3 Steps Professional Services Firms Can Take to Mitigate a Breach

June 17, 2019
Given the consequences, now is the time for professional services firms to invest in a comprehensive cybersecurity strategy

While companies like Quora, Marriott and Equifax have dominated the headlines recently, professional services firms have possibly more to lose when it comes to the consequences of a major cybersecurity breach. A new report by Moody’s Investors Service, a division of the credit rating agency, lists several key sectors that are at the highest risk of cyber attacks. These sectors include (among others) banks, securities firms, and financial market infrastructures, and each may soon face increased scrutiny from bank lenders with respect to their cybersecurity vulnerabilities.

For a variety of reasons, the professional services sector – a term that encompasses a range of client-centric organizations such as accounting, legal, financial advising and insurance firms – has become a prime target for cybercriminals. Because they hold confidential and sensitive client information, and because they often represent profitable businesses or individuals, professional services firms from across the spectrum are seeing an increase in cyber attacks. According to the Financial Conduct Authority (FCA), the agency responsible for regulating the U.K.’s financial system, the number of cyber incidents reported to the organization increased by more than 80% from 2016 to 2017. Additionally, the CNA Professional Counsel reports that an estimated 80% of the largest law firms in the U.S. have experienced a malicious cyber incident.

Clearly, the statistics show an alarming trend for professional services firms – one that C-suite executives need to take seriously.

Is Your Firm Prepared?

Looking at the available data, it seems obvious that cybersecurity hasn’t been made a priority by certain business leaders. From international corporations to small and mid-size businesses, the statistics show a stunning amount of complacency when it comes to implementing and maintaining a comprehensive and effective cybersecurity strategy. A survey of 4,100 companies conducted by Chicago-based insurance company Hiscox – a sample that included organizations based in the U.S., U.K., Germany, Spain and the Netherlands – found that seven out of 10 of these businesses were not prepared for a cyber attack. In the same survey, 45% of executives and IT professionals said they had experienced at least one cyber attack in the past year, while two-thirds claimed to have been hit by two or more attacks.

As far as the numbers go, this general trend of being unprepared clearly extends to the various sectors of the professional services industry. According to the Logicforce Q4 Law Firm Cybersecurity Scorecard, 62% of law firms do not have a dedicated information security professional, and only 41% have formally documented cybersecurity policies. The same report also found that only 48% of law firms have had their data security practices audited by at least one corporate client within the past year.

Financial and Legal Consequences

We cannot overstate the importance of implementing a comprehensive cybersecurity strategy for your organization. From the immediate damage (both financially and in terms of hours of lost productivity) to the long-term harm a breach can have on a firm’s reputation, a cyber attack can have far-reaching ramifications for professional services firms.

By their very nature, professional services firms often handle their clients’ most sensitive information. Tax returns, Social Security numbers, asset investments, corporate strategies, intellectual property – this is the kind of information that clients entrust to their professional advisors. Discretion is everything in this business. A cyber breach is just as damaging as any other breach of trust, with the potential to ruin a firm’s credibility, and by extension, its long-term viability as a business.

Outside of the financial consequences, there are a growing number of legal ramifications for inadequate cybersecurity measures. Last May the EU passed the General Data Protection Regulation (GDPR), a law that affects anyone who processes the personal data of EU-based individuals (which means the law affects businesses worldwide). California is set to enact similar policies to penalize companies for not properly protecting a client’s information. These stringent penalties ($2,500 per violation) are issued on a per-client or per-account basis. Other states are following suit with their own security breach laws, and professional services firms can also be sanctioned by a number of regulatory bodies (IRS, FTC, SEC, etc.) if they are found to have provided inadequate data security protections. It would therefore behoove these organizations to have their cybersecurity protocols in order.

Get Compliant

Given the potential consequences of a breach, here are a few steps all professional services firms should take to remain protected and compliant:

1. Have a qualified third party assess organizational risks and vulnerabilities.

Even if you are confident that your IT department has your firm covered, there are major benefits to having another set of eyes to evaluate any potential vulnerabilities within the organization. While security and technological performance are both tied to IT, having an experienced cybersecurity professional devoted to just the security aspect may reveal unforeseen vulnerabilities.

2. Establish formal cybersecurity policies and procedures.

Every business has unique security challenges and areas of vulnerability, and professional services firms are no different. The key is to get everyone, from the IT department to the C-suite, on the same page with regard to formal cybersecurity policies that account for the specific challenges faced by your firm. This means sitting down and identifying what proprietary information is most valuable to you and your clients, identifying how hackers or other bad-faith actors could gain access to this information, and building a set of formalized cybersecurity measures and procedures to prevent or mitigate these risks.

3. Implement cybersecurity awareness and training programs that emphasize proper “cyber hygiene” among your professionals.

Maintaining the digital security of the firm is the responsibility of every employee, not just the IT department. Incidents involving negligence or human error are often the root cause of a cybersecurity breach. Every employee, from the C-suite down, is responsible for exercising good judgement and following company-wide cyber protocols. As such, employee training programs are a critical way of informing employees of potential threats and keeping those threats front of mind.

While professional services firms have downplayed the importance of cybersecurity in the past, the statistics show that they do so at great risk to their clients’ data. Given the consequences of a breach, now is the time for professional services firms to invest in a comprehensive cybersecurity strategy to protect their clients’ most sensitive information and the future of their practice.

About the authors: Tom Ridge is the former U.S. Secretary of Homeland Security, former Governor of Pennsylvania; and is alliantgroup Chairman of Cybersecurity and Technology. During a long and distinguished career that has spanned the public and private sectors, Tom Ridge has established himself as an authority on a range of policy issues including cybersecurity, technology, education and economic development.

In response to the tragic events of September 11, 2001, Ridge was appointed by then-President George W. Bush as the first Director of the newly formed Office of Homeland Security. In January 2003, the Office of Homeland Security was designated by the Bush administration as an official Cabinet-level Department and Ridge was appointed the nation’s first Secretary of Homeland Security. During his tenure, Ridge worked with more than 180,000 employees to form an agency that was responsible for the security of the United States. As alliantgroup’s Chairman of Cybersecurity and Technology, Governor Ridge leverages his knowledge of cybersecurity issues for the benefit of the firm’s clients.

Frank Tirelli is the former Chairman and CEO of Deloitte Italy and Vice Chairman of Deloitte U.S., and is alliantgroup Vice Chairman of Professional Services. Tirelli is an experienced C-level executive and respected voice within the professional services industry. During his tenure with Deloitte Italy, Tirelli managed 4,500 professionals and $750 million in revenue. As the Vice Chairman for Deloitte U.S., Tirelli had direct supervision over all of Deloitte U.S.’s offices on the West Coast, managing 6,000 audits, tax and consulting professionals and $1 billion in revenue.

In his current position with alliantgroup, Tirelli plays not only an important role in advising the firm’s executive management team on strategic and client service initiatives, but is an invaluable resource to alliantgroup’s CPA and industry partners – advising them on issues such as talent acquisition, talent development and retention, leadership, succession planning and revenue growth strategies.
