With data breaches and cyber hacks dominating the headlines seemingly every day - Equifax and Yahoo are just the latest big name companies to report a mega-breach - business leaders are becoming ever more concerned about hackers and other breaches in data security.
This threat is doubly vexing for accounting firm leaders, who face the dual challenge of not only protecting their information as a business, but also protecting client information.
Data breach laws have now been adopted by 47 states in the U.S. Potential exposures and risks for closely held company directors and officers are now reaching the level of publicly held companies, according to CPA Mutual, a national risk retention group and accounting firm liability coverage provider.
Judges are less likely to throw out claims than they were in the past, even for small and mid-sized independent public accounting firms. Liability not only affects the business, but also can extend to individual leaders.
According to CPA Mutual, since offering cyber coverage to their clients, members have experienced 18 cyber losses. On average, these have cost just under $17,000 with the most expensive claim to date coming in at $166,000. Since 2015, the number of claims has doubled each year.
Given this climate, says Bill Thompson, CPA, RPLU, President of CPA Mutual, it is imperative CPA firm leaders regularly review their cyber liability policies to ensure they have the best plan in place.
Some insurers like CPA Mutual that offer cyber liability insurance also have resources for risk mitigation and disaster planning. However, cyber liability insurance primarily covers the costs associated with an actual breach, according to Kari Stern, senior claims manager with NAS Insurance in California.
“That’s where the most expense is: costs associated with counsel for legal advice and draft notices. There are IT forensics costs to determine where the breach occurred and to what extent data was compromised,” Stern says. “If you need to give notice and have clients in multiple states, drafting notices becomes really important so that it’s done efficiently. Each state has different notification requirements. You may also need a call center set up to handle queries once the notifications go out.”
Other costs covered in cyber liability coverage (depending on if you have first-party or third-party policies) include:
Business interruption and public relations costs
Infringement of copyrights and trademarks
Ransomware payments
Credit monitoring services offered to clients
Data restoration and security upgrades
Additional legal claims or lawsuits
A few general examples of the types of data breaches CPA firms can experience include everything from the “happy-hour loss” of a laptop containing personal client information to wire fraud or ransomware attacks.
According to the 2017 Ponemon Cost of Data Breach Study by the Ponemon Institute, the average cost for each lost or stolen record containing sensitive and confidential information decreased from $158 per record in 2016 to $141 per record in this year’s study. However, the average size of data breaches has increased 1.8 percent to more than 24,000 records per incident. Doing the math, that equals more than $3 million in data value at stake.
Stern cautions that each cyber liability policy is different, in that some don’t cover your cloud provider or other vendors or third parties that may access your system. Those vendors or third parties can include everyone from clients accessing the system from client portals, third party IT contractors, or, possibly, representatives from regulatory agencies, for example.
Those vendors may have less secure protocols. “A lot depends on where your information is stored. You may have an insured server, but are you allowing a third party to access your server to perform certain tasks? You could also be at risk by sharing information via shared drop boxes,” Stern says.
Thompson says there should always be clear language in any agreements in force between the firm and third parties, relative to confidentiality of client data and responsibilities, should a breach occur because of an error or lapse in security on the part of the third party.
“I remind our members that the Target [retailer] breach was primarily caused by a virus introduced into Target’s systems by their HVAC contractor,” Thompson says.
Strong and regularly changed passwords and an employee base that is consistently and repeatedly monitored for good security practices are still the top two ways to mitigate risk of a data breach, according to Stern. “When required, give employees and the employees of vendors their own passwords. That way, even if an employee is terminated at the vendor level, you can cut off that access,” Stern says.
“Ultimately, the insured accounting firm is the one exposed to liability,” Thompson notes. “Make use of your insurance provider’s cyber liability resources page, if available, to help mitigate your risk. Then carefully review your options with regard to cyber liability insurance. Not all policies are created equal.”
Deanna Arteaga is a professional freelance writer and public relations specialist who for the past six years has covered CPA industry trends for AccountingWEB. She also writes about CPA firm marketing, higher education and professional development for CPAs, and workplace trends in the accounting profession. She has more than 20 years...