October is Cybersecurity Month, and Jason Rogers, senior vice president of Gallagher Affinity, details the types of insurance accounting firms should have to protect themselves from cybercriminals and hackers. He also discusses trends and shares some real-life consequences of firms that were not properly covered.
By: Jim DeLuccia, PICPA Communications Manager
Since October is Cybersecurity Month, we thought it most appropriate to go right to PICPA's insurance partner, Gallagher Affinity, to get some tips on the types of insurance accounting firms should have to be sure they are protecting themselves and client data. Joining me for this discussion is Jason Rogers, Senior Vice President of Gallagher Affinity.
I’m starting off with a little bit of a basic question here, but I think it might help facilitate the discussion. What are some of the basic levels of insurance accounting firms should have?
[Jason] When we look at our clients and their businesses, we kind of divide them into two major segments. The first one would be your traditional business insurance exposures. That's going to consist of your property, your GL [general liability], your workers' comp, and even your health insurance. And then you get into more of your specialized insurance for your specific business exposures, and that's really where your professional liability and cyber comes into play. This is really the sleep insurance for the firm, to protect you against lawsuits, and really provides a safety blanket, so to speak, for you and your personal assets that you have within the firm.
How do the types of insurance vary, based on the size of an accounting firm? For example, when you have a sole practitioner versus a firm that has two to five CPAs, and so forth?
[Jason] The type of insurance you're going to purchase is really going to be based on the individual risk profile of the firm. So when we're working with our clients, some of the key areas that we're going to look at are revenues, areas of practice or focus of the firm, the types of clients you might be working with, and the type of partner assets that might be within the firm. We take all that information, and we really use that as a guide to select the right limit of liability, the right deductible, and the right type of coverage. If there are any kinds of endorsements or enhancements that we need to add so that the firm would be covered, we go ahead and do that as well. So, it really comes down to the profile of the firm and the specifics of the firm from there, and really partnering with an expert such as Gallagher Affinity to understand where those exposures are and what types of coverage should be in place.
On the smaller side, I think you also mentioned solo practitioners. One key item to consider, and we've seen it come up quite a bit, is that you might be a home-based solo practitioner working from your home, and you think that you have enough coverage through your homeowner's policy. But one thing you might want to look at is whether or not business property and liability is excluded under your homeowner's policy. Many times it is, so we always advise our clients that it's important that you review your policy and also speak to your agent to see whether or not you have coverage under that homeowner's policy.
I'm glad you pointed that part out. I know that there is, I guess, a little bit of a gray area there when folks work out of their homes. I wanted to transition here to what I mentioned at the top of this broadcast: the dangers that lurk online. What types of insurance should accounting firms have to protect themselves from hackers and cyber criminals?
[Jason] First and foremost is really having a good quality cyber insurance program. That's key to any type of coverage against any kind of hackers or cyber criminals. But not all coverages are built the same. Some cyber policies are in addition to a professional liability policy, so it's almost like an add-on or a sublimit. This is good to have, but it's not going to provide the same robust coverage that a full standalone cyber policy would provide. So what we are really encouraging our customers and clients to purchase is a standalone, dedicated cyber policy.
And really you're going to look for three key provisions when you're looking at that cyber policy. The first one is liability protection against unauthorized release of any kind of personally identifiable information. That's called PII. That's also going to cover any kind of violations of privacy, so if any kind of client information is compromised, this is the liability coverage that protects you. Then there's also legal defense for regulatory investigations. And then lastly, there's breach response coverage, which is really your first-party exposure, and that's responding to an event after it happens: the credit monitoring, the notification that goes into that.
So as you can see, there are a lot of different components to the cyber purchase, and it's important that you understand which ones you're purchasing and which ones you need, and really think about doing that on a standalone basis and having your own dedicated cyber policy.
That's interesting. Speaking along these terms, what are a few insurance trends related to accounting firms that you've noticed in recent months or, say, the last year?
[Jason] We've got a lot of experience working with firms and individuals, but by and large, one thing that continues to pop up is really failing to communicate in writing with clients. Any time you have a conversation with a client or you have any kind of discussion, it's just really good practice management to write down notes and document that conversation. This is especially important at the time of a claim, because many times what's going to happen is the claim comes in, and the allegations are for things that happened in the past. If you have good books and records and are able to show what took place, you're in a much better position at the time of a claim or a dispute with a client.
The other thing that pops up from time to time is referral business. That would be referring one of your clients over to another professional. It could be a financial planner, it could be a lawyer, it could be a realtor. I always say to our clients, it's good practice to provide a list of professionals versus just one professional to that client, and then from there they're able to do their due diligence and figure out which professional is the best fit for them, make more of an informed decision.
But obviously you, as a professional, are going to vet that list and be comfortable with all the professionals that you provide to your client. It really does help provide some separation. We've seen a lot of claim scenarios involving referrals that have gone sideways, so give them a choice, let them make an informed decision, and I think that should help you later down the line.
Wow, okay, that's interesting. And speaking of interesting, or potentially interesting here, what are a few real-life consequences you've witnessed where firms were not properly insured?
[Jason] Sure, and I'll focus on a couple of different cyber examples, since it is Cyber Awareness Month. By and large, one of the largest trends we're seeing is sophisticated phishing schemes. There is a hacker who has access to either your email or a client's email, or sometimes both, and what they usually do is ask for money to be moved or transferred. We had a recent situation where a CFO's and a controller's accounts were compromised, and what happened is they reached out to their CPA to move several million dollars for an acquisition. The acquisition was fraudulent. The money went to a hacker and, not surprisingly, was gone soon after the transfer.
These phishing and wire transfer schemes are very sophisticated, and they are the focus of the hackers. We tell our clients it's very important that, first and foremost, you verify all transactions via phone call: actually speak to your client and make sure that they understand the request has been made and that it is with their knowledge and consent. And then also for the practice, it's important that another person, preferably a partner or a senior partner, reviews that wire transfer before anything is done. Again, helping provide some separation, having another set of eyes look at that transaction is important to make sure that the money doesn't go into the wrong hands.
The other trend we're seeing is ransomware attacks. Essentially what happens with a ransomware attack is a hacker is inside of your system or your network, unbeknownst to you, and they introduce malicious code into your network. That can lock down your computers, it can steal client information, it can do a variety of different things. But typically they're going to lock you out of your own computer, and they're going to request that you send some kind of money, usually cryptocurrency or Bitcoin, to unlock it. Many times what happens is they're in your system for weeks or months, and we've seen a big trend of the hackers taking over the system right around tax season. As you would imagine, if you're a firm getting ready for tax season, or in tax season, and you're locked out of your own network and computer, that could be crippling for the firm.
So a couple of things for you to consider, kind of key steps. Back up all your information regularly. That's very important, so that you can have access to it if you need to recreate your system. Train your people not to open any kind of suspicious hyperlinks or files. Make sure you're installing all of your antivirus software and staying up to date on all of your security updates. And then lastly, establish permissions and restrictions within your network to help cordon off any kind of activity from others outside of your network.
Okay, that's a lot there. It does seem like these attacks are getting more and more sophisticated. Would you agree?
[Jason] Oh, absolutely. You know, CPAs especially have a lot of valuable information. They've got access to clients' books, records, and accounts. Those are the types of things that hackers are trying to get at. So, it's really important that you as a professional take the necessary steps on the front end, proactively, to make sure that your network's protected. But then also on the back end, if you do have an intrusion or you do have an event, that you have the proper cyber liability coverage in place to protect you and the firm. That is crucial.
You've outlined a lot of good information here, Jason. Finally, where can accounting firms turn to research what will work best for their specific situation?
[Jason] As the endorsed broker for PICPA, Gallagher Affinity has a lot of resources that you're able to get. We've been working with the PICPA for over 65 years. Our staff is great. I mean, they are focused on the accountant space. They really work well with a lot of different firms. Small, big, large, you name it, we have clients of all different sizes. But these really are experts, so what they can do for you is walk you through the application process, if maybe you're a new firm or looking to establish coverage. They can review your policy to determine if you have any kind of coverage gaps.
We get a lot of requests from the larger or mid-size firms. Maybe they're taking on a new client, maybe they're doing some new work. We're able to review their policy and make sure they have adequate protection in place. And then lastly, with our book of business, we're able to look at premium levels. We can review your policy, look at where your premium is, and do a comparison to some other peers that we have within our portfolio, making sure that your pricing is fair and adequate.
And then lastly, on the cyber side, we introduced a cyber program several years ago, and really it was revolutionary. If you look at cyber and how you apply for it, even today, it's going to be a long-form application. Most of the questions are very IT-focused. It can be quite a chore to fill out. What we did is, we worked with a couple of our partners to develop an online application, so it's a four-question simplified app. Everything is online. It's all yes/no questions. And you're able to transact through our portal, so you can purchase your policy and pay by credit card. Pricing starts at $299 for our smaller firms, and it's really a user-friendly process. So that's something to consider if you're in the market for cyber, even if you're just shopping around. Take a look at the website, and there's a lot of helpful information there for you.
Great. Well Jason, thanks again for sharing this valuable insight with our listeners. I appreciate it.
[Jason] Not a problem. I appreciate the opportunity, and as always, look forward to helping out members and helping them with their insurance needs.
Visit www.picpa.org/memberdiscounts to get more information from Gallagher Affinity and some of the other services that the PICPA offers there.