Like ducks to the pond, wealthy individuals share lots of personal and financial information with accountants in February, March, and April. They discuss their kids’ medical costs, regular and irregular income, and readily enter their Social Insurance Numbers and banking information into endless forms. All your most sensitive and confidential information is replicated, archived and stored on file. Details like that new medication you’ve started taking, or those drapes for the living room which you consider a home office expense.
We share pretty much everything with our accountants. Any question they ask, we’ll answer in the medium they decide is most favourable. We’ll record our answers on paper, by email, by drop box, or even by thumb drive. We’ll provide anything they need, faithfully.
Perhaps you don’t need to know why your accountant needs all these details, but you do need to know how their firm is going to keep all your records safe.
How long do accountants keep your records on file?
How do they dispose of records when they reach the end of their usefulness?
If you emailed all those records, does the accountant keep them in their massive email inbox? Or are those emails sorted into archive files, client files, your own client file? Who else has access to this email archive system? If your accountant works from home, as many do these days, is your personal information stored on the same computer their 10-year-old child uses to play Minecraft?
If the accountant is using a file sharing system like Dropbox, OneDrive, or SmartVault, then you don’t have to worry about email interceptions, but these systems are public-facing and are vulnerable to password attacks and similar exploits. Something secure today may not be secure tomorrow, so how long is your confidential information, like the legal fees related to that alleged DUI last year, going to be kept in the file sharing system? If they do delete stuff, how is it deleted? I recall how you thought those spicy post-convention hotel room snaps were deleted, but your tech-savvy partner found them in the Deleted folder on your phone.
Bad actors know accountants have all this juicy information, and they also know accountants are usually too busy calculating refunds to do IT security. Cybercriminals are very aware that accountants sometimes make payments on behalf of their customers and thus will have all their banking information. It follows that accountants are among the most frequently targeted professions and cybercriminals’ favourite prey.
Before You Sign with a New Accounting Firm
Ask them if they’ve ever been attacked. Was the attack successful? What systems were impacted? Were the accountant’s clients impacted? What precautions did the firm take before or after the attack? Did the accountant notify any clients? And… Critically… What kind of insurance does the accountant hold and maintain to make those impacted clients whole again? Get it in writing. Maybe the firm you are using today was recently hacked, and they just didn’t tell you. Maybe they limited disclosure to only those who were impacted, believing a full disclosure would impair their prospects. If that’s the case, the hunters may still be in their blinds waiting for next season’s ducks.

This tax season, before you submit the receipt for that hentai-themed hotel room on that supposed business trip you took with your spouse, maybe it’s time to ask your accountant to open their IT kimono and share their security details with you. The simplest and most telling question you can ask is: does your accounting firm have full-time, qualified IT support? If they don’t have IT support, tell them to hire an IT consultant right away. Kearns Technology Inc. in Toronto has cyber security experts on staff ready to help lock things down, this hunting season and all year long.