Cyber-liability is on everyone’s minds as we move more deeply into the digital age. Sensitive information has been stolen from huge box stores and government agencies, and CPA firms are in the crosshairs due to the immense amount of personal data they have.
“There’s no getting around cyber-liability,” said Ron Parisi, a partner in Orchard Accounting and an attorney and former insurance company executive. “Cyber is important to practitioners because as a profession we’re going into the cloud, and whether we have in-house or cloud servers, everything is being backed up into the cloud with multiple vendor relationships. It’s difficult for CPAs to understand their risk potential. There are a lot of smaller vendors that CPAs may be using with questionable practices. It’s important to vet out who those vendors are and their practices — whether or not they meet professional standards.”
Nevertheless, accountants are generally good about encryption and data security, according to Jonathan Ziss, an attorney who specializes in the defense of CPAs. “When an auditor goes to a client and his laptop is stolen when he stops for a frozen yogurt at the mall, generally the data is encrypted so there’s no need to panic,” he said. “The big law firms have been hacked by people looking for insider trading information, so you do have to take it seriously. I’m not aware of any of the Top 100 accounting firms being hacked like the law firms, but it will happen. The real issue in terms of cyber-liability is to maintain state-of-the-art data security procedures, and make sure you have adequate insurance.”
Insurers, like the accountants they serve, are just getting their feet wet as far as cyber-liability goes, according to Ziss. “The insurance industry is as new to this risk as are their clients,” he said. “Coverages that are available are evolving themselves. The market is bringing new products all the time, so it’s important for whoever in the CPA firm is responsible to maintain a fluid dialog with their insurance advisor on cyber-coverage offerings. It’s not like car insurance where you make three decisions and you’re done.”
“Coverage for hacking has been around for quite a while, but they really don’t have a handle on it,” agreed Frederick Fisher, president of Fisher Consulting Group Inc., which specializes in professional risk management. “That’s because losses are hard to actuarily predict.”
The fact that policies are written on a claims-made-and-reported basis adds to the problem, according to Fisher. “They require that claims must be made against you during a policy term, and in addition, the insured must report the claim promptly to the insurance company during the policy term or the grace period, if there is one,” he said. “By my count alone there have been at least 70 appellate decisions all over the U.S. where a claim was denied because it was not reported on a timely basis.”
The problem arises in the definition of a “claim,” Fisher explained. “One of the key words is ‘claim,’ and by definition in most policies that can include a lawsuit, a written demand letter, or a commencement of an administration proceeding. None of those requires receipt by the insured. The filing of a lawsuit doesn’t mean the insured knows there’s a lawsuit against him — how do you report something you don’t know about? But the policy has been triggered.”
A TERRIFYING INCIDENT
There has recently been an increase of incidents with CPA firms that seem to follow a similar pattern, according to Rick Jorgensen, president of Jorgensen & Co., a broker and managing general underwriter in the professional liability field.
“The most recent involved unauthorized access to the insured’s tax accounting systems,” he said. “The attacker ‘backed up’ and viewed client files which included personally identifiable information such as Social Security numbers, addresses, dates of birth, and financial accounts.”
“The CPA firm became aware of this because it received notification that a return submitted through UltraTax CS for electronic filing was rejected,” said Jorgensen. “The CPA accessed the UltraTax CS activity log for the client in question and discovered that an unknown user had accessed the client file. The CPA firm immediately contacted its IT provider, and then contacted its main software provider, which created a multi-page log indicating that the user backed up the UltraTax CS database and then opened and closed clients one by one from ‘A’ through ‘S.’ It appears the access took place over the course of a week.”
“The only precursor to this event of which the CPA firm was aware was that a ‘cryptolocker Trojan’ was detected and removed from its server a few weeks earlier. The CPA firm has since learned that cryptolockers can carry other viruses and scripts as an undetected payload. Its server is hosted by an outside data center,” he added. “The takeaway from this is that if a CPA firm detects Trojan or other malware, even removal of this may not completely eradicate the problem, and a deeper scan may be necessary to discover the additional virus payload.”
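The log review Jorgensen describes (an unknown user, a database backup, then client files opened one after another over about a week) can be made repeatable. The Python below is an added example, not code from the article or from any software vendor: the pipe-delimited log format, user names and client codes are constructed for illustration and are not the UltraTax CS activity log format, and the roster of authorized users is an assumption. It flags users missing from the roster, a database backup by such a user, and a bulk alphabetical sweep through client files inside a time window.

```python
"""Flag the access pattern from the incident above in a tax-software activity log.

Added example, not the article's or any vendor's code. The log format, users and
client codes are constructed; the real UltraTax CS log format is not assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp | user | action | client code ('-' if none).
# 'svc_backup2' plays the unknown account from the incident.
SAMPLE_LOG = """\
2015-03-02 09:14:05|jsmith|OPEN_CLIENT|ADAMS-J
2015-03-02 09:40:12|jsmith|CLOSE_CLIENT|ADAMS-J
2015-03-03 02:11:40|svc_backup2|BACKUP_DATABASE|-
2015-03-03 02:15:02|svc_backup2|OPEN_CLIENT|ABBOTT-R
2015-03-03 02:15:09|svc_backup2|CLOSE_CLIENT|ABBOTT-R
2015-03-03 02:15:15|svc_backup2|OPEN_CLIENT|ADAMS-J
2015-03-03 02:15:20|svc_backup2|CLOSE_CLIENT|ADAMS-J
2015-03-03 02:15:27|svc_backup2|OPEN_CLIENT|BAKER-L
2015-03-03 02:15:33|svc_backup2|CLOSE_CLIENT|BAKER-L
2015-03-04 02:20:01|svc_backup2|OPEN_CLIENT|CARTER-M
2015-03-04 02:20:08|svc_backup2|CLOSE_CLIENT|CARTER-M
2015-03-04 10:02:44|mlee|OPEN_CLIENT|CARTER-M
"""

# Assumed firm roster of accounts that are allowed to use the tax software.
AUTHORIZED_USERS = {"jsmith", "mlee"}


def parse_log(text):
    """Turn the constructed log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, client = line.split("|")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "user": user, "action": action, "client": client})
    return events


def unknown_users(events, roster):
    """Accounts that appear in the log but are not on the firm's roster."""
    return sorted({e["user"] for e in events if e["user"] not in roster})


def backups_by_unknown_users(events, roster):
    """Database backups taken by accounts outside the roster."""
    return [(e["ts"], e["user"]) for e in events
            if e["action"] == "BACKUP_DATABASE" and e["user"] not in roster]


def bulk_openers(events, window=timedelta(days=7), threshold=3):
    """Users who opened at least `threshold` distinct clients within `window`.

    Returns {user: max distinct clients seen in any window}.
    """
    opens = defaultdict(list)
    for e in events:
        if e["action"] == "OPEN_CLIENT":
            opens[e["user"]].append((e["ts"], e["client"]))
    flagged = {}
    for user, items in opens.items():
        items.sort()
        best = 0
        for i, (t0, _) in enumerate(items):  # slide a window from each open
            distinct = {c for t, c in items[i:] if t - t0 <= window}
            best = max(best, len(distinct))
        if best >= threshold:
            flagged[user] = best
    return flagged


def alphabetical_sweep(events, user, minimum=3):
    """True if `user` opened clients in strictly alphabetical order ('A' onward)."""
    codes = [e["client"] for e in events
             if e["user"] == user and e["action"] == "OPEN_CLIENT"]
    return len(codes) >= minimum and codes == sorted(codes)


def review(text, roster=AUTHORIZED_USERS):
    """Combine the checks into one findings dict for a log excerpt."""
    events = parse_log(text)
    unknown = unknown_users(events, roster)
    return {
        "unknown_users": unknown,
        "backups_by_unknown": backups_by_unknown_users(events, roster),
        "bulk_openers": bulk_openers(events),
        "alphabetical_sweeps": [u for u in unknown if alphabetical_sweep(events, u)],
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The window and threshold are deliberately generous because, as the incident shows, the sweep ran over a week rather than in one burst; tuning them to a firm's normal workload is what keeps the check from flagging legitimate preparers during filing season.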
The claim will likely cost the insurer in excess of $50,000 for notification costs, reporting to various agencies and a forensic evaluation, according to Jorgensen.
An issue that will arise with greater frequency is the advanced persistent threat, Jorgensen indicated. “An advanced persistent threat is what happens when a hacker gets into a system and stays there very quietly. It doesn’t alert detection software, but leaves software there that copies keystrokes or copies system backups. It happens incrementally, not all at once, taking little bits of data over months.”
“The issue here is that your professional liability policies should be checked to make sure that they provide coverage for this,” said Jorgensen. “If you’re buying the policy now and it says that it doesn’t cover anything that happened before the policy comes into force, then you have a problem because these threats lurk there for some time. So if the initial attack occurred months ago and takes place over a long period of time, you have to check to make sure that it’s covered.”
These attacks are becoming more and more frequent, according to Jorgensen. “We have a client that was hacked by an Eastern European group that essentially ripped off his entire system. They took copies of all the tax returns prepared over prior years, and his system didn’t flag this. Often malware detection software will figure this out, but in his case it didn’t. It’s like a cancer that just eats away at the system.”
INSURERS RESPOND
“Cyber-liability is a burgeoning area,” agreed Mark Aubrey, a claims manager for insurer Camico. “We recently added a first-party [payable to the insured] liability endorsement. It’s added on to provide first-party coverage for cyber-breach and extortion. It covers the internal cost of the breach response — everything from internal remediation with the systems to notification expenses, up to and including credit monitoring.”
“We’ve had several situations where the policyholder has access to client funds as part of the engagement, and the client’s e-mail and voicemail get hacked,” noted Aubrey. “The CPA gets instructions to wire funds to a bank account. In one situation, the policyholder called the client and left a message, and received an e-mail back, supposedly from the client, saying, ‘I got your voicemail, this transaction is authorized.’ The software translated the voicemail into a text message, which is how the hackers found out about the voicemail.”
“We’re engaged in educating our policyholders to protect themselves. Voicemail is not really reliable,” observed Aubrey. “You should either have in-person contact or direct contact in that situation. My advice would be that CPAs should stay away from handling their client funds. If they do, they should take CPE and keep up with the latest trends in business management.”
An area of liability that Aubrey is seeing more of is “dabbling,” especially in smaller CPA firms. “When a CPA dabbles in areas that they don’t have expertise in there can be a problem,” he noted. “Lately we’ve seen cases involving trust services. The policyholder might be asked by a client or friend to serve as a trustee of a trust. This can be very detailed, and if the CPA isn’t familiar with all the ins and outs, they can get themselves into trouble. We’ve seen a number of cases in the past year where CPAs that don’t typically do trust work get into a situation where they’re clearly out of their depth and end up being sued.”
Occasionally, accountants will file a return late, or incur some sort of IRS penalty, and fail to immediately notify their carrier, noted Bill Thompson, president of CPA Mutual Insurance Co. “For whatever reason, they fail to report to us in a timely manner, because they think they will get the penalties abated. They should notify us immediately any time there’s a penalty, whether or not it’s below the deductible on the policy. If they don’t, it could void their coverage. We’ve seen a number of claims like that recently and we really shouldn’t. We want to know about these things as quickly as possible because we can help the firm.”
Another liability area that Thompson suggests CPAs be aware of is clients who become rich. “Wealthy clients are much more prone to litigation if mistakes are made, whether in filing a tax return or being involved in the acquisition or sale of another business,” he said. “If I were practicing, my antennae would go up if some of my clients became a little more prosperous. They have a hard time dealing with failure, so they look for someone else to blame. Many times it’s the CPA who bears the brunt of the blame.”
OTHER AREAS OF RISK
“States are becoming increasingly aggressive in enforcing the reporting of state and local income and sales taxes, and this can lead to liability for the accountant,” said Richard Witkowski, an attorney specializing in the defense of accountants. “The failure to report foreign assets is likewise leading to serious penalties for taxpayers, and potential liability for accountants.”
Data breaches don’t always involve the cyber area. “In one case, a professional left an accounting firm and took client files with her,” said Witkowski. “Her taking the files doesn’t end the responsibility of the firm. You need client permission to release records.”
“Accounting firms have liability exposure for client information, and if that is being hacked they can be in trouble in so many different ways,” he continued. “Firms have to decide whether to avoid the risk or transfer it to an insurance policy. It’s an emerging issue.”
Mark Zyla, a CPA and valuation specialist who is a managing director at Acuitas, noted that valuation is a controversial area that invites a growing level of scrutiny by regulators. “There has been an increasing scrutiny by the Securities and Exchange Commission and the Public Company Accounting Oversight Board as to how auditors are auditing the fair value measurements performed by outside valuation specialists,” said Zyla. “The increased scrutiny highlights the potential for litigation involving auditors or valuation specialists who practice in this area.”