Is Liability Insurance Enough for Cyberattacks?

by 

Ariel Sandell

CPA firms that depend solely on General Liability or even Cyber Liability insurance are exposed to costly risks. Today, many of the country’s top insurers are really only offering "breach insurance" which means that only the cost of IT remediation and client notification are covered, not third-party (client or government) legal action and fines.

Jul 8th 2021

Given the severity and frequency of cyberattacks, many Liability insurance policies CPA firms hold are now excluding coverage for common cyber security breaches. This leaves many firms exposed to financial, legal and business continuity risks of which they may or may not be aware.

While a cybersecurity liability plan may cover third-party legal action and regulatory compliance fines, these additional riders are usually much more expensive with more requirements to be eligible for coverage. There are also a lot of grey areas when it comes to what is covered—including who is considered at fault for the breach (often, the insured is the one carrying that burden).

For example, top cyber breach insurer, AXA, is no longer offering coverage for ransomware attacks. Considering the devastating potential for a ransomware attack to cripple an accounting firm by essentially encrypting all files on an infected computer or network, rendering them useless, this exclusion and others like it strongly signal that it’s time for the accounting profession to think differently about how firms should plan to protect themselves from these growing threats. But how?

Take a Multi-Pronged Approach

Until now, many cyber breach insurers only required clients to check off a few boxes about their security. Now, they are starting to require even more questions be answered and more in-depth assessments in regard to specific requirements related to cybersecurity, before providing coverage.

This means that to get the comprehensive cyber protection your firm requires in an environment of growing government regulation and insurer coverage claw backs there are more gray areas to address.  With more fine print to read and much more leg work required on your end before you can access a level of coverage that will mitigate the maximum amount of risk and exposure, it’s important to do a deep dive into what is really required of your firm.

Considering just the compliance requirements alone, for the GLBA/FTC Safeguards Rule, IRS Data Security Plan and state-based requirements such as the New York SHIELD Act, NYDFS, as well as federal regulations including HIPAA . Clearly, this is is a complex process that requires more than a once-a-year liability insurance renewal check to accomplish successfully.

One Facet of a Robust Response

In order to ensure your firm is truly protected, you need to take a multi-pronged approach including the following steps:

1. Learn about the current IRS requirements for data security specific to tax preparers as well as other regulations and risks that your firm may be exposed to.

2. Conduct a thorough cyber liability assessment to identify the potential risks for your firm.

3. Using this assessment, look for gaps in your current coverage.

4. Create a plan to close these gaps with a comprehensive assessment of where your firm’s cyber liabilities are at present and the specific steps you need to address them to prevent future issues.

5. Compare liability insurance policies and cyber riders to select coverage that maximizes your protection at a reasonable cost.

6. Create and update the required documentation for the IRS, other governing bodies and any insurer you are working with as well as laying out a written plan for how you are protecting your clients’ data and all of the sensitive information your firm handles.

7. Ensure that data security and cyber risk mitigation plan and training are distributed to your employees and any third-parties who need to be aware of it.

It’s key for accounting firm owners and partners to remember that just like health insurance and life insurance have never prevented anybody from getting sick or dying, only having cyber breach or liability insurance has never stopped anyone from getting hacked, breached, or worse.

Your firm needs to focus not only on maximizing its insurance coverage, but also put a process in place for learning about your specific risks related to the type of practice and clients you have. In addition, ensuring your firm has a comprehensive data security plan that meets the requirements of the governing bodies that impact it.

Is Your Firm Prepared?

This question may be one of the most critical ones you ask yourself as a firm owner or partner, because as we have laid out here there are many serious cyberattacks and risks which could threaten the very existence of your firm. The good news is, there are companies who specialize in assisting accounting professionals specifically with these often time-consuming, burdensome but mission-critical tasks.

For professional consultation consider engaging with a third-party with the specialized expertise you need to truly protect the practice and client trust you have worked so hard to build.