Accountancy firms make attractive targets for cyber criminals and are experiencing an increase in cyber-attacks. The sector has become a prime target for a number of reasons, but particularly because accountants hold large amounts of confidential and sensitive client information which has considerable value to cyber-criminals.

By their very nature, accounting firms often handle their clients' most sensitive information, including financial details, tax returns, identification numbers, asset investments, corporate strategies and intellectual property, relating to both private individuals and businesses. Any of this information, if leaked, could cause devastating financial loss and reputational damage.

Many believe that threats to the accounting sector are focused on the large firms. This is perhaps prompted by the dominating headlines regarding data breaches against high-profile businesses (e.g. Deloitte and PwC). The impression that smaller firms are not as vulnerable is far from true, and in fact traditional accountancy firms (particularly those in the small to mid-market) are seen as soft targets.

Larger organisations often have greater security budgets and resources to implement strong perimeter and internal defences, while smaller businesses may not have the internal resources to commit that same level of investment into IT security.

It is beyond doubt that accountancy firms are facing the same sort of cyber-risks as any other business. Moreover, accountants arguably have a role in advising their clients on the broader strategic and operational aspects of their businesses, necessitating a greater understanding by accountants of the current cyber-threat landscape.

Are We Really at Risk?

PwC estimates that financial institutions are over 30% more likely to be targeted than other businesses, and the statistics certainly seem to reflect this.

Business and professional services consistently feature in the top five most attacked sectors. Phishing attacks - fraudulent attempts to obtain information through an electronic form of communication, whereby the criminal disguises him or herself as a trustworthy contact - are typical. The criminal often uses an email as a type of weapon to try to obtain information or to get the recipient to click on a link or download an attachment.

Beyond the exposure to external cyber criminals, professional firms are vulnerable to attack from within. Rogue employees are a major threat, as are the inadvertent actions of staff (for example, involving lost or stolen devices).

The risks associated with the use of tablets, smartphones and other devices cannot be overstated – with increased access and flexibility comes a much greater security risk, from data leaks to harmful malware and viruses. Such threats present a considerable risk which needs to be understood and mitigated as much as possible.

In addition to the financial impact, the potential reputational damage must be appreciated. This sector is founded on trust and discretion - those practising have client confidentiality as a core value. Maintaining a healthy reputation is at the heart of any successful accounting firm and is a key part of its business strategy.

Loss of client data can have a devastating impact on the firm's credibility and its long-term position in the marketplace. Failure to protect highly sensitive client information can put an entire practice at risk.

Case studies

A Chain Reaction

A recent malware attack on a global provider of accounting software had a profound effect on a broad range of business platforms. The firm was forced to take some of its cloud-based software applications offline. Service to most of its customer applications and platforms was restored over a 6-day period and a full investigation was undertaken. The firm's accounting clients were subjected to major interruptions and delays of their own while their own clients' data could not be accessed.

A Taxing Issue

A tax professional received an email ostensibly from a client. The email was far from being riddled with spelling errors and other tell-tale signs which might indicate that it was fraudulent, and the experienced accountant was duped. Despite having completed training on how to spot phishing emails, the accountant did not recognise the “phish” and responded to the email, owing to the sophistication of this particular scam and the careful timing of the email, which coincided with a busy tax period.

The cyber-criminal then sent a file purportedly containing the client's tax information which, once opened by the tax consultant, caused malware to spread throughout the computer system, allowing the scammer to steal private information. Confidential information was subsequently used by the criminal to access bank accounts and send further fraudulent emails to other contacts in the accountant's address book, which looked like they were coming from the advisor directly.

The Value of Data

Global accounting firm Deloitte faced a significant disruption when its email was hacked and data on 350 clients was accessed. Deloitte has confirmed that since this attack, its security protocol has been subject to a comprehensive review, involving a team of cyber security and confidentiality experts.

Cyber Specific Insurance

We cannot overstate the importance of implementing a comprehensive cyber-security strategy for your accounting sector organisation. At Lockton, we act for many accounting firms throughout the UK. This gives us excellent insight into the industry's cyber purchasing habits and the exposures it faces.

It is worth mentioning that many traditional policies may not respond to a cyber incident. Further, if a policy does respond, it may only respond to third-party liabilities and not first-party costs, so when faced with a traditional 'cyber breach', affirmative cover under a standalone cyber policy may be vital.

A cyber policy is designed to respond to the following events, which wouldn't necessarily be met by more traditional policies:

a. Data breach from an external cyber attack

b. Reputational and financial loss from a computer system's failure due to a malicious attack

c. Regulatory defence and civil awards, fines and penalties as a result of a security breach (as insurable by law)

d. Breach response costs

e. Ransom request following computer systems attack

A cyber-attack can have far-reaching ramifications for the accounting sector. Understanding the risks and proactively mitigating them is key. Our team of cyber risk experts will work with you to create a customised solution that protects and insures your business exactly where you need it, and ensures that cyber risks are integrated into your risk management process. Rebuilding confidence is vital.

Your clients' data security is in your hands. Place your business security in ours.