Don’t Be the Next Victim!
Paul Johnson, Senior Manager Risk Advisory Services
Wipfli LLP
Agenda
• Threat landscape
• Latest attacks & breaches
• Recent regulatory activities
• NIST cybersecurity framework
• Countermeasures
• Q&A
Notable Data Breaches & Vulnerabilities
Business Has Changed
Big Data
Mobile apps
Compliance
BYOD
Outsourcing
Threats Have Changed
[Infographic. Labels: 2013 cost of cybercrime; increase in mobile malware; percentage of investigations due to web application exploit; investigations that involved outsourced provider. Values shown: 400%, 63%, 48%, +500B.]
HHS-OCR Data Breach List is Growing…
Verizon 2014 Data Breach Report
Breach Detection Concerns
205 days – Median number of days that hackers were present on a victim’s network before being discovered. Longest presence: 2,982 days.
69% – Victims notified by external entity (e.g., law enforcement)
Source: Mandiant M-Trends 2015
How Do Attacks Occur
• 52% used some form of hacking
• 76% exploited weak or stolen credentials
• 40% incorporated malware
• 35% involved physical attacks
• 29% employed social tactics
• 13% involved privilege misuse
Ransomware – Manufacturing Company
1. Employee clicked on e-mail from UPS.
2. Network outage – all data was encrypted.
3. President contacted demanding $300 ransom using Bitcoin as payment method.
4. All backups were encrypted because system was not set up properly.
5. Ransom was up to $3,000 after 72 hours passed.
Anthem – Targeted Hacking Attack
Anthem was the target of a very sophisticated external cyber attack. These attackers gained unauthorized access to Anthem’s IT system and obtained personal information from current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.
– System administrator’s security credentials were compromised.
– Phishing attacks and malware were likely used in the attack.
– Database was the main target of reconnaissance efforts.
UCLA Health System – Targeted Hacking Attack
Marking another high-profile data breach, hackers broke into UCLA Health System's computer network and may have accessed sensitive information on as many as 4.5 million patients, hospital officials said.
The intrusion is raising fresh questions about the ability of hospitals, health insurers and other medical providers to safeguard the vast troves of electronic medical records and other sensitive data they are stockpiling.
The revelation that UCLA hadn't taken the basic step of encrypting this patient data drew swift criticism from security experts and patient advocates, particularly at a time when cybercriminals are targeting so many big players in healthcare, retail and government.
http://www.latimes.com/business/la-fi-ucla-medical-data-20150717-story.html
Sunglo Home Health Services – Computer Theft
Sunglo Home Health Services notified customers/patients of a data breach when their facility was broken into and one of their company laptops was stolen. The laptop contained patient information including Social Security numbers and personal health information.
Currently the company does not know the number of affected patients.
Veterans Affairs Hospital, SD – Insecure Disposal
The VA Hot Springs hospital notified patients of a data breach when files containing their Social Security numbers along with additional personal information were thrown in a trash bin without being shredded.
The incident took place in May and the 1,100 patients that were affected were not notified until July 29, 2015. Reportedly, an employee discarded a box of patient files in a dumpster. The box of files was found two days later by another employee who removed them from the trash.
UC Irvine Medical Center – Insider Breach
UC Irvine Medical Center has notified patients of a data breach when an employee reviewed patient records without authorization.
The information this individual may have gained access to included names, dates of birth, gender, medical record numbers, height, weight, Medical Center account number, allergy information, home addresses, medical documentation, diagnoses, test orders/results, medications, employment status, and names of your health plan and employer.
What does all this mean?
Threat landscape is changing with the adoption of newer technologies.
Health Information has become a valuable commodity.
Attacks are becoming more numerous and sophisticated.
Healthcare organizations face steep challenges in keeping pace with emerging threats and protecting against them.
HIPAA – OCR Audits
OCR Audit Program Facts
Booz Allen Hamilton: Developed audit protocols.
KPMG: Performed trial program audits.
PWC: Evaluating audit program results and feedback for future improvements.
Phase 1 audits occurred between 2011 – 2012.
Phase 2 audits have been postponed (starting up this fall).
Phase 2 – OCR Audits
Have selected a pool of covered entities eligible for audit.
Health care providers selected through National Provider Identifier (NPI) database.
Clearinghouses & Health Plans from external databases (e.g., AHIP).
Random selection used when possible within types.
Wide range (e.g., group health plans, physicians and group practices, behavioral health, dental, hospitals, laboratories).
Phase 2 – Pre-Audit Survey
Questions address size measures, location, services, best contacts.
OCR will conduct address verification with entities this spring.
Entities will receive link to on‐line screening “pre‐survey” this summer.
OCR plans to contact 550-800 entities.
OCR will use results of survey to select a projected 350 covered entities and 50 business associates to audit (BA pool determined by audited covered entities).
Important Note: OCR will most likely contact a C-level individual in the organization.
Phase 2 – Projected Entities to be Audited
Phase 2 – Audit Expectations
Phase 2 – Audit Expectations
Covered Entities
Will target source of a high number of compliance failures in the pilot audits:
• Risk Analysis/Assessments
• Breach notification (content and timeliness of notifications)
• Privacy Rule – patient notice of privacy practices and access to PHI
Business Associates
• Risk Analysis/Assessment and risk management
• Breach reporting to covered entities
OCR isn’t the only one to be concerned with…
State Attorneys General (provided training by OCR).
Food and Drug Administration (medical device audits).
Centers for Medicare and Medicaid Services (Meaningful Use audits).
Whistleblowers.
Class Action Lawsuits.
Federal Trade Commission.
Regulatory Landscape – Wrap up
Phase 2 - OCR Audits are starting. They will not be friendly audits!
Others are getting into the enforcement game.
As the frequency and severity of healthcare data breaches continue to increase, so will the scrutiny of healthcare organizations’ privacy and security practices.
NIST Cybersecurity Framework
Executive Order 13636 - February 12, 2013
Information Sharing and Collaboration
Develop a baseline framework of cybersecurity standards and best practices - National Institute of Standards and Technology (NIST).
Establish consultative process.
Identify high priority infrastructure.
Incentives for voluntary participation.
Review / assess regulatory requirements.
Incorporate privacy and civil liberties.
NIST Cybersecurity Framework
NIST Cybersecurity Framework
Five Key Functions
Identify: Understand digital resources and associated risks.
Protect: Processes & technology designed to reduce risk.
Detect: Enabling rapid detection to reduce exposure to risk.
Respond: Taking action to stop or remediate an attack.
Recover: Ensure business continuity or restoration after security event.
NIST Cybersecurity Framework - Tiers
4 Levels of Cyber Risk Management Sophistication
Tier 1 (Partial) Management processes not formalized and ad hoc. Viewed as "something that IT handles," little to no collaboration on issues with external organizations.
Tier 2 (Risk Informed) Management is of high-level concern but still mostly in IT department. Initial policy created and considers role in the larger industry response to risk.
Tier 3 (Repeatable) Coherent policies and practices understood and implemented across the organization. Connected to larger industry effort to address risk and benefits from shared information.
Tier 4 (Adaptive) Management is continuously improving by applying lessons learned from personal and 3rd-party experiences. Has made risk management part of corporate culture and actively contributes risk information to larger industry efforts.
NIST Cybersecurity Framework in Action
How to Use the NIST Cybersecurity Framework
1. Prioritize and Scope – Business mission and priorities.
2. Orient – System and assets, regulatory requirements, risk approach.
3. Create a Current Profile.
4. Conduct a Risk Assessment.
5. Create a Target Profile.
6. Determine, Analyze and Prioritize Gaps.
7. Implement Action Plan.
Last Word about the NIST Cybersecurity Framework
Framework is quickly being adopted across a variety of industries.
Can serve as a dashboard for communicating with senior management and business partners.
Detailed controls frameworks (e.g., NIST 800-53, HITRUST) map to the NIST Cybersecurity Framework.
Countermeasures
Countermeasures will focus on the four (4) categories of threats:
– Physical Theft and Loss.
– Web Attacks & Crimeware.
– Miscellaneous Errors.
– Insider and Privilege Misuse.
Countermeasures – Physical Theft and Loss
• Keep track of your assets:
– Laptops
– Desktops
– Servers
– Portable media
– Other
Countermeasures – Physical Theft and Loss
• Use encryption and authentication when possible:
– Use strong passwords that change periodically.
– Use PINs for devices that support it.
– Use AES 256-bit encryption or better.
Countermeasures – Physical Theft and Loss
• Be aware of surroundings.
• Keep possession of sensitive devices at all times (e.g., cell phones).
• Lock down devices in public areas.
• Use tracking software.
Countermeasures – Physical Theft and Loss
• Review business partner controls for physical security:
– What do their policies and procedures say?
– What are their safeguards?
– Who reviews them?
– Will they report any losses to you in a timely manner?
Countermeasures – Web Attacks & Crimeware
• Browser considerations:
– Update browsers regularly.
– Disable Java when possible.
– Update the device OS as well!
Countermeasures – Web Attacks & Crimeware
• Use these security programs:
– Firewall
– Intrusion detection/prevention
– Malware detection/prevention
– Spam filter
– Web content filter
• Keep them current!
Countermeasures – Web Attacks & Crimeware
• Use two-factor authentication.
• Passwords:
– Do not re-use passwords.
– Use complex passwords.
– Change them regularly.
– Use a password keeper.
• Use multiple e-mail accounts.
• Social media – don’t overshare.
Countermeasures – Web Attacks & Crimeware
• Consider single purpose devices for critical functions (e.g., wire transfer, ACH transactions, Internet banking).
• Consider which mobile devices to use for which activities based on threat targets.
• Monitor key systems and network traffic for suspicious changes in configuration or behavior.
Countermeasures – Web Attacks & Crimeware
• Train your staff:
– Latest threats and how to spot them.
– Countermeasures deployed.
– How to report potential incidents.
Countermeasures – Miscellaneous Errors
• Turn on egress firewall rules.
• Look for data exfiltration (e.g., data loss prevention tools).
• Lock down ports on your computers.
Countermeasures – Miscellaneous Errors
• Ensure strong change controls for web technologies:
– Test security controls for each change.
– Periodic search for sensitive information.
– Employ oversight controls for publishing (verifying data published is appropriate).
Countermeasures – Miscellaneous Errors
• Spot check mailings:
– Does sensitive information show through the mailing envelope address window?
Countermeasures – Miscellaneous Errors
• Proper disposal of:
– Hard drives.
– Portable media.
– Paper.
– Other devices (e.g., tablets, mobile phones, printers, scanners, copiers, iPods, others?)
Countermeasures – Insider & Privilege Misuse
• Keep track of your data:
– Application list.
– Electronic and physical documents/locations.
– Devices storing it.
Countermeasures – Insider & Privilege Misuse
• Review user access permissions regularly:
– Terminated users.
– Transfers.
– Business partner access.
– Inactive users.
• Consider separation of duties.
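Added example, not part of the original presentation: one way to automate the periodic access review listed above (terminated users, transfers, business partner access, inactive users). The record layouts, group names, the 90-day inactivity threshold and all sample data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

INACTIVE_AFTER_DAYS = 90  # assumed threshold; set it from your own policy

# Hypothetical map: department -> access groups that role is expected to hold.
EXPECTED_GROUPS = {
    "nursing": {"ehr_clinical"},
    "billing": {"billing_app"},
    "it": {"ehr_admin", "ehr_clinical", "billing_app"},
    "partner": {"claims_portal"},
}

@dataclass(frozen=True)
class Person:  # one row from HR or vendor management
    person_id: str
    department: str  # "partner" marks a business partner
    terminated: bool = False
    contract_end: Optional[date] = None  # business partners only

@dataclass(frozen=True)
class Account:  # one row from the directory or application user list
    username: str
    person_id: str
    groups: frozenset
    last_login: Optional[date]
    enabled: bool = True

def review_access(people, accounts, today):
    """Return sorted (username, finding) pairs for enabled accounts to review."""
    roster = {p.person_id: p for p in people}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        owner = roster.get(acct.person_id)
        if owner is None:
            findings.append((acct.username, "no owner on roster"))
            continue
        if owner.terminated:
            # Nothing else matters: the account should simply be disabled.
            findings.append((acct.username, "terminated user"))
            continue
        if owner.contract_end is not None and owner.contract_end < today:
            findings.append((acct.username, "business partner contract ended"))
        extra = acct.groups - EXPECTED_GROUPS.get(owner.department, set())
        if extra:  # typical leftover from a transfer between departments
            findings.append((acct.username, "transfer: extra groups " + ",".join(sorted(extra))))
        if acct.last_login is None or (today - acct.last_login).days > INACTIVE_AFTER_DAYS:
            findings.append((acct.username, "inactive user"))
    return sorted(findings)

# Constructed sample data (not from the presentation).
TODAY = date(2015, 9, 1)
PEOPLE = [
    Person("e100", "nursing"),
    Person("e101", "billing"),  # transferred from nursing to billing
    Person("e102", "it", terminated=True),
    Person("e103", "billing"),
    Person("p200", "partner", contract_end=date(2015, 6, 30)),
]
ACCOUNTS = [
    Account("asmith", "e100", frozenset({"ehr_clinical"}), date(2015, 8, 28)),
    Account("bjones", "e101", frozenset({"billing_app", "ehr_clinical"}), date(2015, 8, 30)),
    Account("cadmin", "e102", frozenset({"ehr_admin"}), date(2015, 7, 1)),
    Account("dlee", "e103", frozenset({"billing_app"}), date(2015, 3, 2)),
    Account("vendor1", "p200", frozenset({"claims_portal"}), date(2015, 8, 15)),
    Account("svc_old", "e999", frozenset({"ehr_admin"}), None),
    Account("egone", "e102", frozenset({"ehr_admin"}), None, enabled=False),
]

if __name__ == "__main__":
    for username, finding in review_access(PEOPLE, ACCOUNTS, TODAY):
        print(f"{username:10} {finding}")
```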
Countermeasures – Insider & Privilege Misuse
• Watch for suspicious activity:
– Review access logs.
– Look for data exfiltration.
– Review privileged access.
• Publish anonymous results of audits.
Last Word about Countermeasures
• Consider this list your tool box:
– Determine what is appropriate for your unique environment.
– Consider other controls as well based on threats applicable to you.
– You likely won’t be able to completely eliminate a threat, nor should you.
• This is a risk management process!
References:
• http://www.counciloncybersecurity.org/critical-controls
• http://www.consumer.ftc.gov/articles/0272-how-keep-your-personal-information-secure
Session Wrap-up
In this session we discussed…
– Threat landscape.
– Latest attacks & breaches.
– Recent regulatory activities.
– NIST cybersecurity framework.
– Countermeasures.
Disclaimer
This information is provided solely for general guidance and informational purposes and does not create a business or professional services relationship. Accordingly, this information is provided with the understanding that the authors and publishers are not herein engaged in rendering legal, accounting, tax, or other professional advice and services. As such, it should not be used as a substitute for consultation with professional accounting, tax, legal, or other competent advisers. Before making any decision or taking any action, you should obtain appropriate professional guidance.