Early 20th-century bank robber Willie Sutton apocryphally said he robbed banks because that’s where the money was. Using that same logic, cybercriminals are bypassing individual companies and hacking accounting and tax professionals instead.
“It is a big concern for us,” said Mike Lindstrom, partner with Eide Bailly LLP, a Boise-based accounting firm, and chair of the federal and state tax committee for the Idaho Society of CPAs.
Exactly what tax professionals do to protect themselves isn’t always easy to determine. “Talking about security is sensitive because no one wants to disclose details that could help the bad guys,” said Lisa Patterson, senior communications manager for the corporate office of H&R Block.
That said, organizations on both the state and federal level are working to raise awareness of the issue. For example, the week of Dec. 3-7 is National Tax Security Awareness Week.
“Tax professionals continue to be a target of cyber criminals because of the information they have,” said Renee Eymann, public information officer for the Idaho State Tax Commission, which, like many similar state organizations, partners with the federal Internal Revenue Service (IRS) to raise awareness of the issue. “Our agency is part of the Security Summit, a partnership between the IRS, state tax agencies and the tax community, including tax preparation firms, software developers, payroll and tax financial product processors, tax professional organizations and financial institutions.”
For each day of National Tax Security Awareness Week, the summit will focus on a single issue that poses a threat to individuals, businesses and tax professionals and provide tips for better protecting sensitive data from cybercriminals, Eymann said. In addition to being posted to the National Tax Security Awareness Week website, the IRS will send out information on Twitter from the account @IRStaxsecurity.
The Idaho State Tax Commission doesn’t track how many accounting and tax professionals have been hacked, Eymann said, but according to the 2018 Cost of a Data Breach Study, conducted annually by the Ponemon Institute, the financial services industry is the business sector with the highest frequency of data breaches. And financial services is second only to health care as the industry with the highest cost of data breaches, at $206 per capita.
Moreover, cybersecurity incidents can have greater repercussions in financial services than in some other industries, according to the report. “Companies in certain industries are more vulnerable to churn when customers can easily take their business to another competitor,” the report noted. “Customers also have high expectations for the protection of their data in highly regulated industries, such as health care and financial services. When these organizations have a data breach, customers’ trust will decline and they will try to find a substitute.”
In addition to National Tax Security Awareness Week, the Security Summit also promotes events such as Tax Security 101, held over 10 weeks this summer, to alert accounting and tax professionals to cybersecurity issues such as using passwords, encrypting data, and detecting “phishing,” in which an attacker tries to break into a system with a message that poses as legitimate email.
The Federal Trade Commission also requires all professional tax preparers to create and enact security plans to protect client data.
Ironically, the IRS itself has been the victim of several cybersecurity incidents. A May audit by the Treasury Inspector General for Tax Administration found that the IRS hasn’t accurately cataloged all the components of its highest value hardware and software systems, doesn’t have a clear count of who has privileged access to those systems, and likely isn’t patching software vulnerabilities on its highest value assets within the 30-day timeframe required for federal agencies.
Earlier this month, the IRS failed to add more than 11,000 compromised Social Security numbers to a list it uses to help protect taxpayers from identity theft. Consequently, 79 of those Social Security numbers were reportedly used to file phony tax returns in an effort to receive refunds during the 2016 and 2017 tax years.