Get the key components of a breach incident response plan, plus best practices for communicating the breach to employees, clients and other vested parties.
Accounting firms are being targeted by cybercriminals because of the significant amount of PII (personally identifiable information) and financial data that clients have entrusted to them.
The size of the firm doesn’t matter to the hacker groups.
While larger firms may provide a bigger payday, medium and smaller firms are often easier targets and at higher risk. They often don’t have the accounting security defenses, cyber training, or technical resources to protect their firm from being hacked.
All it takes is one employee inadvertently clicking on a compromised link in a phishing email or text message, plugging in an infected USB thumb drive, reusing a compromised password, or failing to update their computer or WiFi router promptly, and the hackers are on their way to taking control of the firm’s computer systems and data. When that happens, your firm had better be prepared.
Firms will benefit from having a written incident response plan that they have already walked through with firm owners, because the worst time to plan a breach response is after the breach has occurred.
The focus of the plan should be on minimizing damage and providing a measured, thoughtful response that shows the firm has taken back control.
To help firms get started, we outline the key components of breach incident response below and considerations in communicating the breach to employees, clients, and other vested parties.
The incident response team should include firm owners, IT personnel, key vendors, and cybersecurity resources.
This includes external accounting security expertise with forensic skills to identify and remediate the breach, law enforcement contacts and legal resources to ensure the firm responds appropriately to regulatory requirements, and, where needed, a public relations firm to communicate the response.
If the firm has cybersecurity insurance, the provider may already have many of these resources available to the firm. The firm should work with the provider to document these contacts.
The incident response plan should be written in a concise, step-by-step format that is readily available to key stakeholders (e.g., a PDF on their smartphone or a hard copy in the firm manager’s office).
While prevention should be one of the primary responsibilities of the firm’s IT security team, policies must be in place to detect a possible breach and to notify the security team of anomalies so they can be investigated.
This includes educating employees on warning signs that they may have been hacked.
Remediating the breach will most likely require the assistance of external cybersecurity and forensic expertise, who will have the depth of experience in eradicating the various threats and implementing the solutions necessary to prevent a recurrence.
This is particularly important if the firm’s files are encrypted with ransomware and backups must be restored, since those backups may themselves be infected with malware.
The firm should work with attorneys who understand the regulatory and reporting requirements (such as public notification, credit reporting, etc.), as well as the local FBI office, before communicating the incident.
As cyber threats continue to evolve, it is important for the firm to review, update, and walk through its incident response plan at least annually.
The final phase of the incident response plan is communicating the breach information publicly, which should be done in a coordinated, measured way, so it is obvious that the firm has taken control of the situation.
1. Timely Response
One of the first questions firm owners will need to answer is, “When did you first become aware of the breach?”
Studies have shown that the quicker and more thoroughly a firm responds to a cyber breach, the smaller the financial consequences.
Consequently, it is imperative that the firm have an incident response plan and team in place to respond quickly to a breach.
2. Truthful and Accurate Response
Being truthful and accurate in communicating breach information is important to sustain trust with employees and clients throughout the breach event.
After the cause and extent of the breach have been identified, and the firm has implemented a plan to remediate the damage (including steps to ensure that it will not happen again), these steps should be laid out in a comprehensive, factual manner.
The message should also include the legal and regulatory requirements for impacted clients and remuneration that the firm will provide to those that have been impacted.
3. Controlled Message
Controlling the message to provide a consistent response is critical as incomplete or conflicting information creates speculation and uncertainty.
The incident response plan should identify a central representative who will deliver the message to firm personnel, clients, and, if necessary, the media, so that all of them receive the same information on as close to the same timeline as possible.
4. Confident Remediation
One of the most important components of incident communication is outlining the steps the firm has taken to remediate the breach.
This would include the response and solutions the firm has implemented, as well as the training of firm personnel to minimize the possibility that this type of breach could occur again.
The firm must also be able to lay out how it is meeting the regulatory notification requirements and how it is assisting clients and other parties potentially impacted by the breach.
While no one wants to be hacked, the reality is that it is more likely a matter of “when” rather than “if” the firm will experience a cyber event.
Having a qualified team in place, either independently identified or organized through your cyber insurance carrier, will ensure you can respond quickly.
And finally, being prepared for such an accounting security breach with a written incident response plan will minimize the financial and reputational damage the firm experiences.