Cyber Liability Insurance for CPA Firms
We see the mega data breaches on the news, and wonder if our personal information has been stolen. If some of the world’s largest companies cannot protect personal data with their large budgets, what can a small firm do? One step is to purchase cyber liability insurance. This is a relatively new product offered by a few insurers, and often under a different name and with varying levels of coverage. Being a relatively new product, there’s a lot of catching up to do – so let’s start with the basics for partners to think about.
Known as “first-party insurance,” this type of policy covers the company for loss of its own data or lost income or other damages from a data breach or cyber attack. Coverage may include:
- Legal, technical or forensic investigations of a possible breach or attack, and
- The cost of remediating the damage from:
- The breach or attack, business interruption insurance;
- Payments to extortionists threatening to expose sensitive information; and
- Data loss restoration due to a cyber attack.
“Third-party insurance” covers your clients, and perhaps others you do business with, if your file including their data is breached or attacked. Policies vary widely, but third-party coverage may cover the costs associated with potential consequences or requirements such as
- Responses to civil lawsuits;
- Preparation of responses to governmental inquiries;
- Payment of any related government fines and penalties;
- Notification of clients and other victims;
- Public relations expenses associated with a cyber crisis; and
- Credit monitoring services for clients.
In assessing coverage, start by considering the fact that a CPA firm’s central concern is the loss of client data, not just because of the risk to which the clients are exposed, but also because of the loss of client trust and general reputation to the firm itself. What insurance does the company already have to cover the consequences listed above? Some coverage may already be provided under standard theft protection so you only have select (but important) holes that need to be filled. In particular, look for exclusions for items such as data breaches that happen in-house.
Other steps I recommend include:
- Consider purchasing “Acts and Omissions” insurance for both contracted and in-house activity. If a firm outsources some of its work, the firm may be responsible not only for its acts, but also the acts of the firm it hired and delegated control over the sensitive client information.
- Cost/benefit analysis: we preach it, and here is our chance to do it. Compare the cost of the potential loss against the additional insurance premiums. As a rough guide, the average compromised record costs $154, according to the Ponemon Institute’s 2015 Cost of Data Breach Study. For a CPA or tax preparation firm that earns $100,000 in annual revenues, a $1 million policy can cost as little as $1,200.
- Consider purchasing retroactive coverage for current, unknown existing breaches that have yet to be discovered. Not all insurers have this feature.
While meeting the impending Oct. 15 tax deadline is an annual struggle, there’s often some downtime in late October or early November to assess and address the adequacy of a firm’s insurance coverage. Consider addressing your firm’s cyber needs before the end of the year to to manage the 2016 tax season with more peace of mind.
What specific help is available in choosing coverage? Certainly many insurance brokers can help, but they receive commissions so they are not independent. Outside counsel can help in evaluating risks and scope of coverage. Peers in professional networks can also be helpful.
Valrie Chambers, CPA, PhD, is an Associate Professor of Accounting at Stetson University in Celebration, Fla. She has more than a decade of public accounting experience as owner/partner-in-charge of a CPA firm in Houston that specialized in advising small business owners. Dr. Chambers has been published in numerous journals and received the Texas Society of CPAs Outstanding Accounting Educator Award for mid-sized Texas universities in 2012. She has volunteered for the AICPA and the IRS’s Volunteer Income Tax Assistance in Corpus Christi.
Sign courtesy of Shutterstock.