Cyberattacks on the World’s Largest Audit Firms
In 2017, Deloitte, one of the Big 4 accounting firms, was the victim of a cyberattack that compromised the personal information of thousands of its employees and clients. The attack also caused the firm to lose access to some of its data and systems.
The attack was carried out by a group of hackers known as Clop. The hackers used a phishing email to trick an employee into clicking on a malicious link. Once the employee clicked on the link, the hackers were able to access the employee’s computer and, from there, the firm’s network.
The hackers were able to steal the personal information of thousands of Deloitte employees and clients, including names, addresses, Social Security numbers, and dates of birth. They also stole financial information, such as bank account numbers and credit card numbers.
The attack caused significant disruption to Deloitte’s operations. The firm had to take its systems offline and hire third-party contractors to help with the recovery process.
The Mazars cyberattack
In 2020, the accounting firm Mazars was also the victim of a cyberattack, in which the attackers successfully stole sensitive financial information belonging to the firm’s clients.
The attack was carried out by a group of hackers known as REvil. The hackers used a phishing email to trick an employee into clicking on a malicious link. Once the employee clicked on the link, the hackers were able to access the employee’s computer and, from there, the firm’s network.
The hackers were able to steal sensitive financial information from Mazars’ clients, including financial statements, tax returns, and banking information. The hackers also stole intellectual property from some of Mazars’ clients.
The attack caused significant disruption to Mazars’ operations. The firm had to take its systems offline and hire third-party contractors to help with the recovery process. The episode also damaged Mazars’ reputation.
The BDO cyberattack
In 2022, the accounting firm BDO was the victim of a cyberattack that compromised the data of some of its clients.
The attack was carried out by a group of hackers known as Conti. The hackers were able to steal the data of some of BDO’s clients, including names, addresses, and Social Security numbers. The hackers also stole financial information, such as bank account numbers and credit card numbers.
What is the Impact of cyberattacks?
Cyberattacks can have a significant impact on audit firms. These impacts can include:
How can large audit firms prevent cyberattacks?
The SBL syllabus focuses on best practices for improving cybersecurity, and many of these ideas have been applied in large audit firms.
Therefore, these firms must proactively protect their data and systems from potential threats. Here are some best practices that the Big 4 audit firms could follow to prevent or mitigate cyberattacks, which apply to any large organisation.
1. Review and update their cybersecurity policies and procedures:
The Big 4 audit firms should have a comprehensive and clear cybersecurity policy that establishes rules and guidelines for handling sensitive customer and employee information. The policy should cover data classification, encryption, access control, backup, recovery, incident response, and compliance. The policy should also be regularly reviewed and updated to reflect the changing threat landscape and regulatory requirements.
For example, Deloitte has developed a global cybersecurity policy that defines its cybersecurity vision, principles, roles and responsibilities, governance structure, risk management approach, and reporting mechanisms. Deloitte also conducts annual cybersecurity reviews to assess its compliance with the policy and identify areas for improvement.
2. Centralise their cybersecurity management:
The Big 4 audit firms should have a centralised cybersecurity team that oversees and coordinates all aspects of their cybersecurity strategy. The team should include experts from different domains such as IT, legal, risk, audit, and business. The team should also have clear roles and responsibilities for each member and communicate effectively with other stakeholders within and outside the firm.
For example, PwC has established a global cybersecurity leadership team comprising senior executives from various functions such as IT security, risk assurance, legal services, forensics, consulting, and business development. The team is responsible for setting the strategic direction for PwC’s cybersecurity initiatives, overseeing the implementation of cybersecurity programs and projects across regions and lines of service, managing cybersecurity incidents and crises, and engaging with external partners such as clients, regulators, vendors, and industry associations.
3. Assess and monitor their cybersecurity risks:
Audit firms should conduct regular cybersecurity audits to identify and evaluate their current cybersecurity posture and potential vulnerabilities. They should use various tools and frameworks to assess their internal and external risks and measure their performance against industry standards and best practices. They should also monitor their networks and systems for any signs of suspicious or malicious activity and respond promptly to any incidents or alerts.
For example, EY has developed a proprietary cybersecurity assessment tool called EY Cybersecurity Assessment Framework (CAF) that helps its clients measure their cybersecurity maturity across five domains: strategy and governance, identity and access management, data protection, threat detection and response, and resilience.
4. Implement multi-layered security controls:
The Big 4 audit firms should implement multiple layers of security controls to protect their data and systems from different types of cyberattacks. These controls should include technical measures such as firewalls, antivirus software, encryption, authentication, authorisation, patching, and backup, as well as organisational measures such as training, awareness, policies, procedures, and governance. The firms should also adopt a defence-in-depth approach that assumes that any layer of security can be breached and provides redundancy and resilience in case of a breach.
For example, KPMG has implemented a multi-layered security architecture that consists of four layers: perimeter, network, endpoint, and data. The perimeter layer protects the firm’s external boundaries from unauthorised access using firewalls, VPNs, and proxies. The network layer secures internal communication and traffic using segmentation, encryption, and intrusion detection and prevention systems. The endpoint layer safeguards the devices and applications used by the firm’s employees and clients using antivirus software, patch management, and device management. The data layer ensures the confidentiality, integrity, and availability of the firm’s data using encryption, access control, backup, and recovery.
5. Engage external experts for independent assurance:
The Big 4 audit firms should consider engaging external experts, such as independent cybersecurity experts, to perform assurance examinations on their cybersecurity risk management programs. These examinations can provide an objective and credible assessment of the design and effectiveness of the firm’s cybersecurity policies, procedures, controls, and performance. They can also provide valuable insights and recommendations for improvement.
Cybersecurity is not only a technical issue but also a strategic one that requires constant attention and investment from the firm’s top management. The Big 4 audit firms should recognise the importance of cybersecurity as a competitive advantage and a business enabler in the digital age.
In the SBL exam, you may be asked to recommend appropriate cybersecurity measures for a fictional company. The ideas discussed in this article are valuable for generating critical points in the exam. So, learn the techniques from this article and suggest solutions relevant to the case study you are presented with.