Scammer Time: Why Cyber Risk Management Should Be a Priority for You This Year
By James Harrison
Data breaches, like taxes, are inevitable. No business or organization is immune. Managing cyber risks and staying compliant with government and industry standards has not only become an essential business practice, but possibly a matter of survival for most organizations, including Utah businesses and CPA firms.
The High Cost of a Data Breach
Forty-three percent of all cyberattacks target small businesses, with damages ranging from extended downtime to breach containment and response costs, legal defense, reputational damage, and loss of customers. Not taking this seriously can have devastating consequences.
The cost of recovering from even a small data breach can range from $50,000 to well over $100,000 — and that is for minor breaches with no regulatory fines or penalties. Keeping recovery costs that low is a best-case scenario. The Ponemon Institute reported in its annual study that the average cost of recovering from a data breach incident has skyrocketed to over $4 million per incident nationwide. Sadly, 60% of small businesses that suffer a data breach permanently close their doors within six months of an attack.
New Customer Privacy Expectations
Businesses and consumers alike are getting smarter when it comes to protecting their confidential information. They are starting to ask of those they do business with, “What are you doing to keep my information safe?”
Businesses that take these new data privacy expectations seriously, including obtaining cybersecurity compliance certifications, will build trust with customers and will thrive in coming years. A growing number of CPA firms are now promoting this type of certification in marketing materials and client pitches as a competitive differentiator.
It’s not just customers demanding better data security and privacy. Under various federal and state laws, as well as industry standards, businesses of all types and sizes must meet minimum data security and privacy requirements to protect against the exposure or theft of customer and employee data.
Compliance with these regulations should be a top priority for CPA firms and all businesses to not only assure customers their data is safe, but to avoid potential fines and penalties levied as a result of a data breach incident.
Federal Laws
Well-known examples of federal data security laws in the financial sector include GLBA, FFIEC, and FINRA/SEC regulations that require financial services companies, including CPA firms, to implement a written information security plan with specific policies and minimum safeguards to protect confidential data. These laws come with stiff penalties from $10,000 to $100,000 per violation.
It’s worth noting that cybersecurity regulations are updated with new requirements from time to time. For example, in November of 2021, the Federal Trade Commission (FTC) tightened its cybersecurity requirements under the GLBA Safeguards Rule. There is also a push in Congress currently to pass a new consumer data privacy law that will impact most, if not all, businesses in the U.S. in the coming year or so.
Utah Laws
Along with all other states, Utah has enacted various data security and privacy laws to protect consumers from negligent care of their personal information. From the older Protection of Personal Information Act to the more recent cybersecurity laws, entities doing business in Utah are required to put reasonable procedures in place to protect personal and confidential information and to provide notice to persons if their personal information is compromised through a security breach.
The Utah Cybersecurity Affirmative Defense Act (May 2021) represents a significant change in incentives designed to compel compliance with Utah’s cybersecurity laws. In brief, the act provides a business with an affirmative defense to legal action taken by the state against the entity in the wake of a breach.
Rather than punishing an entity for negligence, the act encourages preventative action and compliance before a breach occurs. It’s designed to motivate entities to overhaul and raise their security standards and practices with a written cybersecurity plan that includes formalized security and privacy policies that reasonably conform with a specific framework such as GLBA, HIPAA or NIST.
The Utah Consumer Privacy Act (UCPA), effective December 31, 2023, grants Utah residents new data privacy rights and creates new obligations for how businesses collect and use their personal data. The UCPA places data security obligations on businesses that process Utah residents’ personal data, requiring them to, among other things, “establish, implement, and maintain reasonable administrative, technical, and physical data security practices.”
These laws do not fully define what constitutes reasonable data security practices, but you can look to both federal and industry standards for guidance.
Accounting Industry Standards
Within the accounting industry itself, the AICPA’s System and Organization Controls (SOC) cybersecurity standard details the recommended information security controls for both general business and accounting firms, including assessment and reporting on the maturity of an organization’s cybersecurity program.
This AICPA standard, along with all the various federal and state cybersecurity laws, can create a complex web of overlapping best practices that is virtually impossible for the average CPA firm or small business to implement and maintain.
UACPA Guidance on Cybersecurity Compliance
To simplify this, and help UACPA members successfully understand, implement, and get compliant with the latest cybersecurity regulations and standards, the UACPA has partnered with Utah-based cybersecurity company INVISUS and is announcing a new cybersecurity compliance education initiative for 2023.
This will include guidance on the core areas of cyber risk management such as governance, human resources, technical safeguards, business continuity, data privacy, breach response, and more.
Watch for more information and details this year, and together we’ll help you better safeguard against data breaches, build greater trust with your customers, and create legal defensibility for your business.
James Harrison is the founder and CEO of Utah-based cybersecurity company INVISUS, an industry pioneer in cybersecurity and identity theft protection since 2001. As chief strategist and product visionary, he leads the development of the company’s innovative security solutions and is a featured author, speaker and trainer. INVISUS is a leader in cyber risk management, data breach prevention and cybersecurity compliance.