NAPLIA's Professional Liability Blog

NAPLIA Now Offers BIZLock® Cyber Liability Coverage

Posted by Rob Ferrini on Fri, Nov 18, 2016 @ 11:43 AM

Because of the growing cybercrime epidemic, NAPLIA now offers BIZLock® Cybercrime Protection, a comprehensive cyber insurance program specifically designed for small to medium-sized professional firms.

Cybercrime Creates Very Serious Exposures…

  • Incident response obligations and the associated forensic, PR, legal and notification expenses
  • Liability arising from the loss or theft of the personal information of others within your control
  • Cyber extortion and ransomware (thieves lock down your system and hold it for ransom)
  • Regulatory fines and penalties
  • Payment card industry fines and penalties
  • Losses arising from the theft of Business Identifying Information (BII)
  • Business interruption losses and more


Watch our 3-minute video for a quick highlight: IFI Chalk Talk VIDEO.


Program Summary:

  • Limits from $50,000 to $1MM
  • Premiums ranging from $569 to $1,999 per year (annual revenues less than $10MM)
  • Retentions/Deductibles at $1,000
  • Essential Risk management / Compliance tools
  • Incident Response On-Demand™ – Comprehensive 24/7 claims and remediation/resolution services provided by the BIZLock team and its panel of experts
  • Simple application and instant coverage, subject to qualification


Protect your business today. Click here to obtain instant pricing, limit options and actual coverage. Or, copy and paste this URL into your browser


BIZLock is quick, simple and vital to help secure your business against today’s evolving cyber risks. 


Don’t risk becoming a victim of cybercrime without having a professional solution and remedy standing behind you.  Protect yourself against cybercrime with BIZLock.


For more information:


Rob Ferrini | Program Manager | NAPLIA

Direct: 508.656.1327 | Toll Free: 866.262.7542, ext. 1327 | Fax: 508.656.1399

Tags: cyber

Cyber Claims in 2016

Posted by Gary Sutherland on Wed, Jul 27, 2016 @ 02:36 PM

The first six months of 2016 show cyber claims increasing 56% over 2015

Hacking and Malware claims are up by 62%

Professional service firms cyber claims are about 14.5% of all cyber claims reported



*According to specialty insurer Beazley

Tags: cyber

Advice and apps to stay organized in a world full of information

Posted by Gary Sutherland on Thu, Jun 09, 2016 @ 11:57 AM

I have written before on the enormous amount of information available on a daily basis and on how hard it is to keep up with the sheer volume of content. I, like many, try to keep as current as I can, but have also decided I can no longer fret over it; there isn’t enough time in the day.

There is one tool that I use and enjoy; it is called “getpocket”. This is an app that can sit on your browser bar and allows you to click the + feature and add the story, article, video or other content to a saved folder within “getpocket” for later reading or review.

This is helpful when I see something useful but am unable to read it now but do not want to forget it or lose it.

There are two versions of “getpocket”: a free version and a paid version (less than $50 per year). The paid version allows for sub-folders and no pop-up ads.

Speaking of apps, I have 68 phone apps, many of which I use frequently. My current favorites are the flashlight, local weather and a new one called “Truecaller”. Truecaller identifies incoming calls and even marks many as “SPAM”. I can also block incoming calls with one easy click.

This is a real time saver as I no longer pick up sales calls on my cell phone thinking it must be important or urgent if they are calling my cell phone.

I was curious about the number of phone apps available, and it stands at about 1.5 million different phone applications, so I guess my 68 is within reason?

I have also discovered the best time for me to read and comprehend new information is in the morning, preferably early with my coffee, probably because I have hit the 60 age group category.

Disclaimer: I have no affiliation with and do not derive any benefits from the above-mentioned vendors.

Tags: cyber

NAPLIA leaders present “What You Need to Know About Cybersecurity” at fi360 conference in San Diego

Posted by Gary Sutherland on Thu, Mar 31, 2016 @ 05:18 PM

For Immediate Release

April 4, 2016

Framingham, MA - North American Professional Liability Insurance Agency, LLC (NAPLIA) is pleased to announce that CEO Gary Sutherland, CIC MLIS, and Senior Vice President Paul Smith, AIF, will be panelists in a presentation titled “What You Need to Know About Cybersecurity” at the fi360 conference in San Diego, California on April 7, 2016.

The Cybersecurity panel presentation will discuss current best-in-class breach prevention tools and procedures, how to prepare for an OCIE Examination with a focus on Cyber and Privacy Liability prevention, and how insurance can be used as a defense of last resort. Additional topics include why Cybersecurity matters, what firm leaders need to know about preventing a breach, and how to prevent a breach from shutting down your firm for good.

“It is an honor to share our expertise in Cybersecurity at the fi360 conference, which attracts 600 financial services industry leaders. Cybersecurity is a hot topic because it has so many facets and it can be devastating for affected firms,” says Gary Sutherland, CEO, NAPLIA.

The third panelist in the Cybersecurity panel presentation is Brian Edelman, CEO, Financial Computer, Inc. The panel will be moderated by Tom Schrandt, AIF®, Vice President, Lockton Affinity, LLC.


NAPLIA has specialized in providing Fiduciary Liability Insurance to Plan Sponsors since 1998, in concert with Professional Liability (errors & omissions) and related insurance products for Accountants, Investment Advisors, Attorneys, and other professionals. No other national agency can match our personal service and expertise in the risks associated with operating under ERISA, and no other independent agency can match our national recognition for excellence in the Qualified Plan and Investment Advisory insurance and bonding space. Learn more at 



Tags: NAPLIA, cyber

Video: CPA Firms have a target on their back

Posted by Gary Sutherland on Mon, Mar 21, 2016 @ 09:24 AM

NAPLIA's Stephen Vono was interviewed by Accounting Today for a video on cyber security for CPA firms. His message: you have a target on your back!


Tags: cyber, cpa

Beware of new ransomware Cryptowall 4.0

Posted by Gary Sutherland on Fri, Nov 20, 2015 @ 10:50 AM

We read with interest a brief article on the Robinson + Cole website that "a new version of the notorious and nasty ransomware Cryptowall, dubbed Cryptowall 4.0, has hit the scene."

Cryptowall 4.0 departs from the earlier strategy of locking a computer entirely: it is able to change the names of specific files, so you won't be able to find them on your drive.

The primary way Cryptowall 4.0 infects a computer is through a zip file attachment that looks like a resume, though presumably the file name could be different. So, be vigilant about downloading files from emails, particularly from senders you don't recognize or in messages that look suspicious.

It is also a good idea to back up your data frequently.

Read the full article

Tags: cyber

NAPLIA ebook Chapter 2:  Removing client files from the office

Posted by Alison Simons on Fri, Sep 11, 2015 @ 09:24 AM

When client files are removed from the office there is an increased risk of loss. It’s easy for an employee to misplace a USB stick, leave important documents on a train or have a company laptop stolen, and client files may then be available to (often non-traceable) third parties. Firms should therefore only remove client files from the office when such files are necessary for reference in client meetings.

Permission for removal should always be obtained from a manager, and portable devices that hold client files should always be encrypted (see guidelines in Chapter 3). Client files should not be stored on portable storage media (e.g., USB sticks, smartphones, tablets) or laptops for longer than the period of active use if such devices will be removed from the office. Client data should be deleted from such devices when no longer required.

The partner or officer responsible for information security or compliance within your firm should be advised immediately if client files are lost outside of the office. This step is critical to allow you to comply with your incident notification policies and manage any additional damage that the disclosure may cause.

Employees may be reluctant to report a loss, but a firm needs to communicate to its employees the importance of compliance under firm policies as well as under law. One approach to minimize the risk of non-reporting, at least with regard to electronic media, is for the company to permit only company-issued electronic storage media to store client files and to keep an inventory of such media. This inventory documents all devices that have access to client files. Keeping the inventory up to date and running regular device checks can provide early notification of losses that may otherwise remain undetected.

Attention should also be paid to the potential for employees to remove client files at the end of their employment. Portable devices, physical documents and even hard drives may easily leave with a departing employee, either as an oversight or an act of malice. The associated risks can be minimized with measures including:

  • A departing employee checklist: This checklist ensures that all company-issued devices (and the client files that they may contain) are returned before the employee leaves the company.
  • A media sanitization policy that extends to employees’ personal devices: This provision ensures that client files are removed from devices that do not fall under the company’s direct control.

Responsibility for these measures will be more effective if assigned to a named representative. The representative will in most cases be the departing employee’s direct superior.

Check back each month for a new chapter of the NAPLIA cyber ebook.

Tags: employment, risk management, cyber

Cyber tip: How often to change passwords

Posted by Alison Simons on Thu, Aug 06, 2015 @ 03:10 PM

As insurance agents we deal with applications every single day, yet when I have to fill one out I have the same reaction as my insureds: “I hate applications”.

However, there are times when an application is a good thing, like a cyber application.

The cyber application is designed to ask risk management questions that hopefully provide some insight on cyber exposures.

For example: How often do you change passwords?

Most applicants answer anywhere from 90 days to once a year.

So what is the best answer? Monthly.

We all get careless with passwords, and we are never sure if they have fallen into the wrong hands.

Changing passwords monthly ensures a better risk management landscape; it also makes employees responsible for managing their passwords rather than treating them as an afterthought.

The main reasons given for not changing passwords are “I have so many” and “I can never remember them”; in reality, this applies more to passwords that you may only use once in a while. To help safeguard your business network, passwords should be used every time you log on. One common error when choosing passwords is that the employee uses the same login as their personal bank account or Amazon account.

This puts the business at risk: when any of their personal accounts is hacked, the hacker goes fishing for other easy computer systems connected to that individual.

Let’s look at a recent case of password hacking. Employee Alice’s Facebook account was taken over without her knowledge, and the attackers used this information to gain access to her Amazon account, where her credit card information was stored. Alice’s Gmail account was the next hacking opportunity: using a combination of personal information and her birth date, they were able to guess her password.

Alice had several work e-mails in her personal account, so they next went after her work e-mail. The first password tried on her employer’s system was her Gmail account password, and instantly they were in the company’s server.

Hackers know that people re-use one password for many applications (log-ins). With Alice’s work e-mail account accessible, a series of e-mails was sent pretending to be Alice to capture additional confidential information. Think about a co-worker sending an e-mail requesting information that appears to be legitimate; most of us would respond. In this case human resources was sent an e-mail asking for her personal banking information, explaining that her direct deposit account had been hacked and she needed to change the account prior to the next pay period.

Fortunately there was no theft of funds; the HR person called Alice and the jig was up. However, that was not the end of the story for Alice’s company. The company was concerned that its data may have been compromised and brought in an outside forensic IT company to ascertain any data breaches. Calls were also made to its attorney to review whether this was a reportable event to state regulatory agencies.

All company passwords were changed and remote access for outside employees was shut off. It was several long days before the business was back to normal. Although the company escaped any real threat, there were still significant costs incurred, not including lost employee time and production.

Alice was able to notify all her credit card and banking relationships and re-establish her social media accounts. Hundreds of fake e-mails were sent posing as her to friends and family, and several months later she is still monitoring all of her accounts closely.

The moral of the story: employers need to carefully monitor passwords. Passwords should have all of the following attributes:*

  • At least 10 characters long

  • A mix of lower-case, upper-case, numeric and non-alphabetic characters

  • No words found in the dictionary (English or a foreign language)

  • No more than two consecutive characters

  • No common names or terms

  • No simple pattern

In conclusion: changing passwords every 30 days helps mitigate potential unauthorized access. Firm rules should strictly prohibit employees from using work passwords for personal accounts. Training employees to protect and secure passwords is one way to try to avoid hacking incidents. So when the cyber application asks how often you change passwords, weigh your answer against the 30-day benchmark from a risk perspective.
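As an added illustration (not NAPLIA's or the handbook's own tooling), here is a small Python checker that enforces the six password attributes listed above against a candidate password. The word lists are constructed stand-ins, and two readings are assumptions: "no more than two consecutive characters" is taken as no run of three identical characters, and "no simple pattern" as no three-character ascending or descending sequence.

```python
import string

# Constructed stand-in word lists; a real deployment loads full dictionaries.
DICTIONARY_WORDS = {"password", "summer", "welcome", "dragon", "letmein"}
COMMON_NAMES = {"alice", "bob", "john", "mary"}
MIN_LENGTH = 10


def has_required_mix(pw):
    """Lower case, upper case, a digit and a non-alphabetic symbol all present."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def contains_listed_word(pw, words, min_len=4):
    """True if a listed word of min_len+ letters is embedded in pw (case-insensitive)."""
    lowered = pw.lower()
    return any(w in lowered for w in words if len(w) >= min_len)


def has_repeated_run(pw, max_run=2):
    """Assumption: 'no more than two consecutive characters' means no run of
    three or more identical characters ('aaa', '111')."""
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        if run > max_run:
            return True
    return False


def has_sequential_run(pw, length=3):
    """Assumption: 'no simple pattern' covers ascending or descending code-point
    sequences of `length` characters such as 'abc', '321' or 'XYZ'."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - length + 1):
        window = codes[i:i + length]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw):
    """Return the policy rules pw violates; an empty list means compliant."""
    rules = [
        (len(pw) < MIN_LENGTH, "too short"),
        (not has_required_mix(pw), "missing character class"),
        (contains_listed_word(pw, DICTIONARY_WORDS), "dictionary word"),
        (contains_listed_word(pw, COMMON_NAMES), "common name"),
        (has_repeated_run(pw), "repeated characters"),
        (has_sequential_run(pw), "sequential pattern"),
    ]
    return [label for failed, label in rules if failed]
```

Running `check_password` over a proposed password returns every rule it breaks at once, which is more useful to an employee than a bare reject.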


*Taken from the Cyber and Data Security Handbook, written by Eric Hess for NAPLIA, July 2015.

Tags: Data Breach, NAPLIA, Information Security, identity theft, cyber, records

NAPLIA ebook Question 1: Destruction and archiving of old client files

Posted by Alison Simons on Tue, Aug 04, 2015 @ 09:53 AM

A record archival and destruction policy represents the last stage in a firm’s data lifecycle management strategy. A strong policy should cover all of the following points:

  • Identification and classification of records: The firm’s various types of records should be listed and a classification system and process should be established. Potential record types include firm records, client records and work product records.

  • Retention/archive/destruction scheduling: Separate schedules should be established for the retention, archiving and destruction of various types of records. These schedules should match federal, state and local regulations and industry-specific requirements. Records subject to litigation holds may require special handling.

  • Archiving of closed client matters: Paper and electronic materials should be gathered into a single file. Duplicates and materials that are not classified as records should be destroyed as part of the archiving process.

  • Designation of destruction requirements: Destruction methods should reflect the firm’s obligations to client confidentiality. Paper documents should be shredded or incinerated, and data storage devices should be physically destroyed rather than overwritten.

  • Establishment of a destruction log: A log must be created as a permanent record of the firm’s activities. The log should include the client involved, a description of the documents being destroyed, the employee who performed the destruction and the employee who signed off on the destruction.

  • Examination requirements: Destruction should not occur until the employee responsible for the client file has verified that the retention period has properly run for all data sets contained within the file. The employee should also verify that no litigation hold has been placed on any of the file’s components. Any parts that have been placed on a litigation hold should be separately archived for the duration of the hold. These retention extensions should be used only in exceptional cases. The exceptions should be documented in the extended file along with the reason for the exception and the employee who authorized it.

A record archival and destruction policy is only effective if the firm has the required resources to ensure its consistent implementation. Effort can be spared through automation in many instances, e.g. dynamic archiving tools can automatically move older data to storage, duplicate documents can be deleted automatically prior to archiving, records can be classified and searched automatically, data can be captured automatically from applications that are being decommissioned, and destruction tools can automatically delete files, emails and documents.

Check back each month for a new chapter of the NAPLIA cyber ebook.

Tags: NAPLIA, cyber, records