McGowanPRO Professional Liability Blog

Alison Simons

Recent Posts

The Investment Professional’s Guide to Errors & Omissions Insurance

Posted by Alison Simons on Mon, Sep 28, 2015 @ 01:20 PM

The Investment Advisor’s Guide to Errors & Omissions Insurance offers exclusive insight providing: 

  • Clarity to the Insurance Evaluation Process 
  • Specific Guidance and Roadmap to Improved Outcomes 
  • Risk Management Resources for your Practice

What are insurance underwriters looking for in an investment advisor’s application for errors & omissions (aka professional liability) insurance? It is a question that we are often asked, and due to the complexity of the risk, the answer is never simple.

Applicants’ unique risk characteristics are not always apparent – even to themselves.


The Investment Advisor’s Guide to Errors & Omissions Insurance will help you anticipate areas of underwriter concern as it relates to your specific investment practice, helping you internally evaluate your risk exposures and better define your activities and professional services.

In several chapters we have offered our opinions which are based on 20-plus years of negotiating insurance coverages and working in the investment advisory space. Naturally, we cannot promise that all insurance carriers follow the same guidelines — or treat similar information uniformly — as we make clear in the following pages.

We have tried to anticipate questions — from the most basic to the more nuanced — while digging deeper into the prevailing wisdom of current underwriting concerns and carrier tendencies. We will update this guide as newly-defined and evolving risk exposures find their way into our applications.

The object of this guide is neither solely to reduce premium or pricing, nor to suggest altering your application in any way that is not 100% accurate in order to circumvent adverse underwriting concerns (doing so could potentially void coverage). It is far more important to make sure coverage is correct and exposures are covered without gaps, or that any deficiencies are understood and assessed appropriately.


If you have questions about errors & omissions insurance, please contact us. We'd be glad to answer any questions or help you review a competitive quote.

Tags: errors & omissions, risk management, NAPLIA

Trends in Claims Made Against Accountants

Posted by Alison Simons on Fri, Sep 18, 2015 @ 02:03 PM

Claim Statistics Review:

Over the last 20 plus years, claims against accountants have, in many ways, stayed the same.

Tax claims still represent over 50% of all claims.

The largest dollar claims involve “failure to detect” which includes theft, fraud and deliberate misstatements of income or expenses.

However, when you review claims statistics sometimes certain trends or percentages stand out.


Statistics

1.) Tax Services

Improper tax advice or treatment:
  • Individual 55%
  • Corporate 61%

One interesting trend: math errors are down from 10% to under 5%.

2.) Audits

75% of claims come from the failure to detect theft, fraud, and misstatements of revenue and/or expenses.

About 25% of audit claim errors relate to report issuance or are classified as other.

3.) Compilations

Failure to detect accounts for more than 60% of all claims

4.) Reviews

Failure to detect accounts for almost 70% of all claims

5.) Bookkeeping (BK)

25% of all BK claims come from failure to detect fraud or theft.

Just under 10% of claims come from theft by the CPA Firm.

6.) Personal Financial Planning (PFP)

Not surprisingly, 71% of PFP claims result from improper advice or product sales, but 6% of claims involve theft by a CPA at the firm.

7.) Trustee and Non Trustee Services

About one third of the time (33%), claims relate to breach of fiduciary duties. The most difficult breach of fiduciary duty claims are those where the agreement or engagement is not well delineated or established.


Higher Risk Areas

Insurance Companies that defend accountants’ claims usually have areas of practice or practice concerns that they consider higher risk, and these change over the years. The services currently considered higher risk are:

  1. Business valuations
  2. Professional services for entertainment clients “A” rated*
  3. Non Trustee clients that have significant investment components
  4. Firms with very weak internal controls for data breach and data compromise

*“A” rated clients are considered to be clients that pay greater than $250,000 in annual fees.

Insurance companies may ask additional questions in these areas and may consider premium adjustments.

Business valuation engagements where the CPAs hold additional designations continue to produce far fewer claims than firms that provide the same services without them.

Suit-for-fee claims continue to decline as accounting firms now know the inherent risks of these actions. It is a tough decision: you have done the work and the client refuses to pay. Just remember that 50% of the clients that are sued countersue the accounting firm.


Notable Claims

In the last 16 years we have seen several thousand claims, potential claims, and subpoenas.  Some may say we have seen everything including the kitchen sink for alleged damages.

However, sometimes even we are surprised by the accusations:

Claim 1.) The cocaine dealer sued his accountant for failing to advise him that his activities were illegal and that he was supposed to report his illegal income on his tax returns.

Claim 2.) The business “cash” client who alleged that his accountant taught him to only make cash deposits under $10,000 to avoid detection.

Claim 3.) The client who lived in a 17-room home with water views, had several expensive cars and huge travel expenses while declaring income of under $50,000, claimed his accountant should have known and advised him “to be careful”.

In conclusion, although claims statistics percentages haven’t changed significantly in the last twenty years, some statistics do stand out. Failure-to-detect claims in reviews, compilations and bookkeeping are eye-opening. When asked who steals in the CPA firm, our answer is most often the partner/owner; very rarely is it an employee of the firm. One other trend is that CPAs who have worked in their profession 12 or more years are more likely to be sued than less experienced accountants.

Tags: cpas, fraud, CPA Alert

NAPLIA ebook Chapter 2:  Removing client files from the office

Posted by Alison Simons on Fri, Sep 11, 2015 @ 09:24 AM

When client files are removed from the office there is an increased risk of loss. It’s easy for an employee to misplace a USB stick, leave important documents on a train or have a company laptop stolen, and client files may then be available to (often non-traceable) third parties. Firms should therefore only remove client files from the office when such files are necessary for reference in client meetings.

Permission for removal should always be obtained from a manager, and portable devices that hold client files should always be encrypted (see guidelines in Chapter 3). Client files should not be stored on portable storage media (e.g., USB sticks, smartphones, tablets, etc.) or laptops for longer than the period of active use if such devices will be removed from the office. Client data should be deleted from such devices when no longer required.

The partner or officer responsible for information security or compliance within your firm should be advised immediately if client files are lost outside of the office. This step is critical to allow you to comply with your incident notification policies and manage any additional damage that the disclosure may cause.

Employees may be reluctant to report a loss, but a firm needs to communicate to its employees the importance of compliance with firm policies as well as with the law. One approach to minimize the risk of non-reporting, at least with regard to electronic media, is for the company to permit only company-issued electronic storage media to store client files and to keep an inventory of such media. This inventory documents all devices that have access to client files. Keeping the inventory up to date and running regular device checks can provide early notification of losses that may otherwise remain undetected.

Attention should also be paid to the potential for employees to remove client files at the end of their employment. Portable devices, physical documents and even hard drives may easily leave with a departing employee, either as an oversight or an act of malice. The associated risks can be minimized with measures including:

  • A departing employee checklist: This checklist ensures that all company-issued devices (and the client files that they may contain) are returned before the employee leaves the company.
  • A media sanitization policy that extends to employees’ personal devices: This provision ensures that client files are removed from devices that do not fall under the company’s direct control.

Responsibility for these measures will be more effective if assigned to a named representative. The representative will in most cases be the departing employee’s direct superior.

Check back each month for a new chapter of the NAPLIA cyber ebook.

Tags: employment, risk management, cyber

Fraudulent Transfer Scams Plaguing CPAs & Advisors

Posted by Alison Simons on Fri, Aug 21, 2015 @ 08:56 AM

Be very wary of emails requesting transfers of funds from hacked accounts.

We've recently seen two phishing scams that have resulted in fraudulent client fund transfers. While the amounts are typically not large (under $50,000), in both cases there were multiple transfers. The losses are different but the claims are essentially identical.

Each of our insureds received an email requesting transfer of funds, and in both cases the email requested that monies be wire transferred from their accounts to a Wells Fargo account. These fraudulent emails included significant identifiable personal details and signatures on faked transfer forms. Signatures were verified against signatures from other valid transfers and determined to be authentic -- so they thought.

In one case the bank asked for a phone number to verify the transfer as the transfer form was slightly hard to read (red flag). An email was sent to the hacked account requesting a cell number to verify the transfer. In an email response the sender asked if they could call the bank to verify, and this was allowed as the caller had the correct banking information, social security number and other personal identifying information details to convince the bank to move forward and transfer the funds.

Both of our insureds' clients have asked to be made whole, and we are in the process of determining the liability associated with each claim.

With one of these claims, the bank clearly has some liability as it did not follow proper protocol and allowed a deviation of standards by accepting a “call in” as opposed to the “bank calling out.”

(Side note: both of these clients are longstanding, very profitable accounts, and our insureds are trying to mitigate damages to maintain the relationship.)

OK, now that you have read the claim summary what’s next? Your office needs to take steps to reduce your liability while protecting and safeguarding your clients’ bank accounts.

Here are several steps that you should incorporate into your due diligence internal controls:

  1. Email requests must be verified by a second means of verification. In many cases a text message to a cell phone can ensure some protection. The theory is that email accounts are usually hacked from afar (Russia, China, West Africa), and the hackers would not be in possession of the cell phone. Additionally, the text message could include a request for an additional identification password that may not be known by the hackers (for example, we frequently see questions like the name of their dog or the name of their high school). Also, email accounts have often been hacked weeks before the owner becomes aware, and the hacker waits while gathering information to be used fraudulently. On the other hand, if your cell phone is missing for more than four hours you start to panic and take steps to prevent misuse.

  2. Be suspicious and examine emails closely, looking for ‘red flags’ such as misspelled words, forms that appear to be scanned and are slightly illegible, and salutations that are not consistent with other email correspondence. In some cases a word seems out of place or is used incorrectly. In other cases our insureds received numerous follow-up emails asking exactly when the transfer was completed, which showed a level of desperation.

  3. Include internal protocol procedures requiring your employees to have a second person review and sign off. If possible, include the key person in the office who has the relationship with the client, as they may have more personal knowledge of the client and sense a fraudulent request.

  4. For larger transfers, elevate the due diligence, requiring absolute second live verification before transfer of funds.

  5. Consider adding language to the engagement letter that states you will make every effort to verify transfers, and in cases where you are unable to verify the validity of the transfer you will refuse until satisfied that it is an authentic request.
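The verification gate described in steps 1 through 4, as an added example (this is not NAPLIA's own procedure or code). The client record, the $25,000 live-call threshold and the phone numbers are constructed; the point it shows is that a verification only counts when the firm initiates it to contact details already on file, which is the "call in" versus "bank calling out" distinction from the claim above.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

LIVE_VERIFICATION_THRESHOLD = 25_000.0   # constructed threshold for step 4; set your own


@dataclass
class ClientRecord:
    client_id: str
    phone_on_file: str          # contact details the firm collected at engagement time


@dataclass
class TransferRequest:
    client_id: str
    amount: float
    received_via: str           # "email", "in_person", ...
    callback_number: Optional[str] = None   # a number offered in the request itself: untrusted


@dataclass
class Verification:
    method: str                 # "text" or "call"
    number_used: str            # number the firm actually contacted (or was contacted from)
    firm_initiated: bool        # True = firm called/texted out; False = the requester called in
    challenge_passed: bool      # shared-secret question (e.g. dog's name) answered correctly


def _trusted(v: Verification, client: ClientRecord) -> bool:
    """A verification counts only if the firm reached out, to the number on file,
    and the challenge was answered. A call-in, or a number lifted from the request
    (as happened with the hacked mailbox), does not count."""
    return v.firm_initiated and v.number_used == client.phone_on_file and v.challenge_passed


def authorize_transfer(req: TransferRequest, client: ClientRecord,
                       verifications: List[Verification], preparer: str,
                       reviewer: Optional[str],
                       threshold: float = LIVE_VERIFICATION_THRESHOLD) -> Tuple[bool, List[str]]:
    """Return (approved, reasons); an empty reasons list means every control passed."""
    reasons: List[str] = []
    if req.client_id != client.client_id:
        reasons.append("request does not match the client record")
    trusted = [v for v in verifications if _trusted(v, client)]
    # Step 1: a second means of verification, initiated by the firm to on-file details.
    if not trusted:
        reasons.append("no firm-initiated verification to the contact details on file")
    # Step 4: larger transfers need a live call-out, not just a text.
    if req.amount >= threshold and not any(v.method == "call" for v in trusted):
        reasons.append("amount at or above threshold requires a live call-out verification")
    # Step 3: a second person, distinct from whoever prepared the transfer, signs off.
    if reviewer is None or reviewer == preparer:
        reasons.append("second-person review and sign-off missing")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed replay of the post's scenario: the number came from the hacked
    # mailbox and the requester called in, so the "verification" is rejected.
    client = ClientRecord("C-100", "+1-555-0100")
    request = TransferRequest("C-100", 15_000.0, "email", callback_number="+1-555-0199")
    call_in = Verification("call", "+1-555-0199", firm_initiated=False, challenge_passed=True)
    print(authorize_transfer(request, client, [call_in], preparer="pat", reviewer="sam"))
```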


By incorporating these preventative measures, you could thwart criminal fraud and build your defense should the fraud occur.

Tags: accountants, CPA Alert, Information Security, liability

NAPLIA Underwriter Hanover Insurance Group named to Forbes list

Posted by Alison Simons on Fri, Aug 14, 2015 @ 09:49 AM

Forbes most trustworthy Financial companies

Forbes assessed more than 700 publicly-traded financial institutions and honored just 50 companies.  Among the honorees is Hanover Insurance Group, an underwriter on many of NAPLIA's products. Hanover's inclusion on the list places the company among many successful and admired financial organizations in the country.  In fact, Hanover is the only national carrier to make the list.

Tags: NAPLIA

NAPLIA's Paul Smith Attends Family Office Conference in NYC

Posted by Alison Simons on Mon, Aug 10, 2015 @ 09:07 AM

Paul Smith Family Office Conference

Paul J. Smith, SVP of NAPLIA’s Investment Advisory Division, is seen below at the Family Office, Chief Investment Officers Conference, held in NYC on August 7th and 8th.


The Conference was part of the Wilson Conference Series, 2015,  held in connection with their Family Office Club, the world’s largest organization connecting (ultra high-net worth) single and multi-family offices around the globe.


Paul attended the conference to meet with attendees and discuss NAPLIA’s unique risk management expertise in mitigating Executive Liability and Cyber risk, through well designed insurance, and best practices in the Cyber space.


The Conference was well attended, with over 150 Family Office Executives, and 25 plus speakers from the Hedge Fund / Limited Partnership space, to respected academicians in the Alternative Investment community. 

Tags: NAPLIA

Cyber tip: How often to change passwords

Posted by Alison Simons on Thu, Aug 06, 2015 @ 03:10 PM

As an insurance agent we deal with applications every single day, yet when I have to fill one out, I have the same reaction as my insureds: “I hate applications”.

However there are times when an application is a good thing, like a cyber-application.

The cyber application is designed to ask risk management questions that hopefully provide some insight on cyber exposures.

For example: How often do you change passwords?

Most applicants answer anywhere from 90 days to once a year.

So what is the best answer? Monthly.

We all get careless with passwords, and we are never sure whether they have fallen into the wrong hands.

Changing passwords monthly ensures a better risk management landscape; it also makes employees responsible for managing their passwords rather than treating them as an afterthought.

The main reasons given for not changing passwords are “I have so many” and “I can never remember them”; in reality this is more consistent with passwords that you only use once in a while. To help safeguard your business network, passwords should be used every time you log on. One common error when choosing passwords is that the employee uses the same login as their personal bank account or Amazon account.

This puts the business at risk when any of their personal accounts is hacked and the hacker goes phishing for other easy computer systems connected to that individual.

Let’s look at a recent case of password hacking. Employee Alice’s Facebook account was taken over without her knowledge, and the attackers used this information to gain access to her Amazon account, where her credit card information was stored. Alice’s Gmail account was the next opportunity: using personal information and her birth date, they were able to guess her password.

Alice had several work e-mails in her personal account, so they next went after her work e-mail. The first password tried on her employer's system was her Gmail password, and instantly they were in the company’s server.

Hackers know that people re-use one password for many applications (log-ins). With Alice’s work e-mail account accessible, a series of e-mails were sent pretending to be Alice in order to capture additional confidential information. Think about a co-worker sending an e-mail requesting information that appears to be legitimate; most of us would respond. In this case human resources was sent an e-mail asking for her personal banking information, explaining that her direct deposit account had been hacked and she needed to change the account prior to the next pay period.

Fortunately there was no theft of funds and the HR person called Alice and the jig was up. However that was not the end of the story for Alice’s company. The company was concerned that their data may have been compromised and brought in an outside forensic IT company to ascertain any data breaches. Calls were also made to their attorney to review if this was a reportable event to state regulatory agencies.

All company passwords were changed and remote access from outside employees was shut off. It was several long days before the business was back to normal. Although the company escaped any real threat, there were still significant costs incurred not including lost employee time and production.

Alice was able to notify all her credit cards and banking relationships and re-establish her social media accounts. Hundreds of fake e-mails were sent posing as herself to friends and family and several months later she is still monitoring all of her accounts closely.

The moral of the story, employers need to carefully monitor passwords. Passwords should have all of the following attributes:*

  • At least 10 characters long

  • A mix of lower case, upper case, and non-alphabetic characters and numbers

  • No words found in the dictionary (English or a foreign language)

  • No more than two consecutive characters

  • No common names, terms

  • No simple pattern


In conclusion: changing passwords every 30 days helps mitigate potential unauthorized access. Rules should prohibit employees from using work passwords for personal accounts. Training employees to protect and secure passwords is one way to try to avoid hacking incidents. So when the cyber application asks how often you change passwords, and the first answer is 30 days, consider reflecting on the answer from a risk perspective.


*Taken from the Cyber and Data Security Handbook written by Eric Hess, July 2015, for NAPLIA
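A checker that applies the six password attributes listed above, written as an added example (it is not code from the post or from the Hess handbook). The dictionary and common-term lists are small constructed stand-ins for real word lists, and treating "no more than two consecutive characters" as rejecting runs of three identical or alphabetically/numerically sequential characters is an interpretation of that rule.

```python
import re

# Constructed, deliberately small word list standing in for a real dictionary;
# a production checker would load full English and foreign-language word lists.
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "letmein"}
# Constructed stand-in for the "no common names, terms" rule.
COMMON_TERMS = {"alice", "admin", "naplia", "company", "qwerty"}


def _has_run_of_three(s: str) -> bool:
    """Interpretation (assumption) of 'no more than two consecutive characters':
    reject three identical characters in a row ('aaa') and three characters that
    step up or down through the alphabet or digits ('abc', '321')."""
    low = s.lower()
    for i in range(len(low) - 2):
        a, b, c = low[i], low[i + 1], low[i + 2]
        if a == b == c:
            return True
        if a.isalnum() and b.isalnum() and c.isalnum():
            step1, step2 = ord(b) - ord(a), ord(c) - ord(b)
            if step1 == step2 and step1 in (1, -1):
                return True
    return False


def _contains_word(s: str, words) -> bool:
    """Case-insensitive substring match; very short words are ignored to limit noise."""
    low = s.lower()
    return any(len(w) >= 4 and w in low for w in words)


def _simple_pattern(s: str) -> bool:
    """'No simple pattern': a single character class, a repeated short block
    ('abab'), or a four-character fragment of a keyboard row (constructed list)."""
    if s.isdigit() or s.isalpha():
        return True
    for size in range(1, len(s) // 2 + 1):
        if len(s) % size == 0 and s[:size] * (len(s) // size) == s:
            return True
    rows = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
    low = s.lower()
    return any(row[i:i + 4] in low for row in rows for i in range(len(row) - 3))


def check_password(pw: str) -> list:
    """Return the list of rules the password fails; an empty list means it passes."""
    failures = []
    if len(pw) < 10:
        failures.append("shorter than 10 characters")
    # Read here as: lower case, upper case, a digit and a non-alphanumeric character.
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)
            and re.search(r"[0-9]", pw) and re.search(r"[^A-Za-z0-9]", pw)):
        failures.append("needs lower case, upper case, a digit and a non-alphanumeric")
    if _contains_word(pw, DICTIONARY_WORDS):
        failures.append("contains a dictionary word")
    if _has_run_of_three(pw):
        failures.append("three or more consecutive identical or sequential characters")
    if _contains_word(pw, COMMON_TERMS):
        failures.append("contains a common name or term")
    if _simple_pattern(pw):
        failures.append("simple pattern")
    return failures


if __name__ == "__main__":
    for candidate in ("Summer2015!", "Tr0ub4dor&3", "Passw0rd123!"):   # constructed samples
        print(candidate, "->", check_password(candidate) or "OK")
```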

Tags: Data Breach, NAPLIA, Information Security, identity theft, cyber, records

Employment Practices Liability Insurance (EPLI) by the numbers

Posted by Alison Simons on Thu, Aug 06, 2015 @ 03:00 PM

According to Advisen, only 20% of companies with fewer than 50 employees have EPLI insurance, but this increases to 32% when companies employ between 50 and 200.

The Equal Employment Opportunity Commission (EEOC) handled more than 100,000 complaints in 2013 and 89,000 in 2014.

43% were for retaliation and federal wage lawsuits continue to dominate the court systems.

EPLI covers businesses against claims by workers that their legal rights as employees of the company have been violated.

EPLI provides protection against many kinds of employee lawsuits, including claims of:

  • Sexual harassment

  • Discrimination

  • Wrongful termination

  • Breach of employment contract

  • Negligent evaluation

  • Failure to employ or promote

  • Wrongful discipline

  • Deprivation of career opportunity

  • Wrongful infliction of emotional distress

  • Mismanagement of employee benefit plans

Tags: Employment Practices Liability, EPLI

Announcing CPA ProSecure: New Errors and Omissions Insurance Program for Accounting Firms

Posted by Alison Simons on Wed, Aug 05, 2015 @ 01:04 PM


North American Professional Liability Insurance Agency, LLC (NAPLIA) is pleased to announce an exclusive Errors and Omissions insurance program designed specifically for accounting and consulting firms called CPA ProSecure.

CPA ProSecure is underwritten by The Rockhill Insurance Group, a wholly owned subsidiary of the State Auto Group, rated A (Excellent) by A. M. Best. State Auto Group, founded in 1921, is one of only 59 companies to have held an A.M. Best rating of “A” for 75 years. State Auto has provided 96 consecutive quarters of dividends.

NAPLIA insures thousands of accounting firms in all 50 states. John Raspante, CPA, MST, CDFA heads up our Risk Management team, and Ralph Picardi, our Hot-line Attorney/CPA, heads up our legal team. Both regularly assist all clients with best practices, claims mitigation and engagement letters, as well as website reviews.

“We sat down last year and created a wish list of the important features we wanted to enhance in our professional liability program. We used this as the foundation for CPA ProSecure. We chose Rockhill Insurance because they embraced our vision and supported our desire to provide a more comprehensive program.” – Stephen Vono, CFO/Principal

NAPLIA offers “more than just a policy”. See our website for additional resources:
http://www.CPAProSecure.com

Tags: accountants, cpas, errors & omissions, NAPLIA, professional liability

NAPLIA ebook Question 1: Destruction and archiving of old client files

Posted by Alison Simons on Tue, Aug 04, 2015 @ 09:53 AM

A record archival and destruction policy represents the last stage in a firm’s data lifecycle management strategy. A strong policy should cover all of the following points:

  • Identification and classification of records: The firm’s various types of records should be listed and a classification system and process should be established. Potential record types include firm records, client records and work product records. 

  • Retention/archive/destruction scheduling: Separate schedules should be established for the retention/archive/destruction of various types of records. These schedules should match with federal, state and local regulations and industry-specific requirements. Records subject to litigation holds may require special handling. 

  • Archiving of closed client matters: Paper and electronic materials should be gathered into a single file. Duplicates and materials that are not classified as records should be destroyed as part of the archiving process.

  • Designation of destruction requirements: Destruction methods should reflect the firm’s obligations to client confidentiality. Paper documents should be shredded or incinerated and data storage devices should be physically destroyed rather than overwritten. 

  • Establishment of a destruction log: A log must be created as a permanent record of the firm’s activities. The log should include the client involved, a description of the documents being destroyed, the employee who performed the destruction and the employee who signed off on the destruction. 

  • Examination requirements: Destruction should not occur until the employee responsible for the client file has verified that the retention period has properly run for all data sets contained within the file. The employee should also verify that no litigation hold has been placed on any of the file’s components. Any parts that have been placed on a litigation hold should be separately archived for the duration of the hold. These retention extensions should be used only in exceptional cases. The exceptions should be documented in the extended file along with the reason for the exception and the employee who authorized it.

A record archival and destruction policy is only effective if the firm has the required resources to ensure its consistent implementation. Effort can be spared through automation in many instances, e.g. dynamic archiving tools can automatically move older data to storage, duplicate documents can be deleted automatically prior to archiving, records can be classified and searched automatically, data can be captured automatically from applications that are being decommissioned, and destruction tools can automatically delete files, emails and documents.

Check back each month for a new chapter of the NAPLIA cyber ebook.

Tags: NAPLIA, cyber, records