McGowanPRO Professional Liability Blog / Resources / Articles

Why CPAs Should Consider Cyber Insurance

Posted by Gary Sutherland on Fri, Sep 22, 2017 @ 12:04 PM


CPAs keep vast troves of valuable personal data that cybercriminals are itching to get their fingers on.

So far, the most notorious CPA breaches have culminated in identity thefts that led to fraudulent tax returns. Those cases became the bane of recent tax seasons when victims tried to file their taxes with the IRS and found that a hacker had used their personal data to file a fraudulent return and get an illicit refund.

An IRS-led crackdown slashed those kinds of cases in half last year, USA Today reported, but that still amounted to 787,000 fraudulent returns processed in 2016 alone. And the crackdown is not exactly good news for CPAs. After all, the news headlines about tax-return fraud make CPAs an inviting target.

Why cybercriminals want to breach CPA firms

Let’s quickly review the kinds of private data CPAs have in their computer systems:

  • Full names and addresses
  • Social Security numbers
  • Telephone numbers
  • Bank account and routing numbers
  • Employment, income, and expense information
  • Brokerage information
  • Confidential client communications


It’s difficult to imagine what cybercriminals could not do with all this data. With names, addresses, and Social Security numbers, hackers can use phishing, malware, and other tactics to break into people’s home computers, access their logins to their banks and financial providers, and clean them out.

Another cybercriminal favorite is information on the financial condition of CPA clients, which is extremely valuable. And private email or text-message conversations between CPAs and clients can wreak havoc if they are made public. When these kinds of confidential information fall into the wrong hands, there’s no telling how much damage can be done. But it’s safe to say the liabilities could cripple many CPA organizations if they lack cyber insurance.

Ransomware Underscores Risks CPAs Face

Ransomware is the most serious and insidious cyber threat to emerge in recent years. Cybercriminals using a range of tactics sneak into organizations’ computer networks, take up residence and wait for a vulnerable moment to strike — encrypting systems and demanding a ransom in return for decrypting them.

If undetected, these breaches can give cybercriminals widespread access to computer networks and the sensitive data within them. So, your CPA firm could pay the ransom to get your systems back online and still face the risk that private client data now belongs to cybercriminals.

What’s more, many ransomware attackers these days refuse to unlock computer systems after they get their money, potentially creating ruinous downtime for organizations that depend heavily on their computer networks.

Regulatory demands are expanding

New York State created new cyber security rules in 2017 for organizations that report to the state’s Department of Financial Services (DFS). Generally, CPA firms are not covered (yet), but given that many CPAs work with financial companies, they still need to be familiar with the regulations.

As CPA Journal put it: “In order to counsel these businesses, CPAs must understand the new regulations and their impact. In addition, it makes sense for CPA firms to be proactive in adopting the new regulations, as the profession itself is likely to be included in future regulatory efforts.”

New York’s rules provide a broad outline for safer cyber security practices. According to CPA Journal, New York’s rules require covered companies to:

  • Assess current risks to create a cybersecurity program and put cybersecurity policies in place.
  • Create a plan to dispose of nonpublic information they don’t need anymore.
  • Review and limit access privileges.
  • Ensure third-party service providers are secure.
  • Assign a chief information security officer (CISO).
  • Train employees and monitor authorized users.
  • Craft an incident-response plan.
  • Establish multifactor authentication.
  • Conduct penetration testing and vulnerability assessments.
  • Establish security policies for applications developed in-house.
  • Encrypt data at rest and in transit.
  • Establish an audit trail.

These kinds of practices reflect the principles of sound cyber hygiene that any firm would be well advised to follow (and may well have to if more states adopt the rules). Also, companies that implement programs and policies to secure private data can potentially reduce their overall liability in a breach (though this depends on the facts of an individual lawsuit).

With cyber risk rising every day, a comprehensive network-security program is just one component of a sound risk-management program. Another crucial component is a cyber insurance policy that can protect your organization if it becomes the target of litigation.

A cyber insurance policy for CPAs can cover legal liability from:

  • Theft, loss, or unauthorized disclosure of private data or third-party corporate information.
  • Failure to comply with state breach notice laws.
  • Failure to comply with the insured’s privacy policies.
  • Failure to administer an identity theft prevention program required by governmental regulation.
  • Unauthorized access, theft, or destruction of data.
  • Denial of service attacks and virus transmission involving the insured’s computer systems resulting from computer security breaches.

All these risks underscore why professionals like CPAs should look into cyber coverage from McGowanPRO. We can help CPAs in organizations of all sizes get the right cyber coverage for their exact needs.

 If you would like to speak to a professional advisor concerning your company’s exposure to cyber risks, please contact Rob Ferrini at McGowanPRO. 508-656-1327 or 

Tags: cpas, CPA Alert, risk management, cyber

VIDEO:  Engagement Letters as a Life Preserver with Stephen Vono

Posted by Gary Sutherland on Wed, Mar 02, 2016 @ 01:24 PM

Stephen Vono, Partner, NAPLIA was interviewed by Accounting Today on the importance of Engagement Letters for CPA firms.

Watch the video on the Accounting Today website.

For sample engagement letters, visit



Tags: cpas, risk management, engagement letters

You are who Google says you are

Posted by Gary Sutherland on Mon, Oct 26, 2015 @ 03:03 PM

 Recently, while attending a conference in Las Vegas, I went to one of the sessions on social media.

The tag line was:  “You are who Google says you are”

The audience was made up of some heavy users, several novices and the majority of folks like me, interested but not always sure of the business benefits.

LinkedIn was the most talked about form of social media with 90% of the audience having a profile.

However, discussions were framed around using LinkedIn not just as an online business card (create your profile and leave) but rather as a networking group and prospective lead generator. Advanced LinkedIn searches were shown, along with how to query to find prospects in a variety of ways.

They used several keyword examples and narrowed them down to locations within 50 miles, then used the industry tab to create a more focused, targeted approach.

Within 30 seconds the search criteria produced valuable results that could be used as a prospecting tool. The search can be saved and exported to your CRM database system.

To wrap up the message on LinkedIn: “do not be idle”

  • Join groups
  • Check to see what your competitors are doing
  • Add content and share
  • Prospect
  • Add new connections

The next item on the agenda was websites and to ask the “why” questions.

Why do you want people to find your website?

In best practices all of the below would be included, but without asking the “why” question is it relevant?

  • Learn who we are and what we do
  • Answer common questions or concerns
  • To add value to existing clients
  • Wow potential clients
  • Provide content or education
  • Give consumers confidence in your abilities
  • Provide them with a “click bait” (an action point to generate interactive actions on behalf of the consumer)

Many website templates look like everyone else’s: just flat, static information and no call-to-action touch points.

Consider that the first impression of your website happens in under 10 seconds; potential visitors will move on to the next website if you cannot answer the “why” questions.

NAPLIA is dedicated to continually adding valuable resources to our website that we share through LinkedIn.  Please visit our site often and like our company page or join one of our LinkedIn groups.   We'd love to hear from you!


Tags: cpas, NAPLIA, social media policy, Linkedin

Trends in Claims Made Against Accountants

Posted by Alison Simons on Fri, Sep 18, 2015 @ 02:03 PM

Claim Statistics Review:

Over the last 20 plus years, claims against accountants have, in many ways, stayed the same.

Tax claims still represent over 50% of all claims.

The largest dollar claims involve “failure to detect” which includes theft, fraud and deliberate misstatements of income or expenses.

However, when you review claims statistics sometimes certain trends or percentages stand out.



1.) Tax Services

Improper tax advice or treatment:
  • Individual 55%
  • Corporate 61%

One interesting trend: math errors are down from 10% to under 5%.

2.) Audits

75% of claims come from the failure to detect theft, fraud, misstatements of revenue and/or expenses

About 25% of audit claim errors are in reports issuance or are classified as other. 

3.) Compilations

Failure to detect accounts for more than 60% of all claims

4.) Reviews

Failure to detect accounts for almost 70% of all claims

5.) Bookkeeping (BK)

25% of all BK claims come from failure to detect fraud or theft.

Just under 10% of claims come from theft by the CPA Firm.

 6.) Personal Financial Planning (PFP)

Not surprisingly, 71% of PFP claims result from improper advice or product sales, but 6% of claims involve theft by a CPA at the firm. 

7.) Trustee and Non Trustee Services

About one third of the time (33%) claims relate to breach of fiduciary duties. The most difficult breach of fiduciary claims are where the agreement or engagement is not well delineated or established.


Higher Risk Areas

Insurance Companies that defend accountants’ claims usually have areas of practice or practice concerns that they consider higher risk, and these change over the years. The services currently considered higher risk are:

  1. Business valuations
  2. Professional services for entertainment clients “A” rated*
  3. Non Trustee clients that have significant investment components
  4. Firms with very weak internal controls for data breach and data compromise

*“A” rated clients are considered to be clients that pay greater than $250,000 in annual fees.

Insurance companies may ask additional questions in these areas and may consider premium adjustments.

For business valuations, firms whose CPAs have additional designations continue to have far fewer claims than firms that provide the same services without them.

Suit for fee claims continue to decline as accounting firms now know the inherent risks of these actions. It is a tough decision: you have done the work and the client refuses to pay. Just remember that 50% of the clients that are sued do countersue the accounting firm.


Notable Claims

In the last 16 years we have seen several thousand claims, potential claims, and subpoenas.  Some may say we have seen everything including the kitchen sink for alleged damages.

However, sometimes even we are surprised by the accusations:

Claim 1.) The cocaine dealer sued his accountant for their failure to advise him that his activities were illegal and that he was supposed to report his illegal income on his tax returns.

Claim 2.) The business “cash” client who alleged that his accountant taught him to only make cash deposits under $10,000 to avoid detection.

Claim 3.) The client who lived in a 17 room home with water views, had several expensive cars and huge travel expenses while only declaring income of under $50,000, claims his accountant should have known and advised him “to be careful”.

In conclusion, although claims statistics percentages haven’t changed significantly in the last twenty years, some statistics do stand out. Failure to detect claims in reviews, compilations and bookkeeping are eye opening. When asked who steals in the CPA firm, our answer is most often the partner/owner; very rarely is it an employee of the firm. One other trend is that CPAs who have worked in their profession 12 or more years are more likely to be sued than less experienced accountants.

Tags: cpas, fraud, CPA Alert

Announcing CPA ProSecure: New Errors and Omissions Insurance Program for Accounting Firms

Posted by Alison Simons on Wed, Aug 05, 2015 @ 01:04 PM

North American Professional Liability Insurance Agency, LLC (NAPLIA) is pleased to announce an exclusive Errors and Omissions insurance program designed specifically for accounting and consulting firms called CPA ProSecure.

CPA ProSecure is underwritten by The Rockhill Insurance Group, a wholly owned subsidiary of the State Auto Group, rated A-Excellent by A.M. Best. Founded in 1921, State Auto Group is one of only 59 companies to have an A.M. Best rating of “A” for 75 years. State Auto has provided 96 consecutive quarters of dividends.

NAPLIA insures 1000’s of accounting firms in all 50 states. John Raspante, CPA, MST, CDFA, heads up our Risk Management team, and Ralph Picardi, our Hot-line Attorney/CPA, heads up our legal team. Both regularly assist all clients in best practices, claims mitigation and engagement letters as well as website reviews.

“We sat down last year and created a wish list of the important features we wanted to enhance in our professional liability program. We used this as the foundation for CPA ProSecure. We chose Rockhill Insurance because they embraced our vision and supported our desire to provide a more comprehensive program.” – Stephen Vono, CFO/Principal

NAPLIA offers “more than just a policy.” See our website for additional resources:

Tags: accountants, cpas, errors & omissions, NAPLIA, professional liability

Hurricane Sandy relief through retirement plan hardship distributions and loans

Posted by Tom Henell on Tue, Dec 18, 2012 @ 01:12 PM

Much has been written regarding the exception from the hardship distribution rules for retirement plan distributions and loans resulting from Hurricane Sandy. IRS Announcement 2012-44 fully addresses the rules governing these hardship distributions and loans. CPAs need to make their clients aware of this relief, but equally important, make them aware of the misconceptions and the tax impact of such a distribution. Many professional liability claims originate from the failure to clearly explain and document to clients the projected tax effect of retirement plan distributions.

This article addresses the IRS announcement and several misconceptions associated with the announcement. 

Tags: accountants, cpas, IRS

Massachusetts Supreme Court holds that limitation periods may be shortened by contract

Posted by Tom Henell on Tue, Dec 11, 2012 @ 10:19 AM

Creative Playthings Franchising, Corp v. James A. Reiser, Jr., 463 Mass. 758 (2012)

The Supreme Judicial Court, Suffolk County, Duffly, J., held that a limitations period in a contract shortening the time within which claims must be brought was valid and enforceable under Massachusetts law, under certain conditions. A limitations period in a contract shortening the time within which claims must be brought is valid and enforceable under Massachusetts law, if the claim arises under the contract, and the agreed-upon limitations period is subject to negotiation by the parties, is not otherwise limited by controlling statute, is reasonable, is not a statute of repose, and is not contrary to public policy.

Nancy Reimer, attorney for LeClairRyan of Boston, stresses the relevance of this ruling for CPAs. Attorney Reimer suggests accountants include a provision in their engagement letters limiting the time in which a claim can be brought to 2 years, or less depending on the circumstances of the engagement. Reimer stated, "We typically include clauses like this in letters we draft and have not had any issues with them, but now we have a definitive ruling from the SJC as to their validity."

Reimer further clarified that contract limitations are determined on a state-by-state basis. Although this ruling is great for Massachusetts, not all states concur. Florida, for example, has a statute stating a party cannot limit the SOL period.

Tags: accountants, cpas, engagement letter, engagement letters

Email Retention- Does your firm have a policy?

Posted by Tom Henell on Mon, Jun 04, 2012 @ 03:33 PM

Email has become the de facto tool for professional and personal communication. However, the ease with which we use email also creates significant exposure to our firms. The use of "E-discovery" is increasing in the courts, and many firms wait until it is too late to address important internal policies.

Roman Kepczyk, CPA.CITP, does a great job in this article of outlining the exposures created by email and the importance of a solid email retention policy.

In addition, see NAPLIA's resources on Record Retention here

Tags: accountants, cpas, file retention, email retention

War Story: Why Coverage Matters (Client Identity Theft)

Posted by Tom Henell on Tue, Apr 24, 2012 @ 01:33 PM

One of NAPLIA’s long-term clients recently received a competitive quote from another agency for their accountant’s professional liability insurance. The quote was $170.00 lower than their existing premium. Despite a discussion with the client regarding policy differences and the benefits of their existing program, the insured elected to go for the minimal premium savings.

They stated they were comfortable with the new agent’s representation of the coverage “being equal”.

Two months into the policy, one of the accountant’s laptops, which contained confidential client information, was stolen from their office. The theft occurred over a weekend and was not discovered until Monday morning.

The accountant called his new agent and was informed that there was coverage in place, but to a limited extent. The agent provided the accountant with the carrier’s toll free hotline to get additional information and support. The additional information amounted to a single piece of advice: secure local legal representation, at the accountant’s expense, to determine the extent of the security breach.

At a loss, our former client remembered the discussion with our office regarding Identity Theft coverage and called our office.

Although no longer a client, NAPLIA was able to assist the accountant with the following:

  • NAPLIA provided the accountant with their specific state’s security breach laws.
  • Upon review of the relevant state security breach law, NAPLIA determined that under the relevant circumstances, they were only required to notify any client whose personal information was not encrypted in a reasonable manner. 
  • NAPLIA provided a sample security breach letter that the accountant could use to send to these clients.
  • NAPLIA provided the accountant free access to our Attorney / CPA to assist him with additional questions.
  • NAPLIA explained the difference between “first party” and “third party” liability relevant to a client data breach.
  • NAPLIA reviewed their current policy and determined their first party coverage was limited to $1,000.

In hindsight, the accountant requested that we review the difference in coverage between the policy they had with NAPLIA and their new policy.

The policy they left with NAPLIA provided $25,000 for first party Cyber Liability in comparison to the $1,000 with their new policy.

The accountant had moved their coverage to save $170, and within two months realized that NAPLIA’s resources and service alone negated the premium savings. In addition, the new policy was not “equal” to their previous coverage leaving them with significant exposures.

The moral of this real story is to understand that not all policies are the same and coverage does indeed matter more than premium savings.

Tags: accountants, Data Breach, cpas, identity theft

Electronic Discovery impact on Record Retention Policies

Posted by Tom Henell on Fri, Mar 30, 2012 @ 11:09 AM

Historically, malpractice insurers have stressed the importance of record retention policies for CPA and other professional firms, and the need to consistently apply those policies.

The advent of Electronic Discovery (e-discovery) has clearly muddied the waters. Just the financial costs alone, arguably, will cause plaintiffs to settle early in litigation.

The Pippins v. KPMG LLP case is a grim reminder of the need to have consistent, written record retention policies that are clearly articulated to clients, preferably in engagement letters or stand-alone letters.

CPAs should review state boards of accountancy rules and regulations, the AICPA rules, taxing authority rules, and those of other regulatory bodies such as the SEC and GAO.

See NAPLIA Resources on Record Retention

Tags: record retention, accountants, cpas, NAPLIA