McGowanPRO Professional Liability Blog / Resources / Articles

The Investment Professional’s Guide to Errors & Omissions Insurance

Posted by Alison Simons on Mon, Sep 28, 2015 @ 01:20 PM

The Investment Advisor’s Guide to Errors & Omissions Insurance offers exclusive insight providing: 

  • Clarity to the Insurance Evaluation Process 
  • Specific Guidance and Roadmap to Improved Outcomes 
  • Risk Management Resources for your Practice

What are insurance underwriters looking for in an investment advisor’s application for errors & omissions (aka professional liability) insurance? It is a question that we are often asked, and due to the complexity of the risk, the answer is never simple.

Applicants’ unique risk characteristics are not always apparent – even to themselves.


The Investment Advisor’s Guide to Errors & Omissions Insurance will help you anticipate areas of underwriter concern as it relates to your specific investment practice, helping you internally evaluate your risk exposures and better define your activities and professional services.

In several chapters we have offered our opinions which are based on 20-plus years of negotiating insurance coverages and working in the investment advisory space. Naturally, we cannot promise that all insurance carriers follow the same guidelines — or treat similar information uniformly — as we make clear in the following pages.

We have tried to anticipate questions — from the most basic to the more nuanced — while digging deeper into the prevailing wisdom of current underwriting concerns and carrier tendencies. We will update this guide as newly-defined and evolving risk exposures find their way into our applications.

The object of this guide is not solely the reduction of premium or pricing, nor does it suggest altering your application in any way that is not 100% accurate to circumvent the concern of adverse underwriting (because doing so could potentially void coverage). It is far more important to make sure that coverage is correct and exposures are covered without gaps, or that any deficiencies are understood and assessed appropriately.

If you have questions about errors & omissions insurance, please contact us. We'd be glad to answer any questions or help you review a competitive quote.

Tags: errors & omissions, risk management, NAPLIA

NAPLIA Underwriter Hanover Insurance Group named to Forbes list

Posted by Alison Simons on Fri, Aug 14, 2015 @ 09:49 AM


Forbes assessed more than 700 publicly-traded financial institutions and honored just 50 companies.  Among the honorees is Hanover Insurance Group, an underwriter on many of NAPLIA's products. Hanover's inclusion on the list places the company among many successful and admired financial organizations in the country.  In fact, Hanover is the only national carrier to make the list.

Tags: NAPLIA

NAPLIA's Paul Smith Attends Family Office Conference in NYC

Posted by Alison Simons on Mon, Aug 10, 2015 @ 09:07 AM


Paul J. Smith, SVP of NAPLIA’s Investment Advisory Division, is seen below at the Family Office, Chief Investment Officers Conference, held in NYC on August 7th and 8th.

 

The Conference was part of the Wilson Conference Series, 2015, held in connection with their Family Office Club, the world’s largest organization connecting (ultra-high-net-worth) single and multi-family offices around the globe.

 

Paul attended the conference to meet with attendees and discuss NAPLIA’s unique risk management expertise in mitigating Executive Liability and Cyber risk through well-designed insurance and best practices in the Cyber space.

 

The Conference was well attended, with over 150 Family Office Executives, and 25 plus speakers from the Hedge Fund / Limited Partnership space, to respected academicians in the Alternative Investment community. 

Tags: NAPLIA

Cyber tip: How often to change passwords

Posted by Alison Simons on Thu, Aug 06, 2015 @ 03:10 PM

As an insurance agent we deal with applications every single day, yet when I have to fill one out, I have the same reaction as my insureds: “I hate applications.”

However, there are times when an application is a good thing, such as a cyber application.

The cyber application is designed to ask risk management questions that hopefully provide some insight on cyber exposures.

For example: How often do you change passwords?

Most applicants answer anywhere from 90 days to once a year.

So what is the best answer? Monthly.

We all get careless with passwords, and we are never sure if they have fallen into the wrong hands.

Changing passwords monthly ensures a better risk management landscape; it also makes employees responsible for managing their passwords rather than treating them as an afterthought.

The main reasons given for not changing passwords are “I have so many” and “I can never remember them”; in reality, however, this is more consistent with passwords that you may only use once in a while. To help safeguard your business network, passwords should be used every time you log on. One common error when choosing passwords is that the employee uses the same login as for their personal bank account or Amazon account.

This puts the business at risk when any of their other personal accounts is hacked and the hacker goes phishing for other easy computer systems connected to that individual.

Let’s look at a recent case of password hacking. Employee Alice’s Facebook account was taken over without her knowledge, and the attackers used this information to gain access to her Amazon account, where her credit card information was stored. Alice’s Gmail account was the next hacking opportunity: they were able to guess her password using a combination of personal information and her birth date.

Alice had several work e-mails in her personal account, so they went after her work e-mail next. The first password tried on her employer’s system was her Gmail account password, and instantly they were in the company’s server.

Hackers know that people re-use passwords or use one password for many applications (log-ins). With Alice’s work e-mail account accessible, a series of e-mails was sent pretending to be Alice to capture additional confidential information. Think about a co-worker sending an e-mail requesting information that appears to be legitimate; most of us would respond. In this case human resources was sent an e-mail asking for her personal banking information, explaining that her direct deposit account was hacked and she needed to change the account prior to the next pay period.

Fortunately, there was no theft of funds: the HR person called Alice, and the jig was up. However, that was not the end of the story for Alice’s company. The company was concerned that its data may have been compromised and brought in an outside forensic IT company to ascertain any data breaches. Calls were also made to their attorney to review whether this was a reportable event to state regulatory agencies.

All company passwords were changed and remote access from outside employees was shut off. It was several long days before the business was back to normal. Although the company escaped any real threat, there were still significant costs incurred not including lost employee time and production.

Alice was able to notify all her credit cards and banking relationships and re-establish her social media accounts. Hundreds of fake e-mails were sent posing as herself to friends and family and several months later she is still monitoring all of her accounts closely.

The moral of the story: employers need to carefully monitor passwords. Passwords should have all of the following attributes:*

  • At least 10 characters long

  • A mix of lower case, upper case, and non-alphabetic characters and numbers

  • No words found in the dictionary (English or a foreign language)

  • No more than two consecutive characters

  • No common names, terms

  • No simple pattern
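
As an added example (not part of the original post or the handbook it cites), the sketch below checks a candidate password against the six attributes listed above. The word lists and sample passwords are small constructed stand-ins, and the readings of "mix", "two consecutive characters" and "simple pattern" are assumptions marked in the comments.

```python
import re

# Constructed stand-ins for a real dictionary and a names/terms list (assumptions).
DICTIONARY = {"password", "summer", "welcome", "dragon", "monkey", "bonjour"}
COMMON_TERMS = {"alice", "admin", "qwerty", "letmein"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Undo common letter substitutions so "P@ssw0rd" still matches "password".
LEET = str.maketrans("@0134$5!", "aoleassi")

def _contains_word(pw, words):
    forms = (pw.lower(), pw.lower().translate(LEET))
    return any(w in form for w in words for form in forms)

def _has_simple_pattern(pw, run=4):
    """Assumed reading of 'simple pattern': a run of `run` ascending or
    descending characters (abcd, 4321) or a keyboard-row slice (qwer)."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):
            return True
        if any(chunk in row or chunk[::-1] in row for row in KEYBOARD_ROWS):
            return True
    return False

def check_password(pw):
    """Return the listed attributes that pw violates; an empty list passes."""
    failures = []
    if len(pw) < 10:
        failures.append("length")
    # Assumed reading of 'mix': lower, upper, digit and symbol all required.
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(c, pw) for c in classes):
        failures.append("character mix")
    if _contains_word(pw, DICTIONARY):
        failures.append("dictionary word")
    # Assumed reading of 'no more than two consecutive characters'.
    if re.search(r"(.)\1\1", pw):
        failures.append("repeated character")
    if _contains_word(pw, COMMON_TERMS):
        failures.append("common name or term")
    if _has_simple_pattern(pw):
        failures.append("simple pattern")
    return failures

if __name__ == "__main__":
    for sample in ("Summer2015!", "Alice1985!!", "P@ssw0rd", "tV9#rK2m!xQ7"):
        print(f"{sample!r}: {check_password(sample) or 'ok'}")
```

A password built from a name and a birth year, like the one guessed in Alice's case, passes the length and character-mix checks and is rejected only by the name and term list, which is why that list should include employee and company names.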


In conclusion: changing passwords every 30 days helps mitigate potential access. Rules should be established that strictly prohibit employees from using work passwords for personal use. Training employees to protect and secure passwords is one way to try to avoid hacking incidents. So when the cyber application asks how often you change passwords, and the first answer is 30 days, consider reflecting on the answer from a risk perspective.

 

*Taken from the Cyber and Data Security Handbook, written by Eric Hess, July 2015, for NAPLIA

Tags: Data Breach, NAPLIA, Information Security, identity theft, cyber, records

Announcing CPA ProSecure: New Errors and Omissions Insurance Program for Accounting Firms

Posted by Alison Simons on Wed, Aug 05, 2015 @ 01:04 PM


North American Professional Liability Insurance Agency, LLC (NAPLIA) is pleased to announce an exclusive Errors and Omissions insurance program designed specifically for accounting and consulting firms called CPA ProSecure.

CPA ProSecure is underwritten by The Rockhill Insurance Group, a wholly owned subsidiary of the State Auto Group, rated A-Excellent by A.M. Best. Founded in 1921, State Auto Group is one of only 59 companies to have an A.M. Best rating of “A” for 75 years. State Auto has provided 96 consecutive quarters of dividends.

NAPLIA insures 1000s of accounting firms in all 50 states. John Raspante, CPA, MST, CDFA, heads up our Risk Management team, and Ralph Picardi, our Hot-line Attorney/CPA, heads up our legal team. Both regularly assist all clients in best practices, claims mitigation and engagement letters, as well as website reviews.

“We sat down last year and created a wish list of the important features we wanted to enhance in our professional liability program. We used this as the foundation for CPA ProSecure. We chose Rockhill Insurance because they embraced our vision and supported our desire to provide a more comprehensive program.” – Stephen Vono, CFO/Principal

NAPLIA offers “more than just a policy.” See our website for additional resources:
http://www.CPAProSecure.com

Tags: accountants, cpas, errors & omissions, NAPLIA, professional liability

NAPLIA ebook Question 1: Destruction and archiving of old client files

Posted by Alison Simons on Tue, Aug 04, 2015 @ 09:53 AM

A record archival and destruction policy represents the last stage in a firm’s data lifecycle management strategy. A strong policy should cover all of the following points:

  • Identification and classification of records: The firm’s various types of records should be listed and a classification system and process should be established. Potential record types include firm records, client records and work product records. 

  • Retention/archive/destruction scheduling: Separate schedules should be established for the retention/archive/destruction of various types of records. These schedules should match with federal, state and local regulations and industry-specific requirements. Records subject to litigation holds may require special handling. 

  • Archiving of closed client matters: Paper and electronic materials should be gathered into a single file. Duplicates and materials that are not classified as records should be destroyed as part of the archiving process. 

  • Designation of destruction requirements: Destruction methods should reflect the firm’s obligations to client confidentiality. Paper documents should be shredded or incinerated and data storage devices should be physically destroyed rather than overwritten. 

  • Establishment of a destruction log: A log must be created as a permanent record of the firm’s activities. The log should include the client involved, a description of the documents being destroyed, the employee who performed the destruction and the employee who signed off on the destruction. 

  • Examination requirements: Destruction should not occur until the employee responsible for the client file has verified that the retention period has properly run for all data sets contained within the file. The employee should also verify that no litigation hold has been placed on any of the file’s components. Any parts that have been placed on a litigation hold should be separately archived for the duration of the hold. These retention extensions should be used only in exceptional cases. The exceptions should be documented in the extended file along with the reason for the exception and the employee who authorized the exception.

A record archival and destruction policy is only effective if the firm has the required resources to ensure its consistent implementation. Effort can be spared through automation in many instances, e.g. dynamic archiving tools can automatically move older data to storage, duplicate documents can be deleted automatically prior to archiving, records can be classified and searched automatically, data can be captured automatically from applications that are being decommissioned, and destruction tools can automatically delete files, emails and documents.

Check back each month for a new chapter of the NAPLIA cyber ebook.

Tags: NAPLIA, cyber, records

Join our CPA Alert Linkedin Group

Posted by Tom Henell on Sun, Dec 09, 2012 @ 12:07 PM

The NAPLIA CPA Alert is a regular resource to provide our CPA, Accounting, and Bookkeeping clients with up-to-date information on topics that may directly impact their business.

Now, you can access these CPA Alerts via our new Linkedin Group.

Simply join here!

In addition to your professional liability (errors & omissions) insurance, education is the foundation of a strong Risk Management strategy. NAPLIA is leading the industry in providing our clients with sample engagement letters, topical articles, White Papers, and more.

Tags: CPA Alert, NAPLIA, Linkedin

Electronic Discovery impact on Record Retention Policies

Posted by Tom Henell on Fri, Mar 30, 2012 @ 11:09 AM

Historically, malpractice insurers have stressed the importance of record retention policies for CPA, and other professional, firms and the need to consistently apply those policies.

The advent of Electronic Discovery (e-discovery) has clearly muddied the waters. Just the financial costs alone, arguably, will cause plaintiffs to settle early in litigation.

The Pippins v. KPMG LLP case is a grim reminder of the need to have consistent, written record retention policies that are clearly articulated to clients, preferably in engagement letters or stand-alone letters.

CPAs should review state boards of accountancy rules and regulations, the AICPA rules, taxing authority rules, and other regulatory bodies such as the SEC and GAO.

See NAPLIA Resources on Record Retention

Tags: record retention, accountants, cpas, NAPLIA