Risk Management for Accounting Firms

    Game Plan

    Data and Security Breaches

    Virtually every business collects and stores personal information on both employees and clients. But accountants may have more sensitive data in their computers and file cabinets than just about any other service provider, making the protection of that data critical to the survival of their business.

    A loss or compromise of client data may expose a CPA to:

    • Claims for damages. A client or a third party can bring direct claims to recover the costs of any damage caused by the breach, as well as cross-claims, in the form of individual or class action lawsuits, seeking indemnification from the firm for damages resulting from the data exposure.
    • Compliance costs. According to Symantec’s 2013 Cost of a Data Breach study, the average cost to a business of each compromised record is $159. Some of this is to comply with state notification laws (currently 46 states have such laws), along with forensic investigation, and credit monitoring services.
    • Reputation damage. Accountants depend on absolute trust from their clients. A perception of unprofessionalism can result in clients heading for the exit and an immediate loss of revenue. It can take years to restore client confidence and rebuild a reputation.

    Mitigation Measures

    • Follow best practices for creating strong passwords for all electronic files. Consider using a password management program to generate and store passwords. According to the Verizon RISK Team 2012 Data Breach Investigations Report, about three-quarters of network and computer intrusions by hackers were due to weak passwords.
    • Encrypt client data. Encryption not only makes it harder for others to get their hands on the information, it can also put your clients’ minds at ease and increase trust. This is especially important for data stored on mobile devices, which are more prone to theft.
    • Install antivirus programs on all computers, including laptops, and keep the software up-to-date. Train employees on how to avoid becoming a victim of malware and phishing scams, and how to protect laptops from theft.
    • Back up with the 3-2-1 rule. Maintain three copies (the original and two backups) of all important data and documents. Use at least two different types of storage media (hard drives, thumb drives, cloud servers, paper). Keep one backup offsite, preferably in a cloud-based remote data center.
    • Paper records should always be under lock and key. Restrict access to an as-needed basis.
    • Get insurance. At a minimum, it is prudent for any small business to have a Business Owner’s Policy. However, because collecting and storing sensitive data brings unique risks, accountants would be wise to consider additional coverages, such as insurance solutions for data breach and data loss protection. This Coverage Identifier can help you learn about the types of insurance accounting firms typically use to protect their businesses.