CPA's Guide to Cyber Security

CPA firms face greater risk from cyber attacks and compliance requirements because of the nature of their work.

Why CPA Firms are at Risk

  • Single access point
  • Data in a variety of places 
  • Compliance obligations

Risk to Clients

Business clients of CPA firms often face many of the same cybersecurity risks and compliance obligations outlined previously. Larger businesses will likely already have a baseline cybersecurity program in place. For smaller companies that are trying to maximize revenue and limit overhead costs, a cybersecurity program can be difficult to justify. However, from a CPA firm's standpoint, if a small- or medium-sized client suffers a cybersecurity breach, it may cause that client to go out of business. In other cases, some clients may be asked by their customers to sign a cybersecurity contract addendum in order to do business with them, which would then obligate the client to ensure that certain security measures have been implemented in their environment. In many instances, there's an incentive for CPA firms to recommend to their clients implementing at least some basic cybersecurity elements if they don't already have an adequate program in place.

Policies and Practices every CPA Firm Should Have in Place

  • Risk assessment 
  • Account for sensitive data 
  • Require strong passwords 
  • Update software
  • Audit security measures
  • Monitor problems 
  • Hold 3rd party vendors accountable 
  • Ongoing employee training
  • Develop an incident response plan
  • Limit the number of administrators
  • Develop a tested continuity plan

Why CPA Firms should Assist with Cybersecurity

  1. CPAs are specialists in risk
  2. CPAs understand business
  3. CPAs realize the importance of securing client information
  4. CPAs design, implement, and assess controls
  5. CPAs often hold leadership positions within the organization


Cybersecurity is a growing concern for businesses of all types, and CPA firms should be considering the impact of cybersecurity on their own operations as well as their clients'. Firms that invest the time and effort to plan and prepare will be well-positioned to defend against cyberattacks, and those who devote attention to providing cybersecurity capabilities to clients may also find opportunities to increase revenues while helping clients protect their organizations as well.


