McGowanPRO Professional Liability Blog / Resources / Articles

Be very wary of emails requesting transfers of funds from hacked accounts.

We've recently seen two phishing scams that have resulted in fraudulent client fund transfers. While the amounts are typically not large (under $50,000), in both cases there were multiple transfers. The losses are different but the claims are essentially identical.

Each of our insureds received an email requesting transfer of funds, and in both cases the email requested that monies be wire transferred from their accounts to a Wells Fargo account. These fraudulent emails included significant identifiable personal details and signatures on faked transfer forms. Signatures were verified against signatures from other valid transfers and determined to be authentic -- so they thought.

In one case the bank asked for a phone number to verify the transfer as the transfer form was slightly hard to read (red flag). An email was sent to the hacked account requesting a cell number to verify the transfer. In an email response the sender asked if they could call the bank to verify, and this was allowed as the caller had the correct banking information, social security number and other personal identifying information details to convince the bank to move forward and transfer the funds.

Both of our insureds' clients have been asked to be made whole, and we are in the process of determining the liability associated with each claim.

With one of these claims, the bank clearly has some liability as it did not follow proper protocol and allowed a deviation of standards by accepting a “call in” as opposed to the “bank calling out.”

(Side note: both of these clients are longstanding, very profitable accounts, and our insureds are trying to mitigate damages to maintain the relationship.)

OK, now that you have read the claim summary what’s next? Your office needs to take steps to reduce your liability while protecting and safeguarding your clients’ bank accounts.

Here are several steps that you should incorporate into your due diligence internal controls:

1. Email requests must be verified by a second means of verification. In many cases a text message to a cell phone can insure some protection. The theory is that hacked email accounts are usually done from a far (Russia, China, West Africa), and the hackers would not be in possession of the cell phone. Additionally, the text message could include a request for an additional identification password that may not be known by hackers (for example, frequently we see questions like name of their dog or name of their high school). Also often emails have been hacked weeks before the owner becomes aware, and the hacker waits to gather information to be used fraudulently. On the other hand if your cell phone is missing for more than four hours you start to panic and take steps to prevent misuse.

2. Be suspicious and examine emails closely, looking for ‘red flags’ such as misspelled words, forms that appear to be scanned and are slightly illegible, salutations that are not consistent with other email correspondence. In some cases a word seems out of place or used incorrectly. In other cases our insureds received numerous follow-up emails asking for details on when exactly when the transfer was completed which showed a level of desperation.

3. Include internal protocol procedures stipulating that your employees to have a second person review and sign off. If possible include the key person in the office that has the relationship with the client, as they may have more personal knowledge of the client and sense a fraudulent request.

4. For larger transfers, elevate the due diligence, requiring absolute second live verification before transfer of funds.

5. Consider adding language to the engagement letter that states you will make every effort to verify transfers, and in cases where you are unable to verify the validity of the transfer you will refuse until satisfied that it is an authentic request.

By incorporating these preventative measures, you could thwart criminal fraud and you are building your defense should the fraud occur.

North American Professional Liability Insurance Agency, LLC (NAPLIA) is pleased to announce an exclusive Errors and Omissions insurance program designed specifically for accounting and consulting firms called CPA ProSecure.

CPA ProSecure is underwritten by The Rockhill Insurance Group a wholly owned subsidiary of the State Auto Group, rated A-Excellent by A. M. Best. State Auto Group. Founded in 1921, it is one of only 59 companies to have an A.M. Best rating of “A” for 75 years. State Auto has provided 96 consecutive quarters of dividends.

NAPLIA insures 1000’s of accounting firms in all 50 states. John Raspante, CPA, MST, CDFA heads up our Risk Management team, and Ralph Picardi our Hot-line Attorney/CPA heads up our legal team. Both regularly assist all clients in best practices, claims mitigation and engagement letters as well as website reviews.

“We sat down last year and created a wish list of the important features we wanted to enhance in our professional liability program. We used this as the foundation for CPA ProSecure. We chose Rockhill Insurance because they embraced our vision and supported our desire to provide a more comprehensive program.” – Stephen Vono, CFO/Principal

NAPLIA offers “more than just a policy” See our website for additional resources: 
http://www.CPAProSecure.com

NAPLIA has partnered with leading legal professionals for the development of sample engagement letters that are essential to your practice as well as articles and resources for your company's risk management.

http://www.engagementletters.com

Professional liability claims faced by CPAs will never be eradicated, but they can be reduced if solid risk management and constant adherence to professional standards are followed. Follow these techniques to help lessen exposure in the increasingly litigious environment in which CPAs practice.

Read the entire article

Much has been written regarding the exception from the hardship distributions rules resulting from retirement plan distributions and loans that have resulted from Hurricane Sandy.  IRS announcement 2012-44 fully addresses the rules governing these hardship distributions and loans. CPAs need to make their clients aware of this relief , but equally as important make them aware of the misconceptions ,and the tax impact of such a distribution. Many professional liability claims originate from the failure to clearly explain and document to clients the projected tax effect of retirement plan distributions.

This article addresses the IRS announcement and several misconceptions associated with the announcement. 

Creative Playthings Franchising, Corp v. James A. Reiser, Jr., 463 Mass. 758 (2012)

The Supreme Judicial Court, Suffolk County, Duffly, J., held that limitations period in a contract shortening the time within which claims must be brought was valid and enforceable under Massachusetts law, under certain conditions. A limitations period in a contract shortening the time within which claims must be brought is valid and enforceable under Massachusetts law, if the claim arises under the contract, and the agreed-upon limitations period is subject to negotiation by the parties, is not otherwise limited by controlling statute, is reasonable, is not a statute of repose, and is not contrary to public policy.

Nancy Reimer, attorney for LeClairRyan of Boston, stresses the relevance of this ruling for CPA's. Attorney Reimer suggests Accounts include a provision in their engagement letters limiting the time in which a claim can be brought to 2 years, or less depending on the circumstances of the engagement. Reimer stated, "We typically include clauses like this in letters we draft and have not had any issues with them, but now we have a definitive ruling from the SJC as to their validity."

Reimer further clarified that contract limitations are determined on a state by state basis.  Although this ruling is great for Massachusetts, not all states concur.  Florida, for example, has a statute stating a party can not limit the SOL period.

The Computer Crime and Security Institute has estimated that as many as 43% of US businesses experience some level of cyber security incident.  The cost of a cyber incident to your firm can be calculated in claims and lost wages.  In addition, with more than 46 states having State Security Breach Laws, client notification costs can be significant ($5 - $10 per client).

What can't be measured is the cost to your brand.  According to Ponemon Institute 2010 global costs of a data breach, the value of brand and reputation can decline 17% - 31% after a breach.  In addition, it can take over a year for an organization to recover it's corporate image.

Having a formal security breach plan in place can assist you in informing your clients the steps you have taken to protect their data in the event of a loss.

For more information download our White Paper on Information Security & Cyber Liability: Essential Steps to Protecting your Firm

Email has become the De facto tool for professional and personal communication.  However, the ease with which we use email also creates significant exposure to our firms.  The use of "E-discovery" is increasing in the courts, and many firms wait until it is too late to address important internal policies.

Roman Kepczyk, CPA.CITP does a great job in this article to outline the exposures created by email and the importance of a solid email retention policy. 

In addition, see NAPLIA's resources on Record Retention here. 

One of NAPLIA’s long-term clients recently received a competitive quote from another agency for their accountant’s professional liability insurance. The quote was $170.00 lower than their existing premium. Despite a discussion with the client regarding policy differences and the benefits of their existing program, the insured elected to go for the minimal premium savings.

They stated they were comfortable with the new agent’s representation of the coverage “being equal”.

Two months into the policy, one of the accountant’s laptops, which contained confidential client information, was stolen from their office. The theft occurred over a weekend and was not discovered until Monday morning.

The accountant called his new agent and was informed that there was coverage in place, but to a limited extent. The agent provided the accountant with the carrier’s toll free hotline to get additional information and support. The additional information amounted to a single piece of advice; secure local legal representation, at the accountant’s expense, to determine the extent of the security breach.

At a loss, our former client remembered the discussion with our office regarding Identity Theft coverage and called our office.

Although no longer a client, NAPLIA was able to assist the accountant with the following:

• NAPLIA provided the accountant with their specific state’s security breach laws.
• Upon review of the relevant state security breach law, NAPLIA determined that under the relevant circumstances, they were only required to notify any client whose personal information was not encrypted in a reasonable manner. 
• NAPLIA provided a sample security breach letter that the accountant could use to send to these clients.
• NAPLIA provided the accountant free access to our Attorney / CPA to assist him with additional questions.
• NAPLIA explained the difference between “first party” and “third party” liability relevant to a client data breach.
• NAPLIA reviewed their current policy and determined their first party coverage was limited to $1,000.

In hindsight, the accountant requested that we review the difference in coverage between the policy they had with NAPLIA and their new policy.

The policy they left with NAPLIA provided $25,000 for first party Cyber Liability in comparison to the $1,000 with their new policy.

The accountant had moved their coverage to save $170, and within two months realized that NAPLIA’s resources and service alone negated the premium savings. In addition, the new policy was not “equal” to their previous coverage leaving them with significant exposures.

The moral of this real story is to understand that not all polices are the same and coverage does indeed matter more than premium savings.

Historically, malpractice insurers have stressed the importance of record retention policies for CPA, and other professional, firms and the need to consistently apply those policies.

The advent of Electronic Discovery ( e –discovery ) has clearly muddied the waters.  Just the financial costs alone, arguably, will cause plaintiffs to settle early in litigation.

The Pippins v.KPMG LLP case is a grim reminder of the need to have consistent, written record retention policies that are clearly articulated to clients , preferably in engagement letters or stand-alone letters.

CPA’S should review state boards of accountancy rules and regulations, the AICPA rules, taxing authority rues, and other regulatory bodies such as the SEC and GAO.  

See NAPLIA Resources on Record Retention