Other guidance

Issued: 13 August 2019

Last modified: 20 October 2022

The Tax Practitioners Board (TPB) has received information that cyber criminals may be targeting tax practitioners and their practices in an attempt to harvest personal information, commit identity fraud, or to launch ransomware and other malicious attacks.

Losses resulting from cyber attack

If you are the victim of a cyber-attack, you can face some serious losses which can include first party and third party losses.

First party losses may include:

  • business interruption losses
  • the costs of repairing and restoring systems, or improving cyber security
  • reputational damage
  • extortion costs, such as paying ransoms to hackers in order to return valuable company data.

 

Third party losses may include:

  • liability in negligence for failing to properly protect client information
  • fines imposed by regulators such as ASIC on companies or individual directors.

 

Ways to protect your practice

Have sufficient IT controls

It is important to ensure that you have sufficient IT controls in place to protect the security and confidentiality of your client records and therefore assist you in meeting your obligations under the Code of Professional Conduct (Code). 

As a minimum, we consider the following to be best practice:

  • install and maintain anti-virus software on your workplace computers
  • deploy firewalls on your workplace computers and/or workplace networks
  • ensure that your computer operating systems and programs always have the latest security patches
  • protect client records or files using encryption where possible
  • regularly change your passwords
  • consider using a second form of authentication (for example, SMS) to protect your online accounts (for example, email) where possible.

You may wish to seek expert advice from an IT security provider to determine what software suits your commercial needs while meeting your Code obligation to protect client confidentiality.

Consider additional PI insurance cover

We recommend you assess the risk of cyber-attack and consider whether you need to take out additional professional indemnity (PI) insurance cover to assist with first party losses arising from a cyber-attack.

For further information refer to:

Learn more about cyber security

Cyber security is a complex and evolving subject. You can undertake cyber security awareness training via an online course, a webinar or through professional or technical reading.

We will recognise cyber security awareness training that you undertake as  relevant continuing professional education for your registration purposes.

For further information refer to:

Further information

The Australian Taxation Office, in consultation with the TPB and several professional and industry associations, has developed some useful cyber security tips: