CPA firms are becoming increasingly concerned about clients who have lax cybersecurity in place, making them vulnerable to ransomware attacks like the ones that have been in the news lately.
In early July, between 800 and 1,500 businesses around the world were reportedly affected by a ransomware attack centered on Kaseya, a provider of widely used technology management software. The incident follows other high-profile ransomware attacks in recent months against Colonial Pipeline and JBS Foods by hackers thought to originate in Russia, who demanded millions of dollars in payments in exchange for decrypting their victims’ data and computer systems.
“Business owners are starting to put more focus on cybersecurity and recognize that it’s a very big part of all the other business risks that they’re already managing,” said Mark Spaak, director of security and support services at Rehmann, a Top 100 Firm based in Troy, Michigan, that provides cybersecurity services and has been helping clients protect themselves from ransomware vulnerabilities. “It’s something that needs to be accounted for. Oftentimes what a lot of business owners miss when it comes to cybersecurity is the impact that it can have on your brand and your reputation. If you’ve been involved in some type of a cyberattack, and especially if you have sensitive data types that you manage, you may have to disclose that. There could potentially be penalties and fines. You may have to issue credit-monitoring services for your clients. And it can have a lot of impact on your reputation, your brand and your business, not to mention the operational downtime. It’s not just about securing the data, but it’s also about how long you can afford to be down as a business owner before it’s very impactful to your operations and you can’t recover.”
He pointed to the Kaseya attack and the risks associated with managed service providers. “When you think of our customers that work with managed service providers, one of the things that we talk about is third- and fourth-party risk,” said Spaak. “Oftentimes what a lot of clients overlook in these types of situations is having a strong vendor management program. What tools and software do they use? Who are the partners that they use to deliver their services to their customers? How do they manage patching? How do they manage vulnerability? How responsive are they?”
He sees vendor management as a priority: “It’s understanding what access your service provider has. What stopgaps do they have in place to prevent or protect from these types of supply chain attacks?”
The ‘big tool in the toolbelt’
Companies are looking for cyber liability insurance to help them deal with ransomware attacks, but the premiums for those are rising. “More and more business owners are starting to sign up for cyber liability insurance,” said Spaak. “And likewise, cyber liability insurers have wised up to what’s happening in the industry. Many business owners that are going to be reviewing their cyber liability policy this year are seeing a 40% increase in their renewal fee. What that really indicates is that insurers have really stacked up the losses and they’re now having to shore up and increase their fees.”
He is starting to see insurers demand their customers sign documents attesting to their cybersecurity. “You’re now filling out one- and two-page attestation statements that are basically saying, ‘Tell us about the security posture of your organization. Do you have some type of email protection? Do you have some type of endpoint detection and response? Are you using multifactor authentication?’ And if you’re not doing some of these basic what we like to call cyber hygiene practices, then either the underwriter is not going to write the insurance, or they’re going to charge you a premium amount on top of whatever the base fee would be,” said Spaak.
Doing regular and thorough backups, while storing the results offsite, has become more important than ever in the current environment.
“It’s not only just having a backup position, but it’s also ensuring that it’s offsite, meaning my backup does not exist at my company,” said Spaak. “It’s offsite somewhere, which means it’s been replicated offsite and it’s what we call ‘air gapped.’ What that effectively means is that the same credentials that would be used to access the client environment are not used to access the backup systems, so they’re completely segmented and they’re completely segregated from each other.”
“The real big tool in the toolbelt, if you will, is having a good, resilient backup position,” he continued. “When we talk about ransomware attacks, we talk about these types of things where you’ve got a ransomware gang that’s holding 1,500 businesses hostage. What is your backup position at that point? That’s really your ‘get out of jail free’ card, and if you have a good backup, it’s been tested and you know that you can recover from it, then that gives you an additional option. Far too often we see that businesses have their backup onsite, which means the attacker got into the environment, and not only did they encrypt the end points, but they also encrypted the backup as well, which means, at that point, the customer has no leverage. They have no additional negotiating power. And at that point, they either have to choose to pay the ransom, which law enforcement does not recommend, or they have to walk away from the data and rebuild their business. And that’s often very, very impactful.”
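The point about a backup that “has been tested and you know that you can recover from it” is easy to state and often skipped in practice. The following is an added example (not code from the article or from Rehmann) of the smallest useful restore test: back up a constructed sample directory into a tar archive with a SHA-256 manifest, restore it into a scratch directory, and compare every file against the manifest. The offsite and separate-credential properties described above are operational and cannot be shown offline; what this script demonstrates is the verification step that proves a given backup generation is actually recoverable.

```python
"""Restore test for a backup archive against a SHA-256 manifest.

Added example, not from the article or from Rehmann. All data is constructed
in a temporary directory so the script runs offline with the standard library.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each regular file (path relative to root) to its SHA-256 hex digest."""
    return {
        str(path.relative_to(root)): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def create_backup(source: Path, archive: Path) -> Path:
    """Write a gzip tar of source plus a JSON manifest; return the manifest path."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:  # add files individually with relative names
            tar.add(source / rel, arcname=rel)
    manifest_path = archive.parent / (archive.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest_path


def restore_test(archive: Path, manifest_path: Path) -> Tuple[bool, List[str]]:
    """Restore the archive into a scratch directory and diff it against the manifest.

    Returns (ok, problems); ok is True only when every recorded file is present
    with the recorded hash and nothing unexpected was restored.
    """
    expected = json.loads(manifest_path.read_text())
    problems: List[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(dest, filter="data")  # refuses absolute/.. paths
            except TypeError:  # interpreter predates the filter argument
                tar.extractall(dest)
        restored = build_manifest(dest)
        for rel, digest in expected.items():
            if rel not in restored:
                problems.append(f"missing: {rel}")
            elif restored[rel] != digest:
                problems.append(f"hash mismatch: {rel}")
        for rel in restored:
            if rel not in expected:
                problems.append(f"unexpected: {rel}")
    return (not problems, problems)


def run_demo() -> dict:
    """Build constructed sample data, take a backup, and run two restore tests.

    The second test pairs a newer archive with a stale manifest, the situation
    where the backup you think you have is not the one on the shelf.
    """
    with tempfile.TemporaryDirectory() as work:
        root = Path(work)
        source = root / "client_data"
        (source / "ledger").mkdir(parents=True)
        (source / "ledger" / "2021-q2.csv").write_text("acct,amount\n1001,250.00\n")
        (source / "notes.txt").write_text("constructed sample file\n")

        archive1 = root / "backup-1.tar.gz"
        manifest1 = create_backup(source, archive1)
        clean_ok, clean_problems = restore_test(archive1, manifest1)

        # Source changes after generation 1; generation 2 gets its own manifest,
        # but we deliberately verify it against the old one.
        (source / "notes.txt").write_text("content changed after generation 1\n")
        archive2 = root / "backup-2.tar.gz"
        create_backup(source, archive2)
        stale_ok, stale_problems = restore_test(archive2, manifest1)

    return {
        "clean_ok": clean_ok,
        "clean_problems": clean_problems,
        "stale_ok": stale_ok,
        "stale_problems": stale_problems,
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In a real deployment the manifest would be stored with the offsite copy and the restore test scheduled, so that a backup that silently stopped matching its manifest is found on a Tuesday rather than on the day of the ransom note.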
Ransomware attackers in some cases are using the financial and insurance information they find on their victims’ computer systems to find out how much the victim can pay for the ransom. “They’re understanding what their assets and annual revenue are, and based upon those numbers, they’re able to estimate fairly well what they think they should be able to charge and be able to get back,” said Spaak. “Of course, there are always risks with that. If you choose to pay the ransom, will you actually get the key? Will the key actually work? Can you decrypt your data quick enough to actually get back online and get operations restored? But then here’s the big challenge: Let’s say that happens. Do you trust your environment now? So now you have an infected environment that has been encrypted, and most of the time these threat actor groups have multiple points of entry. They’ve gotten in and they’ve established what we call ‘persistence.’ They want to make sure that they get paid, and so they’re going to establish persistence so that if they need to go back into the environment through another door, then they have that access to be able to do that. So, even if you unencrypt all of your systems and you get your systems back online, do you trust your systems at that point?”
Those who decide not to pay may find they’re under threat even if they have backups. “We’re seeing a lot of threat actor groups that are exfiltrating the data and they’re doing double extortion, which means I’ve locked your files,” said Spaak. “You can’t get into your files without paying the ransom, but if you don’t pay the ransom, I’m now going to extort you by posting your information and making it available in dumps that people can get, and now you still have a big problem on your hands because maybe you’ve lost intellectual property. Maybe you’ve lost sensitive information where you might be subject to fines and regulatory fees.”
Rehmann’s cybersecurity team sometimes works with its accounting team as well to help clients. “On the technology side, we do work with our accounting partners and there’s lots of opportunity that we will work together for,” said Spaak. “We can come in and we can consult on [the different technologies they have] and we can start to establish an information security program. We really want to understand where all the data is. Where’s that data stored, how is it secured and protected, who has access to that data? Do we have the appropriate controls in place? We can take a look at, for instance, the [National Institute of Standards and Technology] cybersecurity framework, or we may take a look at the CIS [Center for Internet Security] top 18 controls. There are a number of different frameworks to basically evaluate what is your position relative to what are the best practice recommendations.”
The firm offers a “cyber ready” program that helps clients establish governance, risk and compliance controls in their information security program. “If you really don’t have a program in place, it’s very difficult to know what you’re managing against and what you’re managing toward,” said Spaak. “That’s why it’s very important to make sure that you’ve established that program and you’re maintaining it over time. That really helps business owners to make educated decisions about where they need to invest in cybersecurity protections and then ultimately get that return on investment. We want to realize the return on the investments that we’re making. How is the security in the business? How is it making my business position stronger? … There’s a lot of advantage to making these investments.”
Security at home
At the same time, Rehmann needs to be careful about safeguarding its own cybersecurity to protect sensitive client information from hackers and ransomware attacks.
“Rehmann does maintain a full information security program,” said Spaak. “Rehmann does have a chief information security officer within the firm and his role is to make sure that we’re managing that information security program and understanding the risks within the business. And we are taking all the appropriate steps to make sure that we are securing our environment as best as we can. Rehmann Technology Solutions is also a managed service provider and we are a managed security service provider, so what that means is that we offer not only technology assistance for end user support, service support, patching, those sorts of things, but we also do offer managed security as well. A lot of the solutions that we’re talking about, whether it be endpoint detection and response or multifactor authentication or compliance as a service, those are all services that Rehmann offers to their clients, not only on the accounting side, but we also cover health care, finance, manufacturing, etc. So we cover a number of different business verticals getting those services. It’s very important that we’re staying on top of it as well and being as proactive as we can be and taking all the appropriate measures.”
He recommends that clients have an incident response plan in case they get attacked. “Having an incident response plan and testing it can significantly reduce your cost exposure when dealing with an incident,” said Spaak. “We find that a lot of organizations do not have that incident response plan in place. We need to recognize now that we’ve got insurance providers involved, we may have internal legal counsel involved, and we may have a forensic firm or an IT provider involved. What are the steps that I need to take? What is the order in which I need to do it to make sure that we execute well and what are the steps to move into our disaster recovery plan? One of the things that our cyber ready program aims to do is to help companies establish an incident response plan. … I always recommend that you work with your insurance carrier and get on the phone with your agent and have that conversation and say, ‘What does it look like if we were impacted by an incident? What are the steps that I need to follow and what does that look like so that you understand what to expect of your carrier? What are the obligations that you have to make sure that you can have as smooth as possible of a situation if it were to come up?’”
He also recommends that companies put in place multifactor authentication to better protect their passwords, especially on privileged accounts.
The Securities and Exchange Commission has been getting involved and may require better cybersecurity from companies as ransomware attacks proliferate. Insurers, too, are beginning to require that customers put cybersecurity safeguards in place, or else charge them higher premiums.
“Those attestation statements that are coming out are asking that question, and if the business owner can’t answer that question, then they’re going to be dealing with a situation where they’re either going to be rejected or they’re going to have to pay a premium amount,” said Spaak. “Or one of the other things that I’ve seen as well is insurance underwriters write a smaller policy. They limit their risk, so that forces the business owner to go out and find additional insurance. They end up having to stack insurances to get all of the coverage that they believe they need to have for their organization. It’s getting a little dicey on the insurance side, and that’s why it’s just so important to have an information security program to make sure that you’re being proactive. If you can show the things that you’re doing within the organization, it’s going to help you with all of those conversations.”