Third Party Vendor Risk Management is One of the Biggest Challenges Accounting Firms Face

Accounting firms are very attractive targets for hackers due to the huge amounts of sensitive and confidential information in their care, custody, and control. By hacking into the network of even one accounting firm, a cyber criminal can gain access to information on hundreds or thousands of companies and individuals. But, direct attacks on accounting firm systems are not the only way a cyber criminal can succeed. Indirect attacks can be just as powerful and often times easier!

Third party vendor risk management is one of the biggest challenges accounting firms, of all sizes, face today. Given the current privacy regulatory environment, the possibility of a data breach presents significant financial and reputational risks. As digital connections between accounting firms and vendors continue to increase, the risk of a breach via those connections, increases as well. Accounting firms – like all companies – have a host of business vendors they rely on such as law firms, payroll companies, advertisers and marketers, travel agencies, etc. All of these vendors are likely connected, digitally, to the firm’s network and the firm is likely sharing data with them all. It could be employee data, client data, or a combination of both.

In May 2019, a company named Wolters Kluwer, which serves the legal, tax and accounting, finance, and healthcare markets, suffered a breach of its applications, specifically CCH Axcess™. The CCH Axcess™ product is a cloud-based tax preparation, compliance, and workflow management solution used by accounting firms throughout the U.S and abroad. Many high-profile accounting firms used CCH Axcess™ to conduct their business and therefore were directly impacted by the breach.

Firms cannot outsource their responsibility to protect personal and confidential information in their care, custody, or control. Firms will be held accountable for decisions relating to their choice of third-party vendors and outsource service providers. Accordingly, it is crucial for firms to implement a robust third-party vendor risk management program. Below are some tips and considerations:

STEP 1: THE LAY OF THE LAND

The first step, of course, is getting your arms around what you have. Questions to ask:

1. How many third-party vendors or business partners do we have?
2. Which ones do we share client or employee sensitive/confidential information with?
3. How much data is shared?
4. How is it shared?
5. Exactly what kind of data is being shared – medical information, financial information, corporate information?

STEP 2: CONTRACT REVIEW

Look at the contracts you have in place with your vendors. Refresh your recollection regarding the specific terms of your agreements.

1. Do the agreements set forth what happens if there is a breach of the vendor’s system that impacts our data – data for which we are considered the owner?
2. Are they required to notify us within a certain time frame?
3. If there is a breach, do we want the vendor to notify our employees and clients directly, or would we rather be involved in that communication?
4. Do the agreements mandate the vendor be in compliance with relevant state, federal, and foreign privacy laws?

STEP 3: DUE DILIGENCE 

Review your vendor selection process. And, perhaps more importantly, the level of ongoing due diligence you’re conducting relative to these vendors. The cyber threat environment changes every day. Ongoing due diligence is a key component of any third-party vendor risk management program.

STEP 4: INSURANCE

Note whether you currently require your vendors to maintain cyber insurance. Also ask:

1. Does our firm carry comprehensive cyber insurance with dependent business interruption coverage?
2. Do we conduct annual or periodic updates of vendors insurance programs?

Our Cyber and Accounting Firm Practice Groups are available to answer any questions you may have about cyber insurance or third party vendor risk management.

This material is for informational purposes only and not for the purpose of providing legal or insurance advice. Insurance coverage, and the terms and conditions relating to such coverage, will vary. EPIC is not a law firm and does not provide legal advice. If such advice is needed, consult with a qualified adviser.