
Verifying your vendor's cybersecurity measures

August 14, 2019

You believe your organization has taken the correct cybersecurity measures, but have your vendors? Hear from Jay Mallory, executive vice president of marketing and business development at ImageQuest, and learn the proper steps to ensure your vendors aren't putting you at risk.


Podcast

Stewart:
I’m Marvin Stewart, the Communications, Design and Marketing Coordinator for KyCPA. You are listening to KYCPA: Behind the Numbers. We are here to talk about vendor management and how CPAs could face demands from regulated clients to verify their cybersecurity measures. So Jay, if you could just talk about yourself a little bit and transition into the topic you're talking about.

Mallory:
Sure. Yeah. My name's Jay Mallory, and I am the Executive Vice President of Business Development and Marketing for ImageQuest. ImageQuest is a managed IT security and compliance consulting company. We work mainly with regulated industry, but we work with a lot of organizations that touch regulated industry. So CPA firms are one of the verticals that we spend a lot of time having conversations with.

Stewart:
All right. So I guess we'll dive right in. What's a top regulatory trend accountants need to be aware of?

Mallory:
Well, CPA firms today aren't necessarily regulated by anyone. Now, they could be. I'm starting to see some CPA firms that are starting to maybe get into the insurance space and get into the financial services space, and if they are, there is some regulatory oversight from HIPAA, FCC, and FINRA. But I think the thing that the CPA firms need to be paying most attention to are the regulations that their clients fall under.

So for example, if I'm a CPA firm and I'm working with a medical practice or I'm working with a mortgage and title company or I'm working with a financial services organization, I need to pay particular attention to the regulatory bodies that those folks fall under. A good example could be that I'm a CPA firm, I am representing a financial services company, and I may be doing payroll for that organization. So maybe by doing payroll, or not maybe by doing payroll, by doing payroll I have access to the employees of that financial services company. I have access to all of their employee information. With that, I have access to their data. I may have access to their systems.

Many times the bad actors, they realize they might not be able to get into a company, because they've really hardened their cybersecurity. But what they might be able to do is get in through a third party, the soft underbelly, which could be the CPA firm.

Stewart:
Wow. Really?

Mallory:
Absolutely. So let's say I'm a CPA firm, and I have listed somewhere on my website some of my clients, or I'm the owner of a CPA firm and I'm on LinkedIn, and I've got a list of all my connections on LinkedIn. Doesn't take long to figure out who your clients might be, right?

Stewart:
Mm-hmm (affirmative). Yeah, you're right. All that information, we talked about that earlier.

Mallory:
Yeah, exactly. It's all out there. So yeah, if I'm trying to hack into a large healthcare organization, if I can figure out who their downstream vendors are that might have access to their information, that might be where I start. And it's not only a CPA firm. It could be a law firm. It could be a company that's providing insurance and benefits for an organization. We mentioned on the earlier podcast that the bad guys are lazy and they're looking for the low-hanging fruit, and many times those downstream vendors are the low-hanging fruit.

Stewart:
They're like that segue that normally no one would think about. So I guess why focus on vendors is my question.

Mallory:
Well, I'll tell you a story. We've all heard about the Target breach, right? The Target breach is one of the largest breaches. Made the news, I believe it's been almost five years ago.

Stewart:
That's when they took a lot of people's card information, correct?

Mallory:
You got it. You got it. All the credit cards were taken. But Target spends millions of dollars a year on cybersecurity, so that's pretty hard. It'd be hard to maybe hack into Target. So what happened was, they were hacked through their HVAC company's inability to have a program in place to protect their information. So basically what happened was, Target, all of their HVAC systems are centrally managed out of their corporate office, out of Minneapolis. And there's a central area there that, you don't go into a Target and change the thermostat. It's all centrally managed.

So their HVAC provider went in to do some work, had a laptop connected to their system. On that system there was some malware, and that malware got onto the HVAC system and bounced around all the way over to the payroll system or to the credit card system. And that's how the bad guys got into Target. They didn't hack into Target. They hacked into one of their downstream vendors.

Stewart:
And it just went up from there.

Mallory:
It went from there. Exactly right. Investigators found in that case, obviously, from the story that that HVAC company had poor security. Statistics would say that 20% of the breaches in healthcare happen from poor downstream security of the vendors. The regulators know this, and the hackers know that as well.

Stewart:
And a lot of these vendors, are they primarily... I guess in the Target instance it's a company that probably would have never thought they would need the measures that they should have.

Mallory:
That's exactly right. That's exactly right. Now, it was a different world five years ago. Today, the Targets of the world are doing their due diligence on their downstream vendors. They're taking a very, very close look at who they do business with, and many companies are starting, I don't think many companies, most companies are starting to do that. They are creating a vendor management plan, and within that plan what they will do is they will list out all of their vendors from top to bottom and they will take a close look at their cybersecurity posture.

If I'm sharing personally identifiable information or I'm sharing health information or I'm sharing financial information with a downstream vendor, I want to make sure it's being protected, right? So I'm taking a close look at that. And a lot of companies are looking to reduce the number of vendors that they have, so if I'm not providing a high level of security, I might be on the chopping block.

Stewart:
I guess it's kind of like a good thing at the same time, because now it hopefully pressures other vendors to beef up their security game, because as everything's becoming more and more online, most of our information is somewhere in some system. You would never think that that would happen.

Mallory:
Absolutely. Oh, absolutely. It's out there, and you just have to be diligent. And the companies that are taking this seriously, they will thrive and they will be okay. The companies that don't, that aren't taking it seriously, they're going to find themselves under a lot of pressure from their upstream vendors.

Stewart:
Yeah, I definitely think people are noticing stuff like that now, like how much like their data matters. With the whole Facebook issue that people are having, I think now cybersecurity, it's becoming more expected of people, because the hassle of getting your information stolen is just so... I've never personally had mine stolen, knock on wood here, but I think that I don't want my information stolen. The hassle is just too much.

Mallory:
Right, exactly. Exactly. And you know, we had mentioned this vendor management plan that these organizations are putting into effect. What we're seeing from our clients and potential clients are, they're receiving a letter from their clients and they're having to sign off on their cybersecurity posture. You know, have I trained my employees? Do I have IT policies in place? Do I have an incident response plan? So they're taking a much, much closer look at that, and they're not going to be doing business with those organizations if they don't have those things in place.

Now, we see a lot of organizations that will tell their clients that they're doing these things. What we see as the next step from these organizations is they're going to start going out and auditing their vendors. They're going to grab a handful of vendors and come out and take a look at all of these things around cybersecurity and all these best practices. And if you're not doing it, like I said, you're probably on the chopping block.

Stewart:
Which none of us want to be on. That's also another hassle.

Mallory:
Exactly. Exactly. And you know, you think about it, if your largest client is asking you to do this and you're not willing to do it, what does that mean to your revenues, to your profit? You have to take this seriously. And if not, it can be bad for business.

Stewart:
You always want to have good cybersecurity so you have good job security, right?

Mallory:
That's right.

Stewart:
I guess many of our members have signed business associate agreements. What does that mean for them?

Mallory:
Well, it means they better be adhering to what they say they're doing. As I mentioned, the audits are coming, and the cold hard look that these organizations are taking at their downstream vendors is really starting to come into focus. And if your security posture doesn't align with their requirements, they're going to have to make a decision.

Interestingly, what we're also starting to see are a lot of the states like New York and North Carolina and California are starting to put in their own cybersecurity regulatory requirements. Just last week I was working with an organization that was representing a client out of New York. And even though they don't reside in New York, this client is asking them to adhere to the New York cybersecurity policies and regulations. So it's all rolling downhill. These state regulations are much tougher than some of the regulations we're seeing even from the government oversight.

Stewart:
So would you say that cybersecurity is becoming more like, I guess from like a... This is just another question that's kind of off the top, a little bit away from the topic, but would you say that the government policies are becoming more tightened on cybersecurity? I've personally never really heard much about the government or state side of it, so I guess I'm just asking, are states cracking down?

Mallory:
Yeah. Well, the one that everyone knows about is HIPAA, right? And HIPAA falls under Health and Human Services. And there are regulations within HIPAA that, as we've talked about in the past, they're asking you to train your employees, then they're asking you to have policies. They're asking you to do all the things that you need to be doing to make sure that you have tightened up your security around health records.

But what we're starting to see, a lot of organizations are taking that a step further and they're adding more teeth. And that more teeth is, we reserve the right to come out and audit your cybersecurity posture. So there's a framework around HIPAA, but what we're starting to see are organizations putting more teeth in that, if that makes sense.

Stewart:
Yeah. So I guess with all we talked about, would a member potentially think it's overkill with all this protection and all of this added security?

Mallory:
Well, we all have a different level of risk. Some of us are very risk averse and some are willing to take on a lot of risk. Being in the industry myself, I don't see any of this as overkill. And I think we all at the end of the day want to do right by our clients and by our customers, and with that we have an obligation to protect their information, and we have an obligation that if something happens to that information to let our clients know about it.

And sometimes that's HIPAA. The HIPAA laws say you have to notify your clients if you have a breach. You can throw tens of hundreds of millions of dollars at cybersecurity. I mean, you could throw tons of money at it, but I think at the very least you have to be doing the basics, the basics we've talked about in our earlier podcasts. That's really training your people, having a risk assessment, having documentation, and using some type of technical tools to make sure things behind the scenes are getting done.

Stewart:
Yeah. This is all really important. I definitely think that we should... Again, this is something I didn't think of personally, so I definitely think we should also keep our vendors on the same level of cybersecurity and just make sure we know who we're going through. Make sure you know who you're bringing into your organization, because as we said with the Target breach, it's crazy how something that you would never think of to happen will just happen, and that can completely ruin a lot of... I mean, I'm sure in that Target incident that people who got their credit card information stolen probably had to deal with so much that they didn't deserve. Because if I shop at Target, that means I establish a trust, especially with a card, and how simple it is to easily get your card taken sometimes.

Mallory:
Sure. And I'm sure that Target provided identity theft protection for those folks that were affected. And many times we'll see that an organization will provide one or two years of ID theft protection, and maybe that third year you're responsible for renewing that. The bad guys know that, so in a breach like a Target, they may not go after you in year one or year two, but they may go after you in year three.

Stewart:
That is insane that they'll wait that long. It'd be so out of my mind at that point.

Mallory:
That was a credit card, and I went and got a new credit card. But if my identity and the information that creates a new identity were stolen, and I have ID theft protection for a couple of years, in that instance the bad guys, like I said, do know that and will wait to pounce in year three.

Stewart:
So definitely get cautious, not comfortable. Be cautious, not comfortable.

Mallory:
Exactly. Exactly. And you know, at the end of the day, really the only way to protect yourself is to freeze your credit. And if you freeze your credit and someone goes out to try to rent an apartment or get an auto loan or get a mortgage, you're going to know immediately what is going on.
