Cyberattacks on the World’s largest Audit firms

 

In 2017, Deloitte, one of the Big 4 accounting firms, was
the victim of a cyberattack that compromised the personal information of
thousands of its employees and clients. The attack also caused the firm to lose
access to some of its data and systems.

 

The attack was carried out by a group of hackers known as
Clop. The hackers used a phishing email to trick an employee into clicking on a
malicious link. Once the employee clicked on the link, the hackers could access
the employee’s computer and the firm’s network.

 

The hackers were able to steal the personal information of
thousands of Deloitte employees and clients, including names, addresses, Social
Security numbers, and dates of birth. They also stole financial information,
such as bank account numbers and credit card numbers.

 

The attack caused significant disruption to Deloitte’s
operations. The firm had to take its systems offline and hire third-party
contractors to help with the recovery process.

 

The Mazars cyberattack

 

In 2020, the accounting firm Mazars was also the victim of
a cyberattack. The attack successfully stole sensitive financial information
from the firm’s clients.

The attack was carried out by a group of hackers known as
REvil. The hackers used a phishing email to trick an employee into clicking on
a malicious link. Once the employee clicked on the link, the hackers could
access the employee’s computer and the firm’s network.

 

The hackers could steal sensitive financial information
from Mazars’ clients, including financial statements, tax returns, and banking
information. The hackers also stole intellectual property from some of Mazars’
clients.

The attack caused significant disruption to Mazars’
operations. The firm had to take its systems offline and hire third-party
contractors to help with the recovery process. The episode also damaged Mazars’
reputation.

 


What
is the Impact of cyberattacks?

Cyberattacks
can have a significant impact on audit firms. These impacts can include:

  • Financial losses: Cyberattacks can lead to financial losses for
    audit firms, as they may have to pay ransoms, fines, or legal fees.
  • Reputational damage: • Reputational
    damage:  Cyberattacks can damage the reputation of audit firms, as
    clients may lose confidence in their ability to protect their data. This
    could lead to a loss of revenue as clients move their business to another
    audit firm.
  • Operational disruptions: Cyberattacks can disrupt the operations of
    audit firms, as they may have to take systems offline or hire third-party
    contractors to help with the recovery process.
  • Regulatory fines: Audit firms may be fined by regulators for
    failing to protect their data from cyberattacks.

 

 

 

 

How
can large audit firms prevent cyberattacks?

The
SBL syllabus focuses on best practices to improve cybersecurity, and many of
these ideas were applied in large audit firms.  

Therefore,
these firms must proactively protect their data and systems from potential
threats. Here are some best practices that the Big 4 audit firms could follow
to prevent or mitigate cyberattacks, which apply to any large organisation.

1.   
Review and update their
cybersecurity policies and procedures:

The
Big 4 audit firms should have a comprehensive and clear cybersecurity policy
that establishes rules and guidelines for handling sensitive customer and
employee information. The policy should cover data classification, encryption,
access control, backup, recovery, incident response, and compliance. The policy
should also be regularly reviewed and updated to reflect the changing threat
landscape and regulatory requirements.

For
example, Deloitte has developed a global cybersecurity policy that defines its
cybersecurity vision, principles, roles and responsibilities, governance
structure, risk management approach, and reporting mechanisms. Deloitte also
conducts annual cybersecurity reviews to assess its compliance with the policy
and identify areas for improvement.

2.   
Centralise their cybersecurity
management:

The
Big 4 audit firms should have a centralised cybersecurity team that oversees
and coordinates all aspects of their cybersecurity strategy. The team should
include experts from different domains such as IT, legal, risk, audit, and
business. The team should also have clear roles and responsibilities for each
member and communicate effectively with other stakeholders within and outside
the firm.

For
example, PWC has established a global cybersecurity leadership team comprising
senior executives from various functions such as IT security, risk assurance,
legal services, forensics, consulting, and business development. The team is
responsible for setting the strategic direction for PWC’s cybersecurity
initiatives, overseeing the implementation of cybersecurity programs and
projects across regions and lines of service, managing cybersecurity incidents
and crises, and engaging with external partners such as clients, regulators,
vendors, and industry associations.

3.   
Assess and monitor their
cybersecurity risks:

Audit
firms should conduct regular cybersecurity audits to identify and evaluate
their current cybersecurity posture and potential vulnerabilities. They should
use various tools and frameworks to assess their internal and external risks
and measure their performance against industry standards and best practices.
They should also monitor their networks and systems for any signs of suspicious
or malicious activity and respond promptly to any incidents or alerts.

For
example, EY has developed a proprietary cybersecurity assessment tool called EY
Cybersecurity Assessment Framework (CAF) that helps its clients measure their
cybersecurity maturity across five domains: strategy and governance, identity
and access management, data protection, threat detection and response, and
resilience.

4.   
Implement multi-layered security
controls:

The
Big 4 audit firms should implement multiple layers of security controls to
protect their data and systems from different types of cyberattacks. These
controls should include technical measures such as firewalls, antivirus software,
encryption, authentication, authorisation, patching, and backup, as well as organisational
measures such as training, awareness, policies, procedures, and governance. The
firms should also adopt a defence-in-depth approach that assumes that any layer
of security can be breached and provides redundancy and resilience in case of a
breach.

 

For
example, KPMG has implemented a multi-layered security architecture that
consists of four layers: perimeter, network, endpoint, and data. The perimeter
layer protects the firm’s external boundaries from unauthorised access using
firewalls, VPNs, and proxies. The network layer secures the internal
communication and traffic using segmentation, encryption, and intrusion
detection and prevention systems. The endpoint layer safeguards the devices and
applications used by the firm’s employees and clients using antivirus software,
patch management, and device management. The data layer ensures the firm’s
data’s confidentiality, integrity, and availability using encryption, access
control, backup, and recovery.

5.
Engage external experts for independent assurance:

The
Big 4 audit firms should consider engaging external experts, such as
independent cybersecurity experts, to perform assurance examinations on their
cybersecurity risk management programs. These examinations can provide an
objective and credible assessment of the design and effectiveness of the firm’s
cybersecurity policies, procedures, controls, and performance. They can also
provide valuable insights and recommendations for improvement.

Cybersecurity
is not only a technical issue but also a strategic one that requires constant
attention and investment from the firm’s top management. The Big 4 audit firms
should recognise the importance of cybersecurity as a competitive advantage and
a business enabler in the digital age.

Conclusion

In
the SBL exam, you may be asked to recommend appropriate Cybersecurity measures
to a fictional company. The ideas discussed in this article are valuable for
generating critical points in the exam. So, learn the techniques from this
article and suggest solutions relevant to the case study you are presented with.
.