Cyber-Risks Get Real

It was only a few years ago that cyber-liability was considered an exotic, rare issue in accountants’ professional liability. Not today. “Cyber-liability is the hottest insurance trend, and certainly, for any type of accounting practice, probably the insurance trend to which accountants should pay the most attention, assuming their needs are otherwise covered,” said John Torvi, vice president of marketing and sales at Herbert H. Landy Insurance Agency Inc. “No accountant or tax business is immune from this risk. The good news is that the availability and the cost of coverage are becoming far more favorable to small and medium-size owners, so even a mom-and-pop CPA practice can purchase a good cyber-liability policy.”

Ken Mackunis, executive vice president of Aon, the program administrator of the American Institute of CPAs’ professional liability program, agreed: “During tax season, the IRS had over 100,000 returns affected. It just reinforces how cyber-security is a real issue that is not going away.”

“CPAs have a treasure trove of Social Security numbers and other client confidential data,” he said. “Every CPA firm has to think about having the right security procedures in place at their own firm, and to do a self-assessment to identify any irregularities. That’s what the IRS is doing right now.”

“What if it weren’t the IRS, but a CPA system that was hacked?” he asked. “Make sure you have the right procedures in place and the right resources available to deal with the issue when a problem does arise. Don’t just buy a policy that reimburses you with expenses in responding to a privacy action. Make sure you have a policy that also provides support services right out of the gate, because time is of the essence. That gives time for the practitioners to focus on their practice, and bring experts in to deal with the issues.”

Mackunis cautioned that the move to the cloud has its own risks. “Practitioners are taking advantage of cloud computing, and are providing services through the cloud. The move is inevitable, and valuable in expanding the services that CPAs can provide. In managing risks in the move to the cloud, there are three key things accountants can do: make sure they perform the proper due diligence on the providers; make sure they understand the details in the vendor agreements who they are working with; and tell your clients if you’re doing it. By doing all three of these, the firm is covering itself the right way.”

“Cyber-liability has moved to the top of the list,” agreed Bill Thompson, a CPA and president of CPA Mutual. “I don’t think that most CPAs are truly aware of the danger they face every single minute their servers are not protected properly, and they don’t have password-encrypted e-mail service.”

“We’ve had the whole gamut of losses in the cyber area,” he said. “That includes stolen or lost laptops that contained confidential information. For example, an FBI agent walked into one of our client firms and insisted they allow him to copy a computer hard drive because it had been hacked, and confidential information had been used to file fraudulent returns. There have also been spoofing incidents, where a CPA was in the loop of handling clients’ money while the client was out of town.”

The scam typically targets a CPA who handles money transfers on a client’s behalf: the CPA receives an e-mail that appears to come from the client’s controller, requesting a transfer to a specified account, and a considerable sum is then wired to an offshore bank account. “It’s not protected like your credit card is,” said Thompson. “When it happens, the bank has no legal responsibility to make the client whole. It happened to one of our CPA firms, where the administrator was spoofed, and wired money to an offshore account based on e-mails that look exactly like the real thing. Our advice is to pick up the phone and make a call to confirm that the e-mail is actually from the person they think sent it.”
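The wire-fraud scenario above turns on a spoofed message that "looks exactly like the real thing." The following script is an added example, not code from the article or from any of the firms quoted in it; it shows the header-level tells a practitioner can check before acting on an e-mailed payment instruction, and it encodes Thompson’s advice by always requiring a phone call-back for any such request. The client domain list, the sample messages and the keyword lists are constructed for illustration.

```python
"""Added example: triage an e-mailed payment request before anyone wires money.

Checks the sender headers for the tells of a spoofed "controller" e-mail
(look-alike domain, mismatched Reply-To, an address hidden in the display
name, language that discourages a call-back) and decides whether the request
must be confirmed by phone, on a number already on file, before funds move.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the firm maintains this allow-list of genuine client domains.
KNOWN_CLIENT_DOMAINS = {"acmeholdings.com"}

# Words that mark a message as carrying payment or banking instructions.
PAYMENT_WORDS = re.compile(
    r"\b(wire|transfer|remit|routing|iban|swift|beneficiary|bank account)\b", re.I)

# Phrases attackers use to head off the phone call that would expose them.
NO_CALLBACK = re.compile(r"can'?t (take|answer) (any )?calls|do not call|don'?t call", re.I)

# Substitutions commonly used to register look-alike domains.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain):
    """Undo confusable substitutions so acmeho1dings.com compares as acmeholdings.com."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance; catches one-letter typosquats such as acmeholding.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the known client domain this one imitates, or None if genuine or unrelated."""
    if domain in KNOWN_CLIENT_DOMAINS:
        return None
    for known in KNOWN_CLIENT_DOMAINS:
        if normalize(domain) == known or edit_distance(domain, known) <= 2:
            return known
    return None


def domain_of(addr):
    """The part after the last '@', lower-cased; empty if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(raw_message):
    """Return payment_request, the spoofing flags found, and whether to call before wiring."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = "" if msg.is_multipart() else msg.get_payload()

    flags = []
    imitated = lookalike_of(from_dom)
    if imitated:
        flags.append(f"sender domain {from_dom} imitates {imitated}")
    if reply_addr and domain_of(reply_addr) != from_dom:
        flags.append(f"Reply-To {reply_addr} goes to a different domain than the sender")
    if "@" in display_name and domain_of(display_name) != from_dom:
        flags.append(f"display name shows {display_name} but mail is from {from_addr}")
    if NO_CALLBACK.search(body):
        flags.append("message discourages a phone call-back")

    payment_request = bool(PAYMENT_WORDS.search(body))
    return {
        "payment_request": payment_request,
        "flags": flags,
        # Any e-mailed payment instruction is confirmed by phone, spoofed-looking or not.
        "verify_by_phone": payment_request or bool(flags),
    }


# Constructed sample messages (not real correspondence).
GENUINE = """From: Dana Lee <dana.lee@acmeholdings.com>
To: admin@cpafirm.example
Subject: Q2 close

Can we move the Q2 close meeting to Thursday?
"""

SPOOFED = """From: "dana.lee@acmeholdings.com" <dana.lee@acmeho1dings.com>
Reply-To: dana.lee.acct@gmail.com
To: admin@cpafirm.example
Subject: Urgent wire today

Please wire $48,500 to the new beneficiary account below before 3pm.
Routing 021000021, account 99887766. I am travelling and can't take calls.
"""

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        result = assess(raw)
        print(label, "-> call before wiring:", result["verify_by_phone"])
        for flag in result["flags"]:
            print("   ", flag)
```

The flags only explain why a message cannot be trusted; the control that actually stops the loss is the call to a number the firm already has on file, never one taken from the suspicious e-mail itself. The distance threshold of 2 is deliberately loose for a short allow-list and would need tuning against a large one.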

“When you look at Morgan, Sony, and even the IRS, how can a typical CPA firm that spends $5,000 or $10,000 a year in Internet security stop something that a company that spends millions can’t stop?” he asked. “I long for the good old days when all the files were in the file room. We had a case once where someone broke into the room and stole all the A and B files — at least you know that you’ve been broken into. Our problem today is that most of us don’t know when the system has been hacked.”


WHO’S RESPONSIBLE?

“We’ve also had firms that have been hacked with ransomware and had to pay a ransom in order to get back access into their system,” Thompson said. “If you were a thief and want financial information, who better than CPA firms? A lot of CPAs are using third-party providers in the cloud. We’re waiting for one of those services to get hacked because we see the cloud as a goldmine of financial information. Who will be held responsible, the CPA or the third-party provider? The CPA needs to be very careful when they sign the third-party agreements as to who will be responsible if there is a hack.”

Cherie Tolbert, vice president of independent insurance broker NFP, agreed. “The thing about a data breach is that it affects everyone, but people tend to hold the CPA to a higher standard. There’s a lot of exposure for breach of data. What we’ve seen lately is cyber-extortion, where someone hacks into the system and steals information or will shut down the system until a ransom is paid. We’ve had a lot of claims in that area. Some of this is covered in professional liability policies, but some needs to be addressed with a special cyber-liability product.”

Tolbert noted that a business interruption caused by a cyber-event might need its own coverage. “For example, extortion is taking the form of demands for bit payments — if you don’t make the bit payment they will lose work, or can’t work. A portion of their loss is the loss of business, and there’s no insurance coverage for this unless it’s purchased separately.”

Another cost of a cyber-event is loss of reputation, according to Tolbert. “There’s a public relations cost to overcome this, and all kinds of regulatory actions, fines and penalties that come when you have a privacy breach. You have to give notification, and that can be hugely costly depending on the number of people who’ve been hacked.”

“These are not normally covered under a regular policy,” she said. “Many companies will throw in a little piece that covers a privacy breach and give $1,000 or $5,000 of coverage. This can give a false sense of security when it’s virtually no coverage — it’s a bells-and-whistle type of thing, but it’s not really enough to do anything if there’s a real breach.”

The good news is that the additional coverage is relatively inexpensive, according to Tolbert. “You can buy from half a million to $10 million or more of coverage for a few thousand dollars, depending on what you do and the safeguards you have in place. In addition, these policies come with a lot of benefits, including loss prevention, so if you’re exposed to a situation you can get in touch with companies and get the process and procedures going in the right direction.”

“We’re also seeing — and selling — more insurance covering crime, which is employees stealing from the CPA employer and firm, or in the customer’s office. CPAs have their hands on someone’s money, and sometimes writing checks and paying bills gives too much opportunity and is too tempting.”


IN THE REAL WORLD …

Meanwhile, accountants also have to be aware of what’s going on in the non-cyber world, according to Randy Werner, loss prevention executive at Camico.

“We live in an increasingly complex world. CPAs tend to get caught up in that complexity, and it’s time to go back to basics,” she said.

“We’re starting to see an uptick in CPAs failing to provide and/or insist on engagement letters,” she said. “As the complexity of the services increases, there is a greater need for the client to have an understanding with the CPA about the services that are being offered, the role that the CPA will play in providing those services, and the responsibilities of the client. The complexity of services requires an engagement letter in nearly every engagement. Even a simple Form 1040 may have an [Affordable Care Act] issue.”

A good engagement letter defines the responsibilities and limits of each of the parties, Werner indicated. “If a firm adopts a ‘stop work’ clause in addition to a fee arbitration clause, they can avoid having the client continue to be a drain on the firm and provide a mechanism to collect if the client has stopped paying without suing the client, which often results in a countersuit for malpractice.”

Due to a natural skepticism and conservative character, CPAs are often slow to adopt technologies that will assist them and their practices with efficiencies, Tolbert observed. “For instance, there are software programs that can document conversations for the CPA without the CPA typing or writing the notes after an important conversation,” she noted.

“I recently spoke to a CPA who had a client complaining that the CPA did not complete the audit in time and that the client lost money as a result. The CPA firm said that they had had multiple conversations with the client and the client’s business partners about the lack of cooperation causing the delay. The client was well aware of this. We discussed the CPA’s policy about documenting conversations, and he stated: ‘We don’t document our conversations with clients — it takes up too much time.’ Translation: We can’t or won’t bill for it, and we are willing to take the risk that we’ll have a claim.”

“This is a good example of the need to document important information throughout the engagement,” she emphasized. “It’s an excellent risk management skill that should be taught to all levels of professional and support staff.”

“I speak all over the country, and the response to my question of whether CPAs document their cell phone conversations with clients and third parties contemporaneously when they return to the office is 40 to 1 ‘No,’ and 30 to 1 that it is never done. The unfortunate outcome of this behavior can be an expensive claim that was completely unexpected by the CPA. An example is ‘back of the envelope’ calculations or advice in which the client invested in something that later failed based on a short conversation with the CPA while they were driving somewhere or standing in line for coffee.”


THEY HOLD YOU RESPONSIBLE

Werner cited the tangible property regulations and the ACA as two areas that illustrate the CPA’s duty to “advise and warn.”

“It isn’t enough to be competent and understand what you need to do for the client,” she said. “You need to provide the client with enough information to make an informed consent. Many CPAs, understandably, were caught unprepared this tax season for the repair regs issue. We’ve already had a claim where the CPA firm made the decision for the client regarding the change in method of accounting, thinking they could amend the return.”

The same is true of the ACA, she indicated. “CPAs have small-business clients that are relying on the CPA to advise them as to compliance and needs under the ACA. Many CPAs do not want the responsibility for ACA issues but have not done as good a job or in a timely manner to advise these clients to use other resources. As the risks from the ACA to the client grow over time, they will have expected their trusted advisers to be just that — to advise them and warn them of the potential risks of not complying with the regulations.”

An area that often catches the CPA unprepared is the state requirement for registration, according to John Raspante, senior vice president for risk management at North American Professional Liability Insurance Agency. “For example, an Ohio accounting firm with a client in Illinois may do audit services for the client. By failing to register with Illinois it creates exposure for the accounting firm. It can get complex, because not every state has the requirement for registration. Quite often there are claims on this. If accountants fail to register with the appropriate state board, there could be sanctions and fines against the firm. Some states have stricter results than others. New York says if you practice accounting in New York unlicensed and unregistered, it’s a class E felony; if you just do tax work, you don’t have to register, but for anything else you do.”

“But if you’re not registered and there is an allegation as to whether you’re competent or incompetent, it doesn’t look good if you’re not registered,” he continued. “A clever attorney will use this to convince juries and arbitrators that this tends to the underpinnings of negligence.”

David Dreyer, a business litigation shareholder with Chamberlain Hrdlicka, advised CPAs to know who is the client and what is the scope of the engagement. “For example, if my client is the company, and the scope of the engagement is to handle due diligence and get the books for companies that they might be interested in acquiring, be aware if a member of the board calls and has a personal issue to discuss.”

“If possible, always get a closing letter,” he said. “In an ideal world, you always begin with an engagement letter, which identifies the scope of the engagement, and end with a termination letter.”

MORE FROM ACCOUNTING TODAY