
Is Liability Insurance Enough for Cyberattacks?


CPA firms that depend solely on general liability or even cyber liability insurance are exposed to costly risks. Today, many of the country’s top insurers offer only "breach insurance," which covers only the cost of IT remediation and client notification, not third-party (client or government) legal action and fines.

Jul 8th 2021

Many liability insurance policies that CPA firms hold exclude coverage for common cybersecurity breaches. This leaves many firms exposed to financial, legal and business continuity risks of which they may or may not be aware.

While a cybersecurity liability plan may cover third-party legal action and regulatory compliance fines, these additional riders are usually much more expensive and there are more requirements to be eligible for coverage. There are also a lot of grey areas when it comes to what is covered—including who is considered at fault for the breach. (Often, the insured is the one carrying that burden.)

For example, top cyber breach insurer AXA is no longer offering coverage for ransomware attacks, which have the potential to cripple an accounting firm by essentially encrypting all files on an infected computer or network, thereby rendering them useless. This exclusion and others like it make it clear that it’s time for the accounting profession to think differently about how firms should plan to protect themselves from these growing threats. But how?

Take a Multi-Pronged Approach

Until now, many cyber breach insurers only required clients to check off a few boxes about their security. Now, they are asking even more questions and completing more in-depth assessments regarding specific requirements related to cybersecurity before providing coverage.

Getting the comprehensive cyber protection your firm requires in an environment of growing government regulation and other obstacles can be a challenge. Because there's more fine print to read and more legwork required to access the level of coverage that is best for your firm, it’s important to research what the requirements are to qualify.

One Facet of a Robust Response

In order to ensure your firm is truly protected, you need to take a multi-pronged approach, including the following steps:

1. Learn about the current IRS requirements for data security specific to tax preparers as well as other regulations and risks that your firm may be exposed to.

2. Conduct a thorough cyber liability assessment to identify the potential risks for your firm.

3. Using this assessment, look for gaps in your current coverage.

4. Create a plan to close these gaps with a comprehensive assessment of where your firm’s cyber liabilities are at present and the specific steps you need to take to address them to prevent future issues.

5. Compare liability insurance policies and cyber riders to select coverage that maximizes your protection at a reasonable cost.

6. Create and update the required documentation for the IRS, other governing bodies and any insurer you are working with, and lay out a written plan for how you are protecting your clients’ data and all of the sensitive information your firm handles.

7. Ensure that data security and cyber risk mitigation plans and training are distributed to your employees and any third parties who need to be aware of them.

Remember that health insurance and life insurance have never prevented anybody from getting sick or dying; likewise, having cyber breach or liability insurance will never prevent anyone from getting hacked, breached or worse.

Your firm needs to focus on not only maximizing its insurance coverage, but also putting a process in place for learning about the specific risks related to your practice and clients. In addition, ensure your firm has a comprehensive data security plan that meets the requirements of the governing bodies that impact it.

Is Your Firm Prepared?

This is among the most critical questions to ask as a firm owner or partner because there are so many cyberattacks and other risks that could threaten the very existence of your firm. The good news is there are companies that specialize in assisting accounting professionals specifically with these often time-consuming and burdensome, albeit critical, tasks.

For professional consultation, consider engaging with a third party with the specialized expertise you need to protect the practice and the client trust you have worked so hard to build.