ICAEW.com works better with JavaScript enabled.

Cyber risk: genuine threat or overhyped?

Many of you might be tired and weary of hearing about GDPR, data protection and cyber risk. Opt-in, opt-out, updated terms and conditions… the fact that so many businesses have taken different approaches to the way they manage personal data adds to the continuing uncertainty surrounding this area

June 2019


It remains, however, a live and growing issue. This article won’t give you chapter and verse on data protection and cyber risks, nor assess whether your business is compliant, but it will hopefully give you a better understanding of how these things could affect you and your business.

With the accelerating pace of technological developments comes developing threats and challenges. Cyber Security Ventures has estimated that global cyber-crime costs will reach $6 trillion dollars by 2021.

Technological crime is on course to rival global crime from drug trafficking and other organised crime. Data breaches and cyber-attacks are regular headline news… TalkTalk (2015), Tesco Bank, Panama Papers, Facebook, and so on.

So, does size really matter and what does this mean to you? The London Society of Chartered Accountants (LSCA) includes members in practice, business, not-for-dividend and public sector, many of whom will be (or will advise) smaller organisations.

These headline attacks may seem remote to many SMEs and they might feel like they are less susceptible to cyber-attacks. However, SMEs may be more vulnerable as they are likely to have less sophisticated IT security (and a smaller budget).

Rather than being less appealing, they can have a wealth of good quality clients and hold significant and commercially sensitive information that are key targets of cyber criminals. It’s likely this has been under-reported as previously SMEs did not have to report breaches and so they were less visible.

However, GDPR means that there is now an obligation on all businesses to report breaches or face significant fines.

To those in private practice, when you think of cyber-attacks and data breaches, it’s not often you will think “accountants”, but the need to remain alert and vigilant is paramount. Accountants are data aggregators, so they are high risk because they hold confidential and sensitive information and client monies.

This puts the profession squarely at risk of first and third party cyber fraud, data breaches, and related GDPR consequences. Bluefin Professions ran a webinar on this topic for the ICAEW’s Practice Radar (available from here), which gives direct claims examples and a helpful insight in to how cyber-crime can directly affect accountants.

Implications of an attack can be severe to accountants in all fields: reputational damage, regulatory risk, and bottom line exposure. The answer will always be, first and foremost, the implementation of risk management to help prevent things going wrong. But if (or when) they do go wrong, what then? And where are the gaps? Those in private practice often rely on their professional indemnity insurance (PII) to cover claims from clients. Other businesses will hope property, public, and employers’ liability insurances might provide some coverage.

However, most insurances do not usually provide cover for the losses suffered by the business itself in investigating claims, nor business interruption costs or other “own business” losses. Wider cover is available, as a “belt and braces” approach.

Bluefin Profession’s advice to ICAEW members is to review the protection they have and take the necessary precautions needed to protect their business and clients from this evolving and increasingly sophisticated threat.

Patrick Hearn is Head of Professions at Bluefin Professions, an ICAEW Member Reward Partner for PI and office insurance

Liked this? Read these:


London Accountant

Go to London Accountant for more features, news and opinion.
Follow us on Twitter @ICAEW_London and join us on LinkedIn: LSCA and Croydon.
Subscribe to ‘regional updates’ to receive more articles.