Sometimes the highest and best value that CPAs can provide to their clients and employers is to prevent problems from occurring or to recognize events that could have a negative impact. Accountants do not have to be information technology experts to help organizations recognize the risks from criminal uses of cyber tools, and probably understand better than anyone else the huge financial costs of technology risks. As an example, based on reports from multiple sources, the Equifax breach could cost the company up to $700 million (“Equifax to Pay up to $700 Million Over Data Breach,” The Trusted Professional, http://bit.ly/31cLvNe) in settlements from the 2017 disaster that released private information of more than 140 million Americans.
Technology risk requires daily attention, and this month’s column presents three resources with interesting information, tools, and tips to help equip CPAs to recognize potential problems.
WEF: Global Risks Report
The World Economic Forum (WEF) has issued a “Global Risks Report” for many years to identify and analyze a large number of risks, which are categorized as Economic, Environmental, Geopolitical, Societal, and Technological. The most recent report for 2018 is available on the WEF’s dedicated webpages at http://reports.weforum.org/global-risks-2018/. As a broad, worldwide study, the report carries a fairly negative tone, but many aspects of the information can be quite interesting and useful to business advisors. Readers can explore the results on the website and freely download a 70-page PDF.
The annual report addresses a wide variety of issues, but highlights from the webpages that may be most interesting to CPAs and advisors include a section on “Global Risks of Highest Concern for Doing Business,” located under ‘Explore the survey results” (http://bit.ly/2YHQNTe). Unemployment or underemployment is the highest ranked risk, followed by fiscal crises and failure of national governance. Failure of critical infrastructure and cyberattacks make the list in the seventh and eighth positions.
In the report, a useful Appendix A provides short descriptions of the four to eight specific risks the WEF groups under each of the five categories. “Technology” includes large-scale cyberattacks, massive incidents of data fraud and theft, breakdown of critical information structure, and adverse consequences of technological advances. Focusing on topics that are of most interest to CPAs, the report indicates that cyber breaches reported by businesses almost doubled from 2012 to 2017 and were averaging 130 incidences per organization per year by 2017. In 2016, more than 350 million new pieces of malware were released. Financial costs have been increasing at more than 27% each year, with the largest costs coming from ransomware, a type of malicious software program that locks electronic files and demands a ransom to release them.
FBI Cyber Crime
The Federal Bureau of Investigation is the principal U.S. agency for investigating cyberattacks against public and private organizations, companies, and individuals, and leads the National Cyber Investigative Joint Task Force (NCIJTF). The FBI’s Cyber Crime site (https://www.fbi.gov/investigate/cyber) provides information on FBI and NCIJTF priorities, as well as public educational information. The FBI site does not provide downloadable documents on its highly practical information, but readers could easily create their own or just bookmark the website.
The FBI materials include an interesting explanation of ransomware attacks: they are often initiated through an otherwise legitimate looking email that may contain an attachment or a hyperlink. Clicking on the electronic document or link releases malware that begins encrypting files on local drives, any attached or backup drives, and other computers on the same network as the compromised device. Users may not be aware that they have been attacked until they receive the ransom note that demands payment in exchange for a decryption key.
Not surprisingly, the FBI does not recommend paying a ransom. Instead, the FBI endorses a focus on prevention with several very specific suggestions. Readers are encouraged to read the complete list, but a couple of “teaser” examples include employing patched operating systems and backing up files regularly in a system that is not connected to other computers or networks. The FBI also makes a very interesting suggestion that even the least technology-oriented CPA can assist clients in pursuing: develop a business continuity plan for the organization to be able to continue operations post-cyberattack. An additional list of “How to Protect your Computer” items serves as a good reminder of commonsense practices.
The FBI’s Internet Crime Complaint Center (IC3; https://www.ic3.gov/default.aspx) provides a mechanism for victims or third parties to report cyber crimes. IC3 publishes an excellent “Internet Crime Report” every year. The 2018 report’s hot topics of particular interest to CPAs include business email compromise, payroll diversion, and tech support fraud.
SecurityIntelligence (https://securityintelligence.com/) provides news, analysis, research, podcasts, and webinars related to cyber-security. Resources cover a variety of topics, from application security to data protection to risk management. Its news stream includes a weekly security roundup and a security tip, and it is a great place to check for updates on the latest scams.
More Cybersecurity Resources
DHS Cybersecurity and Infrastructure Security Agency (CISA)
DOJ Computer Crime and Intellectual Property Section (CCIPS)
FBI Internet Crime Complaint Center (IC3)
SecurityIntelligence conducts a “Cost of a Data Breach” study annually as a risk management benchmarking tool. The 2019 survey summarizes interviews of more than 500 organizations in 14 industries across 16 countries and regions, and the report includes multiyear trends as well as current results. After a free sign-up, users can view the complete 2019 report online or download the 76-page PDF. A neat calculator comes with the report access and allows the user to narrow down the data (https://ibm.co/2YGlVme). A 29-minute podcast about the report and a related article provide highlights for readers who don’t want to commit to the registration (https://ibm.co/2YMpIyF).
The 2019 results reveal that the United States has the unpleasant distinction of having the highest average cost of a data breach, at over $8 million. Key findings indicate that lost business is one of the largest costs of a data breach, malicious cyberattacks (as opposed to system glitches or human error) were the most common and most costly, small businesses face disproportionately larger costs than larger entities, and automation of security significantly lowers costs after a data breach. In addition, to no one’s surprise, the likelihood of experiencing a data breach is increasing. The 2019 report includes the long-term effect costs of data breaches, which continue for years after an incident. After registering for the full report, users can access a calculator to estimate their own cost of a data breach based on 17 risk factors and more than two dozen cost factors.
Cost information is helpful for insurance and other risk mitigation purposes, of course, but the 2019 report also provides several recommendations to help minimize financial costs. The most important suggestion is the creation and maintenance of an incident response team and regular testing of the incident response plan. Offering identity protection to customers is shown to help reduce customer turnover after an incident. Commonsense professionalism in maintaining governance, risk management, and compliance programs also plays a role in lowering data breach costs. Other recommendations are much more technical, such as using data classification and retention programs, or automating detection and containment systems.