Bansley & Kiener LLP, a CPA and advisory firm based in Chicago, agreed earlier this year to a $900,000 settlement of a class action suit. The suit accused the firm of mishandling a 2020 breach of PII and of waiting a year to inform the plaintiffs, whose employers had contracted with the firm to manage payroll, pension, health insurance and other benefits. Bansley & Kiener did not admit any guilt. The settlement is a hefty penalty for a firm with annual revenue of around $9 million, according to public records.
With databases full of PII, IP and highly sensitive corporate documents, accountants, attorneys, engineers and other professional services firms are increasingly targeted by cyber criminals. In the American Bar Association’s 2021 Legal Technology Survey Report, 25% of respondents said their law firm had been breached at some point. The report also found that many law firms “are not using security measures that are viewed as basic by security professionals.”
Estimate of Probable Costs from a Ransomware Attack on a Professional Services Firm of Bansley & Kiener’s Size
For the purposes of analysis, let’s treat Bansley & Kiener’s incident as a ransomware attack. The firm’s announcement letter to clients in December 2021 said that an attacker encrypted some systems in December 2020 and the firm restored from backup, but in May 2021 it learned that information on 274,000 persons had been exfiltrated.
Using the RiskLens My Cyber Risk Benchmark tool, we can estimate the effect of a ransomware attack on a professional services organization of Bansley & Kiener’s size:
- $693,000 for Primary Response Costs
- $298,000 for Lost Revenue
- $147,000 for Fines & Judgments
- $1.138 million Total
Note that the typical Fines & Judgments cost comes out well below Bansley & Kiener’s $900,000 settlement, perhaps because the one-year gap between discovery of the incident and notification of the plaintiffs gave attorneys a strong case for negligence.
Professional Services Sector Cyber Incidents Count
The authoritative 2022 Verizon DBIR reports that the Professional Services industry category suffered 681 data breaches in 2021, just behind Finance and the second-worst record among the 21 industries surveyed.
Most Probable Cyber Risks by Incident Frequency for Law Firms, CPAs, and Other Professional Services Firms
The RiskLens data science team estimates risk for companies in an industry category based on the history of cyber events in that industry plus a wide range of parameters such as revenue, number of employees and number of database records.
In RiskLens modeling (shown in the charts below):
- Ransomware for a typical professional services firm is a relatively low-frequency event compared to other forms of attack, with a 0.6 percent chance of occurring in a year.
- The cost of a ransomware attack for those firms is relatively high compared to most other industries, at $1.1 million per event.
Database Size and Security Posture Make a Difference
Adjusting the parameters in the My Cyber Risk Benchmark tool gives clues to how cyber loss exposure can be reduced.
For instance, reducing the number of records in the database while leaving the other settings the same for a professional services company shows a large drop in the loss from a ransomware event:
- 100K - 1M Records = $991K Loss
- 10K - 100K Records = $563K Loss
To rate security posture, the Benchmark tool incorporates grading by SecurityScorecard. Here is how the annual probability of a ransomware attack rises for a professional services firm as its security grade falls, which suggests the value of investing in controls:
- A = 0.3%
- C = 0.6% (Bansley & Kiener’s SecurityScorecard grade)
- F = 1.1%
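To show how the figures above combine into an annualized number a firm can weigh against the cost of a control, here is an added example (not RiskLens, SecurityScorecard or Bansley & Kiener code). The grade-to-probability and record-count-to-loss figures are the ones quoted on this page; the Poisson event count and PERT-shaped single-event loss used in the Monte Carlo, the $300K/$3M loss bounds around the page's $1.1M, and the $500K reporting threshold are this example's own FAIR-style modelling assumptions, not the Benchmark tool's internals.

```python
"""Annualized ransomware loss exposure from the benchmark figures on this page.

Added example, not code from RiskLens or SecurityScorecard. The grade and
record-bucket tables are the page's numbers; the simulation's distributions
are this example's assumptions (FAIR-style Poisson frequency x PERT magnitude).
"""
import math
import random
import statistics

# Annual probability of a ransomware event by SecurityScorecard grade (page figures).
PROB_BY_GRADE = {"A": 0.003, "C": 0.006, "F": 0.011}

# Single-event loss by database size bucket (page figures).
LOSS_BY_RECORDS = {"10K-100K": 563_000, "100K-1M": 991_000}


def expected_annual_loss(prob: float, loss: float) -> float:
    """Point estimate: annual event probability times single-event loss."""
    return prob * loss


def exposure_matrix() -> dict:
    """Expected annual loss for every grade x record-bucket combination."""
    return {
        (grade, bucket): expected_annual_loss(p, loss)
        for grade, p in PROB_BY_GRADE.items()
        for bucket, loss in LOSS_BY_RECORDS.items()
    }


def control_value(grade_from: str, grade_to: str, bucket: str) -> float:
    """Annual expected-loss reduction from improving the grade: the most a
    control investment can earn back per year on this scenario alone."""
    loss = LOSS_BY_RECORDS[bucket]
    return (PROB_BY_GRADE[grade_from] - PROB_BY_GRADE[grade_to]) * loss


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's inverse-transform sampler; fine for the small rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def _pert(rng: random.Random, low: float, mode: float, high: float, lam: float = 4.0) -> float:
    """Modified PERT: a beta distribution shaped by min / most likely / max."""
    a = 1 + lam * (mode - low) / (high - low)
    b = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)


def simulate_annual_loss(prob: float, low: float, mode: float, high: float,
                         years: int = 100_000, seed: int = 7,
                         threshold: float = 500_000) -> dict:
    """FAIR-style Monte Carlo of annual loss (assumptions: the page's yearly
    probability is used as a Poisson rate; each event's loss is PERT-shaped).
    Returns the mean annual loss, the share of years with any loss, the share
    of years whose loss exceeds `threshold`, and the 99.9th-percentile year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        n_events = _poisson(rng, prob)
        losses.append(sum(_pert(rng, low, mode, high) for _ in range(n_events)))
    losses.sort()
    return {
        "mean": statistics.fmean(losses),
        "p_any_loss": sum(1 for x in losses if x > 0) / years,
        "p_exceeds_threshold": sum(1 for x in losses if x > threshold) / years,
        "p999": losses[int(0.999 * years)],
    }


if __name__ == "__main__":
    for (grade, bucket), eal in sorted(exposure_matrix().items()):
        print(f"grade {grade}, {bucket:>8} records: expected annual loss ${eal:,.0f}")
    print(f"F -> A on 100K-1M records saves ${control_value('F', 'A', '100K-1M'):,.0f}/year")
    # Assumed loss bounds: $300K min, $1.1M most likely (page figure), $3M max.
    for grade, p in PROB_BY_GRADE.items():
        r = simulate_annual_loss(p, 300_000, 1_100_000, 3_000_000)
        print(f"grade {grade}: mean ${r['mean']:,.0f}, P(any loss) {r['p_any_loss']:.3%}, "
              f"P(>$500K) {r['p_exceeds_threshold']:.3%}, 99.9th pct ${r['p999']:,.0f}")
```

The useful reading is the gap between the two kinds of number: at a 0.6% annual probability, well over 99% of simulated years show zero loss, so the page's $1.1 million is a per-event magnitude, not an annual budget. The expected annual loss (a few thousand dollars per scenario) is what a control's yearly cost should be compared against, while the 99.9th-percentile year is the figure to reserve or insure for.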