Tackle cyber risks for your clients and your firm

October 8, 2019

Being your clients’ trusted advisor means anticipating their needs and being prepared to offer advice and solutions to address them. That’s especially true in the area of cybersecurity, because many smaller organizations lack critical tools to defend themselves against cyber risks. A total of 67% of small and medium-size businesses faced a cyber attack in the last 12 months, according to a Ponemon Institute survey [1], and 58% suffered a data breach. Only 28%, though, thought they had highly effective tools to mitigate threats, vulnerabilities and attacks. There are several steps CPAs can take to solve cyber concerns for their clients—and in their own firms.

Become familiar with cyber services

The options for firms include:

  • Cybersecurity advisory services. CPAs help clients build their cybersecurity programs by spotting internal risks to their organizations and developing strategies to prevent breaches or data theft. If you’d like to learn more, there’s a wealth of tools to help you get started in the PCPS Exploring Cybersecurity toolkit, including resources you can use in building a niche and implementing your services. 

  • System and Organization Controls (SOC) for Cybersecurity. This newest form of SOC engagement assesses a client’s cybersecurity risk management program. It requires specialized skills, but training is available, including the AICPA SOC for Cybersecurity Certificate Program, which can offer you the education you need along with the chance to differentiate yourself in the market. CPAs with the proper skills will benefit from significant opportunities in this growing market.

Identify potential clients

This would include virtually any business that maintains personal or confidential information or that is active in the cloud, so it’s a wide market. When I was in practice, my own six-person firm specialized in real estate-related businesses, and one good prospect for us would have been property management companies, which manage rentals and store personal information on thousands of residents. Virtually any business that takes credit cards should also be actively addressing the serious and ever-changing threats to its cybersecurity.

Get ready to offer services

Education in this area is a good investment, given the demand for cybersecurity expertise. The AICPA Cybersecurity Fundamentals for Finance and Accounting Professionals Certificate is a good place to start. Use it to educate yourself or your staff so that you’re familiar with the problems and solutions and have the knowledge you need to talk to clients about their concerns.

Of course, it’s also possible to serve clients even if you don’t want to build your own practice in-house. When you partner with firms that do have the necessary expertise, you can provide clients with valued services without having to invest in creating a new niche.  

Analyze procedures in your own firm

If a majority of small and medium-sized businesses are experiencing breaches and other types of attacks, then it’s important to recognize that the risks to your own firm are very real. Start by taking an inventory of the steps your firm takes to protect against cyber risks. I bet you’ll find some areas for improvement.

As you consider how to tackle them, don’t make this mistake I made in my own practice: Since I was knowledgeable about technology, I thought I could put myself in charge of cybersecurity. While we were fortunate to avoid any breaches, I did realize pretty quickly that I probably was not going to be able to keep up with all of the new risks we could be facing. That’s when we decided to move to the cloud. The hosting services were better equipped to implement and maintain robust security, and that was a great relief to me. You, too, may find that outsourcing this concern is a good choice for your practice. Of course, even if you move to the cloud, you still need to have strong internal security at the local level.  

Stay vigilant

Whether you are offering client services in cybersecurity or not, it’s important to remain aware of the newest risks to your firm and your clients’ organizations and the latest solutions to prevent or address them. Your professional liability insurance carrier can be a great resource for information and ideas. Keep in mind that AICPA Professional Liability Insurance policyholders have access to CNA’s new eRisk Hub® Cyber Risk Portal, which offers news and advice from industry experts, as well as educational materials and risk management tools. Reach out to your carrier for help in minimizing your own risks and your clients’.

Carl Peterson, CPA, CGMA is the Association’s Vice President of Small Firm Interests. Have questions for Carl? Contact him directly at carl.peterson@aicpa-cima.com or 651-252-4618. And be sure to sign up for Carl’s Small Firm Update webcasts. The next one will take place on December 12 at 2:00 to 3:00 PM ET.

[1] https://www.securitymagazine.com/articles/89586-nearly-70-percent-of-smbs-experience-cyber-attacks