Navigating Regulations and Compliance around Business Email Compromise (BEC)

In the dynamic world of accounting, where financial precision meets digital innovation, the urgency of addressing Business Email Compromise (BEC) has never been more critical. This covert threat has elicited a resounding call to action from both the public and private sectors, leaving accounting firms with an unambiguous mandate: bolster defenses against BEC attacks to protect sensitive financial information and maintain client trust.

What is a Business Email Compromise (BEC) attack?

A BEC attack is a form of identity fraud that relies on social engineering, defined as “the psychological manipulation of people into performing actions or divulging confidential information”.

It is like a clever trick played by online criminals. Imagine someone you trust pretending to be you or someone you work with in emails. These sneaky attackers get into email accounts and copy the way people talk to trick others. They might ask for money, change payment details, or trick you into sharing sensitive information. They’re like digital con artists, trying to steal money or secrets by pretending to be someone they’re not. It’s not just about losing money – it can also damage relationships and your reputation.

🔍 Evident Urgency for Immediate Action

There are 2 compelling signals that resonate within the accounting industry, urging firms to proactively mitigate the risks posed by BEC attacks.

1) Elevated Fines & Penalties: Regulatory Vigor

In the USA: The Federal Trade Commission (FTC) is brandishing its regulatory authority to its fullest extent. It wields the power to impose substantial fines and penalties on accounting firms failing to safeguard clients’ financial data from breaches or inadequate cybersecurity practices. These penalties can soar to a staggering $43,792 per violation. Beyond financial repercussions, the FTC can compel firms to adopt enhanced cybersecurity measures, educate personnel about cyber threats, and conduct rigorous security assessments.

The US accounting landscape was jolted when BDO USA faced a $10 million fine from the FTC due to a breach that exposed personal data of over 400,000 individuals, including vital information such as Social Security numbers, dates of birth, and addresses.

In Australia: The Australian federal government’s proactive stance is manifested in the approval of a bill aimed at amplifying penalties for “serious” data breaches from $2.2 million to a resounding $50 million. This bill endows the Office of the Australian Information Commissioner (OAIC) with augmented powers to engage in the resolution of privacy breaches. Regulatory actions, exemplified by the fine levied on RI Advice post a data breach, emphasize the gravity of the issue.

2) Compliance Mandates: Crafting the Path Ahead

In the USA: The recently updated FTC Safeguards Rule of 2021 is charting the compliance course for financial institutions dealing with sensitive data. These updated guidelines, effective since June 9, 2023, outline pivotal data security principles that accounting entities must adhere to. Complying with the revamped Safeguards Rule within the stipulated timeframe is pivotal to evade potential penalties.

FTC Safeguards Rule Compliance has been a hot topic in the accounting industry. We at Practice Protect have been supporting our clients and the wider accounting community with resources to help firms comply. Check out our blog article about the 8 FTC requirements and our on-demand webinar on how to stay FTC compliant.

In Australia: The Australian Federal Police’s dedicated taskforce, Operation Dolos, stands as a testament to the industry’s grave concern over BEC threats. This taskforce’s singular objective is to combat transnational cybercriminals orchestrating or facilitating BEC attacks. Although impactful, the taskforce’s endeavor to fully recover funds pilfered through BEC attacks has faced hurdles, underscoring the severity of the threat.

How to defend against BEC?

Firms need to take a three-pronged approach to establish a robust defence against the threat of BEC attacks. Learn about the 3 Pillars of Cybersecurity to Safeguard Your Business Emails.

Your firm must have the right technology in place to protect email access and applications; your team needs to be well educated about the existence of BEC attacks, and how to identify and respond to them; and you need to have the right policies in place to minimise the probability of an attack succeeding, and to mitigate its impact.
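The "identify and respond" part of the second pillar can be partly automated. The script below is an added example written for this article; it is not Practice Protect's code or product. It screens an inbound message for the classic BEC tells described above: a sender domain that looks like the firm's own, a Reply-To that quietly redirects replies elsewhere, a display name of a known colleague attached to the wrong address, and payment-change language. The trusted domain, the known-sender list and both sample emails are constructed for the demonstration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed for this example: the firm's own domain and the addresses of
# known colleagues (display name -> real address, keys lower-cased).
TRUSTED_DOMAIN = "example-accounting.com"
KNOWN_SENDERS = {"jane doe": "jane.doe@example-accounting.com"}

# Wording typical of payment-diversion requests; extend to suit the firm.
PAYMENT_PHRASES = [
    r"\bupdated? (our )?bank(ing)? details\b",
    r"\bnew account (number|details)\b",
    r"\bwire transfer\b",
    r"\burgent(ly)?\b",
]


def levenshtein(a, b):
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, trusted):
    """True if domain imitates trusted via homoglyphs or a couple of edits."""
    if domain == trusted:
        return False
    # Common visual substitutions: 'rn' for 'm', '0' for 'o', '1' for 'l'.
    def norm(s):
        return s.replace("rn", "m").replace("0", "o").replace("1", "l")
    if norm(domain) == norm(trusted):
        return True
    return levenshtein(domain, trusted) <= 2


def analyze(raw_message):
    """Return BEC indicators found in a raw RFC 5322 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply_addr.rpartition("@")[2].lower() if reply_addr else from_domain

    # Subject plus plain-text body is what a human would read.
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")

    known = KNOWN_SENDERS.get(name.strip().lower())
    result = {
        "lookalike_domain": is_lookalike(from_domain, TRUSTED_DOMAIN),
        "reply_to_mismatch": reply_domain != from_domain,
        "display_name_mismatch": known is not None and known != addr.lower(),
        "payment_language": [
            m.group(0).lower()
            for m in (re.search(p, text, re.IGNORECASE) for p in PAYMENT_PHRASES)
            if m
        ],
    }
    result["score"] = (
        int(result["lookalike_domain"])
        + int(result["reply_to_mismatch"])
        + int(result["display_name_mismatch"])
        + int(bool(result["payment_language"]))
    )
    result["suspicious"] = result["score"] >= 2
    return result


# Constructed sample messages (not real correspondence).
SUSPICIOUS_EMAIL = """\
From: Jane Doe <jane.doe@exarnple-accounting.com>
Reply-To: jane.doe@mail-relay.example.net
Subject: Urgent: updated bank details for this month's payment
Content-Type: text/plain

Hi, please use our new account details for the wire transfer today.
"""

BENIGN_EMAIL = """\
From: Jane Doe <jane.doe@example-accounting.com>
Subject: Q3 reconciliation files
Content-Type: text/plain

Hi, the reconciliation spreadsheets are attached for review.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, analyze(raw))
```

A score of two or more sends the message to a person for the "respond" step rather than blocking it outright, because a single indicator (a colleague legitimately mailing from a personal address, or the word "urgent" in a genuine deadline reminder) is common in normal traffic. The lookalike and display-name checks cover the impersonation described in the article; the Reply-To and wording checks cover the payment-diversion request itself.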