Your CPA Can Make a Great Risk-Manager

Cybersecurity takes a village. Here’s why that village now includes your accountant.


A new paper from the Center for Audit Quality (CAQ) is helping define CPAs’ roles in cybersecurity. What could a CPA possibly have to do with cybersecurity? The answer is: more than you think.

CAQ’s paper, “The CPA’s Role in Addressing Cybersecurity Risk,” points out that accountants are “viewed by management and boards as trusted advisors who have a broad understanding of businesses, who receive appropriate annual training, who comply with a code of ethics, and who are subject to rigorous external quality reviews.” This is greatly beneficial to the enterprise. In-house accountants can be valuable in evaluating cybersecurity practices in the context of business objectives. And contracted CPAs can serve as strong risk-management advisors.

“Customers, investors, boards of directors, and even government officials want to know more about what companies are doing to address cybersecurity,” says Susan S. Coffey, Executive VP of the Association of International Certified Professional Accountants. “As in a financial statement audit, a CPA’s opinion is designed to enhance stakeholders’ confidence in the cybersecurity information prepared by company management.”

Firms are starting to take this responsibility seriously, not just to advise their clients, but also to nurture those relationships by protecting themselves from growing threats. “CPA firms are especially vulnerable due to the volume of records they [work with],” writes The CPA Journal, “often containing sensitive personal and financial information.”

graph courtesy of TechTarget

“We have already seen an increasing number of ransomware attacks, or cyber extortion, in the CPAGold program,” Ricard Jorgensen, president of the insurance company Jorgensen & Company, observed a year ago. “This is happening now.” Meanwhile, The CPA Journal cites a 2016 incident at an unspecified firm, during which operations went offline for four days during the end of tax season, “because a junior staffer downloaded an infected Excel macro.”

Undoubtedly, the loss of income in those four days far exceeded the ransom. (Although that’s on the rise, too: CSO Online reports that ransomware demands have grown from $294 to $1,077 in just a year.) Expensive interruptions in productivity, a tarnished reputation, and lost business can cause significant financial setbacks (see chart, above).

In reaction, the accounting industry is arming up. Robert Shields, who worked for two decades in the FBI investigating cybercrimes, now works in breach forensics for the accounting firm Sikich. “Today’s public accounting firms employ individuals with CPAs as well as other credentials specifically related to information technology and security,” says the CAQ report. “Four of the leading 13 information security and cybersecurity consultants are CPA firms.”

Educating employees about the signs of malware is essential, and buying cyber insurance is important. But ultimately, deploying smarter security software with the visibility to spot malware is a must, because SIEMs, firewalls, and endpoint detectors simply aren’t spotting sneak attacks. So it’s just as important for CPA firms to actively implement this type of threat detection as it is for enterprises hiring accountants to research their cyber policies. Look past the number-crunching, and your CPA may end up becoming one of your most pivotal risk-management team members.