
CPAs need to pay more attention to cybersecurity, experts say

As hackers become more sophisticated in their tactics, CPAs have a role to play in preventing attacks and acting as trusted advisers


Many cyberattacks could be avoided if extra diligence was applied in gathering, communicating and transferring data (Getty Images/valentinrussanov)

With cyberattacks occurring more and more frequently, knowing the ins and outs of cybersecurity is becoming a pressing concern—including for CPAs.

By gaining a familiarity with this area, CPAs at all levels can not only broaden their expertise in risk management and fraud prevention, but they can capitalize on that expertise to explore future leadership opportunities.

“Cybersecurity will have to be part of a CPA’s core skills in future,” says Will Xiang, CPA, vice-president, cybersecurity, data analytics and privacy at Richter.

Here are some realities that CPAs should keep in mind when considering their role in the cybersecurity realm.


CPAs already have the inherent skills to be trusted advisers in cybersecurity, says Marc Tassé, FCPA, professor at University of Ottawa, faculty of law and business school.

“CPAs are often said to be the gatekeepers of the company because they are there to protect its value, as well as the private information and data they collect. Whenever there is a cyberattack, there can be large financial and reputational consequences for the organization.”

Austin Creighton, senior manager, cybersecurity practice at Grant Thornton, has a similar view. “Cybersecurity has become everyone’s responsibility,” he says. “This is especially true for CPAs, as they have access to very sensitive financial and accounting data.”

Executives also turn to CPAs to obtain relevant budget support for preventing cyberattacks (i.e., where the company needs to invest for prevention purposes) and to make cost/benefit decisions if and when an incident occurs.


Cyberattacks can take many forms—many of which could be managed by applying extra diligence when gathering, communicating and transferring data. “CPAs should always be suspicious and never try to speed up processes with clients,” says Tassé. “You should always fact check and validate. You have to be especially vigilant because you don’t meet clients in person as you used to. When you are communicating virtually, make sure you are dealing with the right parties—not the scammer.”

For example, if you receive an email requesting a change to banking information, Tassé says you should call the sender to verify if they requested it. Tassé adds that failing to follow these simple procedures can have dire consequences, as the City of Ottawa found out when a hacker posing as the city manager tricked an unsuspecting financial staff member into wiring more than $100,000.


Personal “cybersecurity hygiene habits” can also help reduce risk, says Creighton. “As the world becomes more interconnected and relies more on digital communications, CPAs are very much a part of that transition, so they need to build really strong practices around cybersecurity in order to protect their personal, client, and/or company data.”

Creighton advises that CPAs follow several key practices:

  • Use strong password management. Use passphrases rather than simpler passwords. They should be 16 characters using a combination of lower and upper case and symbols. “Passphrases should be unique for extremely sensitive accounts,” says Creighton. “Sometimes I suggest things like turning the letter O to zeros and the letter S to dollar signs to create a more complex credential that can be easy to remember.”
  • Use multi-factor authentication when working remotely and connecting to the office environment or any other sort of system. “A lot of organizations trying to obtain cybersecurity insurance are turned down because they don’t use multi-factor authentication,” says Creighton.
  • Avoid using public wi-fi whenever possible. “CPAs tend to be on the road a lot,” says Creighton. “If you are using a public wi-fi, make sure you need a password to connect. Otherwise, any information you send or receive on public Wi-Fi could be vulnerable and hackers may be able to intercept your valuable personal or company information.”
  • Always keep your devices up to date. This is very important and easy to do.
  • Be careful with personal assistant devices (e.g., Alexa or Google Home). These devices can capture and record information, so keep them away from areas where you are having sensitive conversations.

Most organizations should be providing security awareness training on a regular basis. But as Creighton notes, CPAs should have access to elevated security training that might cover specific areas such as locking down spreadsheets or storing and encrypting files in file sharing situations.


Experts generally agree that, going forward, CPAs will have to have strong knowledge of cyber risk management. “They’ll also need to understand the implications for data flow and finances,” says Xiang.

This is especially true at a time when organizations are turning increasingly to automation, he adds. “If you are going to do that, then you are going to increase your cybersecurity risk. CPAs don’t need to be programmers, but they should know about cybersecurity and managing that risk.”

That knowledge can also be an invaluable resource for career development. “Accountants are generally seen as trusted advisers and rational thinkers who can present the best way to protect organizations,” notes Tassé. “There is now a strong demand for cybersecurity services in the marketplace, and we are seeing firms building new advisory and management service competencies around fraud and financial crime prevention.”

For those interested in diversifying their skillsets in the area, Xiang recommends exploring certifications in some of the technology tools in the cyber space. For CPAs less familiar with the latest innovation, he suggests first focusing on the fundamentals, such as risk management and setting up controls around cyber and IT. “Then layer on the technical knowledge as needed,” he says. “A lot of CPAs are very interested and curious but there may be a mismatch of knowledge depending on their exposure on the job.”

Tassé notes there are a number of free or low-cost online courses (available through sites such as Coursera or edX) on the basics of cybersecurity, as well as chats and forums.

On the positive side, new CPAs are much better prepared as cybersecurity has become embedded in many curriculums, says Tassé. “For the most part they understand how cyber fraud is committed. They understand the internet and are up on all the latest issues. For example, our curriculum at the University of Ottawa includes a course specifically focused on fraud prevention.”

Xiang believes cyber expertise can play a key role as CPAs move on in their careers and take increasingly senior roles. “Cybersecurity expertise may be a job requirement in the future. In five or six years, it very well may be that if you don’t have that expertise, it will be all that much harder to ramp up to get it.”


Learn about cybersecurity and privacy themes that directors should keep on their radar, and why it’s important for CPAs and finance leaders to gain a familiarity with the subject. Plus, check out CPA Canada’s extensive tech resources on subjects such as AI and machine learning and brush up on your knowledge with its data management foundations and advanced data management certificates.

