Cybersecurity

It’s a startling reality: a cyberattack occurs every 14 seconds,1 costing an average of $3.92M per breach in the U.S.2

The threat of cybercrime

How finance and accounting professionals can lead the way

Cybersecurity: Why it matters

It’s a startling reality: a cyberattack occurs every 14 seconds,¹ costing
an average of $3.92M per breach
in the U.S.²

Cybercrime disrupts businesses and governments, damages reputations and drains resources. Unfortunately, opportunities for cybercriminals have grown thanks to the open nature of the internet, increasing volumes of
e-commerce and the quick shift to remote working brought on by the COVID-19 pandemic.

What are you doing to protect your clients or organizations? There's a lot accounting and finance professionals can do in the fight for better cybersecurity.

Why should CPAs care about cybersecurity? This video explains.

Don’t assume cybersecurity is solely the job of IT professionals. Organizations are looking to protect their client, customer and financial data, and CPAs are uniquely suited to lead the charge.

With the right skills and training, you can be well-equipped to advise businesses on cybersecurity best practices, perform cybersecurity readiness assessments, and help them develop or strengthen their cybersecurity risk management programs.

Read on to learn more about the opportunities in cybersecurity and how you can hone your skills through our free CPE Digital Mindset Pack and other learning resources.

AICPA^® members :
access cybersecurity learning
through the free CPE
Digital Mindset Pack.

What is cybersecurity and what’s at stake?

Cybersecurity is the protection of computers, networks and information from theft, damage or unauthorized access.

Cyber thieves, or ‘bad actors,’ infiltrate a business’ systems and gain access to customer data to steal their financial details (or even their identity) and commit fraud.

Some common tools and techniques used by criminals include:

Malware (malicious software) attacks

Malware threatens a business’ ability to operate. Types of malware include:

Worms — A standalone software takes control of business systems and equipment without the operator’s knowledge
Viruses — A piece of code spread by an infected host file replicates itself and corrupts a computer’s system or deletes data
Ransomware — A cyber thief blocks users’ access to files and demands a ransom to regain access

Information theft and fraud

Cyber thieves may also send scam emails to employees in hopes of gaining access to a person’s personal or financial data. Types of email scams include:

Phishing — This scam dupes employees into thinking an email is from a trusted source so they click on an infected link that downloads malware.
Whaling — A variation on phishing, which targets one big fish — often the CFO. The email might appear to come from the CEO or a regulator, looking like an urgent demand to pay a supplier or settle a fine.

Cyberattacks are bad business.
The implications of a data breach
can be long-lasting.

A cyberattack on a business can:

Damage brand reputation
Erode customer and stakeholder loyalty
and trust
Slow productivity
Cause significant financial loss

A large-scale cyberattack can cause even greater harm: massive economic damage, geopolitical tensions and widespread loss of trust in industries.

With so many potential threats, it’s vital that CPAs understand what cybersecurity is, the solutions available, and how to establish a strong security framework for mitigating risks and keeping information safe.

Article ▶

A 6-point security checkup
for working from everywhere

The rise of cybercrime and the opportunity for CPAs

Cybercrime is the fastest growing crime in the U.S.³ and is estimated to cost $6T⁴ in damages by 2021. There are many reasons for this increase:

Accelerated digitalization

As people and businesses increasingly move their personal lives and business operations online, more opportunities are created for cybercriminals.

Move to remote work

Data breaches increased by 273% in the first quarter of 2020, compared to the same time last year.⁵ COVID-19 quickly forced employees to work remotely and introduced vulnerabilities, as staff logged into their work emails from unsecure home networks. Many employers also didn’t have cybersecurity risk measures in place and had not fully educated staff on best practices.

Complexity of supply chains

Today’s intertwined supply chains make an ideal breeding ground for cybercrime. In fact, 40% of security breaches are indirect attacks that target weak links in the supply chain.⁶

Sophistication of cyber attacks

Cyber thieves are finding new, innovative ways to hack into systems. Employees can unintentionally compromise data and systems by falling for sophisticated scams, such as phishing and whaling.

Benefits of a strong
cybersecurity program

Organizations need to make cybersecurity a strategic priority. Long-term consequences of cybercrime, such as large financial hits or a decline in customers’ trust, can take years from which to recover.

A strong cybersecurity program:

Protects client and customer information
Increases customer and stakeholder confidence
Improves productivity (viruses slow systems)
Prevents significant financial loss
Contributes to favorable brand reputation

CPAs’ role in
cybersecurity

As a CPA, you can play a critical role in protecting your organizations and clients with a strong cybersecurity risk management program. What makes you qualified to lead cybersecurity efforts?

Your expertise in risk management
Your knowledge of financial data flows
Your understanding of systems and controls
Your intelligence in IT and technology
Your experience using cybersecurity tools and frameworks
Your position as a trusted adviser

Protecting businesses from cybercrime

There are many things you can do to protect your company from cybercrime.

The following are some best practices for developing a cybersecurity roadmap and assembling a cross-functional team to prevent, detect, manage and mitigate cyber risks.

Plan

Seek executive buy-in. An informed and involved CEO is critical for a strong cybersecurity culture.
Conduct a risk assessment to identify weaknesses in systems and controls.
Conduct a pen test to take a look at your business from the perspective of a potential attacker.
Invest in tools to increase visibility into all applications, data and devices and how they are connected.
Explore the benefits of cyber insurance.
Appoint a head of cyber and data security with sufficient resources and budget.

Prepare

Give cyber-awareness training to all staff and carry out regular tests like phishing or fake invoices.
Create a comprehensive set of security policies and incident response plan
Perform continuous monitoring to comply with external regulation and internal polices
Ensure antivirus software is up to date and that trusted software patches or updates are installed.
Back up files securely and regularly.
Be prepared for the inevitable: from time to time, cyberattacks will get through.

Detect

Prioritize incidents based on business impact.
Monitor activity to identify risk events.
Consult with insurance carriers and legal (internal/external) specializing in data security regulatory requirements and state and federal law.
Perform necessary technical investigations (assessment, network, system and device forensics)
Identify initial cause (patient zero) and coordinate the required specialists to help restore operations.
Determine the likelihood of misuse and damage as a result of the data compromised.
Summarize threat analysis results and finalize the incident report.

Respond

Track, document and measure impact.
Focus on rapid and effective incident response.
Respond to all data breaches in a timely, transparent and cost-effective manner to maintain and restore customers’ trust.
Develop a corporate mindset that is open about mistakes, eager to learn, and quick to make changes.
Maintain transparency and report the incident to all appropriate parties.

Tools and best practices

Even with the right controls in place, every organization could experience a data breach at some point. Here are the basics that every organization should follow.

Conduct a risk assessment to identify weaknesses in systems and controls.
Create a comprehensive set of security policies.
Follow best practices including:
- Configuring systems to require strong passwords

- Regularly patching computer systems
- Implementing multi-factor authentication for
remote access
Conduct regular security awareness training for staff.

Hire a CPA firm

If your company doesn’t have the staff or expertise to adequately address all the steps required for a robust cybersecurity program, consider hiring an independent CPA firm. Whether your organization is designing a new cybersecurity program or needs an assurance report on one already in place — CPAs skilled in information management and technology can assist.

For more guidance and quick tips, watch this collection of short cybersecurity videos.

Tool ▶

AICPA cybersecurity risk management reporting framework

Use our risk framework to help you communicate and report on the effectiveness of your organization or clients’ cybersecurity programs. The framework provides a common language for organizations to describe their cybersecurity risk management efforts (in the description) and for CPAs to report on those efforts.

How CPAs can help with clients’ cybersecurity needs

The cybersecurity market is
expected to grow to $248 billion
by 2023.⁷ Boards of directors and audit committees want greater assurance and transparency that the companies they serve are establishing effective cybersecurity risk management programs.

Regardless of your firm’s cybersecurity expertise, you can play a role in protecting your clients from cybersecurity threats.

Firms with limited
cybersecurity knowledge

If your practice is not yet ready to make cybersecurity a key practice area, you can still show concern for your clients by asking about what kinds of protections they have in place, staff training programs, privacy and security policies, response plans and other controls that help mitigate risks. You can also connect them with experts who can help them put together an effective cybersecurity risk management program. If your firm is looking to grow its knowledge of cybersecurity, consider upskilling staff or partnering with a firm that has this expertise.

Firms with knowledge and experience in cybersecurity

If your firm specializes in information technology, you may be well-equipped to step in and provide advisory services including:

Readiness assessments and gap analysis
Cybersecurity or information security risk assessments
Vulnerability assessments and penetration testing
Application security and database security assessments
Information security policy development
Data classification process design and consulting
User life cycle management consulting
Social engineering and awareness training
Security incident response program development and testing
Disaster recovery plan consulting

Cybersecurity Assurance Services

If your firm is already offering advisory services or other third-party reporting examinations, offering SOC for cybersecurity examination services would be a next step.

Using the AICPA’s SOC for Cybersecurity framework, you can provide assurance over the effectiveness of controls over an organization’s cybersecurity risk management program, helping build trust and transparency for customers, investors and leadership.

Benefits of a SOC for cybersecurity examination include that it:

Provides an independent, entity-wide assessment of an organization’s cybersecurity risk management program
Helps reduce uncertainty and build resilient organizations by evaluating the effectiveness of existing cybersecurity processes and controls
Permits flexibility by not constraining management to a particular security management framework or control framework
Results in general use report

Strong cybersecurity and transparency about how data is used go a long way toward customer loyalty and trust. CPAs can help their organizations and clients get their cybersecurity on track for a more secure future. For more resources to help you get started on the path to learning all things cybersecurity, check out the resources and tools on the next page.

How-to Guide ▶

The benefits of SOC for cybersecurity

Explore more resources

Resources

A CPA’s introduction to cybersecurity

Cybersecurity Advisory. Where Did Our Data Go?

What do CPAs need to know about cybersecurity?
This 30-second video explains.

COVID-19 decisions create data dilemma for businesses

Chartered Global Management
Accountant^® (CGMA^®)

CGMA is the most widely held management accounting designation in the world. It distinguishes more than 150,000 accounting and finance professionals who have advanced proficiency in finance, operations, strategy and management. In the United States, the vast majority also are CPAs. The CGMA designation is underpinned by extensive global research to maintain the highest relevance with employers and develop competencies most in demand. CGMA designation holders qualify through rigorous education, exam and experience requirements. They must commit to lifelong education and adhere to a stringent code of ethical conduct. Businesses, governments and not-for-profits around the world trust CGMAs to guide critical decisions that drive strong performance.

cgma.org

Association of International Certified
Professional Accountants

The Association of International Certified Professional Accountants^® (the Association) is the most influential body of professional accountants, combining the strengths of the American Institute of CPAs^® (AICPA^®) and the Chartered Institute of Management Accountants^® (CIMA^®) to power opportunity, trust and prosperity for people, businesses and economies worldwide. It represents 650,000 members and students in public and management accounting and advocates for the public interest and business sustainability on current and emerging issues. With broad reach, rigor and resources, the Association advances the reputation, employability and quality of CPAs, CGMA designation holders and accounting and finance professionals globally.

aicpa-cima.com

Association of International Certified Professional Accountants

aicpa.org
aicpa-cima.com
cgma.org
cimaglobal.com

For information about obtaining permission to use this material other than for personal use, please email mary.walter@aicpa-cima.com. All other rights are hereby expressly reserved. The information provided in this publication is general and may not apply in a specific situation. Legal advice should always be sought before taking any legal action based on the information provided. Although the information provided is believed to be correct as of the publication date, be advised that this is a developing area. The Association, AICPA, and CIMA cannot accept responsibility for the consequences of its use for other purposes or other contexts.

The information and any opinions expressed in this material do not represent official pronouncements of or on behalf of the AICPA, CIMA or the Association of International Certified Professional Accountants. This material is offered with the understanding that it does not constitute legal, accounting or other professional services or advice. If legal advice or other expert assistance is required, the services of a competent professional should be sought.

The information contained herein is provided to assist the reader in developing a general understanding of the topics discussed but no attempt has been made to cover the subjects or issues exhaustively. While every attempt to verify the timeliness and accuracy of the information herein as of the date of issuance has been made, no guarantee is or can be given regarding the applicability of the information found within to any given set of facts and circumstances.

Founded by AICPA and CIMA, the Association of International Certified Professional Accountants powers leaders in accounting and finance around the globe.

© 2020 Association of International Certified Professional Accountants. All rights reserved. AICPA and American Institute of CPAs are trademarks of the American Institute of Certified Public Accountants and are registered in the US, the EU and other countries. The Globe Design is a trademark of the Association of International Certified Professional Accountants and licensed to the AICPA. 2006-20126

Footnotes:

1 Cybersecurity Ventures 2019 Cybersecurity Market Report

2 IBM and Ponemon Institute The Cost of a Data Breach, 2019

3 Protect against the fastest-growing crime: cyber attacks

4 Cybercrime Damages $6 Trillion By 2021

5 Cybercrime ramps up amid coronavirus chaos, costing companies billions

6 Lessons from leaders to master cybersecurity execution

7 Cybersecurity Market worth $248.3 billion by 2023