McGowanPRO Professional Liability Blog / Resources / Articles

CPAs keep vast troves of valuable personal data that cybercriminals are itching to get their fingers on.

So far, the most notorious CPA breaches have culminated in identity thefts that led to fraudulent tax returns. Those cases became the bane of recent tax seasons when victims tried to file their taxes with the IRS and found that a hacker had used their personal data to file a fraudulent return and get an illicit refund.

An IRS-led crackdown slashed those kinds of cases in half last year, USA Today reported, but that still amounted to 787,000 fraudulent returns processed in 2016 alone. And the crackdown is not exactly good news for CPAs. After all, the news headlines about tax-return fraud make CPAs an inviting target.

Why cybercriminals want to breach CPA firms

Let’s quickly review the kinds of private data CPAs have in their computer systems:

• Full names and addresses
• Social Security numbers
• Telephone numbers
• Bank account and routing numbers
• Employment, income, and expense information
• Brokerage information
• Confidential client communications

It’s difficult to imagine what cybercriminals could not do with all this data. With names, addresses, and Social Security numbers, hackers can use phishing, malware, and other tactics to break into people’s home computers, access their logins to their banks and financial providers, and clean them out.

Another cybercriminal favorite, information on the financial condition of CPA clients is extremely valuable. And private email or text-message conversations between CPAs and clients can wreak havoc if they are made public. When these kinds of confidential information fall into the wrong hands, there’s no telling how much damage can be done. But it’s safe to say the liabilities could cripple many CPA organizations — if they lack cyber insurance.

Ransomware Underscores Risks CPAs Face

Ransomware is the most serious and insidious cyber threat to emerge in recent years. Cybercriminals using a range of tactics sneak into organizations’ computer networks, take up residence and wait for a vulnerable moment to strike — encrypting systems and demanding a ransom in return for decrypting them.

If undetected, these breaches can give cybercriminals widespread access to computer networks and the sensitive data within them. So, your CPA firm could pay the ransom to get your systems back online and still face the risk that private client data now belongs to cybercriminals.

What’s more, many ransomware attackers these days refuse to unlock computer systems after they get their money, potentially creating ruinous downtime for organizations that depend heavily on their computer networks.

Regulatory demands are expanding

New York State created new cyber security rules in 2017 for organizations that report to the state’s Department of Financial Services (DFS). Generally, CPA firms are not covered (yet), but given that many CPAs work with financial companies, they still need to be familiar with the regulations.

As CPA Journal put it: “In order to counsel these businesses, CPAs must understand the new regulations and their impact. In addition, it makes sense for CPA firms to be proactive in adopting the new regulations, as the profession itself is likely to be included in future regulatory efforts.”

New York’s rules provide a broad outline for safer cyber security practices. According to CPA Journal, New York’s rules require covered companies to:

• Assess current risks to create a cybersecurity program and put cybersecurity policies in place.
• Create a plan to dispose of nonpublic information they don’t need anymore.
• Review and limit access privileges.
• Ensure third-party service providers are secure.
• Assign a chief information security officer (CISO).
• Train employees and monitor authorized users.
• Craft an incident-response plan.
• Establish multifactor authentication.
• Conduct penetration testing and vulnerability assessments.
• Establish security policies for applications developed in-house.
• Encrypt data at rest and in transit.
• Establish an audit trail.

These kinds of practices reflect the principles of sound cyber hygiene that every company that any firm would be well advised to follow (and may well have to if more states adopt the rules). Also, companies that implement programs and policies to secure private data can potentially reduce their overall liability in a breach (though this depends on the facts of an individual lawsuit).

With cyber risk rising every day, a comprehensive network-security program is just one component of a sound risk-management program. Another crucial component is a cyber insurance policy that can protect your organization if it becomes the target of litigation.

A cyber insurance policy for CPAs can cover legal liability from:

• Theft, loss, or unauthorized disclosure of private data or third-party corporate information.
• Failure to comply with state breach notice laws.
• Failure to comply with the insured’s privacy policies.
• Failure to administer an identity theft prevention program required by governmental regulation.
• Unauthorized access, theft, or destruction of data.
• Denial of service attacks and virus transmission involving the insured’s computer systems resulting from computer security breaches.

All these risks underscore why professionals like CPAs should look into cyber coverage from McGowanPRO. We can help CPAs in organizations of all sizes get the right cyber coverage for their exact needs.

 If you would like to speak to a professional advisor concerning your company’s exposure to cyber risks, please contact Rob Ferrini at McGowanPRO. 508-656-1327 or rferrini@mcgowanpro.com 

Because of the growing cybercrime epidemic, NAPLIA now offers BIZLock® Cybercrime Protection, a comprehensive cyber insurance program specifically designed for small to medium sized professional firms.

Cybercrime Creates Very Serious Exposures…

• Incident response obligations and the associated forensic, PR, Legal and notification expenses
• Liability arising from the Loss/theft of the personal information of others within your control
• Cyber extortion and Ransomware (thieves lock down your system and hold it for ransom)
• Regulatory fines and penalties
• Payment card industry fines and penalties
• Losses arising from the theft of Business Identifying Information or BII
• Business interruption losses and more

Watch our 3 minute video for a quick highlight:         IFI Chalk Talk VIDEO.

Program Summary:

• Limits from $50,000 to $1MM
• Premiums ranging between $569 to $1999 per year (annual revenues less than $10MM)
• Retentions/Deductibles at $1,000
• Essential Risk management / Compliance tools
• Incident Response On-Demand™ – Comprehensive 24/7 claims and remediation/resolution services provided by the BIZLock team and its panel of experts
• Simple application and instant coverage, subject to qualification

Protect your business today. Click here to obtain instant pricing, limit options and actual coverage. Or, copy and paste this URL into your browser https://bizlock.net/partner/naplia

BIZLock is quick, simple and vital to help secure your business against today’s evolving cyber risks. 

Don’t risk becoming a victim of cybercrime without having a professional solution and remedy standing behind you.  Protect yourself against cybercrime with BIZLock.

For more information-

Contact:

Rob Ferrini | Program Manager | NAPLIA

Direct: 508.656. 1327 |Toll Free: 866.262.7542, ext. 1327 | Fax: 508.656.1399

robf@naplia.com

The first six months of 2016 show cyber claims increasing 56% over 2015

Hacking and Malware claims are up by 62%

Professional service firms cyber claims are about 14.5% of all cyber claims reported

*According to specialty insurer Beazley

I have written before on the enormous amount of information available on a daily basis and on how hard it is to keep up with the sheer volume of content. I like many try and keep as current as I can but have also decided I can no longer fret over it, there isn’t enough time in the day.

There is one tool that I use and enjoy, it is called “getpocket”. This is an app that can sit on your browser bar and allows you to click the + feature and add the story, article, video other content to a saved folder within “getpocket” for later reading or review.

This is helpful when I see something useful but am unable to read it now but do not want to forget it or lose it.

There are two versions of “getpocket” a free version and a paid version (less than $50 per year). The paid version allows for sub folders and no pop up ads.

Speaking about apps, I have 68 phone apps, many I use frequently. My current favorites are the flashlight, local weather and a new one called “Truecaller”. Truecaller identifies incoming calls and even marks many as “SPAM”. I can also block incoming call with one easy click. 

This is a real time saver as I no longer pick up sales calls on my cell phone thinking it must be important or urgent if they are calling my cell phone.

I was curious about the number of phone apps available, and it stands at about 1.5 million different phone applications, so I guess my 68 is within reason?

I have also discovered the best time for me to read and comprehend new information is in the morning, preferably early with my coffee, probably because I have hit the 60 age group category.

Disclaimer: I have no affiliation and do not derive any benefits for the above mentioned vendors.

For Immediate Release

April 4, 2016

Framingham, MA - North American Professional Liability Insurance Agency, LLC (NAPLIA) is pleased to announce that CEO, Gary Sutherland, CIC MLIS, and Senior Vice President, Paul Smith, AIF, will be panellists in a presentation titled “What You Need to Know About Cybersecurity” at the fi360 conference in San Diego, California on April 7, 2016.

The Cybersecurity panel presentation will discuss current best in class breach prevention tools and procedures, how to prepare for an OCIE Examination with a focus on Cyber and Privacy Liability prevention, and how insurance can be used as a defense of last resort.  Additional topics include why Cybersecurity matters, what firm leaders need to know about preventing a breach, and how to prevent a breach from shutting down your firm for good.

 “It is an honor to share our expertise in Cybersecurity at the fi360 conference, which attracts 600 financial services industry leaders.  Cybersecurity is a hot topic because it has so many facets and it can be devastating for affected firms. “ says Gary Sutherland, CEO, NAPLIA. 

The third panelist in the Cybersecurity panel presentation is Brian Edelman, CEO, Financial Computer, Inc.  The panel will be moderated by Tom Schrandt, AIF®, Vice President, Lockton Affinity, LLC.

NAPLIA has specialized in providing Fiduciary Liability Insurance to Plan Sponsors since 1998, in concert with Professional Liability, (errors & omissions) and related insurance products for Accountants, Investment Advisors, Attorneys, and other professionals. No other national agency can match our personal service and expertise in the risks associated with operating under ERISA; and no other independent agency can match our national recognition for excellence in the Qualified Plan and Investment Advisory insurance and bonding space.  Learn more at naplia.com. 

###

NAPLIA's Stephen Vono was interviewed by Accounting Today for a video on cyber security for CPA firms.  His message - you have a target on your back!

We read with interest a brief article on the Robinson + Cole website that "a new version of the notorious and nasty ransomware Cryptowall, dubbed Cryptowall 4.0, has hit the scene."

Cryptowall 4.0 acts differently than its previous strategy of locking a computer entirely.  It is able to change the names of specific files so you won't be able to find them on your drive.

The primary way that Cryptowall 4.0 infects a computer is through a zipfile with an attachment that looks like a resume, though presumably the file name could be different.  So, be vigiliant about downloading files from emails, particularly from senders you don't recognize or in messages that look suspicious.

It will also be a good idea to back-up your data frequently.

Read the full article

When client files are removed from the office there is an increased risk of loss. It’s easy for an employee to misplace a USB stick, leave important documents on a train or have a company laptop stolen, and client files may then be available to (often non-traceable) third
parties. Firms should therefore only remove client files from the office when such files are necessary for reference in client meetings.

Permission for removal should always be obtained from a manager and portable devices that hold client files should always be encrypted (see guidelines in Chapter 3). Client files should not be stored on portable storage media (e.g., (USB sticks, smartphones, tablets etc.) or laptops for longer than the period of active use if such devices will be removed from the office. Client data should be deleted from such devices when no longer required.

The partner or officer responsible for information security or compliance within your firm should be advised immediately if client files are lost outside of the office. This step is critical to allow you to comply with your incident notification policies and manage any additional damage that the disclosure may cause.

Employees may be reluctant to report a loss, but a firm needs to communicate to its employees the importance for compliance under firm policies and as well as under law. One approach to minimize the risk of not reporting, at least with regards to electronic media, is for the company to only permit company-issued electronic storage media to store client files and to keep inventory of such media. This inventory documents all devices that have access to client files. Keeping the inventory up to date and running regular device checks can provide early notification of losses that may otherwise remain undetected.

Attention should also be paid to the potential for employees to remove client files at the end of their employment. Portable devices, physical documents and even hard drives may easily leave with a departing employee, either as an oversight or an act of malice. The associated risks can be minimized with measures including:

• A departing employee checklist: This checklist ensures that all company-issued devices (and the client files that they may contain) are returned before the employee leaves the company.
• A media sanitization policy that extends to employees’ personal devices: This provision ensures that client files are removed from devices that do not fall under the company’s direct control.

Responsibility for these measures will be more effective if assigned to a named representative. The representative will in most cases be the departing employee’s direct superior.

Check back each month for a new chapter of the NAPLIA cyber ebook.