5 Myths CPAs Believe About Cybersecurity

The stereotypical accountant is tenacious and organized, and is able to explain complex financial matters in simple terms. These personality traits, however, can lead CPAs to the false conclusion that they and their accounting firms are immune to cybersecurity risks. For example, an accountant might conclude that only his or her client is in possession of the data and information that a hacker might want, whereas much of that data might be in the accounting firm’s possession as part of its services for its clients.

Accountants need to remain aware of at least five myths that can raise their exposure to a serious data breach and devastating financial losses and liabilities.

Here are The 5 Myths that CPAs believe with Cybersecurity:

Myth #1: Our accounting firm is not a likely cyberattack target

More than 60 percent of all cyberattacks target small and medium-sized businesses. When a cyberattacker is unable to break into a small business’s networks directly, he or she looks for bridge access through an alternate source that is easier to breach. Accounting firms that have weaker firewalls and fewer cybersecurity protections are the easiest path. Moreover, firms in the financial services industry are statistically more likely to be targets of cyberattacks than companies in other industries.

Myth # 2: Our technology and firewalls will protect us

Protective technology is only as strong as its weakest link, and an accounting firm’s employees may be the weak link that exposes the firm to losses and liabilities in a cyberattack. Technology cannot prevent an employee from inadvertently clicking on a malware link in a communication from an unknown source. Human fallibility is typically at the source of a cyberattack. An accounting firm can invest in cyber education and install multiple defenses against hacking, but accidents caused by human error will happen.

Myth #3: Hacking requires detailed technical knowledge and financial resources

Hackers are subject to the same market forces and incentives that affect other industries. As a result, rather than spending time and energy to create their own data breach tools, hackers are now able to purchase low-cost malware and other cyberattack kits on any of several Dark Web hacking marketplaces. These tools eliminate the need for in-depth training and technical knowledge and open the prospects for hacking to a larger group of cybercriminals. More potential hackers translates into higher hacking exposure risks for all entities, including accounting firms.

Myth #4: Recovering from a cyberattack will not cost a lot of money

A cyberattack on a bank results in average costs and losses of almost $2 million. Financial services firms typically spend more than $1 million to recover from a data breach. Financial losses are only part of the equation. A small Connecticut accounting firm that had fewer than ten employees suffered a data breach that exposed 900 client records. A small firm that devotes years toward building trust among its client base can lose that trust and its clients’ confidence almost overnight when client records are lost or stolen. The intangible costs of a cyberattack are never exaggerated.

Myth #5: Insuring against losses and liabilities from a cyberattack is too expensive

Cyberliability insurance rates for accounting firms are typically a function of the firm’s revenues. A typical CPA insurance company, for example, might set a premium of $1,200 on a one million dollar policy for a firm with annual revenues of $100,000. Small and medium sized businesses incur average losses of $154 per record when they experience a data breach. Accordingly, an accounting firm that loses 1,000 client records might be exposed to a $154,000 loss. An annual cyberinsurance policy premium of $1,200 is more than justified in view of the magnitude of this loss. The coverage that a cyberinsurance policy provides will also allow the accounting firm to devote more resources toward re-establishing valuable trust relationships with its clients.