Cyber Security & Compliance   08/29/2022

Cyber Security Should Mean Everything to Every Tax Professional

By 360 Coverage Pros

Cyber Security Should Mean Everything to Every Tax Professional

As a tax professional, cybersecurity should be a priority. This problem affects small businesses, threatens taxpayer data and requires continuous education and maintenance.

Cybersecurity for Tax Professionals

While the IRS does not yet require every certified public accountant (CPA) firm to implement a cybersecurity plan, it is vital for CPAs and all tax professionals to do so— especially those with preparer tax identification numbers and other personally identifiable information (PII). With cybercrime targeting tax professionals increasing, securing data must be a top priority. Reports of data breaches at CPA firms have increased by 80 percent since 2014, with a portion of those being ransomware attacks. Unfortunately, less than one percent of cybercrime results in arrests, according to the Third Way Cyber Enforcement Initiative.

While it is best to establish a written security plan, tax professionals should also understand the potential ramifications of a successful cyberattack, such as:

  • Operational expenses– A cybersecurity breach can be very expensive for both clients and the CPA firm. Costs for forensic discovery, remediation, determination of exfiltration of data, reporting requirements and outside counsel to protect your litigation exposure typically run between $70,000 and $300,000. A good cyber liability insurance plan, like the one offered by 360 Coverage Pros, can help alleviate these costs and protect your business.
  • Penalties– State and federal reporting and credit monitoring requirements could add hundreds of thousands of dollars to your expenses depending on the size of the breach.
  • Extortion– Breaches can also use ransomware, a type of malicious software designed to deny you access to your computer system or data until you pay a ransom, which can range between $100,000 for smaller businesses to $2.6 million for larger firms. Beyond that, paying your attacker does not guarantee the computer systems will be recoverable or operational.
  • Reputation– A loss of current and prospective clients as a result of the breach is difficult to calculate, but very likely to occur.

Among the most important aspects of your security plan should be determining which types of data are vulnerable and how to mitigate potential loss. For example, accountants may work with a wide variety of clients. Identifying and categorizing data by client type should help determine which types of cybersecurity measures need to be implemented.

It Affects Small Businesses

The importance of cybersecurity for small businesses cannot be overstated. Although two-thirds of larger companies have made cybersecurity a priority, only 30% of small businesses have implemented any cybersecurity training programs for their employees. This is particularly concerning because small businesses account for a majority of employment growth in the country and have more vulnerabilities than larger corporations. Cybersecurity training should be an ongoing process for all employees.

One of the easiest cybersecurity precautions is installing antivirus software; yet, many small businesses don't bother with this simple, crucial security measure. In fact, only half of small businesses have installed antivirus software, made their passwords stronger, backed up files to an external hard drive and enabled automatic software updates. Additionally, only a quarter have installed a virtual private network (VPN). When small business become victims of a cyber-attack or data breach, the impact can be devastating. According to Accenture’s Cost of Cybercrime Study, “43 percent of cyber attacks are aimed at small businesses, but only 14 percent are prepared to defend themselves.”

It Requires Maintenance and Education

The National Institute of Standards and Technology (NIST) developed The Framework for Improving Critical Infrastructure Cybersecurity. The NIST framework includes five functions: identify, protect, detect, respond and recover:

  • Identify– Review and document recommended changes to current standards and practices, governance model, risk assessment/management framework and supply chain risk management protocols.
  • Protect– Review and recommend opportunities to increase education and public awareness of the most prevalent threat vectors and what personnel recourse may be needed to assist in training, identity management and protective measures.
  • Detect– Investigate opportunities for centralized security capabilities, such as a cybersecurity operations center, and investigate opportunities for increased partnerships and current coordination practices.
  • Respond– Address who will respond, what is vetted with a full-scale incident response and statutory requirements and proper notification using incident management procedures.
  • Recover– Have a plan to recover from a breach through strong procedures and current practices, while auditing the issue and communicating the recovery with a long-term mitigation strategy.

Unfortunately, criminal organizations have been targeting accounting and tax professionals. The extensive data and sensitive information kept on hand makes them a lucrative target for cyber thieves. Even if you have done all that is required of you as a tax professional to prevent a cyberattack, there is no way to guarantee you won’t be hit. The only guaranteed way to protect your business is by having the best insurance coverage in place.

360 Coverage Pros Cyber Liability and Data Breach Insurance program provides small businesses and independent contractors with coverage to protect against the financial burden a data breach creates.

Ready to go over your coverage options with a cyber liability professional? Just visit or call 833.668.0037 for more information.