As counsel to numerous professional firms and associations, I am asked frequently about cyber risk. As technology advances, we have more and more information stored in electronic devices and in the so-called “cloud.” Cyber risk is of particular concern for professionals like CPAs and attorneys because they have confidential client information like Social Security Numbers and financial information. There is no prohibition on maintaining our data electronically, and particularly in the cloud; however, we must be aware of the risks and take reasonable precautions to protect our data and particularly our clients’ confidential information. As professionals, we must remember that our clients trust us and we have to make sure that trust is not misplaced.

Clients have an increased expectation that we are available 24/7 and that we have all their information at our fingertips to answer their questions and respond to their concerns. Therefore, we are more and more dependent on technology and storing more and more information, which is available remotely. This makes our data subject to increased cyber risk. The first question is, are we prepared for the risk? Generally, the answer is that firms are not. They are not fully aware of the risk and are not prepared for it. The second question is, are we prepared to respond to a breach of our data? Again, generally, the answer is that firms are not.

A firm of any size is subject to cyber risk. The statistics are alarming. Identity theft and security breaches are on the rise. The cost to respond to a breach has been reported at up to $204 per record, with an average cost of $2.4 million per breach. The cost to respond to a cyber-breach can be staggering. The damage from a cyber-breach can be tremendous. Even setting aside the financial cost of responding, there may also be bad publicity, loss of productivity, and loss of reputation.

Now, I generally don’t use text messaging for work, but where are those messages stored and how safe are they? When we are using technology, we need to evaluate the risk and what, if any, safeguards are in place. I just assume Verizon has those text messages secured on their end, but what about my phone? If my phone is stolen, everything that I have texted and not deleted is open for reading. But do I have access to wipe the phone’s memory remotely? These are questions we need to answer for all our devices. Do we have an inventory of all the devices that are subject to cyber risk (every server, desktop, laptop, iPad, cell phone, etc.)? And not just company-owned devices, but also personal devices that have access to company data. Do we have an inventory of the types of data on each device (documents, emails, contact information, texts, etc.)? Do we have an inventory of what data of each type is on each device? Without all this information, we can’t fully appreciate the cyber risks involved.

Of course, there is insurance available to help with some of the risk.  From a professional firm’s standpoint, insurance is about spreading or lessening risk.  There are several types of policies available and I suggest any firm consult with their insurance broker about the type of insurance that might work best for them. Fortunately, this type of insurance is not expensive, because although incidents are on the rise, there is a relatively low incident rate.  Unfortunately, as touched on above, the losses can be extremely high, so be careful that your policy will cover the full extent of the loss.

The reality is that professional firms need to spend time addressing their cyber risk. They need to catalog their data and determine action plans to prevent the loss of data and to respond to any loss. I recommend you address these issues immediately in consultation with your computer experts, your insurance broker, and your attorney.

Since posting this blog, the following exchange took place on LinkedIn, which you may find helpful:

Jeffrey - it is far less costly and much more effective to implement appropriate (i.e., cost vs countermeasures; reduction of risk to an acceptable level) information system security policies, procedures and countermeasures than to purchase insurance policies. Properly implemented, an adequate IS security program will obviate the need for additional insurance and go much further to prove prudent managerial action (for litigation). This is not just a technical issue, as most incidents involve human behavior (both authorized insiders as well as non-authorized outsiders). Also - there are slight (but very important) differences in implementing risk mitigation for information system incidents versus disaster recovery planning. The IS security profession has been around for several decades and some very well-regarded professional certification systems are now key (e.g., CISSP, GIAC). There are even a couple of LinkedIn groups for this.

My Response
Thanks for the additional information.  I completely agree that appropriate information system security policies, procedures and countermeasures must be implemented.  But I'm not sure there is an acceptable risk level.  This is particularly true for associations and depends upon what confidential information an organization or company maintains.  That is why I think everything should be assessed and considered.

Further comment
If there is no acceptable level of risk, no firm has enough resources nor are there enough countermeasures available. Here is a synopsis of information system controls viewed to be critical:

http://www.sans.org/critical-security-controls/

My Response
That is an excellent list! Thank you for sharing it. I think we agree on this. My point is that there is no one level of risk that is acceptable across the board and each company must assess the risk. There are far too many variables. Even if a company does everything listed, there remains a risk. For some companies I believe that risk is too great to not purchase insurance, but that is why a complete assessment is needed. From everything I have read on the subject, the data cannot be completely protected if it is to be accessible and usable. At that point, what confidential information is contained in the data will certainly be a factor. Lawyers and CPAs whom I represent maintain social security numbers and a lot of other extremely confidential information. A data breach would be extremely expensive and the firm should decide ahead of time what risk they will take and whether they will insure it. Unfortunately, many companies do not know the risks and take no comprehensive action.

 

