
Why CPAs Should Consider Cyber Insurance

Posted by Gary Sutherland on Fri, Sep 22, 2017 @ 12:04 PM


CPAs keep vast troves of valuable personal data that cybercriminals are itching to get their fingers on.

So far, the most notorious CPA breaches have culminated in identity thefts that led to fraudulent tax returns. Those cases became the bane of recent tax seasons when victims tried to file their taxes with the IRS and found that a hacker had used their personal data to file a fraudulent return and get an illicit refund.

An IRS-led crackdown slashed those kinds of cases in half last year, USA Today reported, but that still amounted to 787,000 fraudulent returns processed in 2016 alone. And the crackdown is not exactly good news for CPAs. After all, the news headlines about tax-return fraud make CPAs an inviting target.

Why cybercriminals want to breach CPA firms

Let’s quickly review the kinds of private data CPAs have in their computer systems:

  • Full names and addresses
  • Social Security numbers
  • Telephone numbers
  • Bank account and routing numbers
  • Employment, income, and expense information
  • Brokerage information
  • Confidential client communications


It’s difficult to imagine what cybercriminals could not do with all this data. With names, addresses, and Social Security numbers, hackers can use phishing, malware, and other tactics to break into people’s home computers, access their logins to their banks and financial providers, and clean them out.

Another cybercriminal favorite, information on the financial condition of CPA clients is extremely valuable. And private email or text-message conversations between CPAs and clients can wreak havoc if they are made public. When these kinds of confidential information fall into the wrong hands, there’s no telling how much damage can be done. But it’s safe to say the liabilities could cripple many CPA organizations — if they lack cyber insurance.

Ransomware Underscores Risks CPAs Face

Ransomware is the most serious and insidious cyber threat to emerge in recent years. Cybercriminals using a range of tactics sneak into organizations’ computer networks, take up residence and wait for a vulnerable moment to strike — encrypting systems and demanding a ransom in return for decrypting them.

If undetected, these breaches can give cybercriminals widespread access to computer networks and the sensitive data within them. So, your CPA firm could pay the ransom to get your systems back online and still face the risk that private client data now belongs to cybercriminals.

What’s more, many ransomware attackers these days refuse to unlock computer systems after they get their money, potentially creating ruinous downtime for organizations that depend heavily on their computer networks.

Regulatory demands are expanding

New York State created new cyber security rules in 2017 for organizations that report to the state’s Department of Financial Services (DFS). Generally, CPA firms are not covered (yet), but given that many CPAs work with financial companies, they still need to be familiar with the regulations.

As CPA Journal put it: “In order to counsel these businesses, CPAs must understand the new regulations and their impact. In addition, it makes sense for CPA firms to be proactive in adopting the new regulations, as the profession itself is likely to be included in future regulatory efforts.”

New York’s rules provide a broad outline for safer cyber security practices. According to CPA Journal, New York’s rules require covered companies to:

  • Assess current risks to create a cybersecurity program and put cybersecurity policies in place.
  • Create a plan to dispose of nonpublic information they don’t need anymore.
  • Review and limit access privileges.
  • Ensure third-party service providers are secure.
  • Assign a chief information security officer (CISO).
  • Train employees and monitor authorized users.
  • Craft an incident-response plan.
  • Establish multifactor authentication.
  • Conduct penetration testing and vulnerability assessments.
  • Establish security policies for applications developed in-house.
  • Encrypt data at rest and in transit.
  • Establish an audit trail.

These kinds of practices reflect the principles of sound cyber hygiene that any firm would be well advised to follow (and may well have to if more states adopt the rules). Also, companies that implement programs and policies to secure private data can potentially reduce their overall liability in a breach (though this depends on the facts of an individual lawsuit).

With cyber risk rising every day, a comprehensive network-security program is just one component of a sound risk-management program. Another crucial component is a cyber insurance policy that can protect your organization if it becomes the target of litigation.

A cyber insurance policy for CPAs can cover legal liability from:

  • Theft, loss, or unauthorized disclosure of private data or third-party corporate information.
  • Failure to comply with state breach notice laws.
  • Failure to comply with the insured’s privacy policies.
  • Failure to administer an identity theft prevention program required by governmental regulation.
  • Unauthorized access, theft, or destruction of data.
  • Denial of service attacks and virus transmission involving the insured’s computer systems resulting from computer security breaches.

All these risks underscore why professionals like CPAs should look into cyber coverage from McGowanPRO. We can help CPAs in organizations of all sizes get the right cyber coverage for their exact needs.

If you would like to speak to a professional advisor concerning your company’s exposure to cyber risks, please contact Rob Ferrini at McGowanPRO. 508-656-1327 or 

Tags: cpas, CPA Alert, risk management, cyber

Trends in Claims Made Against Accountants

Posted by Alison Simons on Fri, Sep 18, 2015 @ 02:03 PM

Claim Statistics Review:

Over the last 20-plus years, claims against accountants have, in many ways, stayed the same.

Tax claims still represent over 50% of all claims.

The largest dollar claims involve “failure to detect” which includes theft, fraud and deliberate misstatements of income or expenses.

However, when you review claims statistics sometimes certain trends or percentages stand out.



1.) Tax Services

Improper tax advice or treatment:
  • Individual 55%
  • Corporate 61%

One interesting trend: math errors are down from 10% to under 5%.

2.) Audits

75% of claims come from the failure to detect theft, fraud, misstatements of revenue and/or expenses.

About 25% of audit claim errors are in report issuance or are classified as other.

3.) Compilations

Failure to detect accounts for more than 60% of all claims.

4.) Reviews

Failure to detect accounts for almost 70% of all claims.

5.) Bookkeeping (BK)

25% of all BK claims come from failure to detect fraud or theft.

Just under 10% of claims come from theft by the CPA Firm.

6.) Personal Financial Planning (PFP)

Not surprisingly, 71% of PFP claims result from improper advice or product sales, but 6% of claims involve theft by a CPA at the firm.

7.) Trustee and Non Trustee Services

About one third of the time (33%) claims relate to breach of fiduciary duties. The most difficult breach-of-fiduciary claims are those where the agreement or engagement is not well delineated or established.


Higher Risk Areas

Insurance Companies that defend accountants’ claims usually have areas of practice or practice concerns that they consider higher risk, and these change over the years. The services currently considered higher risk are:

  1. Business valuations
  2. Professional services for entertainment clients “A” rated*
  3. Non Trustee clients that have significant investment components
  4. Firms with very weak internal controls for data breach and data compromise

*“A” rated clients are considered to be clients that pay greater than $250,000 in annual fees.

Insurance companies may ask additional questions in these areas and may consider premium adjustments.

Business valuations performed by CPAs who hold additional designations continue to have far fewer claims than the same services provided by firms without them.

Suit-for-fee claims continue to decline as accounting firms now know the inherent risks of these actions. It is a tough decision: you have done the work and the client refuses to pay. Just remember that 50% of the clients that are sued do countersue the accounting firm.


Notable Claims

In the last 16 years we have seen several thousand claims, potential claims, and subpoenas. Some may say we have seen everything including the kitchen sink for alleged damages.

However, sometimes even we are surprised by the accusations:

Claim 1.) The cocaine dealer sued his accountant for their failure to advise him that his activities were illegal and that he was supposed to report his illegal income on his tax returns.

Claim 2.) The business “cash” client who alleged that his accountant taught him to only make cash deposits under $10,000 to avoid detection.

Claim 3.) The client who lived in a 17-room home with water views, had several expensive cars and huge travel expenses while only declaring income of under $50,000, claims his accountant should have known and advised him “to be careful”.

In conclusion, although claims statistics percentages haven’t changed significantly in the last twenty years, some statistics do stand out. Failure-to-detect claims in reviews, compilations and bookkeeping are eye-opening. When asked who steals in the CPA firm, our answer is most often the partner/owner; very rarely is it an employee of the firm. One other trend is that CPAs who have worked in their profession 12 or more years are more likely to be sued than less experienced accountants.

Tags: cpas, fraud, CPA Alert

Fraudulent Transfer Scams Plaguing CPAs & Advisors

Posted by Alison Simons on Fri, Aug 21, 2015 @ 08:56 AM

Be very wary of emails requesting transfers of funds from hacked accounts.

We've recently seen two phishing scams that have resulted in fraudulent client fund transfers. While the amounts are typically not large (under $50,000), in both cases there were multiple transfers. The losses are different but the claims are essentially identical.

Each of our insureds received an email requesting transfer of funds, and in both cases the email requested that monies be wire transferred from their accounts to a Wells Fargo account. These fraudulent emails included significant identifiable personal details and signatures on faked transfer forms. Signatures were verified against signatures from other valid transfers and determined to be authentic -- so they thought.

In one case the bank asked for a phone number to verify the transfer as the transfer form was slightly hard to read (red flag). An email was sent to the hacked account requesting a cell number to verify the transfer. In an email response the sender asked if they could call the bank to verify, and this was allowed as the caller had the correct banking information, social security number and other personal identifying information details to convince the bank to move forward and transfer the funds.

Both of our insureds' clients have been asked to be made whole, and we are in the process of determining the liability associated with each claim.

With one of these claims, the bank clearly has some liability as it did not follow proper protocol and allowed a deviation of standards by accepting a “call in” as opposed to the “bank calling out.”

(Side note: both of these clients are longstanding, very profitable accounts, and our insureds are trying to mitigate damages to maintain the relationship.)

OK, now that you have read the claim summary what’s next? Your office needs to take steps to reduce your liability while protecting and safeguarding your clients’ bank accounts.

Here are several steps that you should incorporate into your due diligence internal controls:

  1. Email requests must be verified by a second means of verification. In many cases a text message to a cell phone can ensure some protection. The theory is that hacked email accounts are usually operated from afar (Russia, China, West Africa), and the hackers would not be in possession of the cell phone. Additionally, the text message could include a request for an additional identification password that may not be known by hackers (for example, frequently we see questions like the name of their dog or the name of their high school). Also, often emails have been hacked weeks before the owner becomes aware, and the hacker waits to gather information to be used fraudulently. On the other hand, if your cell phone is missing for more than four hours you start to panic and take steps to prevent misuse.

  2. Be suspicious and examine emails closely, looking for ‘red flags’ such as misspelled words, forms that appear to be scanned and are slightly illegible, and salutations that are not consistent with other email correspondence. In some cases a word seems out of place or used incorrectly. In other cases our insureds received numerous follow-up emails asking for details on exactly when the transfer was completed, which showed a level of desperation.

  3. Include internal protocol procedures stipulating that your employees have a second person review and sign off. If possible, include the key person in the office who has the relationship with the client, as they may have more personal knowledge of the client and sense a fraudulent request.

  4. For larger transfers, elevate the due diligence, requiring absolute second live verification before transfer of funds.

  5. Consider adding language to the engagement letter that states you will make every effort to verify transfers, and in cases where you are unable to verify the validity of the transfer you will refuse until satisfied that it is an authentic request.


By incorporating these preventive measures, you could thwart criminal fraud, and you are building your defense should fraud occur.
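The five controls above can be expressed as one approval gate that a firm's transfer desk runs before releasing client funds. The following Python is an added example, not code from this post or from McGowanPRO/NAPLIA; the dollar threshold, field names and red-flag heuristics are assumptions chosen to illustrate the policy.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Assumed dollar threshold for "larger transfers" (step 4); the post names none.
LIVE_VERIFY_THRESHOLD = 25_000


@dataclass
class TransferRequest:
    amount: float
    via_email: bool                      # request arrived by email, so step 1 applies
    oob_verified: bool = False           # confirmed over a second channel, e.g. a text to the cell on file
    challenge_answered: bool = False     # extra shared-secret question answered correctly (step 1)
    live_verified: bool = False          # the firm placed a live call to a number on file (step 4)
    reviewers: Set[str] = field(default_factory=set)     # staff who reviewed and signed off (step 3)
    relationship_owner: str = ""         # person who holds the client relationship, if known
    red_flags: List[str] = field(default_factory=list)   # output of email_red_flags(), if any


def email_red_flags(salutation: str, known_salutation: str,
                    followup_count: int, form_legible: bool) -> List[str]:
    """Step 2 heuristics: compare the request against what is already known about the client."""
    flags = []
    if salutation.strip().lower() != known_salutation.strip().lower():
        flags.append("salutation differs from prior correspondence")
    if followup_count >= 2:
        flags.append("repeated follow-ups pressing for the transfer date")
    if not form_legible:
        flags.append("transfer form is scanned and partly illegible")
    return flags


def evaluate_transfer(req: TransferRequest) -> Tuple[bool, List[str]]:
    """Return (approved, reasons); approval requires every control to be satisfied."""
    reasons = []
    if req.via_email and not (req.oob_verified and req.challenge_answered):
        reasons.append("email request lacks second-channel verification with a challenge question")
    if req.amount >= LIVE_VERIFY_THRESHOLD and not req.live_verified:
        reasons.append("large transfer requires live verification before release")
    if len(req.reviewers) < 2:
        reasons.append("second-person review and sign-off is missing")
    if req.relationship_owner and req.relationship_owner not in req.reviewers:
        reasons.append("client relationship owner has not reviewed the request")
    if req.red_flags:
        reasons.append("unresolved red flags: " + "; ".join(req.red_flags))
    return (not reasons, reasons)
```

A request that fails any check is held with the list of reasons, which doubles as the written record of due diligence the engagement-letter language in step 5 refers to.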

Tags: accountants, CPA Alert, Information Security, liability

Mitigating CPA Malpractice

Posted by Tom Henell on Wed, Jan 23, 2013 @ 12:51 PM

Professional liability claims faced by CPAs will never be eradicated, but they can be reduced if solid risk management and constant adherence to professional standards are followed. Follow these techniques to help lessen exposure in the increasingly litigious environment in which CPAs practice.


Tags: accountants, CPA Alert, risk management, malpractice

Join our CPA Alert Linkedin Group

Posted by Tom Henell on Sun, Dec 09, 2012 @ 12:07 PM

The NAPLIA CPA Alert is a regular resource to provide our CPA, Accounting, and Bookkeeping clients with up-to-date information on topics that may directly impact their business.

Now, you can access these CPA Alerts via our new Linkedin Group.

Simply join here!

In addition to your professional liability (errors & omissions) insurance, education is the foundation of a strong Risk Management strategy. NAPLIA is leading the industry in providing our clients with sample engagement letters, topical articles, White Papers, and more.

Tags: CPA Alert, NAPLIA, Linkedin