WIXLIB

IDENTIFY THEFTIdentity theft typically occurs when a cybercriminalsuccessfully steals personally identifiable information(PII). According to NIST’s Guide to Protecting theConfidentiality of Personally Identifiable Information,PII is any information about an individual an agencymaintains, including (1) any information that can be usedto distinguish or trace an individual‘s identity, such asname, Social Security number, and date and place of birth,mother‘s maiden name or biometric records; and (2) anyother information that is linked or linkable to an individual,such as medical, educational, financial and employmentinformation. This type of cybercriminal does not reallybenefit unless there is a financial reward for the effort orsome type of damage that can be done with the data.Consequently, identity theft serves as a gateway to othercybercrimes, such as tax-refund fraud, credit-card fraud,loan fraud and other similar crimes.Some examples of the malicious purpose behind identitytheft include: O pening a line of credit Purchasing goods or services Renting or buying a house or apartment Receiving medical care O btaining employment O btaining prescriptions Committing traffic infractions or felonies Auction and wage-related fraud E xtortionTHE CRIME’S COURSEAccording to the Identity Theft Resource Center (ITRC),identity theft complaints ranked first in 2014 in theFederal Trade Commission’s (FTC) list of complaints.In fact, identity theft was the FTC’s No. 1 complaint6 Identity theft can go undetected for asignificant period of time — 50% ofidentity thefts go undetected for atleast one month, and 10% remainundetected for two or more years.for 15 consecutive years. A 2016 Javelin Strategy &Research survey shows identity-fraud victims were atthe second-highest level in six years, having stolen 112 billion in the past six years.Identity theft can go undetected for a significant periodof time — 50% of identity thefts go undetected for atleast one month, and 10% remain undetected for twoor more years. It also is becoming more common forcybercriminals to steal PII, hold that information for sometime and then use it. They partly take this approach tobuild a mass of PII that can later be used to commit amassive crime.These circumstances can escalate financial or reputationaldamage that may follow, and add to the challenge ofapprehending the perpetrator. In addition, victimsspend an average of 200 hours of work over six monthsto reestablish their identity, making time lost in somecases as damaging as the financial or reputationaldamage itself.THE CHALLENGE FOR CPAsThe opportunity for identity theft lies in PII, the samesource as tax-refund fraud. This information can be foundin multiple locations across the internet, such as socialmedia, phone registries, school records, etc. There alsois an active black market for PII, which is relatively easyto steal through social engineering, dumpster diving,phishing and credit-card skimming.TOP CYBERCRIMES WHITE PAPER: HOW CPAs CAN PROTECT THEMSELVES AND THEIR CLIENTS

As CPAs, we hold PII in our records such as client dataand records, and thus, have an obligation to protect it.Entities need to exercise due diligence in protecting PIIbecause it is not only good customer service, but alsominimizes lawsuits or violations of state and federal laws.Forty-seven states, the District of Columbia, Guam,Puerto Rico and the Virgin Islands have laws regardingsecurity breaches of PII.If a breach occurs, the costs for failing to comply are high,and include legal action. For example, the Massachusettslaw, known as MASS 201, allows the Massachusettsattorney general to sue any company that has a securitybreach if the company is found to be noncompliant withthe law’s requirements. This law has given rise to MASS201 compliance audits in Massachusetts, ensuring thatentities have taken reasonable precautions to protect thePII of Massachusetts’ citizens.DATA THEFTSensitive data, including unencrypted credit-cardinformation a business stores, PII, trade secrets,intellectual property, source code, customer informationand employee records, all attract cybercriminals’attention. This cybercrime overlaps with previousPII discussions, identity theft and security breaches.The cost to its victims can be detrimental, and involvepublic-image damage and financial costs related to lossof business, legal fees and increasing security measures.THE CRIME’S COURSEThe crime occurs when a cybercriminal gains accessto and steals sensitive data. It can be as simple ascopying an entity’s customer data files onto a flashdrive and selling it to a competitor or using confidentialor proprietary information to compete with the entity’sbusiness.Sometimes, these crimes target governments orother large organizations with more resources. Oftenreferred to as an advanced persistent threat (APT), acombination of malicious methods are used to firstinfect an organization’s networks. Then, the threat agentproceeds to monitor activity and siphon data in anundetected manner over an extended period of time.(Source: Page H-4 Footnote 82 NIST SP 800-39 ManagingInformation Security Risk: Organization, Mission, andInformation System View.)A prime example of an incident involving APT is theUnited States Office of Personnel Management (OPM)breach that was discovered in 2015. In one of the moreconvoluted breaches to make the headlines, it involvednot only the OPM, but also two other governmentcontractors, resulting in several breaches over a periodlasting longer than a year. The series of breaches inducedthe loss of background investigation records and affected21.5 million people and their personnel data, as wellas the data of 4.2 million current and former federalemployees. Unfortunately, it’s not the sheer magnitude ofvictims that makes this particular incident so devastatingbut, instead, the extremely sensitive nature of the data.(Source: FCW, “Full dollar cost of OPM breach stilla giant unknown.”)THE CHALLENGE FOR CPAsCybercriminals could easily target CPA firm data. MostSMBs don’t have the resources to recover from thepublicity fallout that follows a data theft incident. As seenwith the OPM breach, once access is gained, the resultscan be catastrophic.TOP CYBERCRIMES WHITE PAPER: HOW CPAs CAN PROTECT THEMSELVES AND THEIR CLIENTS 7

RANSOMWAREUnstolen data is not necessarily safe from cybercriminalswho use ransomware, a type of malware that, onceinstalled, restricts access to files or entire systems untilextortion payment is received. In addition to siphoningdata from your firm, cybercriminals now hold your datahostage in exchange for a hefty sum of money.THE CRIME’S COURSEThe crime begins when users click on a malicious linkand unknowingly install ransomware on their systems.The malicious link can be in an email, website or bundledwith software.Once the ransomware installs, it can takethe form of scareware, which coercesusers to pay for unencrypted files orto unlock access to systems.One of the more publicized instances occurred ina February 2016 ransomware attack on HollywoodPresbyterian Medical Center. Initially, the news reportsstated the cybercriminals demanded 3.6 million. Thehospital defied these demands and was denied accessto various servers and systems for 10 days, severelyimpacting its operations. Ultimately, the hospitalnegotiated, and, for 17,000, the cybercriminalsdelivered the key codes. (Source: Los Angeles Times,“Hollywood hospital pays 17,000 in bitcoin to hackers;FBI investigating.”THE CHALLENGE FOR CPAsRansomware can be a lucrative line of work forcybercriminals. Rendering sensitive data unavailableto its users, and demanding large sums of money,is a crime that likely will not diminish in the nearfuture. Cybercriminals often will select targets whoseorganizations will fail to function immediately withoutaccess to certain types of data.Once the ransomware installs, it can take the form ofscareware, which coerces users to pay for unencryptedfiles or to unlock access to systems. (Source: PC World,“How to Rescue Your PC From Ransomware.”)8 TOP CYBERCRIMES WHITE PAPER: HOW CPAs CAN PROTECT THEMSELVES AND THEIR CLIENTS

WHAT YOU CAN DOCPAs need to make timely,informed decisions about theeffective controls that canprevent cybercrimes fromoccurring, and detect, at theirearliest stages, crimes thatalready have transpired.CPAs need to make timely, informed decisions about the effectivecontrols that can prevent cybercrimes from occurring, and detect, attheir earliest stages, crimes that already have transpired. Once crimesare detected, it is equally important that CPAs respond deftly. Forexample, reliable backups are one way to respond to ransomware.In addition to raising awareness of the four cybercrimes detailed here,this white paper offers three ways to mitigate risk.1. CONDUCT A SECURITY AUDIT AND ASSESS CONTROLSA Computer Security Institute (CSI) survey ranked internal cybersecurityaudits as the strongest weapon in preventing and detectingcybersecurity vulnerabilities. An effective internal security auditidentifies cybersecurity risks and assesses the severity of each type ofrisk. For optimal results, CPAs should audit their clients’ privacy andsecurity policies and controls.Following the audit, preventive controls need to be instituted for themajor risks that were identified. Some best practices that can helpmanagement develop those controls include:Proactively patching vulnerabilities, including vulnerable software sing least-access privileges and other sound logical access controlsUto help remediate crimes perpetrated internally; for external threats,sound perimeter controls such as firewalls, intrusion preventionsystems (IPS) and intrusion detection systems (IDS) are critical toprotection onitoring systems, technologies and access with associatedMcontrols varying based on the threat level (also a detectionstrategy); for example, use various logs created by technologiesfor those activities Data backups, including offline versionsTOP CYBERCRIMES WHITE PAPER: HOW CPAs CAN PROTECT THEMSELVES AND THEIR CLIENTS 9

2. RETAIN BUSINESS INSURANCEIn an age of financially motivated cybercrimes, everyentity should have sufficient business insurancecoverage, such as business continuity/disaster recoveryor cyber insurance, to recover financial losses. Executivemanagement team members, especially the CFO, mustevaluate the entity’s insurance coverage to ensure itcould recover estimated losses from any cybercrime.Reviewing coverage should be done on a reasonableperiodic basis. Leaders also might consider enlistingservice providers that offer forensic, cleanup and restorefunctions after certain crimes have been committed.start before a breach occurs is with reasonable securitycontrols defined by the information security professionas best practices or principles. Best practices includeemployee training.Remediation measures and controls that apply to onecybercrime often apply equally well to others, whichresult in multiple cybercrimes being addressed with asingle countermeasure. This further supports the positionthat the measures and controls entities take once acybercrime occurs are the same measures and controlsthat should have been in place before the breach.3. CREATE AN INCIDENT RESPONSE PLANDespite not being preventative, one useful correctionremediation is to develop an incident response plan. Theplan would require employees with the necessary levelof knowledge and serving in key positions within theentity to answer the following questions relating to thecybercrimes identified in this white paper: W hich of these crimes are potential risks? W hat risks would follow from each crime? How should we respond to each of these crimes? How would we fully recover from each of these crimes? o we have appropriate skill set on staff or on aDretainer contract?The manner in which an entity responds to a cybercrimeprovides valuable insight into its possible vulnerabilitiesand preventive steps that could have been taken beforethe crime occurred.Time after time, research organizations that report onbreach statistics all report that 90% of breaches couldhave been avoided if reasonable security controls hadbeen in place at the time of the incident. A good place to10 TOP CYBERCRIMES WHITE PAPER: HOW CPAs CAN PROTECT THEMSELVES AND THEIR CLIENTS

CONCLUSIONCybercrime is more prevalent, more damaging and moresophisticated than ever before. CPAs need to gain a clear andgeneral understanding of the major threats, risks, costs and othernegative factors associated with it as well as the degree to whichthese factors relate to their employer (public practice or businessand industry) and/or clients (public practice). They also need theability to identify perpetrators and learn their methodology.The proliferation of cybercrimes does not require the CPA toassume the role of cybersecurity expert. However, by becomingand remaining informed and aware of the core elements ofcybercrime and by seeking assistance from security professionalswhen necessary, CPAs can best identify preventive, detection andreparative measures. In the process, they can ensure the safety,security and future success for themselves, as well as for theindividuals and entities they serve.TOP CYBERCRIMES WHITE PAPER: HOW CPAs CAN PROTECT THEMSELVES AND THEIR CLIENTS 11

ABOUT THE AUTHORSJeff Streif, CPA, is chief financial officer at Koller Enterprises Inc. in Fenton, MO. Before joining Koller, Jeff workedon SSAE16 (SOC 1) engagements; SOC 2 engagements; PCI compliance; ITGC and application control reviews; IT riskassessments; penetration and vulnerability assessments; and data mining. Contact Jeff at jstreif@kollerenterprises.com.Lisa Traina, CPA/CITP, CGMA, is a partner at Traina & Associates, a CapinCrouse Company. Traina & Associatesprovides cybersecurity audit and consulting services to a number of industries, including not-for-profits,financial institutions; hospitals and medical practices; professional service firms; and others. Contact Lisa atltraina@capincrouse.com.Steven J. Ursillo Jr., CPA/CITP, CGMA, is a principal and director of Technology & Assurance Services for Sparrow,Johnson & Ursillo Inc., in West Warwick, RI. Contact Steve at sursillojr@sju.com.Steven co-chairs the AICPA IMTA Cybersecurity Task Force and Jeff and Lisa serve as members on that task force.12 TOP CYBERCRIMES WHITE PAPER: HOW CPAs CAN PROTECT THEMSELVES AND THEIR CLIENTS

22795-256888.777.7077 service@aicpa.org aicpa.org

CPAs who perform online banking transactions. First, the CAO, CFO, treasurer or controller often is unaware of corporate account takeovers, and the repercussions and liability that can follow. Second, there is a lack of adequate controls over the online banking process. 3. Transfer the victim's bank funds to an account the cybercriminal controls.