Accounting Security and What to Do if Your Firm Is Hacked

Get the key components of a breach incident response plan, plus best practices for communicating the breach to employees, clients and other vested parties.

minute read

Last Updated July 5, 2023


Accounting Security Should Be Priority #1

Accounting firms are being targeted by cybercrimi­nals for the significant amount of PII (personally identifiable information) and financial data which the firms have been entrusted with by their clients.

The size of the firm doesn’t matter to the hacker groups.

While larger firms may provide a bigger payday, medium and smaller firms are often easier targets and at higher risk. They often don’t have the accounting security defenses, cyber training, or technical resources to protect their firm from being hacked.

All it takes is one employee inadvertently clicking on a compromised link in a phishing email or text message, plugging in an infected USB thumb drive, reusing a compromised password, or not updating their computer or WiFi router timely, and the hackers are on their way to taking control of the firm’s computer systems and data. When that happens, your firm better be prepared.

Firms will benefit from having a written incident response plan which they have walked through previ­ously with firm owners, as the worst time to plan a breach response is after it has occurred.

The focus of the plan should be on minimizing damage and providing a measured, thoughtful response that shows the firm has taken back control.

To help firms get started, we outline the key components of breach incident response below and considerations in communicating the breach to employees, clients, and other vested parties.

Get the CPA Cybersecurity Checklist to help guide your accounting security planning.

Accounting Security Includes a Breach Incident Response Plan

Incident Response Team

The incident response team should include firm owners, IT personnel, key vendors, and cybersecurity resources.

This includes external accounting security expertise with forensic skills to identify and remediate the breach, law enforce­ment contacts and legal resources to ensure the firm responds appropriately to regulatory requirements, and the skills of a public relations firm may be required to communicate the plan.

If the firm has cybersecurity insurance, the provider may already have many of these resources available to the firm. The firm should work with the provider to document these contacts.

Incident Response Plan

The incident response plan should be written in a concise step-by-step format that is readily available to key stakeholders (i.e., a PDF on their smartphone or hardcopy in the firm manager’s office.)

While preven­tion should be one of the primary responsibilities of the firm’s IT security team, policies must be in place to detect a possible breach and to notify the security team of anomalies so they can be investigated.

This includes educating employees on warning signs that they may have been hacked.

If the IT team identifies that a potential breach incident has occurred, they will invoke procedures to stop the intrusion and contain the dam­age as much as possible.

This will most likely require the assistance of external cybersecurity and forensic exper­tise, who will have the depth of experience in eradicat­ing various threats and solutions necessary to prevent a recurrence.

This is particularly important if the firm’s files are encrypted with ransomware requiring backups to be restored that may also be infected with malware.

The firm should work with attorneys that understand the regulatory and reporting requirements (such as public notification, credit reporting, etc.), as well as the local FBI office, before communicating the incident.

As cyber threats continue to evolve, it is important for the firm to review, update, and walk through their incident response plan at least annually.

Find out how accounting firms can get the security help they desperately need.

Incident Communications

The final phase of the incident response plan is commu­nicating the breach information publicly, which should be done in a coordinated, measured way, so it is obvious that the firm has taken control of the situation.

Consider the following when creating your response plan:

1. Timely Response

One of the first questions that firm owners will need to respond to is, “When did you first become aware of the breach?”

Studies have shown that the quicker and more thoroughly a firm responds to a cyber breach, the smaller the financial consequences.

Consequently, it is imperative that the firm have an incident response plan and team in place to respond quickly to a breach.

2. Transparency

Being truthful and accurate in communicating breach information is important to sustain trust with employees and clients throughout the breach event.

After the cause and extent of the breach have been identified, and the firm has implemented a plan to remediate the damage (including steps to ensure that it will not happen again), these steps should be laid out in a comprehensive factual manner.

The message should also include the legal and regulatory requirements for impacted clients and remuneration that the firm will provide to those that have been impacted.

3. Controlled Message

Controlling the message to provide a consistent response is critical as incomplete or conflicting information creates speculation and uncertainty.

The incident response plan should identify a central representative who will deliver the message to firm personnel, clients, and the media, if necessary, so they are all getting the same information as close to the same timeline as possible.

4. Confident Remediation

One of the most important components of incident communication is outlining the steps the firm has taken to remediate the breach.

This would include the response and solutions the firm has implemented, as well as the training of firm personnel to minimize the possibility that this type of breach could occur again.

The firm must also be able to lay out how they are meeting the regulatory requirements of notification and assisting clients and other parties potentially impacted by the breach.

Get the CPA Cybersecurity Checklist to help guide your accounting security planning.

Prepare for a Cyber Attack

While no one wants to be hacked, the reality is that it is more likely a matter of “when” rather than “if” the firm will experience a cyber event.

Having a qualified team in place, either independently identified or organized through your cyber insurance carrier, will ensure you can respond quickly.

And finally, being prepared for such an accounting security breach event with a written incident response plan will mini­mize the financial and reputational damage the firm will experience.

Find out how accounting firms can get the security help they desperately need.

A version of this content originally appeared in the Thomson Reuters Accounting and Auditing Newsletter.

Recommended For You

5+ Facts About Cloud Data Security

Subscribe to our blog

Get Rightworks articles delivered straight to your inbox.