Across South Asia, businesses are racing to go digital. Mobile banking, e-commerce and fintech are transforming economies from Colombo to Kathmandu. Yet with opportunity comes risk. Cybercrime is rising sharply, exposing vulnerabilities in outdated systems and underprepared organisations. For accountancy firms, helping clients counter the threat also creates a pathway for expanding into a growing advisory space.
Scale of the challenge
Cybersecurity incidents are not abstract possibilities. In 2024, Sri Lanka recorded more than 9,000 phishing attacks on businesses, while malware and advanced persistent threats have disrupted sectors as diverse as education and meteorology.
‘The worst threats are often the simplest,’ says Buddhi Pathiraja FCCA, director at BDO Consulting in Sri Lanka. ‘Ignorant staff, outdated systems and weak controls open the door to ransomware, phishing and data theft. And without comprehensive legislation, businesses lack the legal framework to respond effectively.’
Nepal is facing similar issues. Basanta Pandey FCCA, CFO of payments provider Fonepay, says the human factor remains the weakest link. ‘Attackers use phishing and social engineering to trick staff into giving up credentials or access,’ he says. ‘Too often, organisations respond only after an incident instead of building prevention into their culture.’
These trends echo global findings. According to IBM’s Cost of a Data Breach 2025 report, 95% of incidents worldwide involve human error. In South Asia, where digital literacy lags general literacy, the risk is especially acute.
Building resilience
So what should businesses be doing? Pathiraja stresses the basics: keep software up to date, enforce strong passwords, limit administrative privileges and maintain regular backups. Staff training is essential. Cyber insurance is becoming more common, but prevention, detection and recovery all need to be embedded in business models, she adds.
Pandey frames it in terms of four pillars: people, process, technology and culture. ‘Without a security-first culture, the rest collapses,’ he says. ‘Training, simulation exercises and engaging management teams are critical.’
In the Maldives, practitioners are taking proactive steps. Hassan Mohamed FCCA, co-founder of Crowe Maldives, explains how his firm has responded. ‘We’ve established a joint venture with cybersecurity experts and are exploring how AI can be integrated into our service processes,’ he says. ‘Our goal is to help clients adapt before threats overwhelm them.’
Practical steps
Build knowledge
- Take ACCA’s CPD modules on cyber resilience.
- Explore certifications such as CISA or CIA to strengthen credibility in IT audits.
Start with risk
- Integrate basic cyber risk assessments into existing audit and advisory work.
- Use client workshops to link cyber risks directly to financial outcomes.
Partner wisely
- Collaborate with IT specialists for technical tasks such as penetration testing.
- Develop in-house expertise in controls, compliance and risk management.
Lead by example
- Embed strong cyber hygiene in your own firm: updates, backups and staff training.
- Demonstrate best practice to clients through your internal processes.
Position strategically
- Frame cybersecurity as a business resilience issue, not just a technical one.
- Use your role as a trusted adviser to guide clients through digital change.
The role of firms
Traditionally, accountancy practices have focused on audits and reporting. But increasingly, clients look to their trusted advisers for guidance on IT risks. In both Sri Lanka and Nepal, firms are embedding aspects of IT and information security into their audit and review work.
‘Risk management audits now include cyber risk assessments and compliance checks,’ Pathiraja says. ‘Educational workshops and seminars are another way firms can raise awareness and translate technical risks into financial and operational impacts business owners understand.’
Pandey points out that firms in Nepal already act as a ‘second or third line of defence’, testing IT controls as part of their assurance role. ‘An IT audit is similar to a financial audit, but instead of financial figures, you examine information systems and controls against frameworks such as ISO 27001 or Cobit. It’s about ensuring systems are secure, resilient and compliant.’
Professional opportunities
For ACCA members, it all represents a career path that may once have seemed unusual. Yet the overlap is significant. Internal controls, risk management and compliance are core accountancy skills. By supplementing these with IT training, accountants can play leading roles in cybersecurity audits.
‘Many ACCA members have successfully transitioned into IT audit roles,’ Pathiraja points out. ‘Professional firms already have the ethical framework, regulatory knowledge and multidisciplinary teams. With the right tools and training, they can be excellent IT auditors.’
Pandey agrees, adding that ACCA members can gain exemptions when pursuing ISACA’s Certified Information Systems Auditor (CISA) qualification. ‘If our skills were not relevant, such exemptions wouldn’t exist,’ he says. ‘I took this route myself, and it has opened up significant opportunities.’
Partner or self-build?
Should firms partner with IT specialists or develop their own cybersecurity services internally? Opinions differ. Pathiraja argues that building capability in-house is more sustainable and credible, given the ethical responsibilities and accountability that professional firms already carry.
Pandey prefers a hybrid model. ‘Accountancy firms are well placed to assess general controls and compliance, but for technical tests like penetration testing, partnering with certified ethical hackers is essential,’ he says.
What both agree on is that cybersecurity is now inseparable from financial resilience. For accountancy firms, adding this service line not only strengthens client relationships but also creates a competitive edge.
Entry points
For practices considering offering cybersecurity services, the entry points are clear. Start with risk assessments and IT audits, delivered in collaboration with technology partners if necessary. Run awareness workshops for clients and staff, linking cyber risks directly to financial outcomes. Explore partnerships with insurers and legal experts to provide holistic advice.
For individual members, investing in professional development is key. ACCA’s own CPD modules on cyber resilience provide a foundation, while certifications such as CISA and CIA build specialist credibility. Reading widely, attending webinars and engaging in industry forums will also help members stay ahead of emerging threats.
A secure future
The stakes could not be higher. South Asia’s digital economies are expanding rapidly, but unless businesses build resilience, they risk costly disruptions and reputational damage. With their unique blend of financial insight and ethical responsibility, accountants are well placed to bridge the gap between technology and business.
As Hassan puts it: ‘We are preparing to work in a world where AI and cybersecurity challenges are realities. Firms that embrace this shift will not just protect clients, they’ll also lead them into the future.’