3 Cyber Insurance Tips for CPAs and Accounting Firms

The modern risk management landscape presents numerous areas of potential exposure for professional insureds, including accounting firms and professionals. A first-party policy covers an insured s own losses or damage to the insured s property, such as in the event of cyberattack. In contrast, a third-party policy covers losses resulting from the insured s liability to a third party and arises once the third party has asserted a claim against the insured, which can take many forms.

To maximize recovery in the event of a loss or claim, here are three tips for account ing firms and professionals to consider.

Have a Plan for Cyberattacks

Recent years have seen a massive increase in cyberattacks, which can take many forms, including ransomware, extortion, data breaches, client data theft, wire transfer fraud, social engineering, phishing, spear phishing, email spoofing and other forms of email hacking and account compromise. To make matters worse, the rise of artificial intelligence may only compound these threats by giving bad actors more tools and means of attacking unsuspecting firms. Due to their widespread prevalence, the question has become when, not if, an insured will suffer a cyberattack.

Fortunately for insureds, cyber insurance can cover many of these losses. One way to streamline a firm s coverage is to get their preferred cyber forensics vendor preapproved and listed on their cyber policy. If the firm suffers a cyber-attack, the last thing it needs is a challenge from its insurer regarding the appropriate forensics firm to investigate the loss and whether the rates are reasonable. Similarly, many cyber policies cover notice, crisis and public-relations costs incurred due to cyberattacks. The policyholder can also request preapproval for these preferred firms.

In addition, several other types of policies can cover cyberattacks and similar events, including crime, property, commercial general liability and professional liability policies, sometimes under sublimited coverages in endorsements added to the policies. In the event of a data breach, the best practice is to cast a wide net and report the claim under any and all potential coverages. There is no rule that only cyber policies can cover data breaches   the plain meaning of the coverage is paramount.

Reporting

Cyberattacks can also lead to claims from clients, affected third parties or regulators alleging that the insured failed to adequately safeguard client data. In addition to the aftermath of a cyberattack, third-party claims can also take place in many other contexts and take other forms, including demand letters, subpoenas, civil investigative demands and requests to toll statutes of limitation, among others. Insureds should be aware that there are many types of covered claims, so firms should provide notice to any insurers that may potentially provide coverage for the claim.

Tailor Coverage and Prepare Your Defense

Insureds can tailor their third-party coverage to meet their needs before a potential claim. Many professional liability policies provide coverage for claims alleging wrongful acts by the insured in its rendering or failure to render professional services. CPAs wear many hats and provide a variety of services to their clients. One best practice is to ensure that the description of professional services in your professional liability policy adequately encompasses all the services your firm provides to clients. Like cyber policies, insurers of third-party liability policies may preapprove a firm s preferred defense counsel and its hourly rates. Insureds should also be aware of insurer attempts to change the agreement after the fact, as insurers often try to impose hourly rate caps or litigation management guidelines not included or referenced in the policy.

Forewarned is forearmed — there are a variety of sources of cyber exposure and potential liability in today s risk landscape, but with a bit of prior planning, accounting firms and professionals can better protect themselves in the event of an attack or claim.