
Why CPAs Should Consider Cyber Insurance

Posted by Gary Sutherland on Fri, Sep 22, 2017 @ 12:04 PM


CPAs keep vast troves of valuable personal data that cybercriminals are itching to get their fingers on.

So far, the most notorious CPA breaches have culminated in identity thefts that led to fraudulent tax returns. Those cases became the bane of recent tax seasons when victims tried to file their taxes with the IRS and found that a hacker had used their personal data to file a fraudulent return and get an illicit refund.

An IRS-led crackdown slashed those kinds of cases in half last year, USA Today reported, but that still amounted to 787,000 fraudulent returns processed in 2016 alone. And the crackdown is not exactly good news for CPAs. After all, the news headlines about tax-return fraud make CPAs an inviting target.

Why cybercriminals want to breach CPA firms

Let’s quickly review the kinds of private data CPAs have in their computer systems:

  • Full names and addresses
  • Social Security numbers
  • Telephone numbers
  • Bank account and routing numbers
  • Employment, income, and expense information
  • Brokerage information
  • Confidential client communications


It’s difficult to imagine what cybercriminals could not do with all this data. With names, addresses, and Social Security numbers, hackers can use phishing, malware, and other tactics to break into people’s home computers, access their logins to their banks and financial providers, and clean them out.

Information on the financial condition of CPA clients is another cybercriminal favorite and is extremely valuable. And private email or text-message conversations between CPAs and clients can wreak havoc if they are made public. When these kinds of confidential information fall into the wrong hands, there is no telling how much damage can be done. But it is safe to say the liabilities could cripple many CPA organizations that lack cyber insurance.

Ransomware Underscores Risks CPAs Face

Ransomware is the most serious and insidious cyber threat to emerge in recent years. Cybercriminals using a range of tactics sneak into organizations’ computer networks, take up residence and wait for a vulnerable moment to strike — encrypting systems and demanding a ransom in return for decrypting them.

If undetected, these breaches can give cybercriminals widespread access to computer networks and the sensitive data within them. So, your CPA firm could pay the ransom to get your systems back online and still face the risk that private client data now belongs to cybercriminals.

What’s more, paying is no guarantee of recovery: some ransomware operators never deliver a working decryptor after they get their money, potentially creating ruinous downtime for organizations that depend heavily on their computer networks.

Regulatory demands are expanding

New York State created new cyber security rules in 2017 for organizations that report to the state’s Department of Financial Services (DFS). Generally, CPA firms are not covered (yet), but given that many CPAs work with financial companies, they still need to be familiar with the regulations.

As CPA Journal put it: “In order to counsel these businesses, CPAs must understand the new regulations and their impact. In addition, it makes sense for CPA firms to be proactive in adopting the new regulations, as the profession itself is likely to be included in future regulatory efforts.”

New York’s rules provide a broad outline for safer cyber security practices. According to CPA Journal, New York’s rules require covered companies to:

  • Assess current risks to create a cybersecurity program and put cybersecurity policies in place.
  • Create a plan to dispose of nonpublic information they don’t need anymore.
  • Review and limit access privileges.
  • Ensure third-party service providers are secure.
  • Assign a chief information security officer (CISO).
  • Train employees and monitor authorized users.
  • Craft an incident-response plan.
  • Establish multifactor authentication.
  • Conduct penetration testing and vulnerability assessments.
  • Establish security policies for applications developed in-house.
  • Encrypt data at rest and in transit.
  • Establish an audit trail.

These kinds of practices reflect principles of sound cyber hygiene that any firm would be well advised to follow (and may well have to if more states adopt similar rules). Also, companies that implement programs and policies to secure private data can potentially reduce their overall liability in a breach (though this depends on the facts of an individual lawsuit).

With cyber risk rising every day, a comprehensive network-security program is just one component of a sound risk-management program. Another crucial component is a cyber insurance policy that can protect your organization if it becomes the target of litigation.

A cyber insurance policy for CPAs can cover legal liability from:

  • Theft, loss, or unauthorized disclosure of private data or third-party corporate information.
  • Failure to comply with state breach notice laws.
  • Failure to comply with the insured’s privacy policies.
  • Failure to administer an identity theft prevention program required by governmental regulation.
  • Unauthorized access, theft, or destruction of data.
  • Denial of service attacks and virus transmission involving the insured’s computer systems resulting from computer security breaches.

All these risks underscore why professionals like CPAs should look into cyber coverage from McGowanPRO. We can help CPAs in organizations of all sizes get the right cyber coverage for their exact needs.

If you would like to speak to a professional advisor concerning your company’s exposure to cyber risks, please contact Rob Ferrini at McGowanPRO. 508-656-1327 or 

Tags: cpas, CPA Alert, risk management, cyber

NAPLIA Now Offers BIZLock® Cyber Liability Coverage

Posted by Rob Ferrini on Fri, Nov 18, 2016 @ 11:43 AM

Because of the growing cybercrime epidemic, NAPLIA now offers BIZLock® Cybercrime Protection, a comprehensive cyber insurance program specifically designed for small to medium sized professional firms.

Cybercrime Creates Very Serious Exposures…

  • Incident response obligations and the associated forensic, PR, Legal and notification expenses
  • Liability arising from the Loss/theft of the personal information of others within your control
  • Cyber extortion and Ransomware (thieves lock down your system and hold it for ransom)
  • Regulatory fines and penalties
  • Payment card industry fines and penalties
  • Losses arising from the theft of Business Identifying Information or BII
  • Business interruption losses and more


Watch our 3 minute video for a quick highlight: IFI Chalk Talk VIDEO.


Program Summary:

  • Limits from $50,000 to $1MM
  • Premiums ranging between $569 to $1999 per year (annual revenues less than $10MM)
  • Retentions/Deductibles at $1,000
  • Essential Risk management / Compliance tools
  • Incident Response On-Demand™ – Comprehensive 24/7 claims and remediation/resolution services provided by the BIZLock team and its panel of experts
  • Simple application and instant coverage, subject to qualification


Protect your business today. Click here to obtain instant pricing, limit options and actual coverage. Or, copy and paste this URL into your browser


BIZLock is quick, simple and vital to help secure your business against today’s evolving cyber risks. 


Don’t risk becoming a victim of cybercrime without having a professional solution and remedy standing behind you.  Protect yourself against cybercrime with BIZLock.


For more information-


Rob Ferrini | Program Manager | NAPLIA

Direct: 508.656.1327 | Toll Free: 866.262.7542, ext. 1327 | Fax: 508.656.1399

Tags: cyber

Cyber Claims in 2016

Posted by Gary Sutherland on Wed, Jul 27, 2016 @ 02:36 PM

The first six months of 2016 show cyber claims increasing 56% over 2015

Hacking and Malware claims are up by 62%

Professional service firms cyber claims are about 14.5% of all cyber claims reported



*According to specialty insurer Beazley

Tags: cyber

Advice and apps to stay organized in a world full of information

Posted by Gary Sutherland on Thu, Jun 09, 2016 @ 11:57 AM

I have written before on the enormous amount of information available on a daily basis and on how hard it is to keep up with the sheer volume of content. I, like many, try to keep as current as I can, but I have also decided I can no longer fret over it; there isn’t enough time in the day.

There is one tool that I use and enjoy; it is called “getpocket”. This is an app that can sit on your browser bar and lets you click the + feature to add a story, article, video, or other content to a saved folder within “getpocket” for later reading or review.

This is helpful when I see something useful but am unable to read it now but do not want to forget it or lose it.

There are two versions of “getpocket” a free version and a paid version (less than $50 per year). The paid version allows for sub folders and no pop up ads.

Speaking of apps, I have 68 phone apps, many of which I use frequently. My current favorites are the flashlight, local weather, and a new one called “Truecaller”. Truecaller identifies incoming calls and even marks many as “SPAM”. I can also block incoming calls with one easy click.

This is a real time saver as I no longer pick up sales calls on my cell phone thinking it must be important or urgent if they are calling my cell phone.

I was curious about the number of phone apps available, and it stands at about 1.5 million different phone applications, so I guess my 68 is within reason?

I have also discovered the best time for me to read and comprehend new information is in the morning, preferably early with my coffee, probably because I have hit the 60 age group category.

Disclaimer: I have no affiliation and do not derive any benefits for the above mentioned vendors.

Tags: cyber

NAPLIA leaders present “What You Need to Know About Cybersecurity” at fi360 conference in San Diego

Posted by Gary Sutherland on Thu, Mar 31, 2016 @ 05:18 PM

For Immediate Release

April 4, 2016

Framingham, MA - North American Professional Liability Insurance Agency, LLC (NAPLIA) is pleased to announce that CEO, Gary Sutherland, CIC MLIS, and Senior Vice President, Paul Smith, AIF, will be panellists in a presentation titled “What You Need to Know About Cybersecurity” at the fi360 conference in San Diego, California on April 7, 2016.

The Cybersecurity panel presentation will discuss current best in class breach prevention tools and procedures, how to prepare for an OCIE Examination with a focus on Cyber and Privacy Liability prevention, and how insurance can be used as a defense of last resort.  Additional topics include why Cybersecurity matters, what firm leaders need to know about preventing a breach, and how to prevent a breach from shutting down your firm for good.

“It is an honor to share our expertise in Cybersecurity at the fi360 conference, which attracts 600 financial services industry leaders. Cybersecurity is a hot topic because it has so many facets and it can be devastating for affected firms,” says Gary Sutherland, CEO, NAPLIA.

The third panelist in the Cybersecurity panel presentation is Brian Edelman, CEO, Financial Computer, Inc.  The panel will be moderated by Tom Schrandt, AIF®, Vice President, Lockton Affinity, LLC.


NAPLIA has specialized in providing Fiduciary Liability Insurance to Plan Sponsors since 1998, in concert with Professional Liability, (errors & omissions) and related insurance products for Accountants, Investment Advisors, Attorneys, and other professionals. No other national agency can match our personal service and expertise in the risks associated with operating under ERISA; and no other independent agency can match our national recognition for excellence in the Qualified Plan and Investment Advisory insurance and bonding space.  Learn more at 



Tags: NAPLIA, cyber

Video: CPA Firms have a target on their back

Posted by Gary Sutherland on Mon, Mar 21, 2016 @ 09:24 AM

NAPLIA's Stephen Vono was interviewed by Accounting Today for a video on cyber security for CPA firms.  His message - you have a target on your back!


Tags: cyber, cpa

Beware of new ransomware Cryptowall 4.0

Posted by Gary Sutherland on Fri, Nov 20, 2015 @ 10:50 AM

We read with interest a brief article on the Robinson + Cole website that "a new version of the notorious and nasty ransomware Cryptowall, dubbed Cryptowall 4.0, has hit the scene."

Cryptowall 4.0 behaves differently from earlier versions: besides encrypting the contents of files, it also scrambles their names, so you can no longer tell which files are which on your drive.

The primary way Cryptowall 4.0 infects a computer is through an email attachment: a zip file containing what looks like a resume, though the file name could presumably be anything. So be vigilant about downloading files from emails, particularly from senders you don't recognize or in messages that look suspicious.

It is also a good idea to back up your data frequently, and to keep at least one copy offline or otherwise out of reach of your network, since ransomware also encrypts any backups it can get to.
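The lure described above can be checked mechanically at the mail gateway or in a triage script. The following Python is an added example, not code from the original post or from Robinson + Cole: it builds a constructed sample email carrying a resume.zip whose member Resume.pdf.js is a script hiding behind a document-style double extension, then inspects every ZIP attachment for executable or script members, double extensions, and password-protected entries (a common way to slip past antivirus). The extension lists, sender and recipient addresses are assumptions for illustration.

```python
"""Inspect e-mail attachments for the CryptoWall-style lure: a ZIP archive that
carries an executable or script dressed up as a document (added example)."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from pathlib import PurePosixPath

# Extensions Windows runs on double-click. Illustrative, deliberately incomplete list.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".lnk", ".jar"}
# Extensions a victim expects in a "resume" attachment.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".txt", ".xls", ".xlsx"}


def risky_zip_members(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member_name, reason) pairs for suspicious entries in a ZIP archive."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid ZIP file")]
    for info in archive.infolist():
        if info.is_dir():
            continue
        suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
        last = suffixes[-1] if suffixes else ""
        if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
            findings.append((info.filename, "password-protected entry (scanner evasion)"))
        if last in EXECUTABLE_EXTS:
            if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTS:
                findings.append((info.filename, f"document extension hiding {last} executable"))
            else:
                findings.append((info.filename, f"executable content ({last})"))
        elif not last:
            findings.append((info.filename, "no extension; may be a disguised executable"))
    return findings


def inspect_message(raw: bytes) -> list[tuple[str, str]]:
    """Parse a raw RFC 5322 message and report risky attachments as (where, reason)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        # Trust the magic bytes, not just the declared name or content type.
        is_zip = payload.startswith(b"PK\x03\x04") or name.lower().endswith(".zip")
        if is_zip:
            for member, reason in risky_zip_members(payload):
                findings.append((f"{name}:{member}", reason))
        elif PurePosixPath(name).suffix.lower() in EXECUTABLE_EXTS:
            findings.append((name, "bare executable attachment"))
    return findings


def build_sample_lure() -> bytes:
    """Constructed sample: a 'resume' e-mail whose resume.zip holds Resume.pdf.js."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Resume.pdf.js", "var s = new ActiveXObject('WScript.Shell');")
        z.writestr("cover_letter.txt", "Please find my resume attached.")
    msg = EmailMessage()
    msg["From"] = "applicant@example.com"          # assumed sender
    msg["To"] = "hr@example-cpa.com"               # assumed recipient
    msg["Subject"] = "Application - resume attached"
    msg.set_content("Hi, my resume is attached as requested.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="resume.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for where, reason in inspect_message(build_sample_lure()):
        print(f"BLOCK {where}: {reason}")
```

The return value is a list of findings, so an empty list means nothing suspicious was seen; a gateway would quarantine anything reported. The check does not descend into nested archives, and a password-protected ZIP can be flagged but not inspected, which is exactly why attackers use them.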

Read the full article

Tags: cyber

NAPLIA ebook Chapter 2:  Removing client files from the office

Posted by Alison Simons on Fri, Sep 11, 2015 @ 09:24 AM

When client files are removed from the office there is an increased risk of loss. It’s easy for an employee to misplace a USB stick, leave important documents on a train or have a company laptop stolen, and client files may then be available to (often non-traceable) third parties. Firms should therefore only remove client files from the office when such files are necessary for reference in client meetings.

Permission for removal should always be obtained from a manager, and portable devices that hold client files should always be encrypted (see guidelines in Chapter 3). Client files should not be stored on portable storage media (e.g., USB sticks, smartphones, tablets, etc.) or laptops for longer than the period of active use if such devices will be removed from the office. Client data should be deleted from such devices when no longer required.

The partner or officer responsible for information security or compliance within your firm should be advised immediately if client files are lost outside of the office. This step is critical to allow you to comply with your incident notification policies and manage any additional damage that the disclosure may cause.

Employees may be reluctant to report a loss, but a firm needs to communicate to its employees the importance of compliance with firm policies as well as with the law. One approach to minimize the risk of non-reporting, at least with regard to electronic media, is for the company to permit only company-issued electronic storage media to store client files and to keep an inventory of such media. This inventory documents all devices that have access to client files. Keeping the inventory up to date and running regular device checks can provide early notification of losses that might otherwise remain undetected.

Attention should also be paid to the potential for employees to remove client files at the end of their employment. Portable devices, physical documents and even hard drives may easily leave with a departing employee, either as an oversight or an act of malice. The associated risks can be minimized with measures including:

  • A departing employee checklist: This checklist ensures that all company-issued devices (and the client files that they may contain) are returned before the employee leaves the company.
  • A media sanitization policy that extends to employees’ personal devices: This provision ensures that client files are removed from devices that do not fall under the company’s direct control.

These measures will be more effective if responsibility for them is assigned to a named representative, in most cases the departing employee’s direct superior.

Check back each month for a new chapter of the NAPLIA cyber ebook.

Tags: employment, risk management, cyber

Cyber tip: How often to change passwords

Posted by Alison Simons on Thu, Aug 06, 2015 @ 03:10 PM

As insurance agents we deal with applications every single day, yet when I have to fill one out I have the same reaction as my insureds: “I hate applications”.

However there are times when an application is a good thing, like a cyber-application.

The cyber application is designed to ask risk management questions that hopefully provide some insight on cyber exposures.

For example: How often do you change passwords?

Most applicants answer anywhere from 90 days to once a year.

So what is the best answer? Monthly

We all get careless with passwords, and we are never sure whether they have fallen into the wrong hands.

Changing passwords monthly makes for a better risk-management landscape; it also makes employees responsible for managing their passwords rather than treating them as an afterthought.

The main reasons given for not changing passwords are “I have so many” and “I can never remember them”; in reality, that applies more to passwords you use only once in a while. To help safeguard your business network, a password should be required every time you log on. One common error is that the employee uses the same password for work as for their personal bank account or Amazon account.

This puts the business at risk whenever any of their personal accounts is hacked and the attacker goes looking for other easy-to-reach computer systems connected to that individual.

Let’s look at a recent case of password hacking. Employee Alice’s Facebook account was taken over without her knowledge, and the attackers used the information in it to gain access to her Amazon account, where her credit card information was stored. Alice’s Gmail account was the next target: using a combination of her personal information and birth date, they were able to guess her password.

Alice had several work e-mails in her personal account, so they went after her work e-mail next. The first password they tried on her employer’s system was her Gmail password, and instantly they were in the company’s server.

Hackers know that people re-use one password for many applications (log-ins). With Alice’s work e-mail account accessible, a series of e-mails was sent pretending to be Alice in order to capture additional confidential information. Think about a co-worker sending an e-mail requesting information that appears to be legitimate; most of us would respond. In this case human resources was sent an e-mail asking for her personal banking information, explaining that her direct deposit account had been hacked and she needed to change the account before the next pay period.

Fortunately there was no theft of funds: the HR person called Alice and the jig was up. However, that was not the end of the story for Alice’s company. Concerned that its data may have been compromised, the company brought in an outside forensic IT firm to ascertain whether any data breach had occurred. Calls were also made to its attorney to review whether this was an event reportable to state regulatory agencies.

All company passwords were changed and remote access for outside employees was shut off. It was several long days before the business was back to normal. Although the company escaped any real harm, there were still significant costs incurred, not including lost employee time and productivity.

Alice was able to notify all her credit card and banking relationships and re-establish her social media accounts. Hundreds of fake e-mails had been sent to friends and family posing as her, and several months later she is still monitoring all of her accounts closely.

The moral of the story: employers need to manage passwords carefully. Passwords should have all of the following attributes:*

  • At least 10 characters long

  • A mix of lower case, upper case, and non-alphabetic characters and numbers

  • No words found in the dictionary (English or a foreign language)

  • No more than two identical or sequential characters in a row (e.g., “aaa” or “abc”)

  • No common names, terms

  • No simple pattern

In conclusion: changing passwords every 30 days helps limit the window in which a compromised password can be used. Establish rules that strictly prohibit employees from using work passwords for personal accounts. Training employees to protect and secure passwords is one way to avoid hacking incidents. So when the cyber application asks how often you change passwords, reflect on your answer from a risk perspective; 30 days is the answer to aim for.


*Taken from the Cyber and Data Security Handbook written by Eric Hess in July 2015 for NAPLIA
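The attribute list above can be turned into a checker that tells an employee (or the help desk) exactly which rule a proposed password breaks. The following Python is an added example, not code from the post or from the NAPLIA handbook. The word list and keyboard rows are constructed placeholders, and the “no more than two consecutive characters” rule is implemented as “no run of more than two identical or sequential characters”, which is one reading of that rule.

```python
"""Password policy checker for the six attributes listed in the post (added example)."""
import string

MIN_LENGTH = 10
# Constructed stand-in for a real dictionary and common-name list. A deployment
# would load a full word list and, ideally, a list of known-breached passwords.
DICTIONARY = {"password", "welcome", "summer", "winter", "alice", "boston", "admin",
              "letmein", "qwerty", "monkey", "dragon", "football"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def _has_long_run(pw: str, limit: int = 2) -> bool:
    """True if more than `limit` identical or sequential characters appear in a row."""
    low = pw.lower()
    same = seq = 1
    for prev, cur in zip(low, low[1:]):
        same = same + 1 if cur == prev else 1
        seq = seq + 1 if ord(cur) - ord(prev) in (1, -1) else 1   # abc, cba, 123, 321
        if same > limit or seq > limit:
            return True
    return False


def _has_simple_pattern(pw: str) -> bool:
    """Catch keyboard walks, short repeated units and near-single-character passwords."""
    low = pw.lower()
    if len(set(low)) <= 2:                         # e.g. "abababab"
        return True
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - 3):              # any 4-key walk along a row, either way
            walk = row[i:i + 4]
            if walk in low or walk[::-1] in low:
                return True
    for unit in range(1, len(low) // 2 + 1):       # e.g. "abc!abc!abc!"
        if len(low) % unit == 0 and low == low[:unit] * (len(low) // unit):
            return True
    return False


def _dictionary_hits(pw: str) -> list[str]:
    """Dictionary words or common names of four or more letters embedded in the password."""
    low = pw.lower()
    return sorted(w for w in DICTIONARY if len(w) >= 4 and w in low)


def check_password(pw: str) -> list[str]:
    """Return the list of policy rules the password violates (empty list = compliant)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    if not all(classes):
        problems.append("needs lower case, upper case, digits and non-alphabetic characters")
    hits = _dictionary_hits(pw)
    if hits:
        problems.append("contains dictionary word(s) or common name(s): " + ", ".join(hits))
    if _has_long_run(pw):
        problems.append("more than two identical or sequential characters in a row")
    if _has_simple_pattern(pw):
        problems.append("simple or repeated pattern")
    return problems


if __name__ == "__main__":
    for candidate in ("Summer2015!", "Abc123!!xyz", "aaaa", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The return value is the list of violations, so an empty list means the password passes all six rules; run it at password-change time, never against stored passwords (which should only ever exist as salted hashes). One caveat on the rotation interval: guidance published after this post (NIST SP 800-63B, 2017) advises against forced periodic changes unless compromise is suspected, favouring length, breach-list screening and multifactor authentication; the password-reuse problem in Alice’s story is unaffected by that change and remains the thing to prohibit.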

Tags: Data Breach, NAPLIA, Information Security, identity theft, cyber, records

NAPLIA ebook Question 1: Destruction and archiving of old client files

Posted by Alison Simons on Tue, Aug 04, 2015 @ 09:53 AM

A record archival and destruction policy represents the last stage in a firm’s data lifecycle management strategy. A strong policy should cover all of the following points:

  • Identification and classification of records: The firm’s various types of records should be listed and a classification system and process should be established. Potential record types include firm records, client records and work product records. 

  • Retention/archive/destruction scheduling: Separate schedules should be established for the retention/archive/destruction of various types of records. These schedules should match with federal, state and local regulations and industry-specific requirements. Records subject to litigation holds may require special handling. 

  • Archiving of closed client matters: Paper and electronic materials should be gathered into a single file. Duplicates and materials that are not classified as records should be destroyed as part of the archiving process. 

  • Designation of destruction requirements: Destruction methods should reflect the firm’s obligations to client confidentiality. Paper documents should be shredded or incinerated and data storage devices should be physically destroyed rather than overwritten. 

  • Establishment of a destruction log: A log must be created as a permanent record of the firm’s activities. The log should include the client involved, a description of the documents being destroyed, the employee who performed the destruction and the employee who signed off on the destruction. 

  • Examination requirements: Destruction should not occur until the employee responsible for the client file has verified that the retention period has properly run for all data sets contained within the file. The employee should also verify that no litigation hold has been placed on any of the file’s components. Any parts that have been placed on a litigation hold should be separately archived for the duration of the hold. These retention extensions should be used only in exceptional cases. The exceptions should be documented in the extended file along with the reason for the exception and the employee who authorized it.

A record archival and destruction policy is only effective if the firm has the required resources to ensure its consistent implementation. Effort can be spared through automation in many instances, e.g. dynamic archiving tools can automatically move older data to storage, duplicate documents can be deleted automatically prior to archiving, records can be classified and searched automatically, data can be captured automatically from applications that are being decommissioned, and destruction tools can automatically delete files, emails and documents.
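The examination and logging requirements above are the part of this policy most worth automating, because a file is eligible for destruction only when every data set in it has run its retention period and none is under hold. The following Python is an added example, not code from the NAPLIA ebook: it models a client file as a set of classified data sets, computes each set’s retention end date, refuses destruction if any component blocks it, and writes the log entry the policy calls for. The retention periods, record classes, client names and the rule that the approver must differ from the person destroying are assumptions for illustration; a real schedule comes from the firm’s regulatory and industry requirements.

```python
"""Retention check and destruction log for a client file (added example)."""
from dataclasses import dataclass, field
from datetime import date

# Retention in years per record class. Constructed illustrative values.
RETENTION_YEARS = {"firm": 7, "client": 7, "work_product": 10}


@dataclass
class DataSet:
    name: str
    record_class: str        # key into RETENTION_YEARS
    closed_on: date          # retention runs from the date the record closed
    litigation_hold: bool = False


@dataclass
class ClientFile:
    client: str
    data_sets: list[DataSet] = field(default_factory=list)


def retention_end(ds: DataSet) -> date:
    """Date on which the retention period for one data set has fully run."""
    years = RETENTION_YEARS[ds.record_class]
    try:
        return ds.closed_on.replace(year=ds.closed_on.year + years)
    except ValueError:       # 29 February plus N years lands on 28 February
        return ds.closed_on.replace(year=ds.closed_on.year + years, day=28)


def destruction_decision(f: ClientFile, today: date) -> tuple[bool, list[str]]:
    """Return (eligible, blockers). Eligible only when every data set's retention
    has run and no component is under litigation hold; blockers name each reason."""
    blockers = []
    for ds in f.data_sets:
        if ds.record_class not in RETENTION_YEARS:
            blockers.append(f"{ds.name}: unclassified record class '{ds.record_class}'")
            continue                                   # cannot compute a schedule for it
        if ds.litigation_hold:
            blockers.append(f"{ds.name}: litigation hold in place")
        end = retention_end(ds)
        if today < end:
            blockers.append(f"{ds.name}: retention runs until {end.isoformat()}")
    return (not blockers, blockers)


def log_destruction(f: ClientFile, today: date, performed_by: str,
                    approved_by: str, log: list[dict]) -> dict:
    """Append a permanent log entry; refuses ineligible files and self-approval
    (the two-person rule is an added assumption, not stated in the ebook)."""
    eligible, blockers = destruction_decision(f, today)
    if not eligible:
        raise ValueError("not eligible for destruction: " + "; ".join(blockers))
    if performed_by == approved_by:
        raise ValueError("sign-off must come from someone other than the destroyer")
    entry = {"date": today.isoformat(), "client": f.client,
             "documents": [ds.name for ds in f.data_sets],
             "performed_by": performed_by, "approved_by": approved_by}
    log.append(entry)
    return entry


# Constructed sample files (fictional clients and dates).
ACME = ClientFile("Acme Corp", [
    DataSet("2010 tax returns", "client", date(2010, 4, 15)),
    DataSet("2008 correspondence", "client", date(2009, 1, 10), litigation_hold=True),
])
BETA = ClientFile("Beta LLC", [
    DataSet("2009 audit work papers", "work_product", date(2009, 12, 31)),
])


if __name__ == "__main__":
    for f in (ACME, BETA):
        print(f.client, destruction_decision(f, date(2018, 6, 1)))
    destruction_log: list[dict] = []
    print(log_destruction(BETA, date(2020, 1, 1), "j.doe", "m.roe", destruction_log))
```

Each data set is evaluated on its own schedule, so a single held or still-retained component is enough to block the whole file, which is the policy’s intent; the blocker list doubles as the documentation the “exceptions” clause asks for when a retention extension is granted.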

Check back each month for a new chapter of the NAPLIA cyber ebook.

Tags: NAPLIA, cyber, records