CAMICO’s Loss Prevention and Claims departments work with CPA policyholder firms every day on difficult risk management issues. The following Q&A highlights recent COVID-related trends that policyholders have discussed with our specialists.
Q: What cyber best practices does CAMICO recommend for remote work, given the pandemic’s “new normal”?
A: The sudden transition to accommodate employees working remotely in response to the pandemic had many CPA firms rushing to establish or update their policies and security protocols to address working remotely, given the security challenges not present in traditional office environments.
Many firms are opting to offer staff more permanent remote work arrangements. CAMICO is encouraging these firms to revisit their written policies and security protocols to assess their specific threats, risks, and vulnerabilities to ensure that appropriate safeguards are in place to address the new paradigm.
When evaluating the propriety of a firm’s policies and security protocols in light of the new remote work environment, first assume that threats will occur.
Assuming that threats will occur can be a difficult pill to swallow, especially for firms that do a good job of securing their on-premises infrastructure. However, potential vulnerabilities exist within the infrastructure and applications employees use to work remotely.
Although not meant to be all-inclusive, the following basic best practice measures for firms continue to be extremely critical given remote work’s increased cyber exposure:
- Ensure all software has the latest security options/patches. This will help protect against malware, viruses, and hacker attacks.
- Frequently back up all important data and information and verify your backups. Regular backups reduce the likelihood that critical data is lost in the event of a cyber-attack. Protect the backups in all remote and external locations, outside of your network, where they are safe from ransomware that targets backup copies. Periodically verify that your data backup process is working properly to assure that your data will be recoverable were a crisis to occur.
- Require employees to change and strengthen passwords frequently. Systems are only as secure as the passwords used to access them.
- Use multi-factor authentication. This can add an extra level of security to help prevent an account hack, especially when employees work remotely.
And remember, even the best employees can become complacent about adhering to cybersecurity best practices when working remotely. Setting clear rules to govern how employees work remotely is an important step in managing remote access threats. Claim trends show that employees are the weakest link and the first line of defense against most, if not all, cybersecurity attacks. Special attention should be given to ensure that your firm continues to prioritize appropriate firm-wide cybersecurity awareness training.
Although not meant to be all-inclusive, firms should enforce the following basic best practice measures for remote employees:
- Maintain strong work-from-home cyber hygiene. Adhere to the firm’s policies and cyber protocols when working remotely (e.g., machine use restrictions, WiFi passwords, VPN, firewalls, properly secured router, etc.). In addition to strong WiFi passwords, the wireless router should be no more than five years old and frequently updated with the latest firmware updates.
- Slow down to avoid being yet another “phishing scam” victim. Take the time necessary to validate suspicious or unexpected email. And do not click a link, pop-up or attachment without first hovering the cursor over the link to display the URL to assess its legitimacy. If there is an urgent call to action, rather than clicking on a link, consider a different way to validate the request, such as calling to get verbal confirmation that the communication is legitimate, or going directly to the purported sender’s URL.
- Power down computers when not in use, whether in the office or when working remotely. Computers are not accessible to attacks or intrusions when powered off.
- In the event of a potential cybersecurity “incident,” immediately inform the appropriate parties within your firm. Examples include, but are not limited to, unauthorized use, malicious code, compromise of confidential client information, unauthorized disclosure or loss of information, information security breach, etc.
Remote work has inherent security risks. However, firms will certainly be better positioned to mitigate these risks by adhering to these basic best practices and proactively refining their policies and security protocols to encompass the unique security challenges of remote work arrangements.
For additional CAMICO guidance, policyholders are encouraged to access the Cyber/Data Security Resource Center on the CAMICO Members-Only Site (www.camico.com).
Q: Our firm is receiving an uptick in requests from lenders for creditworthiness verifications for clients who received loans under the Paycheck Protection Program (“PPP”). How should we respond?
A: Many lenders, in response to economic challenges precipitated by the pandemic, were stating that they needed to have the borrowers’ accountants sign financial statements supporting borrower loan applications. Government regulations do not require this step. CAMICO has historically cautioned accountants not to accommodate these requests. Accommodating these requests is not required and could violate professional standards were the accountant to provide assurances regarding a borrower’s ability to repay the debt or solvency.
Instead, CAMICO discourages accountants from communicating directly with the lender. IF the accountant were to choose to do so, then CAMICO has offered wording to specify the services performed, point out that those services did not contemplate accommodating this request, and indicate that the lender would need to rely on its own underwriting procedures. Prior to the issuance of SSARS No. 21 in October 2014, accountants would have been required to perform a compilation of financial statement engagement were they to provide financial statements in support of a lender’s request. AR-C Section 70 of SSARS No. 21 introduced the preparation of financial statement engagement. Accountants who perform this service typically do not issue a report and instead prepare financial statements with a legend appearing on each page which clearly states that no assurance is provided.
However, the preparation of financial statement engagement also permits the accountant to issue a disclaimer report. CAMICO has steadfastly discouraged accountants from using the disclaimer report option, as doing so would eliminate the anonymity associated with the typical “legend” approach, which does not require a disclaimer. This scenario could be the exception that defines the rule. IF the lender insists on receiving a “financial statement signed by the borrower’s accountant,” CPAs could choose to accommodate the request by performing a preparation engagement and issuing a disclaimer report. If you choose this path, you will need to obtain a signed engagement letter detailing the client’s and accountant’s mutual responsibilities. Neither the compilation report nor the disclaimer report provides assurance, but the language in a disclaimer is concise, and the engagement would not subject the firm to peer review if it is not already subject to peer review.
For additional CAMICO guidance related to responding to third-party requests for information or to access letter templates, refer to CAMICO’s Members-Only Site (www.camico.com).
Q: I have a long-term client pressuring me to disregard positions they are taking that are inconsistent with my understanding of the Small Business Administration’s promulgated Paycheck Protection Program (“PPP”) rules. I don’t want to become a target for a lawsuit. What should I do?
A: These are difficult times for many small businesses hit hard by the pandemic. Unfortunately, difficult times can lead to desperation among some clients and may cause honest people to push the envelope with aggressive and potentially dishonest positions. Some try to rationalize their actions as temporary measures to get their business through a rough patch and attempt to pressure the CPA to look the other way and/or become complicit. Firms should guard against being too loyal to long-term clients and potentially jeopardizing their professional skepticism.
In CAMICO’s experience, difficult economic conditions have a significant impact on CPA professional liability claims. And in the risk management world, everything and everyone is judged in hindsight. Looking at a situation in hindsight means that the history of it can be rewritten in a manner that benefits the client: “Why didn’t my CPA warn me about what was going to happen if I took such an aggressive position?”
In today’s world, the common theme from a client is likely to be, “I was relying entirely on my CPA for assistance in complying with all of the PPP-related rules… My CPA should have warned me that my use of PPP funds was not in accordance with the program’s terms and would jeopardize loan forgiveness.”
Jury research shows that the public, including clients, perceive that the CPA’s fundamental job is to “advise and warn”—to advise clients of opportunities and to warn them about risks. However, juries often conclude that if that advice or warning is not in writing, it is as if it never occurred. Consequently, defensive documentation is always a critical issue in any claim scenario. By documenting your significant communications, and in this case the needed advice and warning, you not only improve the understanding between you and the client, but also help to minimize your chances of facing litigation. If you do find yourself in a lawsuit, then the written communications will serve as documented evidence to a jury of your advice and warnings.
Some more desperate and/or aggressive clients may choose to ignore your advice and warnings and threaten to seek a more “cooperative” or “understanding” CPA. It is important for CPAs to “stay on the side of the angels.” Situations like this can be difficult to navigate and require some delicate balancing. Calling CAMICO as soon as you perceive this type of situation is critical so that we can collaborate to evaluate alternatives to minimize the risks to you and offer solutions to help you do right by your client.
Q: What advice does CAMICO offer CPA firms as we look to be creative with staff and as we work to define the “new normal”?
A: Firms across the country continue the delicate balance of managing employee safety related to COVID-19 while maintaining client servicing standards.
With cases of COVID-19 growing daily across the country, and a new Administration taking office, local and state governments are continuing to impose new and dynamic recommendations that often differ from federal recommendations, leaving it up to the firm to establish and refine these protocols as they deem appropriate.
Creativity and flexibility are paramount when creating plans for returning employees to the office. Many firms are adopting one or more of the following:
- Hybrid Model – allowing employees to work from home part-time and work in the office part-time, minimizing the number of employees in the office at any given time.
- Work Pods – establishing groups or pods of employees based on the level of interaction needed between the employees. These employees would work similar schedules so that work can be streamlined, and interaction maximized.
- Staggered Shifts – reducing the number of employees in the office at any given time while allowing some crossover for ease in communicating.
Firms should continue to monitor the advice of public health officials and be flexible and transparent with employees as the situation evolves. Guidance for employers in responding to COVID in the workplace is continually being updated by the Occupational Safety and Health Administration (OSHA), so firm management should frequently revisit those guidelines to ensure compliance. In addition to the federal OSHA guidelines, 28 states also have state-specific occupational safety guidelines, which typically impose tighter restrictions and guidelines for private sector employers. The Department of Labor’s Coronavirus Resource Center (https://www.dol.gov/coronavirus) can be helpful in developing best practices.
In addition, given the dynamic nature of the pandemic, firms should prepare to respond to one-off exceptions, as you may have an employee who is not willing or able to adhere to all the firm-stipulated guidelines and best practices. Be proactive and determine an appropriate course of action that balances the rights and obligations of the employee with those of the other firm members. For example, there may be instances in which the reasons for non-compliance relate to health and/or religious concerns. Firms will need to tread lightly, remain flexible, and make good faith efforts to balance the interests, health and safety of all employees who may have varying levels of confidence about returning to the workplace.
This is the time to overcommunicate. Employees need to be reminded of the specific proactive measures the firm has implemented to ensure their health and safety in compliance with information promulgated by public health authorities. Communication should be frequent and detailed and include refreshers for the employees regarding their obligations to adhere to firm safety protocols.
Frequent virtual all-hands meetings, one-on-one meetings, and casual check-in calls will help firm management keep a finger on the pulse of the staff to ensure that messaging is clear and understood – employee health and safety is a top priority for the firm! The transition to a “new normal” requires a delicate touch.
CAMICO policyholders can find additional risk management information regarding the pandemic on CAMICO’s COVID-19 Resource Page, available on our Members-Only Site (log-in at www.camico.com). Please visit our Members-Only Site often for updates, as we will share new information as it becomes available.