In today's digital landscape, it is no surprise that there appears to be a new cybersecurity story in the news every week, from attacks on major infrastructure to small companies being held for ransom. The risk of cyber threats continues to grow for CPA firms, along with other professional services firms, as all are considered prime targets for cybercriminals given the wealth of sensitive client data, financial information, and/or legal documents they maintain.
Don't be lulled into a false sense of comfort that your firm (or your clients) is too small or too large to be attacked. Camico is seeing an uptick in the number of cyber-related claims impacting CPA firms of all sizes and, unfortunately, the severity of these cyber crimes and ransomware attacks has grown in recent years.
Some of the more frequent categories of loss for CPA firms related to cyber claims include:
- Social engineering;
- Funds transfer fraud;
- Theft of data;
- Loss of laptop or data stick;
- Unauthorized use of networks;
- Failure to protect client confidential information shared with a third-party service provider;
- Computer system cloud hack;
- Lost profits related to cyber events; and,
- Ransom attacks.
Identifying key cyber risks and best practices to mitigate risk exposures is important to safeguard confidential information, maintain client trust and ensure your firm's continuity. One of the important concepts people must be aware of when evaluating their cybersecurity exposures is the difference between first-party risks and third-party risks. First-party risks are damages and losses you incur from a cyberattack or security breach of your firm, whereas third-party risks often arise when a hacker has penetrated the firm's (or client's) computer system causing damages to a client or other third party as a result of the cyber incident for which the firm may be blamed in whole or in part.
As you would expect, first-party cyber exposures have become increasingly problematic for CPA firms as cyber criminals are targeting CPA firms and tax professionals with greater frequency because of the abundance of client data found on CPA firms' computers. If they are successful in gaining access to a firm's information infrastructure, there can be costly measures that need to be taken by the firm such as hiring IT forensic experts to determine the extent of the breach, consulting with attorneys who specialize in data breach laws and notification obligations, and providing credit monitoring to those impacted by the breach.
What may be surprising to some CPAs, however, is the increase in third-party cyber exposures that are impacting firms. These situations often arise when a client has been hacked, and the hacker has penetrated the client's computer system and, once inside, causes all manner of losses for which the CPA firm may be blamed. Unfortunately, many of these incidents tend to be high-dollar claims against the CPA firm. These claims typically include allegations that the firm failed to detect red flags associated with communications executed by the hacker, falling below the standard of care by initiating wire transfers (later determined to be fraudulent) without "proper" client authorization, failure to "warn and advise" clients of the potential risks/threats of cyber attacks, and the list goes on.
Consider this real-life scenario: a client of the CPA firm was hacked, and the hacker penetrated and commandeered the client's email account. The hacker emailed several requests to the CPA firm to wire funds to a new account — a classic "man in the middle" attack. After receiving each request, a CPA firm staff member emailed the client to verify the wire transfer instructions. Because the hacker had full control of the client's email account, the hacker was able to respond to the CPA firm and "verify" the payments to the hacker's overseas bank account.
Such outcomes have become all too common. With the increased number of claims related to fraudulent wire transfers, the best risk management practice in the absence of any written protocols to the contrary is to verbally confirm all wire transfer requests with the client and not rely on email or voicemail confirmations.
Unfortunately, technological advances have permitted sophisticated scammers to create AI versions not only of people's voices, but also realistic avatars of scam targets so that you can't trust your ears or your eyes on virtual calls (e.g., Microsoft Teams). Ideally, you and your client will have a code word and/or phrase to confirm the authenticity of the person you are speaking to.
Cyber insurance protects against financial losses related to data breaches or other covered cyber events. Cyber insurance coverage is basically divided along two lines:
- First-party, which refers to losses directly suffered by the policyholder (or insured) firm in response to a firm's data breach or other covered cyber event, and
- Third-party, which refers to damages claimed by clients or other third parties who allege that the negligence of the CPA firm contributed in whole or in part to the third party's cyber-related loss. Camico's professional liability policy generally will cover third-party cyber claims subject to applicable policy terms, conditions and exclusions.
It is possible that a single cyber incident may give rise to both damage suffered by the firm (first-party losses) and damages allegedly suffered by others that blame the firm (third-party losses). The relationship between the first and third parties can be formed in many ways. It can be contractual (for example, engagement letters), built through tort law, common law or other ways. CPA firm clients are third parties, and others may become a third party based on the nature of an incident. Clients may have insurance of their own, making them a first party with their own cyber insurance carrier.
First-party insurance typically covers the direct costs of actions needed after a firm has had a data breach, extortion, ransomware attack or other hacker malfeasance against the firm. Third-party cyber-liability insurance, on the other hand, covers the costs of dealing with the claims of other parties that seek to hold your firm at least partially responsible for damages that they have incurred because of a cyber incident. Sometimes, the line between first-party damage and third-party damage becomes blurred — especially if a firm and its client have both been breached, and forensic analysis cannot conclusively establish the sequence of events leading up to the breach or how the breach occurred.
Understanding the difference between first-party and third-party risks is essential when seeking cyber insurance. Ideally, every CPA firm should have some degree of insurance coverage for both first-party and third-party risks as the CPA firm faces exposure to many accusations and lawsuits in the event of a compromise or data breach impacting its clients' data. For example, everyone faces risks of inadvertently forwarding a malware-infected email message that subsequently wreaks havoc after being opened by a recipient, or of their computers and networks being breached and subsequently exploited by hackers to serve as launching pads from which to target others.
Relying on only one type of cyber insurance that is limited to either first- or third-party coverage may leave businesses exposed to significant financial and legal risks. Investing in both first-party and third-party cyber insurance provides greater protection against today's growing cyber threats.