Professional services firms, including accountants, are high-risk targets because they act as “aggregators” of sensitive information, and cyber risk and incidents remain a regular feature in news headlines around the world. This was most recently illustrated by the colossal breach of the IT systems of the Panamanian law firm Mossack Fonseca (see our article on the Panama Papers for more detail). The threat is so wide-ranging that tackling the subject and deciding how to mitigate the risk can be a real challenge for professional services firms, including accountants.
In some ways the term "cyber" has been helpful in raising awareness of technology-linked risks, but at the same time this amorphous term can be confusing when it comes to identifying what the related risks actually are. If national governments and global financial institutions have yet to agree on the scope of cyber risk (there is no comprehensive framework for the risk assessment of cyber catastrophes), then there should be a healthy dose of sympathy for a typical accountancy firm trying to do the same.
One simple view of “cyber risk” is to break it down into two concepts: operational and informational risk.
Operational cyber risk arises out of a firm's unprecedented reliance on electronic systems and the devastating effect on business that can occur when those systems are interrupted or interfered with. In January, Lincolnshire County Council lost access to its systems for over a week following a fairly unsophisticated cyber attack.
In February 2016, as part of a seminar on cyber business interruption, we considered a case study involving a fictional law firm called Uber Law which fell victim to a malware attack and suffered 3 days of interruption as it had to rectify 300 infected computers. You can watch a summary of the case study here, and the entire seminar here.
The financial losses suffered by professional service firms due to operational cyber risks are typically not insured under their industry's Minimum Terms, driving demand for new dedicated cyber coverages either as standalone policies or as an “add-on” to existing policies.
Informational cyber risk arises out of the legal and commercial risks attaching to data and information. Accountancy firms are no different to any other company in holding ever increasing volumes of electronic data. While many firms will have already taken steps to ensure the security of the data that they hold, the ever-changing cyber environment means that it can be challenging for firms to keep up with new developments and the associated risks. As a result, cyber security measures should be reviewed and updated regularly.
The massive data breach suffered by Mossack Fonseca grabbed headlines around the world and demonstrated the informational risk that professional service firms carry not only for their clients, but their clients’ clients. For many years, cyber security commentators have warned how professional services firms, including accountants, are high risk targets as they act as “aggregators” of sensitive information.
The Panamanian breach and other high profile data breaches in the UK have served to highlight how unacceptable it is for companies not to have a clear understanding of what data they hold, what they are doing with it, and how it is secured. One security commentator remarked that Mossack Fonseca showed an “astonishing” disregard for security.
When considering the operational and informational aspects of cyber risk, it quickly becomes clear that cyber is a risk that can only be mitigated, not eliminated. Therefore, companies should also prepare and rehearse for cyber and data breach incidents, and consider purchasing cyber insurance coverage.
Ensuring that the following precautions are in place and up to date may help minimise the risk of a data attack:
- Ensure there is appropriate vetting of employees with access to confidential data;
- Require employees to change passwords frequently;
- Use additional layers of IT security for those accessing data remotely such as home workers;
- Ensure IT is properly managed and overseen by senior IT members responsible for an efficient and modern system (adopting the best security practices available);
- Ensure appropriate IT education is given to staff;
- Restrict those employees/officials who can access the entire internal system;
- Spread data across multiple infrastructures to limit the impact of a leak;
- Prepare an incident response plan to be followed in the event that the system is attacked; and
- Review your IT policy and cyber security measures regularly to ensure that they are up to date and effective.