Transformation Trends: When Ransomware Hits a CPA Firm


Article from the Center for Accounting Transformation.

Author: Donny Shimamoto, CPA.CITP, CGMA.

When Ransomware Hits a CPA Firm: Why Every Accounting Leader Must Prioritize Cybersecurity

Imagine logging into your firm’s system one morning to find a flashing screen: Your files have been encrypted. Pay $200,000 in Bitcoin within 72 hours or lose everything. For small to mid-sized CPA firms, this isn’t a theoretical horror story. It’s becoming an all-too-common reality.

The accounting profession holds a privileged position in society—as stewards of trust, guardians of sensitive financial data, and compliance advisors. But with that trust comes a target on our backs. As cyberattacks grow more sophisticated, ransomware is emerging as the top threat. According to Sophos’ State of Ransomware Report, 59% of organizations were hit by ransomware in 2024. The report also states, “One of the most notable findings in this year’s study is that 63% of ransom demands are for $1M or more, with 30% of demands for $5M or more. While a small number of respondents reported four-figure ransom demands, these are very much in the minority.”

Have you made business continuity plans (not just disaster recovery) a core part of your cybersecurity program?

Ransomware Doesn’t Discriminate
Contrary to popular belief, cybercriminals don’t just go after Fortune 500 companies. They often target smaller, less protected organizations—especially those holding personally identifiable information (PII) like Social Security numbers, tax records, and banking information. A CPA firm or finance department is a gold mine for attackers.

Yet many accountants still believe, “It won’t happen to us.” That mindset is precisely what puts them most at risk.

The Hidden Cost of Cyber Incidents
Even if a firm or finance department can recover its data from backups, a ransomware attack still carries a heavy cost: days or weeks of downtime, investigation and remediation expenses, reputational damage, client/customer churn, and potential regulatory issues and legal liabilities. For firms and industries subject to regulatory oversight (such as those offering assurance services or operating in healthcare), a data breach can lead to investigations and fines.

Cybersecurity must be elevated from a “tech problem” to a strategic risk addressed directly by firm leaders and finance executives. Cybersecurity risks need to be integrated into the organization’s overall risk management plans.

Cyber Preparedness is Business Preparedness
Being ready for ransomware isn’t just about having antivirus software. It requires:

  • Endpoint malware protection with proactive monitoring systems;
  • Regular data backups with offline or immutable storage;
  • Employee training to prevent phishing and social engineering attacks;
  • Multi-factor authentication (MFA) and password managers; and
  • An incident response plan that includes both technical and administrative protocols.

Additionally, organizations with hybrid or remote work models must recognize that the “home office” is now part of their network perimeter. Investing in secure remote work infrastructure for small office/home office environments and promoting cybersecurity hygiene among staff are essential.

If you would like to learn more about assessing how well your team has addressed your cybersecurity risks, check out SCACPA’s upcoming cyber-related courses at sc.cpa/events.

CPAs as Cyber Stewards
As organizations face more complex risks and compliance requirements, firms must step up to help their clients, and finance departments must help their own organizations, assess the adequacy of their cybersecurity risk mitigation.

Many firms are also expanding their role as advisors to include cybersecurity services for clients—especially small businesses. This is a natural extension of the CPA’s role in internal controls, risk mitigation, and compliance. Cybersecurity should be baked into advisory conversations, CAS engagements, and assurance services.

If your organization hasn’t yet incorporated business continuity planning into your cybersecurity program, now is the time. Because when ransomware hits, the only question that matters is: Were you ready?
