z

Professional services firms are becoming increasingly reliant on technology, to perform both internal and external functions, whether essential or non-essential. But with cyberattacks a growing fact of life, it is now a question of 'not if, but when' firms suffer a business-critical event. Addressing this exposure is a challenge that all professional services firms must meet.

You can find out more about how to protect your practice and your clients against cyberattacks by joining our free webinar with the ACCA on 19 June at 12.30pm BST.

Accounting firms are an attractive target

Irrespective of the nature of its business, every practice has assets of value which can be leveraged by cybercriminals or exposed to an indiscriminate computer virus.

According to the most recent Cyber Security Breaches Survey, 39% of micro and small businesses across the UK have identified a cyberattack, with 82% of those reporting phishing attempts, and 25% identifying a more sophisticated attack type such as a denial of service, malware, or ransomware attack.

Nevertheless, accountancy firms represent a particularly attractive target for cybercriminals, due in large part to the sheer volume of confidential and sensitive client information which such practices typically hold. Clients' financial details, tax returns, identification numbers, asset investments, corporate strategies, and intellectual property all constitute desirable information, and may relate to private individuals and businesses alike.

Where a firm's cybersecurity is breached, the consequences can be significant. For instance, the release of client information could lead to devastating financial loss for individuals and bring significant damage to a firm's reputation.

In one example with which Lockton is familiar, a recent malware attack on a global provider of accounting software had a profound effect on a broad range of their business platforms. The firm was forced to take some of its cloud-based software applications offline. Service to most of their customer applications and platforms was restored over a six day period, after which a full investigation was undertaken. The firm's accounting clients experienced major interruptions and delays of their own whilst their own clients' data could not be accessed.

Where firms are then found to have been negligent in their handling of data and cybersecurity measures, they may be the subject of lawsuits from clients.

Preventing business-critical cyberattacks

Given the potentially devastating impact of a cybersecurity breach, it's vital that firms take effective steps to prevent their occurrence.

As a preventative measure, firms must ensure that appropriate attention and investment be given to the levels of cybersecurity. This may include privileged access management, patching management, and SIEM (Security Information and Event Management) systems, as well as tools such as multi-factor authentication (MFA).

There must also be focus on ongoing risk management. Having suitable controls in place is essential to ensuring basic and common incidents can be avoided. These fall into three categories:

  1. Preventative controls – improving weaknesses in information systems to prevent the business from experiencing a cyberattack in the first place.

  2. Detective controls alert businesses to attempts to infiltrate their networks and warn them when a cyberattack occurs.

  3. Corrective controls – used after a cyber incident to minimise the impact and help to restore functionality as quickly as possible, for example with back-ups.

The extent to which firms are adequately prepared is likely to be dependent on size. Smaller firms typically lack the budget or resources to implement strong perimeter and internal defences, and thus represent low-hanging fruit for threat actors. This is reflected in the fact that 96% of all cyberattacks are directed at small and medium-sized businesses. Such firms are also more likely to pay ransom demands in the absence of appropriate advice or guidance.

On the other hand, while they are more likely to have strong cybersecurity measures in place, larger firms will represent a more valuable target for cybercriminals. Where such firms do suffer from cyberattack, the scale of the damage will be significantly greater.

Cyber insurance – a worthwhile investment

For all firms establishing financial and operational resilience is essential. An option to mitigate the risks that cyberattacks present is to take out comprehensive cyber insurance.

Doing so is not without cost. In the continuation of a trend more than a year in the making, premiums and self-insured retentions have ticked up, while limits continue to reduce. This is in line with a growing number of claims within the sector, and a rising average cost. As a result, many firms have deemed cyber protection too expensive relative to other forms of cover, such as professional indemnity insurance (PII).

But with cyberattacks occurring with increasing frequency, firms who choose to forego cyber protection must beware the significant gaps in their exposure. Contrary to popular belief, it remains the case that many traditional policies may not respond to a cyber incident. Where a policy does respond, it may only respond to third-party liabilities, and not first-party costs.

As a result, when faced with a cyber breach, affirmative cover under a standalone cyber policy may be vital. Such policies offer protection for businesses against risk relating to IT infrastructure and activities, including both malicious attacks and some types of inadvertent incident which cause harm to a business's network or data.

Policies will also offer partial reimbursement for the costs of responding to a cyber event, as well as resulting liabilities to third-parties.

Another significant benefit of a cyber policy is the breach response services provided, whereby the insured gets immediate access to an expert breach response team, including IT forensics, lawyers, PR and crisis management consultants, and ransom negotiators.

To minimise premiums, firms should instead focus on scrutinising their own exposures, with a view to providing underwriters with greater assurances around their cybersecurity controls.

For more details on our products and services, please visit our Global Cyber and Technology page, or contact:

Jack Bassett, Assistant Vice President Global Cyber & Technology

T: +44 (0)20 7933 1610

E: jack.bassett@lockton.com