With cybersecurity threats coming from all directions, it’s crucial for CPA firms and their staff to be aware of how the risk exposures impact the firm as well as the client. When there is a claim, it is important to understand how cyber insurance coverages respond and it’s vital to engage with qualified legal and technical experts to produce the best possible outcomes for your firm.
Cyber coverages are therefore divided along two lines:
- First party, which refers to losses directly suffered by the policyholder (or insured) firm.
- Third party, which refers to damages alleged by clients or other third parties for which the policyholder firm may be liable.
A single incident may give rise to both damages suffered by the firm (first-party losses) and damages allegedly suffered by others that blame the firm (third-party losses). The insurance coverages will respond according to which party is bearing losses or alleging damages.
First-party exposures have become increasingly problematic for CPA firms. Here are a few major reasons why:
- Cyber criminals are targeting CPA firms and tax professionals with greater frequency because of the abundance of client data found on the firms’ computers. If they are successful in gaining access to the firm’s information there can be costly measures that need to be taken by the firm.
- By inducing a recipient to click an innocent-looking link or attachment, hackers penetrate a firm’s computer system to access client data, read email messages, and commandeer email and other programs. A common scam is to change bank account and routing numbers on client tax returns so that refunds are deposited into the scammers’ bank accounts instead of the clients’ accounts. The costs to complete the forensic analysis, fix the problems, and notify all possible clients would be first-party exposures to the firm. Hackers also use a firm’s tax software programs to falsify and submit tax returns that generate large tax refunds routed to the hackers’ own bank accounts, a third-party exposure to the same hack.
- Ransomware attacks and demands against a CPA firm also generate losses borne by the CPA firm. Ransom demands can be expensive, and paying them does not guarantee that files encrypted by the malware will be restored. Rebuilding the firm’s previous work takes time, as information and data need to be gathered, reentered and reconstructed. Such activity is in addition to other data breach expenses if an investigation determines that client data has been compromised.
- If a firm’s client data has been compromised, there can be a significant cost to the firm associated with complying with the notification requirements to each potential party whose information may have been compromised.
Third-party exposures often arise when a hacker has penetrated the firm’s or client’s computer system and once inside can cause all manner of losses for which the firm may be blamed. For example:
- By using client information, or by commandeering the client’s email accounts, scammers can make purported client email look legitimate and trustworthy, tricking someone at the firm into clicking an attachment or link, which then downloads a virus or malware. Once malware is downloaded, it can enable a hacker to gain remote access to the firm’s computer network, read email messages, and obtain information about other clients and use the information to steal funds.
- “Spear phishing” targets a specific firm, or person within a firm, by using client information or a client email account to make fraudulent messages look legitimate. If the hacker squats in both the client’s and the firm’s email accounts, messages going back and forth between the client and the firm can be manipulated on both ends, making it extremely difficult to determine that a “man-in-the-middle” attack is in progress.
- Client data can also be mined by hackers to perpetrate large-dollar thefts. A common technique is to identify high-end clients who have given bill-paying or wire authority to firms providing business management services. A hacker posing as a client will email a request from the client’s email account for a wire transfer of funds into an account controlled by the hacker. If the account is in another country, the transferred funds are usually irretrievable. They may also request a new vendor be added and start sending fraudulent bills to be paid to this new fake vendor.
Loss Prevention Tip: Have controls in place and always confirm the legitimacy of an email message before clicking an attachment or link, or taking any action. Call for verbal confirmation, and receive confirmation by an actual phone call—not by email or voicemail. Email and other electronic systems may also be compromised and unreliable in an incident. Voicemail can be hacked as well, making it just as unreliable as email. To further minimize fraudulent wire transfer exposure, the firm should establish written protocols with clients for handling client funds, especially as related to handling wire transfer requests. Consider establishing dollar thresholds above which verbal consent would be required if clients do not want to be “bothered” to approve each request. In addition, document who the authorized client representative(s) would be for providing such consent if/when the client is not available.
Scammers have also been known to use many ruses, posing as (for example):
- Tax software companies recommending that tax preparers update their software
- The user’s computer “security” system requiring a password
- Potential clients soliciting professional services
- Legal and technical experts
Loss Prevention Tip: If an email message asks the recipient to click a link or attachment, go directly to the website for information rather than clicking on links provided in the message, or call for confirmation that the email is legitimate and not a scam.
First-Party Cyber Coverage
In the event a firm’s computer system appears to have been breached by malware, a mobile device goes missing, or anything appears to have compromised the firm’s data security, a number of steps need to be taken. A complete cyber insurance program will coordinate these steps and may provide coverage for some or all of the related expenses. Each cyber policy is different so reviewing the coverage language is critical. Examples include:
- Investigation – The cyber risk adviser or attorney with the cyber insurance carrier coordinates an investigation to verify whether the incident is a breach as defined by current state and/or federal laws.
- IT forensics – An IT forensics expert investigates the incident as part of determining whether or not there was a security breach and if client confidential information was accessed. IT forensics experts also respond to ransomware events to assist in decrypting and restoring files as well as eradicating malware from the system.
- Notification letters – If the incident is determined to be a breach, counsel may be appointed to investigate the need for, and preparation of, notification letters to clients.
- Call centers – Clients who receive notification letters may have additional questions about the breach, and a call center will initially handle those questions.
- Credit monitoring services – Clients may demand such services in a post-breach environment.
- Media relations – Media relations firms may be hired in such situations to help protect the firm’s reputation. If state laws require law enforcement to be notified in the event of a theft, media reports may affect the firm’s public image and reputation.
- Cyber extortion or terrorism – A policy may be purchased to pay money to terrorists or extortionists to retrieve locked or stolen critical data.
Such losses incurred by the insured firm are generally considered “first party” and subject to the first-party policies or endorsements.
Third-Party Cyber Coverage
If a client alleges damages arising from an insured firm’s act, error, or omission, for which the insured may be liable, the damages typically would be addressed under third-party coverage included in the CAMICO Accountants Professional Liability (APL) insurance policies—not the CPA’s cyber coverage.
In the cyber area, one common example is the fraudulent wire transfer executed because of a hacker hijacking the client’s or insured’s email account and prompting the CPA firm to transfer client funds into an account controlled by the hacker. Claims sometimes carry substantial third-party exposure, and once funds are transferred, they are usually not recoverable. Even if the client was hacked due to their lack of cybersecurity, the CPA firm can be held at least partially responsible for the transfer of money because they had the last chance to stop the fraudulent transfer.
CAMICO includes third-party cyber coverage in its APL policy, including damages caused by fraud of others (not fraud of an insured), social engineering, phishing, and other forms of misrepresentation. CPA firms should be wary of any APL policy that carries an exclusion for claims arising from such damages.
An information security plan/program, including an incident response plan (IRP), should be in place to satisfy provisions of state and federal regulations. For example, the IRS requires tax return preparers to comply with the Gramm-Leach-Bliley Act’s (“GLBA”) Safeguards Rule, which establishes minimum requirements for protecting sensitive client data. One such requirement is to have in place a written information (data) security plan (ISP), and to periodically review the effectiveness of the program and reassess the risk factors as well as any material changes to the firm’s operations.
An ISP has many benefits, not the least of which is that it will help a firm use its resources wisely and efficiently to plan for a breach and thus reduce firm expenses when a breach occurs. Stand-alone cyber coverage is available to our policyholders who desire a higher level of coverage. Contact CAMICO for more information at 1.800.652.1772.
The information provided in this article is a general overview and not intended to be a complete description of all applicable terms and conditions of coverage. Actual coverages and risk management services and resources may vary and are subject to policy provisions as issued. Coverage and risk management services may vary and are provided by CAMICO and/or through its partners and subsidiaries.