McGowanPRO Professional Liability Blog / Resources / Articles

CPAs keep vast troves of valuable personal data that cybercriminals are itching to get their fingers on.

So far, the most notorious CPA breaches have culminated in identity thefts that led to fraudulent tax returns. Those cases became the bane of recent tax seasons when victims tried to file their taxes with the IRS and found that a hacker had used their personal data to file a fraudulent return and get an illicit refund.

An IRS-led crackdown slashed those kinds of cases in half last year, USA Today reported, but that still amounted to 787,000 fraudulent returns processed in 2016 alone. And the crackdown is not exactly good news for CPAs. After all, the news headlines about tax-return fraud make CPAs an inviting target.

Why cybercriminals want to breach CPA firms

Let’s quickly review the kinds of private data CPAs have in their computer systems:

• Full names and addresses
• Social Security numbers
• Telephone numbers
• Bank account and routing numbers
• Employment, income, and expense information
• Brokerage information
• Confidential client communications

It’s difficult to imagine what cybercriminals could not do with all this data. With names, addresses, and Social Security numbers, hackers can use phishing, malware, and other tactics to break into people’s home computers, access their logins to their banks and financial providers, and clean them out.

Another cybercriminal favorite, information on the financial condition of CPA clients is extremely valuable. And private email or text-message conversations between CPAs and clients can wreak havoc if they are made public. When these kinds of confidential information fall into the wrong hands, there’s no telling how much damage can be done. But it’s safe to say the liabilities could cripple many CPA organizations — if they lack cyber insurance.

Ransomware Underscores Risks CPAs Face

Ransomware is the most serious and insidious cyber threat to emerge in recent years. Cybercriminals using a range of tactics sneak into organizations’ computer networks, take up residence and wait for a vulnerable moment to strike — encrypting systems and demanding a ransom in return for decrypting them.

If undetected, these breaches can give cybercriminals widespread access to computer networks and the sensitive data within them. So, your CPA firm could pay the ransom to get your systems back online and still face the risk that private client data now belongs to cybercriminals.

What’s more, many ransomware attackers these days refuse to unlock computer systems after they get their money, potentially creating ruinous downtime for organizations that depend heavily on their computer networks.

Regulatory demands are expanding

New York State created new cyber security rules in 2017 for organizations that report to the state’s Department of Financial Services (DFS). Generally, CPA firms are not covered (yet), but given that many CPAs work with financial companies, they still need to be familiar with the regulations.

As CPA Journal put it: “In order to counsel these businesses, CPAs must understand the new regulations and their impact. In addition, it makes sense for CPA firms to be proactive in adopting the new regulations, as the profession itself is likely to be included in future regulatory efforts.”

New York’s rules provide a broad outline for safer cyber security practices. According to CPA Journal, New York’s rules require covered companies to:

• Assess current risks to create a cybersecurity program and put cybersecurity policies in place.
• Create a plan to dispose of nonpublic information they don’t need anymore.
• Review and limit access privileges.
• Ensure third-party service providers are secure.
• Assign a chief information security officer (CISO).
• Train employees and monitor authorized users.
• Craft an incident-response plan.
• Establish multifactor authentication.
• Conduct penetration testing and vulnerability assessments.
• Establish security policies for applications developed in-house.
• Encrypt data at rest and in transit.
• Establish an audit trail.

These kinds of practices reflect the principles of sound cyber hygiene that every company that any firm would be well advised to follow (and may well have to if more states adopt the rules). Also, companies that implement programs and policies to secure private data can potentially reduce their overall liability in a breach (though this depends on the facts of an individual lawsuit).

With cyber risk rising every day, a comprehensive network-security program is just one component of a sound risk-management program. Another crucial component is a cyber insurance policy that can protect your organization if it becomes the target of litigation.

A cyber insurance policy for CPAs can cover legal liability from:

• Theft, loss, or unauthorized disclosure of private data or third-party corporate information.
• Failure to comply with state breach notice laws.
• Failure to comply with the insured’s privacy policies.
• Failure to administer an identity theft prevention program required by governmental regulation.
• Unauthorized access, theft, or destruction of data.
• Denial of service attacks and virus transmission involving the insured’s computer systems resulting from computer security breaches.

All these risks underscore why professionals like CPAs should look into cyber coverage from McGowanPRO. We can help CPAs in organizations of all sizes get the right cyber coverage for their exact needs.

 If you would like to speak to a professional advisor concerning your company’s exposure to cyber risks, please contact Rob Ferrini at McGowanPRO. 508-656-1327 or rferrini@mcgowanpro.com 

By John Raspante, CPA, MST, CDFA, Director of Risk Management

Many claims faced by CPAs have their origin in breach of contract causes of action. While the more prevalent claims assert negligence as the cause of action, breach of contract is growing in frequency. NAPLIA’s book of insureds have been indoctrinated on the use of engagement letters and client termination letters. Nevertheless, when a CPA ceases to provide services or simply stops work, the knee jerk reaction by the client is to allege a breach of the contract has occurred.  Consider the following claim scenario:

ABC accounting firm has provided bookkeeping, payroll tax preparation, and corporate tax preparation services for their longtime client BEST Manufacturing (BM). An engagement letter is in place, but contains no stop-work provision. Thirty days prior to the due date for the corporate tax return the CPA firm decides on ending the client relationship and sends BM a standard client termination letter. The letter contains the basics of a solid termination letter and includes the status of unpaid fees, ABC's willingness to assist the new CPA firm, pending due dates, and the reason(s) for the termination. It should be noted, the reasons for the termination centers around the unpaid fees and possible corporate tax filings in other states as a result of what ABC feels are BMs satisfying corporate tax NEXUS requirements is these states. BM insists that the fees will be paid as they have just opened locations in other states and cash flow will improve. With respect to the NEXUS requirements being satisfied, BM states they will register later in the year and other manufacturers they know of do not file in those states. 

As a result of the termination, BM is appalled and feels this should have been discussed and not facilitated by a letter. After all, the relationship has spanned several decades and the managing partner’s father serviced the BM prior to the formation of ABC. Second, BM feels they were not provided ample time to locate a new CPA Firm, and opposes going on extension. Several calls are placed to ABC by BM and they go unanswered. As the managing board at BM grows more infuriated, they finally call their corporate council and serve a complaint to ABC alleging breach of contract. In addition, they file an ethical complaint with the state board of accounting alleging violations of the accountancy act.

LESSONS

While the majority of the problems faced by ABC could have been averted by a stop-work caveat (the focus of this article) which we have included, the following are also recommended to effectively deal with client terminations: 

• Allow for ample time, if possible, when terminating. This termination occurred 30 days prior to the due date of the corporate tax return.
• Begin the process of terminating with a phone call and or a meeting as opposed to simply sending a letter giving BM little time to shop for a new CPA firm.
• Discuss the reason(s) for termination. While the unpaid fees were important, the NEXUS issue was the real reason for terminating. ABC should have explained that a NEXUS study should have been conducted and what others do or don’t do does not satisfy professional standards.

SAMPLE WORDING 

If I elect to terminate my services for nonpayment, or for any other reason provided for in this letter, my engagement will be deemed to have been completed upon written notification of termination, even if I have not completed your return.  You will be obligated to compensate me for all time expended, and to reimburse me for all of our out-of-pocket costs, through the date of termination. In addition, I will be held harmless from any resulting damages caused by this termination.

North American Professional Liability Insurance Agency, LLC (“NAPLIA”) is pleased to announce a business alliance with Accountants Advisory Group, LLC (“AAG”), effective immediately.

Recognizing that risk management goes beyond matters of professional liability, NAPLIA has entered into a strategic alliance with AAG.  NAPLIA’s clients will now have direct access to AAG’s accounting expertise and full range of advisory services. NAPLIA is aligning with the leaders of today’s accounting firms as they work toward achieving long term success by growing their practices — organically and through M&A — increasing profitability, and developing succession plans. In addition to practice management advisory services, AAG can provide outsourced marketing and lead generation services to NAPLIA’s clients to provide them opportunities to:

• Attain above average growth each year
• Avoid an upward merger
• Replace retiring rainmakers
• Increase client realizations through engaging higher quality clients
• Become more competitive in their marketplace by implementing new niche and specialty services
• Continuously upgrade their client base
• Have access to marketing professionals who have diverse talents and years of experience in the accounting industry

Through AAG’s vast network of resources, NAPLIA’s clients will also have access to a full range of M&A consulting, recruiting resources, and partner retreat services to support their growth and assist in succession planning.

As an example of NAPLIA and AAG’s commitment to CPA firms’ success, the firms will jointly offer webinars on a variety of topics, such as:

• Risk Management in M&A
• Target marketing and lead generation
• Advisory and value added services
• Using M&A as a growth and succession plan
• Growth initiatives through industry and niche specialization
• Partner performance compensation and accountability programs
• Recruiting: best practices and risk management
• Partner retreats and strategic meetings
• Practice management subjects, including partner compensation structure, leadership, partner governance, succession planning strategies, etc.
• HR-related topics

NAPLIA aims to differentiate from other insurance agencies by providing “more than just a policy.” Stephen Vono, Principal, says “NAPLIA is dedicated to providing CPA firms with continuous risk management and practical learning opportunities to keep our clients’ firms protected.  This alliance with Accountants Advisory Group will allow us to provide our clients with a broader range of resources from some of the top minds in the profession.”

Joe Tarasco, the CEO of AAG, said, “It's not enough for the leaders of today’s public accounting firms to insure themselves against professional liability risk. They need to manage their succession planning risks, as well as, the risks of diluting the value of their practices. We look forward to assisting NAPLIA’s clients in adding value to their practices along with implementing successful succession plans for the future.”

Background:

North American Professional Liability Insurance Agency, LLC (“NAPLIA”) is an agency well-known and respected in the accountants’ professional liability industry for close to 20 years, and is the managing general agent (MGA) for CPA ProSecure. The professionals at NAPLIA have decades of specialized experience in providing professional liability, and related insurance products to public accounting firms. We are proud members of the Professional Liability Underwriting Society (PLUS), the Better Business Bureau, and hold the highest ranking from Dun & Bradstreet for companies our size.

Accountants Advisory Group, LLC (“AAG”) is a national and international consulting firm specializing in Certified Public Accounting firms in the areas of succession planning, growth strategies, strategic planning, marketing and lead generation, mergers and acquisitions, and recruiting.   www.accountantsadvisory.com

On July 18, 2016, Gary Sutherland and Paul Smith headed to New York to attend the IA Watch and BD Watch conference on the Department of Labor’s New Fiduciary Rule: How Your Business Must Change.

The time was well spent, except for perhaps, the traffic on the way back.  Here are the top five things we learned about the new fiduciary rule.

1.  Hearing from the legal and compliance experts on the new DOL fiduciary rule you couldn’t help but hear the following themes.

• Major time commitment
• Major allocation of resources and money
• Technology must lead the way to compliance
• In some cases professionals are still in “denial”
• The use of independent outside consultants
• Lots of work for the ERISA attorneys

• Limit product offerings
• Level compensation
• Combination of both

• Scope
• Arbitration
• Standard of Care, best interest standard and advisor compensation
• Warranties
• Disclosures

• Leave it alone
• Cash it out
• Bring with you to the new employer
• Give it to the advisor

5. Additional comments

• Robo Advisors for small plans and IRAs will be the norm not the exception
• “Good compliance is good business”
• Level fees and inactivity surveillance guidance
• Level fee and the use of BICE light
• Original signed BICE agreement must be kept for 6 years
• ERISA claims no “right” to a jury
• BICE equals best interest contract exemption

John Raspante of NAPLIA explains how engagement letters can market additional services, limit liability, and help with dispute resolution.

Watch the video on the Accounting Today website.

Visit engagementletters.com for sample CPA firm engagement letters.

John Raspante, Director of Risk Management, NAPLIA was interviewed by Accounting Today on the malpractice risk areas for CPA firms.  Areas discussed include: Affordable Care Act, FATCA, SSARS 21 and the overturning of the Defense of Marriage Act.

 "Not if, but when" John warns.

Watch the video on the Accounting Today website.

Stephen Vono, Partner, NAPLIA was interviewed by Accounting Today on the importance of Engagement Letters for CPA firms.

Watch the video on the Accounting Today website.

For sample engagement letters, visit engagementletters.com.

The Investment Advisor’s Guide to Errors & Omissions Insurance offers exclusive insight providing: 

• Clarity to the Insurance Evaluation Process 
• Specific Guidance and Roadmap to Improved Outcomes 
• Risk Management Resources for your Practice

What are insurance underwriters looking for in an investment advisor’s application for errors & omissions (aka professional liability) insurance? It is a question that we are often asked, and due to the complexity of the risk, the answer is never simple.

Applicants’ unique risk characteristics are not always apparent – even to themselves.

The Investment Advisor’s Guide to Errors & Omissions Insurance will help you anticipate areas of underwriter concern as it relates to your specific investment practice, helping you internally evaluate your risk exposures and better define your activities and professional services.

In several chapters we have offered our opinions which are based on 20-plus years of negotiating insurance coverages and working in the investment advisory space. Naturally, we cannot promise that all insurance carriers follow the same guidelines — or treat similar information uniformly — as we make clear in the following pages.

We have tried to anticipate questions — from the most basic to the more nuanced — while digging deeper into the prevailing wisdom of current underwriting concerns and carrier tendencies. We will update this guide as newly-defined and evolving risk exposures find their way into our applications.

The object of this guide is neither based solely on the reduction of premium or pricing, nor does it suggest altering your application in any way that is not 100% accurate to circumvent the concern of adverse underwriting (because doing so could potentially void coverage). It is critically more important to make sure coverage is correct and exposures are covered without gaps; or any deficiencies are understood and assessed appropriately.

If you have questions about errors & omission insurance, please contact us.  We'd be glad to answer any questions or help you review a competitive quote.

When client files are removed from the office there is an increased risk of loss. It’s easy for an employee to misplace a USB stick, leave important documents on a train or have a company laptop stolen, and client files may then be available to (often non-traceable) third
parties. Firms should therefore only remove client files from the office when such files are necessary for reference in client meetings.

Permission for removal should always be obtained from a manager and portable devices that hold client files should always be encrypted (see guidelines in Chapter 3). Client files should not be stored on portable storage media (e.g., (USB sticks, smartphones, tablets etc.) or laptops for longer than the period of active use if such devices will be removed from the office. Client data should be deleted from such devices when no longer required.

The partner or officer responsible for information security or compliance within your firm should be advised immediately if client files are lost outside of the office. This step is critical to allow you to comply with your incident notification policies and manage any additional damage that the disclosure may cause.

Employees may be reluctant to report a loss, but a firm needs to communicate to its employees the importance for compliance under firm policies and as well as under law. One approach to minimize the risk of not reporting, at least with regards to electronic media, is for the company to only permit company-issued electronic storage media to store client files and to keep inventory of such media. This inventory documents all devices that have access to client files. Keeping the inventory up to date and running regular device checks can provide early notification of losses that may otherwise remain undetected.

Attention should also be paid to the potential for employees to remove client files at the end of their employment. Portable devices, physical documents and even hard drives may easily leave with a departing employee, either as an oversight or an act of malice. The associated risks can be minimized with measures including:

• A departing employee checklist: This checklist ensures that all company-issued devices (and the client files that they may contain) are returned before the employee leaves the company.
• A media sanitization policy that extends to employees’ personal devices: This provision ensures that client files are removed from devices that do not fall under the company’s direct control.

Responsibility for these measures will be more effective if assigned to a named representative. The representative will in most cases be the departing employee’s direct superior.

Check back each month for a new chapter of the NAPLIA cyber ebook.