January 04, 2013

What is Cyber Risk and Why Should You Care?

As counsel to numerous professional firms and associations, I am frequently asked about cyber risk. As technology continues to advance, we have more and more information stored in electronic devices and in the so-called “cloud.” Cyber risk is of particular concern for professionals, including CPAs and attorneys, because they maintain confidential client information such as Social Security numbers and financial information. There is no prohibition on maintaining data electronically, or particularly in the cloud; however, we must be aware of the risks involved and take reasonable precautions to protect data, particularly our clients’ confidential information. Our clients have placed their trust in us, and it is our duty to assure that this trust is not misplaced.

Clients have an increased expectation that we are available 24/7 and that we have all their information at our fingertips to answer their questions and respond to their concerns. Therefore, we are increasingly dependent on technology and are increasingly storing information so that it is available to us remotely, making our data subject to increased cyber risk. The first question is: Are we prepared for the risk? Generally, the answer is that many firms are not. They are not fully aware of, nor prepared for, the risks at stake. The second question is: Are we prepared to respond to a breach of our data? Again, generally, the answer is that most firms are not.

Firms of all sizes are subject to cyber risk. The statistics are alarming. Identity theft and security breaches are on the rise. As reported by the Ponemon Institute in its April 2012 Global Cost of a Data Breach report, the cost to respond to a breach has been reported at up to $204 per record, with an average cost of $2.4 million per breach. The cost to respond to a cyber-breach can be staggering, and the damage can be tremendous. Setting aside the considerable financial cost of responding, there may also be bad publicity, loss of productivity, and loss of reputation.

While I generally do not use text messaging for work, the question remains: Where are text messages stored, and how safe are they? When using technology, we need to evaluate the risk and determine whether safeguards are in place. In my case, I assume that Verizon has my text messages secured on its end, but what about those same messages on my phone? If my phone is stolen, everything that I have texted but not deleted is open for reading. Do I have remote access to wipe my phone’s memory? These are questions that we should ask about our own devices. Do we have an inventory of all the devices—every server, desktop, laptop, iPad, and cell phone—that are subject to cyber risk? And not just company-owned devices, but also personal devices that have access to company data. Do we have an inventory of the types of data—documents, emails, contact information, and texts—on each device? Do we have a current inventory of what data of each type—lists of the files, emails, etc.—is on each device? Without complete information, we cannot appreciate the full implications of the cyber risks involved.

Of course, insurance is available to help with some of the risk. From a professional firm’s standpoint, insurance is about spreading or lessening risk. While several types of policies are available, a firm should consult with its insurance broker to determine the type of insurance that best fits. Although cyber risk incidents are on the rise, cyber risk insurance is not expensive because the incident rate is still relatively low. Unfortunately, the losses can be exceedingly high, so be careful that your policy is written to cover the full extent of the loss.

The reality is that all professional firms need to address cyber risk by cataloging their data, establishing action plans to prevent the loss of data, and determining how to respond to a loss. To be prepared, I recommend that you address these issues immediately by consulting with your computer experts, your insurance broker, and your attorney.