CPA Firms Insure Liability for Cybersecurity

CPAs typically collect and store information about their clients which may open them up to liability if any of the information is compromised, according to Rickard Jorgensen, president of Jorgensen & Company.

“The information is generally of a personal nature, and it includes things like Social Security numbers and credit card details, because when an accountant compiles information for a tax return they have to make inquiry about the personal financial status of their clients,” he said. “And if they hold this information in an Internet-connected system or on a portable device, they are exposed to either theft of that data or cyber-attacks involving extortion.”

“Recently Home Depot was hacked,” he said. “Anybody who used a bank debit card was threatened with exposure of their banking details. At the moment these attacks are aimed at retailers or banks that maintain a significant amount of customer data, but it won’t be long before CPAs and tax preparers are going to be subjected to the same nefarious attention. Anyone who holds data, any professional service firm that keeps records of clients’ personal data, will become a target.”

“Right now, all we hear about are the most publicized events,” Jorgensen noted. “Sony, Bank of America and Home Depot are just three of the firms whose data has been compromised. We’re seeing an increasing number of professional firms that have encountered these situations. And we have seen claims in our own professional liability program regarding loss of data on laptops via leaving them in a bar, having a car broken into and burglaries.”

There are things a firm can do to protect itself, according to Jorgensen. “These are commonsense things, like changing and protecting your password, updating your software, making sure you have a decent firewall, and not allowing people into your server rooms.”

Employees’ remote access to your servers exposes your business to a security breach, Jorgensen said. “Make sure you control the access.”

Establish a record retention policy and stick to it, Jorgensen advised. “Reducing what you retain reduces your exposure,” he explained. “This should include data that can be destroyed or redacted and password protected. For instance, when checks are received, your accounting department should record receipt and never store a copy of the check in the client file or other location.”

Most small companies do not have the internal resources to manage and maintain relevant cyber exposures, according to Jorgensen. “The firm should consider outside IT help to provide key components of their cyber liability strategies,” he said. “In addition, it is beneficial to inquire about best practices of other similar businesses as yours.”

The insurance industry is just starting to develop adequate products that address these risks, Jorgensen observed. “So you have to be quite careful in finding the right protection. We’re just learning as we go along. You will find policies that are full of holes and some overlapping with other professional liability policies.”

“Conventionally, what’s been happening is that accountants will add a rider to their professional liability insurance,” Jorgensen said. “The problem with that is that it will erode the insurance for normal CPA activities of audit, attest and tax, so it’s wise to look at the possibility of buying independent insurance that will respond and not remove coverage with the main firm activities endorsement. If there’s a $2 million claim against you and you have to practice for the next year, you have no insurance. I prefer separate coverage. It’s additional protection and it’s not a very expensive proposition. Although I like the idea that it can be part of the main policy, in truth, as a best practice, it should be separate coverage.”
