goes on.

The Human Element

It's important for CPA firms to understand that cyber threats are not just an "IT problem," as the No. 1 root cause of cyber breaches continues to be the "human element." People are considered by many experts to be the weakest security link, and according to the 2021 Verizon Data Breach Investigations Report, 85 percent of breaches involved a human element.

Although people may be viewed as the weakest security link, with proper training and strict adherence to firm-wide protocols, firms can and should consider their people as the first line of defense against cyber threats.

For example, firms can help to minimize the potential for innocent mistakes made by people by putting in place cybersecurity awareness education and training to alter employee risk behaviors and create a sense of shared accountability...
