Can an Accounting Firm Help with Cybersecurity? 

By Meghan Watson, Team Leader of WithumSmith+Brown’s Management Consulting Services On Aug 1, 2016

For an effective cybersecurity program, a business needs to coordinate efforts throughout its entire information system, all of which has a likely impact on the organization’s accounting function. As such, involving the accounting department as well as a CPA firm can be incredibly productive.

The most difficult challenge in cybersecurity is the ever-evolving nature of security risks themselves. As a result, national organizations are recommending more proactive and adaptive approaches to cybersecurity. The National Institute of Standards and Technology (“NIST”) recommends a shift toward detection, continuous monitoring and real-time assessments. The National Cyber Security Alliance (“NCSA”) recommends a top-down approach and focuses cyber-risk assessments on five key areas:

•  Identifying the most valuable information requiring protection;
•  Identifying threats and risks facing that information and their likelihood of occurrence;
•  Assessing the impact on your business should data be compromised;
•  Assessing the ability to recover from such an event;
•  Detecting nefarious activities (i.e. breach) on your network.

While specialized skills and in-depth knowledge of the latest technologies and trends in cybersecurity can be critical, your accounting firm likely understands the nuances of your business – as well as the processes and controls in place regarding your assets – and can provide valuable information as you begin to address the above activities.

For years, accounting firms have been drafting management letter comments related to internal controls. Internal controls are not just about technology, but are also heavily rooted in people and process. The threat of a cyber event (or being hacked) expands the scope and significance of those internal controls and also escalates the related risks if they are not working properly. And what happens if your business is not as prepared as you think? Recently, a company experienced a cyber attack only to find out that the cyber insurance claim was denied for failure to meet policy requirements around internal controls.

Assessing your ability to identify, protect, detect, respond and recover from a security incident and to take action to achieve your targeted level of readiness going forward is important to your bottom line.

 

 

Related Articles: