In this episode, Rudy Rudolph, Executive AICPA Risk Advisor — AON, and April Walker, CPA, CGMA, Lead Manager — Tax Practice & Ethics, AICPA & CIMA, discuss how data breaches can cause acute and lasting issues to victims.

Small businesses are often easy targets for cyber criminals because they typically have less security in place than larger companies. A customized cybersecurity insurance policy can help mitigate risks and provide coverage in an evolving market to protect your organization.

What you’ll learn in this episode

• Questions companies need to ask about cyber security insurance (0:59)
• The most common types of cyber attacks (3:56)
• Usual misconceptions about cybersecurity (6:14)
• Types of costs that cyber insurance covers (8:37)
•  Items not generally covered by cybersecurity insurance (11:12)
• Insurance consequences of not following your own cybersecurity policies (13:27)
• Rudy’s final thoughts (15:35)
• A page from Rudy’s travel journal (17:23)

AICPA resources

• Best practices for data security and cybersecurity incident mitigation — Learn about general, preventative and reactive data security tips to implement to keep data protected from identity theft.
• Cyber insurance solutions | AON — AON’s brokerage team understands the risks and how to arrange coverage in an evolving market. It’s not one-size-fits-all, so AON teams with you to create a custom cyber insurance policy fit for your organization.  
• Cybersecurity Lab — Building a nimble cybersecurity response plan | Tax Section Odyssey — In this podcast, Ashley Grover, Cybersecurity Threat Intelligence Analyst — Sylint, discusses how the cyber threat landscape continues to change rapidly. Keeping up with the latest cybersecurity trends is vital to not fall victim to attacks and data theft.
• Gramm-Leach-Bliley Act (GLBA) Written Information Security Plan Template — The GLBA Act requires financial institutions to have a written information security plan. Use this template to document your firm’s policies.
• Identity Theft Checklist | Tax Identity Theft Toolkit — Provide this checklist to clients to help them appropriately and efficiently address identity theft issues and access additional resources.

Transcript

April Walker: On today's podcast, listen to hear more about cybersecurity insurance for CPA firms.

Hi everyone and welcome to the AICPA's Tax Section Odyssey podcast, where we offer thought leadership on all the things tax facing the profession. I am April Walker, a lead manager from the Tax Section and I'm here today with Rudy Rudolph.

Rudy is an executive risk adviser with AON and his role is helping to educate CPA firms on insurance coverage available through AON's AICPA program. Since that's his role, that's what we're going to do today.

Specifically, we're going to delve into cyber insurance. What you need to know if you or your firm don't have this type of coverage or if you have it and you really want to understand what kind of coverage you have or know what questions to ask to be able to get more information about that.

Rudy, let's start off with a company or a CPA firm that doesn't have this type of insurance. What questions will they have to answer during the application process for cyber insurance?

Rudy Rudolph: One of the things I've learned is one of the great parts of the cyber application process is as much as it's filling out an application, it's also almost like a little checklist of helping the firm think of things that they want to implement or should be implementing or even just to have in mind just in general with how they deal with their own internal networks and systems. That's a great thing to look at the cyber application as is.

It's also a guide to help you consider what should be in place, almost like a little checklist. But a lot of the things that they can expect to be answering is mostly encryption and how things are protected within their network and system.

I think most people sometimes tend to overthink the encryption word and think it’s some sort of involved process when really it's just, can someone off the street walking into your office and access information without providing any type of login credentials and password, especially with thumb drives and emails and even external hard drives.

But having those protected with passwords and encryptions, and it's easy to do, that they can expect to see on a cyber application a lot of things making sure that there's backups done weekly or however many and then also if they're retaining any type of payment card information or PCI or personally identifiable information, or PII, as well as the types of transactions, estimate number of transactions in any given year are some of the big things to consider, have in mind, and that they'll see and/or be answering on those applications.

April Walker: I like the way you say it's a checklist of things that you should already be thinking about. You have probably heard me talk on this podcast before and we'll probably talk about it again about security plans and what are the requirements are for CPA firms, and it would seem like that those would go hand in hand.

There are requirements to have a written information security plan. Hopefully you know that, if you don't, that's a takeaway from listing today. But as you're going through that plan, I would think that would be important information you're going to have as you're going through that application.

This is just more of a curiosity question, but I know that until you're hurt, you think it can't happen to you. But then what you do, it's a very traumatic event. Can you talk to us a little bit about what type of cyber attacks are the most common, specifically for CPA firms as that's our topic for today.

Rudy Rudolph: Absolutely. Especially since the COVID pandemic, it seemed like computer or cyber criminals who had nothing better to do, but to sit around and think of different ways to get easy money or an access.

The biggest thing since the pandemic that's been on the rise has been ransomware attacks, which are in part more broadly categorized and they fall under the malware umbrella, I guess if you would, for cyber attacks. Basically, just hacking into or getting into accounting firms, networks and data and basically holding that information ransom until they pay a specified amount.

When I think a lot of accounting firms that are under the mindset that they're too small to be attacked or come under a cyber attack when really cybercriminals target smaller firms because they believe that they're under that mindset that [they] are too small to and maybe don't have the resources and the security measures in place to keep them out.

It's actually reported that it's 30% of all cyber attacks are focused on attacking small businesses because of that lack of cybersecurity measures. Malware and more specifically ransomware have been the number one cyberattacks especially since the COVID pandemic.

April Walker: I feel like I've heard some horror stories of those happening to firms and it always seems to happen March the 3rd or something like that, sometime that’s not very convenient for when they're very busy. It's definitely something to be concerned about.

Let's talk about misconceptions. What do you hear that people do not have right about cybersecurity, either people who have coverage or people who don't think they need coverage?

Rudy Rudolph: The two biggest things I always hear when talking to firms is either one, are not big enough, I'm just a smaller shop that wouldn't have to worry about this now and come after me. That's one of the biggest misconceptions and really they're probably one of the bigger targets, actually, because of the potential lower security measures they have in place.

They have so much data and records or their clients that they're preparing tax returns for and someone could get that information and that's easy identity theft, right there. You can get X amount of people, however many clients you have, you can get all of their names, date of birth, social security numbers, addresses. Right then and there, that's a huge risk and misconception that some of the smallest firms have.

The second is a lot of firms always come to me, we don't have anything, we don't house any data or have any storage software on-premises. Everything is done third-party by Cloud. They handle that, so I don't really need to worry about it, which is not the case.

They may be hosting your information and everything, but if that company gets hacked, now what do you do? If you can't get into anything and they're down and running, what happens then? Even if you are having a third party post your information, you should always have some sort of business continuity and disaster recovery plan in place for that type of scenario.

Keep coming back to COVID. No one saw that coming. Now, we have the hindsight of, if something like this were to happen, now what do we do? I think of it like that, having a plan in place if the unthinkable were to happen, what are you going to do? You can't just sit there like a sitting duck and wait for something. You should have or at least I think you would want to have some sort of plan in place for contingency.

April Walker: Makes a lot of sense. To find out a little bit more about cyber insurance and how it works, I know there's no way to describe every policy. Every policy is different as you're working with a firm, but let's talk generally about what types of costs that cyber insurance does cover and then almost more importantly, I think for people to hear is what costs are not covered.

Rudy Rudolph: The first and foremost, what the cyber policies and cyber insurance covers is identifying any potentially affected individuals that may be affected or impacted by the breach of your network or system, and also the notification to those affected and credit monitoring for them for the next year.

Those are all required by every state. Each state has different regulations, but those are required by all states. If you don't have an insurance policy in place, you're going to have to pay those costs out-of-pocket regardless because it's a state mandate and requirement to provide for it in the event of a breach. I think that's the biggest thing that the policies cover for most firms.

The second biggest is the forensic analysis and identifying that breach, how it occurred and identifying that and making sure that that doesn't happen again. It also provides coverage for data restoration, getting your network backup and running to the condition it was in prior to any type of breach or a hack.

Then depending on the policy, you can opt in for this, sometimes it's generally in a policy right off the bat, but business income or business interruption, so loss of revenue. I think about 200-300 days on average to identify and contain a cyber breach.

Hopefully, they don't get there, but in that time period without your network, you're not really able to operate as you normally would, as if you were able to access all those files, your internet, your emails, getting stuff out to clients and everything like that. That's costing you. The policies tend to cover the cost of that. I think most of them have some calculation to determine that number until you're back up and running.

April Walker: Got you. Then can you think of anything that is specifically not covered that you can think of?

Rudy Rudolph: The biggest thing that we've actually been dealing with for the past few years has been social engineering. More importantly, when someone, we always refer to them as bad actors, using email address that is made to look like either a bank or one of the accounting firms email, but it's really not.

The easiest way to do this is sometimes they'll use an uppercase I to replace an L just as an example in an email address. Then if they're posing as a bank, they'll email the firm. If they're posing as the firm, they'll email client saying, “Hey, you didn't send this amount of money or payment for the services”, whatever it may be, and asks you to send payment to a specified account.

A lot of the times these aren't covered by cyber policies unless you have the specific endorsement coverage that covers four types of social engineering, it not being a breach, there's no breach that took place and the bad actor was using a legitimate email address.

Now, while it wasn't the firm's, it was still a legitimate email address because they changed a letter or something in there to look like the firm or the bank's email address. There was again, no breach, no wrongdoing, so some cyber policies may not be able to provide coverage in that type of scenario.

One of the big things that has come out of this is specific endorsements to provide coverage for social engineering or having firms also consider looking into separate crime coverage policies to cover any of those gray areas where cyber policy may or may not provide coverage for.

April Walker: What about this scenario? I'm a firm, I have a security policy, I mostly abide by it, but I don't follow it to the letter. Is that a scenario where you might have trouble having your insurance claim paid?

Rudy Rudolph: It's definitely possible.

I highly recommend when you're going through either the renewal process or if you're getting a policy, a quote for a policy for the first time, definitely talking with your agent, your underwriter carrier, whoever you're dealing with, and making sure that you understand the policy requirements in terms of what are some of the standard requirements that you require your insureds to have in place.

Usually they have either guides or expected basic security measures that they can send over that they expect their firms they have in place and implement it to ensure that they can provide coverage. Sometimes if you don't meet or don't have any of those standards in place, they could potentially deny coverage saying, hey, we sent you these standards so that you needed to have in place to be insured by us, because of this, you don't have these in place. This claim can't be covered because there was a certain level of expectation where we insured you that you would have in place and by not abiding by that, you're essentially voiding the coverage. Again, it depends.

Each coverage or each policy is different. I would definitely recommend talking that through with your agent, your carrier, your underwriter to make sure that you're one, aware of any type of certain standards that you're required to have in place or should have in place, and making sure that you're meeting those requirements on a regular basis and reviewing that with them to make sure you're in compliance.

April Walker: Perfect. Rudy, can you think of anything we haven't covered that you would like to make sure our listeners are aware of as they are considering and evaluating cyber insurance?

Rudy Rudolph: This day and age, again, I feel like I'm being a dead horse and they keep coming back to the post-COVID reference, but everything has gone remote.

Everyone's being able to work remote now, businesses that we didn't think would be be able to operate remotely were forced to change the way the entire world views working and how we operate nowadays and everything to an extent is relying on computers technology, being able to access information through a computer. I think you'd be naive to, one, not consider having this coverage in places of business, and two, not going forward and having at least some cyber coverage in place.

The amount of cyber attacks have gone up exponentially since the pandemic, because everything has been forced to move to some hybrid or a digital format. I think this is one of those policies that is almost standard requirement for businesses moving forward these days, and it's definitely one thing to keep in the back of your mind is everything is still continuing to transition more and more to the cyber world as we operate, communicate everything like that.

I think it's naive to think that this coverage is unnecessary.

April Walker: Those are great thoughts and great closing. But as we close on this podcasts, I like to think about us taking a journey together towards a better profession. As we're learning more, we can do better. But in doing that, I like to get a glimpse of my guest other journeys outside of the tax world.

Really I'd love for you to share a page from your travel journal, maybe a bucket lists, trip, you have, what you got for me?

Rudy Rudolph: I'm a big golf fan and every year with the Masters Tournament and the Open Championship, there's always a ticket lottery that you can enter to potentially get an opportunity to get tickets to one of them. They don't just sell them like a normal sporting event, they're so exclusive.

Actually just got an email the other day that I won the ticket lotteries for the Open Championship in Scotland next July.

April Walker: Wow, that's cool.

Rudy Rudolph: Pretty excited, just to finalize the ticket purchase. So I'll be headed now to Scotland next year for the Open Championship, and it's to be about there.

April Walker: I love it. The US Open has been here or near here, North Carolina. It's been in Pinehurst a couple of times and I was able to get tickets somehow, not through the lottery, but Scotland sounds like an amazing place to watch golf and just to visit. I'm looking forward to hearing more about that.

Thank you so much Rudy for giving people some food for thought on this really important topic. Again, this is April Walker from the AICPA Tax Section. This community is your go-to source for technical guidance and resources designed especially for CPA tax practitioners like you in mind.

This is a podcast from AICPA and CIMA, together as the Association of International Certified Professional Accountants. You can find this wherever you happen to listen to your podcasts and we encourage you to follow us so you don't miss an episode. If you already follow us, thank you so much and feel free to share with a like-minded friends. You can also find us at aicpa-cima.com/tax, and find our other episodes and also get access to the resources mentioned during the episode. Thank you so much for listening.

This content is designed to provide institute of information, this respect to the subject matter covered and does not represent an official opinion or position of the AICPA, the Association or CIMA. It is provided with the understanding that they are not engaged in offering legal accounting or other professional services. If such advice or expert assistance is required, the services of a competent professional person should be sought. The AICPA, the Association and CIMA make no representations, warranties, or guarantees as to and assume no responsibility for the content or application of the material contained herein, and especially disclaim all liability for any damages arising out of the use of reference to or reliance on such material.

Keep your finger on the pulse of the dynamic and evolving tax landscape with insights from tax thought leaders in the AICPA Tax Section. The Tax Section Odyssey podcast includes a digest of tax developments, trending issues and practice management tips that you need to be aware of to elevate your professional development and your firm practices.

This resource is part of the robust tax resource library available from the AICPA Tax Section. The Tax Section is your go-to home base for staying up to date on the latest tax developments and providing the edge you need for upskilling your professional development. If you’re not already a member, consider joining this prestigious community of your tax peers. You’ll get free CPE, access to rich technical content such as our Annual Tax Compliance Kit, a weekly member newsletter and a digital subscription to The Tax Adviser.