How Forensic Accountants Partner with Cybersecurity Teams When a Data Breach Occurs

Written by Scott Wilson

security rsa banking tokenUncovering one of the most famous hacking episodes in history started with a $0.75 accounting discrepancy.

In 1986, a remote user of a minicomputer at the Lawrence Berkeley National Laboratory used up 9 seconds of processing time. Each department and outside user of the timeshare system was billed by the second for computer time, but for some reason, the accounting system couldn’t link that particular 9 seconds—and the associated $0.75 charge—to any known user account.

It was a mystery that a junior system administrator at the lab was assigned to solve. Not imagining it was anything more than a glitch in the bookkeeping, Clifford Stoll (an astronomer, not an accountant or even a computer administrator by training) dove headfirst into a trail of numbers that eventually lead to a West German national working as a hacker for Soviet intelligence agencies who had happened to pass through the National Library in his hunt for military secrets.

The hunt for the now-infamous Cuckoo’s Egg hacker, as he would come to be known, wasn’t performed by forensic accountants, but it did foreshadow the importance of accounting in cybersecurity investigations. Today, forensic accountants are some of the first people who get the call when malicious intrusion is suspected in a computer network.

In A World of Ones and Zeroes, Forensic Accountants Make the Numbers Add Up

Everyone knows that the world of accounting has been permanently and drastically changed by information technology. The humble spreadsheet, when introduced in the 1980s, did more to revolutionize the field than any technological breakthrough since cuneiform impressions of sales and inventory records were first pressed into clay tablets in protoliterate Mesopotamia.

If you’re interested in learning how to become a forensic accountant today, you’d better put your nerd hat on.

But accounting has had a big impact on tech security, too. Forensic accounting and cybersecurity work have entered a partnership that is helping define modern cybersecurity and put black hat hackers behind bars.

For Forensic Accountants, An Old Role Becomes Prominent Again

Forensic accountants have had a role in fraud investigation and law enforcement stretching back long before the investigation of computer crime. For all that Al Capone had his hands deep into murder, extortion, and smuggling rackets, few people remember that it was tax evasion that brought him down. The G-men who investigated the case were former accountants.

Today, forensic accounting takes a lot more than a head for numbers and a knowledge of GAAP. You have to understand how the ones and zeros that store all those numbers flow through the processors and storage systems that hold them, and be able to visualize how that data could be manipulated through backdoors.

Although forensic accountants are not directly responsible for security, they provide an important service to investigators attempting to unravel the complicated steps that lead to a data breach. They may be asked to verify that the information within breached systems has not been tainted. Hackers sometimes attempt to cover their tracks by altering logs and other records.

How Cybersecurity and Forensic Accounting Experts Determine Economic Damages in Cyber Attacks

anonymous hackerThe Cuckoo’s Egg incident had one big advantage over many modern hacking incidents: it came with a well-established dollar amount attached to it. True, it was only $0.75, but everyone knew and agreed on the number.

It’s no longer that simple today. Modern loss calculation in cyber incidents is evolving into its own forensic accounting and cybersecurity specialty. Determining damages is a notoriously difficult part of accountability in cybersecurity cases. Check out any top ten list of the most expensive hacks in history: none of them agree.

That’s because digital goods don’t come with intrinsic values. And when they are stolen, the owner hasn’t really lost them—only a copy has been taken. It’s enough to give cybersecurity experts ulcers.

That’s where forensic accountants come in.

  • What’s the value of a patient record? In a 2006 attack on the Veteran’s Administration, forensic accountants pegged the cost of losing 26.5 million records at $500 million, or just under $20 per record.
  • How about an email address? In the 2011 Epsilon hack, and unknown number of addresses from corporate clients like Target, Best Buy, and JP Morgan was estimated to cost up to $4 billion.
  • What about a credit card number? In 2014, Home Depot lost around 56 million customer card numbers… which were valued at only $1 apiece, for a total of $56 million in value.

Even skilled forensic accountants have a tough time agreeing on cybersecurity losses!

Forensic Accountants Break New Ground in Calculating The Costs in Cybersecurity Incidents

This is where old-fashioned accounting groundwork comes into play in cybersecurity incidents.

By investigating historical numbers and tying them together, forensic accountants can help cybersecurity pros figure out losses and justify or dispute them in court.

That means sifting through old financial statements, interviewing clients and staff, and reviewing budgets and financial forecasting data. Often, cybersecurity pros have to jump in here to help forensic accountants with the big data analysis that is crucial in analyzing this data.

Sponsored Content

Once they establish those baselines, forensic accountants can break down the costs of cybersecurity breaches in different buckets:

  • Reputational damage – No company who holds private information of customers wants to be seen as lax when it comes to cybersecurity. So when Big 3 credit reporting firm Equifax exposed some of the most private and critical financial data for nearly 20 percent of American consumers in a 2017 hack, you can bet they lost a lot of the trust that helped earn them business. Those costs to reputation have to be calculated and quantified.
  • Operational costs – Some hacks aren’t about breaching data stores, but rather about damage and disruption. Ransomware attacks shut down entire systems and keep businesses from doing business—sales don’t get made, customers don’t get served, employees draw pay for sitting around twiddling their thumbs. All of that has a dollar value attached.
  • Cost of breach investigation – Cybersecurity and forensic accounting pros don’t work for free. When you have to bring in the big guns to investigate a hack, their salaries and equipment becomes part of the costs to be calculated.
  • Cost of compensation and notification – In 2002, California became the first state in the nation to require companies that safeguard customer data to notify those customers in the event of a breach. That doesn’t happen for free! State and federal regulators can also levy fines if they determine companies were lax in their cybersecurity procedures. Capital One forked over $80 million in penalties in 2020 for a 2018 data breach affecting more than 100 million Americans.
  • Legal costs – Forensic accountants also play an important part when the inevitable lawsuits over fiduciary breaches start to roll in in the wake of a cybersecurity incident. When virtual goods and services are taken or disrupted, it takes some serious calculating to establish plausible harm to real-world bank accountants.

Ransomware Responses Put Forensic Accountants in The Hot Seat in Real-time Cybersecurity Incidents

The rise of ransomware attacks has put a new wrinkle in the forensic accounting and cybersecurity relationship. In these incidents, it’s no longer enough for forensic accountants to show up afterward and slowly total up the damages. Instead, corporate leaders need instant analysis: is the attack costing the company more than it would cost just to pay the ransom?

Ransomware payment decisions sometimes have to be made in hours, with enormous consequences.

In April of 2021, a cyberattack hit a major East Coast gasoline supplier, Colonial Pipeline. The company halted fuel transfer operations as a precaution. There were runs on gas stations to get the last of the dwindling supply.

The heat was on for Colonial accountants and executives. What was the cost of the disruption? The hackers were demanding $4.4 million in bitcoin. Was it less than what the company was spending to mollify regulators, frustrated customers, and PR firms dealing with its name in the headlines?

Within hours, they decided it was, and forked over payment.

But FBI experts in cybersecurity and forensic accounting had the last laugh in the Colonial Pipeline attack. Through careful tracing of the supposedly anonymous cryptocurrency payment, they were able to find and recover much of the money before it went into hacker’s bank accounts.

Forensic Accounting and Cybersecurity Investigations Take New Tools and Techniques

hmtl codingForensic accounting differs from standard auditing in that there’s a presumption of malfeasance. It’s the job of the forensic accountant to prove that the numbers are accurate. This requires a deep dive into source data—nothing is taken on faith.

Most major accountancy firms today recognize the importance of this specialty area by incorporating dedicated cybersecurity teams. Their role is to recognize the implications introduced into accounting information systems by the technology used to manage them.

This means that forensic accountants require a special set of skills over and above the usual. Some of them may be exactly what you expect, while others may be a little surprising:

  • Data systems design and use– Forensic accountants often have to understand the underpinnings of database and network systems to account for the information stored in them.
  • Programming– Not all forensic accountants need formal training in coding, but most will find it useful to have an understanding of the rules and logic of programming languages.
  • Interviewing– Forensic accountants often interview subjects in the course of investigations and have to be skilled at getting answers to their questions.
  • Writing and communication– Reports and documentation are an important part of the job, and they’ll be viewed by non-accountants, which means that clarity and precision are at a premium.
  • Creativity– The best forensic accountants, like other types of investigators, need to be able to think outside the box to crack cases.

It’s also common for forensic accounting positions to require applicants have a clean criminal record. Working with sensitive investigations and data means former felons need not apply.

Accounting and business continue to forge ahead with automation and new tech like blockchain. It’s only going to increase then need for forensic accounting and cybersecurity services in the future.