KPMG Security Assessment Leak: Client Audit Data Exposure and Its Implications
Incidents involving the potential exposure of security assessment and audit data at Big Four firms including KPMG illustrate a specific and serious risk for professional services organisations: the data you produce for clients — security assessments, audit findings, vulnerability reports, strategic recommendations — is itself extraordinarily sensitive and is a target for attackers. If a consultancy's own security assessment of a client's infrastructure is compromised, attackers gain a detailed roadmap of vulnerabilities to exploit.
Security assessment reports, audit findings, and vulnerability data are among the most valuable targets for attackers in professional services.
Why Client Assessment Data Is a High-Value Target
Professional services firms produce work product that, in the wrong hands, is weaponisable. A security assessment report details every vulnerability in a client's infrastructure. An M&A due diligence report reveals confidential financial information before a transaction closes. A legal advice memorandum can undermine a litigation position. This means that attackers targeting the professional services supply chain are not always after the firm's own data — they are after the work product the firm produces for its clients.
Controls for Protecting Work Product
Professional services firms must treat their work product with the same sensitivity as client data. Specific controls for assessment and advisory outputs include: document classification and labelling on all work product; access controls limiting who can access each client matter; encrypted transmission to clients using secure document portals rather than email attachments; contractual confidentiality provisions covering how clients may store and transmit sensitive advisory documents; and secure deletion of work product at the end of defined retention periods.
Frequently Asked Questions
How should professional services firms classify and protect client assessment data?
Security assessments, vulnerability reports, and audit findings should be classified at the highest sensitivity level and treated accordingly: encrypted at rest and in transit; accessible only by the engagement team and named client contacts; transmitted via secure document portals; and subject to a short retention period once the engagement is complete. Physical printouts should be treated as confidential documents and securely destroyed.
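The rule set above can be enforced as a deny-by-default check on each access request. The following is an added, hypothetical policy-as-code example (not code from this page, KPMG, or Kyanite Blue); it assumes a 90-day retention window after engagement close and a channel label of "portal" for the secure document portal.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional, Set, Tuple

# Assumed "short retention period" once the engagement is complete (constructed value).
RETENTION_AFTER_CLOSE = timedelta(days=90)
TOP_LABEL = "RESTRICTED"  # assumed name of the highest sensitivity classification


@dataclass
class WorkProduct:
    """One client assessment deliverable and the people entitled to see it."""
    engagement_id: str
    classification: str
    engagement_team: Set[str] = field(default_factory=set)
    named_client_contacts: Set[str] = field(default_factory=set)
    engagement_closed_on: Optional[str] = None  # ISO date, None while engagement is open


def retention_deadline(doc: WorkProduct) -> Optional[str]:
    """Date after which the document must have been securely destroyed."""
    if doc.engagement_closed_on is None:
        return None
    return (date.fromisoformat(doc.engagement_closed_on) + RETENTION_AFTER_CLOSE).isoformat()


def access_decision(doc: WorkProduct, principal: str, channel: str, today: str) -> Tuple[bool, str]:
    """Deny by default; return (allowed, reason) for an access attempt on `today` (ISO date)."""
    if doc.classification != TOP_LABEL:
        return False, "assessment work product must carry the highest sensitivity label"
    if channel != "portal":
        return False, f"channel {channel!r} not permitted; deliver via the secure portal"
    deadline = retention_deadline(doc)
    if deadline is not None and date.fromisoformat(today) > date.fromisoformat(deadline):
        return False, "retention period elapsed; document should already be destroyed"
    if principal in doc.engagement_team or principal in doc.named_client_contacts:
        return True, "ok"
    return False, "principal is neither on the engagement team nor a named client contact"


def sample_document() -> WorkProduct:
    """Constructed sample: a closed engagement with one consultant and one client contact."""
    return WorkProduct("ENG-0001", TOP_LABEL, {"alice"}, {"client.ciso"}, "2024-01-31")


if __name__ == "__main__":
    doc = sample_document()
    for who, via, when in [("alice", "portal", "2024-02-15"), ("bob", "portal", "2024-02-15"),
                           ("alice", "email", "2024-02-15"), ("alice", "portal", "2024-06-01")]:
        print(who, via, when, access_decision(doc, who, via, when))
```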