In late 2017, one of the "big four" auditors was hacked:
"A bombshell report on Monday revealed [...] a major cyber attack that compromised [auditor's] email system and certain client records. The news is a major black eye for one of the world’s “big four” accountancy and consulting firms."
"sources claimed the hackers accessed the entirety of the firm’s internal email database, and all administrative accounts. Worse, it appears the hackers transferred or copied a significant amount of that confidential data"
"Those messages may have revealed their client’s secret corporate strategies or sensitive intellectual property. Meanwhile, all of those email addresses would provide crooks with ample opportunities for spear-phishing scams targeted at top executives."
Imagine you're the CEO, COO, CFO or board member of a large company and you see an article like the one referenced, but listing your auditor as the one hacked. Are you concerned that sensitive internal data may now be at risk? What about employee or customer data? Will your competitors find out?
It Was Predictable
Even the best and brightest tech companies and banks have been hacked and breached. No matter how much time and expertise is available, every perimeter has openings: zero-day exploits, missing or delayed patches, system misconfigurations, forgotten security modules, missing IP restrictions, human error.
The reality is, auditors are targets. Criminals know they are awash in sensitive client data. And despite having strong capabilities, auditors likely spend more of that effort on their clients' behalf than on their own. (The auditor named in the report has a huge cyber security practice, for example; it didn't save them.)
Auditing is also a reality for the large or regulated enterprise. Every quarter at least two sets of disclosures have to leave the corporate perimeter to ensure audited results are available for board meetings. The first is to the pre-audit team. The second is to the audit team proper. Most of the data provided to the second group becomes public in time. But the discussions and broad disclosures to the first team usually don't - and never, ever stop being sensitive.
They Don't Need Copies
From the perspective of a financial officer, neither pre-audit nor audit teams require copies of the disclosures. They only need to see the documents, record them, and likely enter key data items into their own internal system. Defending that system is their problem, not yours. Your sensitive documents, with your corporate logo - among other things - should never, ever be copied and stored in their system.
Financial & Reputation Impact
The cost of data breaches reached record highs in 2019. That said, the direct cost of a breach is probably not the main issue where auditors are concerned. They rarely review large volumes of raw data such as customer records containing Personally Identifiable Information (PII) or Protected Health Information (PHI), and if there were a need to do that, they would likely sign a Business Associate Agreement (BAA) or other agreement covering the specific data being shared.
Damage to a company's reputation, though, can be severe, impacting sales, stock performance, hiring, partnerships and more. A survey by another big four firm showed that 87% of consumers will take their business to a competitor if they don’t trust a company to handle their data responsibly.
Enter The CFO
As a result of this emerging reality, CFOs at the most risk-aware companies have expanded their roles to include managing the financial risk of data breaches. Five key steps they can take to secure their company for their shareholders:
1. Tweak The Budget
A key change is to direct budget toward reducing the risk around sharing with auditors and other critical external parties. The CFO can bridge the reality of cash and spending with the rising cost of cleaning up after breaches by partnering with the Chief Information Security Officer (CISO) and IT teams to set the right level of cyber-insurance coverage and to ensure essential resources are funded.
2. Design For Compliance
CFOs can organize business managers around a review of data-sharing scenarios, pushing each to weigh the sensitivity of the data against the upside of sharing it, and aligning goals around containment and traceability. This makes the cost of the security provided visible and highlights risk areas.
3. Represent Employees
Internal data breaches usually impact employees' professional and personal lives, to say nothing of business-unit performance. These collectively impact company performance, stock price and reputation. Having the CFO take charge of the communication and response to incidents like breaches shows how seriously the company and board take them, and helps reassure employees they won't be left to fend for themselves.
4. Prepare Questions
One of the most important reasons for the CFO to expand their role to include cyber security is communication. They are front-line communicators on financials and risk. Few people in the organization are better equipped to speak to the impact of a data breach and the response to it.
Critical questions to answer before a breach occurs include:
5. Stay In Control
Fine-Grained Sharing Controls
The e-Share platform lets users share sensitive or regulated data with external recipients using nothing more than a browser (no plug-ins required) in view-only or edit-online-only modes, so no copy is saved on the recipient's side and copy/paste is disabled. Alternatively, if auditors must have copies of the data, you can require watermarking with the recipient's email and IP address so that any unauthorized release can be traced back to the copy it came from. Browser-only viewing cannot stop a screenshot or a photograph of the screen; the watermark is what makes such a leak attributable.
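The traceability claim behind per-recipient watermarking is worth showing concretely. The following is an added example written for this page, not e-Share's code, using only Python's standard library. Each copy that leaves the perimeter is stamped with the recipient's email, the source IP, the issue time and a short reference computed as a keyed HMAC under a server-side secret (the hypothetical SERVER_KEY, which in practice would live in a KMS or HSM); the reference is recorded server-side so that a leaked page can be traced to its recipient even if someone edits the visible text to blame a colleague. The document name, recipient and IP in demo() are constructed sample inputs, and rendering the stamp onto a PDF or image is left out.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

# Hypothetical server-side secret. In a real deployment it lives in a KMS/HSM and
# never reaches the recipient; it is what stops a recipient from forging a reference.
SERVER_KEY = bytes.fromhex(
    "8f1c0e5b1a9d4e7c2b6a0f3d9e8c7b6a5f4e3d2c1b0a99887766554433221100"
)


@dataclass(frozen=True)
class ShareRecord:
    doc_id: str
    recipient: str   # normalised email address
    client_ip: str   # canonical IP text
    issued_at: str   # ISO 8601, UTC


def reference_for(record: ShareRecord, key: bytes = SERVER_KEY) -> str:
    """Keyed, truncated MAC over the share details, grouped for a visible stamp."""
    msg = "|".join((record.doc_id, record.recipient, record.client_ip, record.issued_at))
    digest = hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()[:16].upper()
    return "-".join(digest[i:i + 4] for i in range(0, 16, 4))   # e.g. 3F1A-90C2-7B0E-D512


def render_label(record: ShareRecord, ref: str) -> str:
    """The text stamped on every page of the shared copy."""
    return (f"CONFIDENTIAL - shared with {record.recipient} from {record.client_ip} "
            f"on {record.issued_at} - ref {ref}")


def issue_watermark(doc_id: str, recipient_email: str, client_ip: str,
                    issued_at: datetime, registry: Dict[str, ShareRecord],
                    key: bytes = SERVER_KEY) -> Tuple[str, str]:
    """Build the per-copy stamp and record it so a leaked page can be traced later."""
    ip = str(ipaddress.ip_address(client_ip))             # rejects garbage, canonicalises IPv6
    when = issued_at.astimezone(timezone.utc).isoformat(timespec="seconds")
    record = ShareRecord(doc_id, recipient_email.strip().lower(), ip, when)
    ref = reference_for(record, key)
    registry[ref] = record                                # server-side source of truth
    return render_label(record, ref), ref


def trace_leak(recovered_label: str, registry: Dict[str, ShareRecord],
               key: bytes = SERVER_KEY) -> Optional[Tuple[ShareRecord, bool]]:
    """Identify who received a leaked copy from the text read off one of its pages.

    Returns (record, tampered). The registry, not the visible text, decides the
    recipient, so an email edited on the page to blame someone else is reported as
    tampering rather than believed. An unknown or fabricated reference yields None.
    """
    marker = " - ref "
    if marker not in recovered_label:
        return None
    ref = recovered_label.rsplit(marker, 1)[1].strip()
    record = registry.get(ref)
    # Recomputing the MAC also catches a registry entry that was altered after issue.
    if record is None or not hmac.compare_digest(reference_for(record, key), ref):
        return None
    tampered = recovered_label.strip() != render_label(record, ref)
    return record, tampered


def demo() -> Tuple[Dict[str, ShareRecord], str, Optional[Tuple[ShareRecord, bool]]]:
    """Constructed scenario: issue one copy, then trace a leak whose visible email was edited."""
    registry: Dict[str, ShareRecord] = {}
    label, _ = issue_watermark(
        "FY2019-pre-audit-pack", "Alice@Example.com", "203.0.113.7",
        datetime(2019, 10, 14, 9, 30, tzinfo=timezone.utc), registry)
    leaked = label.replace("alice@example.com", "bob@example.com")
    return registry, label, trace_leak(leaked, registry)


if __name__ == "__main__":
    _, label, found = demo()
    print(label)
    if found:
        print("traced to:", found[0].recipient, "| visible text edited:", found[1])
```

The visible email and IP are readable by anyone who sees the leaked copy, which is convenient for humans but is also what a leaker will try to alter; the opaque reference and the server-side record are what you actually rely on. A watermark does not prevent a leak, it only makes one attributable, which is the point of requiring it whenever a copy must be handed over.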