There has been a significant uptick of clients attempting to embed indemnification and/or hold harmless clauses in various documents executed with CPA firms (e.g., non-disclosure/confidentiality agreements, business associate agreements, data protection agreements, etc.) to shift financial liability through contractual apportionment of risk. CAMICO has also noted an increasing trend of clients pushing back on firms’ engagement letters and proposing one-sided indemnification provisions, shifting risk and exposure onto firms beyond what would be deemed reasonable for the scope and limits of the engagement.
At their core, indemnification and hold harmless provisions in most CPA/client agreements are designed to transfer liability, generally in the event of an alleged breach of contract or a party’s negligence, misrepresentation, or misconduct. At first glance, these provisions may appear to be relatively benign, but hidden in what a client may define as “standard” terms can be language that shifts unreasonable risk to the firm.
CAMICO strongly encourages CPAs to take great care in reviewing any contracts or agreements containing such language. Consider the worst possible scenario under the agreement and determine the level of risk your firm would be assuming. So, it is important that before you contractually bind your firm to an arrangement, take the time to understand all the implications of any legalese in the agreement to make an informed decision about terms and conditions that may pose a higher standard or greater liability to the firm than what would typically be anticipated. Make sure that you are comfortable with the agreement and the expectations that will fall on your firm. Be prepared to decline the client opportunity if you cannot negotiate the terms to your satisfaction.
Questions to consider when evaluating agreements with these provisions include:
- Why are you being asked to indemnify?
- What risk/exposure is the subject of the indemnification request?
- Is the indemnity request limited?
- What insurance implications should be considered?
- Would these clauses impair independence?
- Would the use of these clauses be an act discreditable to the profession?
Determining the answers to the above questions is a good starting point to evaluate risk. It is important to note that indemnification laws vary by state, so this risk discussion is limited in nature and does not address state-specific issues or recommendations. CAMICO strongly encourages you to consult with qualified legal counsel in your state if you have specific questions regarding these provisions.
Why are you being asked to indemnify?
Most people would support and agree that if a mistake is made resulting in damage to someone else, the party that made the mistake should be held responsible to “make it right.” What “making it right” looks like, of course, will depend on the facts and circumstances of a particular situation.
How this translates to the CPA/client relationship can be troublesome, given that some of the indemnity and hold harmless clauses are written to be extremely broad, and there may be many components to the underlying facts and circumstances relevant to the assessment of determining actual “fault.” For example, did the CPA solely contribute to the alleged cause of the damage as a result of their negligence, or did the client or one of its representatives contribute, in whole or in part, to the underlying cause?
Certain courts have found that hold harmless is not distinct and is the same as indemnification, while others have found the duty to hold harmless is broader than indemnification as it also requires protection against liability. Therefore, before signing a contract with indemnification or hold harmless provisions, it is extremely important to carefully read the relevant clauses. Identifying, understanding, and modifying unreasonable indemnification and/or hold harmless terms will help to avoid costly liability claims.
What exposure is the subject of the indemnification request?
It is almost never appropriate to agree to indemnify or hold harmless your client or a third party for exposures directly related to the client’s obligations. Any request that provides indemnity for your client’s failure to accurately and timely inform you of information necessary to complete your work is very risky and inappropriate. On the other hand, if the provision is properly worded such that the exposure is appropriately limited given the nature and scope of the professional services provided by the firm, that would be considered less risky. (See the example below under Is the indemnity request limited?)
Is the indemnity request limited?
Many of the indemnity and/or hold harmless clauses embedded in CPA/client agreements attempt to shift all liability from the entity to the CPA firm and have broad language that extends the CPA firm’s responsibilities beyond the professional services being performed. Such agreements/contracts, like NDAs, may be boilerplate agreements that clients use for all third-party service providers. As such, they may contain legal conditions and caveats that are inappropriate with respect to the professional services being provided by the accounting firm.
However, if the indemnification clause is mutual in nature, like the example below, in which both parties accept responsibility as outlined under the terms of the engagement and agree to indemnify any claims judicially determined to have arisen solely from the gross negligence, misrepresentation, or willful misconduct of the party, the provision is much more appropriate for the nature and scope of the CPA/client relationship.
Firm and Client acknowledge and agree that each party maintains responsibility for the work performed, and responsibilities as outlined, under the terms of this Agreement. By the signatures below, each party agrees to indemnify the other party as specified herein: (i) <Firm> agrees to indemnify Client for any claims judicially determined to have arisen solely from the gross negligence or willful misconduct of Firm, and (ii) Client agrees to indemnify Firm for any claims judicially determined to have arisen solely from the gross negligence, misrepresentation, or willful misconduct of Client.
What insurance issues should be considered?
The most important insurance issue to consider is the impact of your acceptance of indemnification and hold harmless provisions on your professional liability insurance or your cyber policy in the case of data breach–related provisions. Before you agree to any such terms, check with CAMICO or your cyber insurance company.
Also important to consider is the extent to which you can protect against indemnity risk through other insurance. For example, many business owner policies (BOPs) address the premise’s risk exposure from your personnel being in the client’s offices. If you cannot insure against the risk created by the indemnification, then consider fee/exposure leverage. Assess the size of the indemnity risk versus your fees. If the indemnification exposure is much greater than your fees, risk increases, and reward is limited.
Would these clauses impair independence?
Under ET §1228.020 of the AICPA’s Code of Conduct, a firm is prohibited from indemnifying an attest client for damages, losses, or costs arising from lawsuits, claims, or settlements that relate to an attest client’s acts. Doing so would impair the firm’s independence.
Would these clauses be an act discreditable?
Certain governmental bodies, commissions, and regulatory agencies (e.g., federal banking regulators, state insurance commissions, and the SEC) prohibit entities subject to their regulation (regulated entity) from including certain types of indemnification and limitation of liability provisions in agreements for the performance of audit or other attest services that are required by such regulators and provide that the existence of such provisions disqualifies a member from rendering such services to these entities. As such, ET §1400.060 of the AICPA’s Code of Conduct states it would be an act discreditable to the profession to perform an attest engagement when the engagement agreement contains indemnification or limitation of liability clauses prohibited by a law, regulation, or interpretation.
Risk Management Tips
Understand your risks before signing these types of agreements/contracts. As a starting point, ensure that your firm has considered the following risk management steps and has adequately provided for the potential of additional liability risks:
- Tread carefully! Firms need to approach indemnity and/or hold harmless clauses with caution; read the provisions carefully and if you don’t understand all the implications of the legalese in the agreement, do NOT sign the agreement. It is important to seek clarity so that you can make an informed decision on terms and conditions that may pose a higher standard and/or greater liability to the firm than what would typically be anticipated.
- Consult with CAMICO and/or your other risk advisors. Get assistance reviewing the agreement if you are unsure of the exposure and implications from a risk management perspective related to the indemnity and/or hold harmless language.
- Push back! You don’t have to accept the terms as they are written in an agreement, preprinted or not.
From a risk management perspective, consider limiting any indemnity and hold harmless clauses by incorporating the following four key suggestions:
- Add language clarifying that any liability would need to be judicially determined by a court of competent jurisdiction;
- eliminate any obligation that would require you to incur costs related to a claim before your fault in causing such claim has been judicially determined by a court of competent jurisdiction as noted in (1) above;
- specify that the firm is only responsible for claims that arise “solely” as a result of the firm’s gross negligence or willful misconduct; and
- confirm that the firm will assume no obligation or liability arising in whole, or in part, from the client’s own negligence, willful misconduct, or misrepresentations.
Refer to the excerpts below for example indemnity and hold harmless clauses that have been embedded in various CPA/client agreements sent to CAMICO’s Loss Prevention department for review. As you can see by the broad nature of these short provisions, as originally written, the firm would be contractually agreeing to cover fees and costs it may otherwise not be legally obligated to cover, which could jeopardize insurance coverage. Agreeing to such terms without modifications would be problematic for any CPA firm, but ultimately it is a business decision for a firm if they are willing to accept the added risk exposure.
For illustrative purposes only, CAMICO has offered suggested edits as tracked below to limit the provisions to more reasonable terms.
Example 1 – Excerpt from a Confidentiality Agreement
Firm agrees to reimburse the reasonable costs to indemnify, defend and hold harmless the Client from any and all loss, damage, liability, claims, causes of action, cost or expense (including litigation expenses and reasonable attorneys’ fees) judicially determined to be caused solely arising, directly or indirectly, from the Firm’s gross negligence, willful misconduct, or and/or its employee agents or representatives material breach caused by the or alleged breach of any of the terms of this Confidentiality Agreement.
Example 2 – Excerpt from an Engagement Letter
Firm agrees to reimburse the reasonable costs to indemnify, hold harmless and defend Client and their respective directors, officers, members, managers, employees, agents and/or representatives from and against any and all third-party claims, demands, causes of action, losses, expenses or liabilities, including costs, expenses, and reasonable attorneys’ fees (collectively, “Losses”) that are judicially determined to be arising solely out of any allegation that the Firm’s material has breached any of its representations, warranties or other obligations under this agreement.
• Educate your client. This enhanced awareness may help to convince your client that broad, all-encompassing indemnity and hold harmless clauses are not appropriate given the scope and limits of your engagement.
• Understand the insurance coverage implications. Indemnity and/or hold harmless provisions may lead to significant costs to a CPA firm, as professional liability insurance policies as well as cyber policies typically have an exclusion for claims arising out of liability assumed by the firm under a contract unless that liability would have been present regardless of the existence of the contract. Be wary of contractually binding your firm to this added significant exposure; indemnification and hold harmless provisions can be costly, especially if the language is broadly worded and the clauses have you paying for all claims, regardless of their merit.
• Consult with an attorney in your state. If you have questions regarding the efficacy and potential exposures to your firm of certain indemnification and hold harmless clauses, consult with qualified legal counsel before signing agreements containing such language, as indemnification laws vary by state. As the risk management guidance provided in this article specific to indemnification and hold harmless provisions in CPA/client agreements is limited in nature, CAMICO has not addressed state-specific nuances or recommendations.
As always, CAMICO encourages policyholders to call 800.652.1772 or email the Loss Prevention department at lp@camico.com for more information.