Managing the Risk of Sharing Audit Data

    A guide for CFOs, COOs, General Counsel, Risk Managers and Board Members

    In late 2017, one of the "big four" auditors was hacked:

    "A bombshell report on Monday revealed [...] a major cyber attack that compromised [auditor's] email system and certain client records. The news is a major black eye for one of the world’s “big four” accountancy and consulting firms."


    "sources claimed the hackers accessed the entirety of the firm’s internal email database, and all administrative accounts. Worse, it appears the hackers transferred or copied a significant amount of that confidential data"


    "Those messages may have revealed their client’s secret corporate strategies or sensitive intellectual property. Meanwhile, all of those email addresses would provide crooks with ample opportunities for spear-phishing scams targeted at top executives."


    Imagine you're the CEO, COO, CFO or board member of a large company and you see an article like the one referenced, but listing your auditor as the one hacked. Are you concerned that sensitive internal data may now be at risk? What about employee or customer data? Will your competitors find out?

    It Was Predictable

    Even the best, brightest tech companies and banks have been hacked and breached. No matter how much time and expertise is available, every perimeter has openings. Zero-day exploits. Missing or delayed patches. System misconfigurations. Forgotten security modules. Missing IP restrictions. Human error.

    It's Inevitable

    The reality is, auditors are targets. Criminals know they are awash in sensitive client data. And despite having a lot of great capabilities, they likely spend more effort on their clients' behalf than on their own. (The auditor mentioned by name has a huge cyber security practice, for example - it didn't save them.)


    Auditing is also a reality for the large or regulated enterprise. Every quarter at least two sets of disclosures have to leave the corporate perimeter to ensure audited results are available for board meetings. The first is to the pre-audit team. The second is to the audit team proper. Most of the data provided to the second group becomes public in time. But the discussions and broad disclosures to the first team usually don't - and never, ever stop being sensitive.


    They Don't Need Copies

    From the perspective of a financial officer, neither pre-audit nor audit teams require copies of the disclosures. They only need to see the documents, record them, and likely enter key data items into their own internal system. Defending that system is their problem, not yours. Your sensitive documents, with your corporate logo - among other things - should never, ever be copied and stored in their system.


    Financial & Reputation Impact

    The cost of data breaches reached record highs in 2019. That said, it likely isn't an issue for auditors. They rarely review large amounts of raw data such as customer data with Personally Identifiable Information (PII) or Personal Healthcare Information (PHI), and if there was a need to do that, they would likely sign a Business Associate Agreement (BAA) or other agreement covering specific data sharing.


    Damage to a company's reputation, though, can be severe, impacting sales, stock performance, hiring, partnerships and more. A survey by another big four firm showed that 87% of consumers will take their business to a competitor if they don’t trust a company to handle their data responsibly.

    Enter The CFO

    As a result of this emerging reality, CFOs at the most risk-aware companies have expanded their roles to include managing financial risk due to data breaches. Here are five key steps they can take to secure their company for their shareholders:


    1. Tweak The Budget

    A key transformation is to direct budget flows to reduce risk around sharing with auditors and other critical external parties. The CFO can play a critical role bridging the reality of cash and spending with the rising costs of cleaning up after breaches, by partnering with the Chief Information Security Officer (CISO) and IT teams to set the right level of cyber-insurance coverage and ensure essential resources are funded.


    2. Design For Compliance

    CFOs can organize support managers by reviewing data sharing scenarios, pushing them to determine the sensitivity and upside of sharing, and aligning goals around containment and traceability. This helps them understand the cost of the security provided, and highlights risk areas.

    3. Represent Employees

    Internal data breaches usually impact employees' professional and personal lives - to say nothing of business unit performance. These collectively impact company performance, stock price and reputation. Having the CFO take charge of the communication and response to incidents like breaches shows how seriously the company and board take them, and helps reassure employees they won't be left to fend for themselves.


    4. Prepare Questions

    One of the most important reasons for the CFO to expand their role to include cyber security is communication. They are front-line communicators regarding financials and risk. Few people in the organization are better equipped to speak to the impact and response to data breaches.


    Critical questions to answer before a breach occurs include:

    • What is our governance approach for data? For sharing data with external recipients?
    • How much data have we shared already? With whom? What control do we have over that data?
    • Do we allow anonymous sharing?
    • What agreements are required to share sensitive information? In bulk? How many partners who currently receive data from us have signed these agreements? How often are they updated?
    • Do we have the ability to terminate an external party's access to shared data?
    • Who will take ownership in the event of a breach? Who will lead remediation? Communication around it?
    • How much training do we provide to employees regarding data security?
    • Do we have adequate cyber security insurance?
    • Given our current sharing volume, if our #1 partner was breached, what would the impact and fines likely be? And how would we respond?

    5. Prepare Answers

    After a breach, CFOs should focus on stabilizing financial markets, addressing shareholder concern and making clear that the company is resolving the issue. Critical disclosures to answer at this stage include:

    • How many records were breached? What type of information was in them?
    • Was the responsible party the company? A partner like an auditor? A customer?
    • Was data exfiltrated from the breach location, or accessed there?
    • Is the breached data still available? Why? If so, when will it be removed?
    • What service(s) is the company providing to impacted employees and partners?
    • Does the company have sufficient insurance to avoid a severe financial outcome from this breach?
    • What is being done to ensure the breach does not recur, while allowing the business activity that presumably required sharing to continue? In particular, what training changes are we making to ensure staff is aware of this type of risk in future?

    Stay In Control

    e-Share, formerly nCryptedCloud, has been delivering solutions to the external sharing problem for the large and regulated enterprise for 5+ years. Our 100% cloud platform was designed from the ground up to make it easy to share sensitive information with external parties without giving away copies and leaving sensitive information exposed. Read how one of our customers' auditors was hacked, and because they used e-Share, they had zero exposure.

    Integrated & Enterprise Class

    e-Share is incredibly easy to adopt through integration with Microsoft Office, Outlook, Teams, Google GSuite and more. Employees who want to share don't have to learn a new system. So they'll actually use it. You can add e-Share to your existing tools in a few hours, and the experience delivered is 100% cloud, fully re-branded to use your sub-domain and certificate, and enterprise friendly with SSO, auto-provisioning, full audit, out-of-the-box support for eDiscovery and retention systems - and much more.

    Immediate Visibility

    By integrating with Dropbox, Box, OneDrive and Google Drive, e-Share's administrative portal instantly shows what files are shared, who shared them, and the status of the share. Every touch of every file is audited, and authorized administrators and managers can search and filter activity history anytime.

    Fine-Grained Sharing Controls

    The e-Share platform allows users to share sensitive and/or regulated data with external recipients using nothing more than a browser - no plug-ins required - in view or edit-online-only modes, so copies can't be saved and copy/paste is disabled. Alternatively, if auditors must have copies of data, you can require watermarking with the recipient's email and IP address to ensure you can trace any unauthorized release.

  • To see e-Share products protect sensitive audit data, please schedule a demo!
