By this point, every CPA knows that CCH was attacked by malware in early May, causing a mass outage of its platform for several days and leaving a large swath of the accounting world unable to prepare returns or bill clients.

No doubt CCH could have done many things to prevent the attack—but so could have Target, Equifax, Adobe, and Sony. The truth is that no matter how great security is, breaches still happen, and it was only a matter of time until one happened to one of the large accounting players. It’s also only a matter of time until one happens to your firm.

This is not to say that CPA firms should not try to prevent these attacks. But the most important lesson to take from the CCH attack is that every firm needs to have a plan of action in the event an attack happens anyway. A great prevention plan is vital, but a great reaction plan is just as important.

It’s fairly evident that CCH did not have a reaction plan, or they did not put it into practice, because the attack left its customers in the dark for two days; in addition, no one in the company knew what was going on for long periods of time. This reaction exacerbated the problem, made customers angry and upset, and caused chaos internally and externally. As a result, CCH looked like it didn’t know what it was doing, which is never a good look for a technology company trusted by thousands of CPAs.

What to Do?

What can CPA firms do to get a reaction plan in place? First, it’s absolutely vital to have a cyberinsurance policy with adequate coverage for the cost of an attack. Second, firms need to constantly be working on prevention, which includes having a technology security plan, constantly testing the system for vulnerabilities, and training employees to look out for suspicious e-mails and malware. Most attacks occur through e-mail phishing schemes, and attackers grow more sophisticated every day. Google has released a great phishing quiz that anyone can take to see how good they are at seeing whether an email is legitimate or not (

Finally, CPA firms have to develop a postattack response plan that ranges from what to do if someone clicks on the wrong email to a worst-case scenario (e.g.,“hackers have stolen all of our tax returns and have all of our clients’ personal information”). Cyberinsurance carriers often can help formulate these plans.

Cybersecurity is not just for the large firms anymore; an attack can happen to anyone at any time, so it’s imperative that CPA firms prepare for the worst-case scenario. An attack is bad enough on its own; not knowing how to respond just makes the situation that much worse.

Jason L. Ackerman, CPA/CGMA, CFP is an accountant with Bernard N. Ackerman (BNA) CPAs, PA, in Rock Hill, S.C.