<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Cyber Archives - CAMICO</title>
	<atom:link href="https://mickey.camico.com/blog/category/cyber/feed/" rel="self" type="application/rss+xml" />
	<link>https://mickey.camico.com/blog/category/cyber/</link>
	<description>Insurance for CPAs, by CPA&#039;s</description>
	<lastBuildDate>Thu, 26 Jun 2025 21:01:22 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://mickey.camico.com/wp-content/uploads/2022/04/camfav-150x150.png</url>
	<title>Cyber Archives - CAMICO</title>
	<link>https://mickey.camico.com/blog/category/cyber/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Claim Chronicles 126-A</title>
		<link>https://mickey.camico.com/blog/claim-chronicles-126-a/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=claim-chronicles-126-a</link>
		
		<dc:creator><![CDATA[Amber]]></dc:creator>
		<pubDate>Thu, 26 Jun 2025 21:01:17 +0000</pubDate>
				<category><![CDATA[Claims]]></category>
		<category><![CDATA[CPA]]></category>
		<category><![CDATA[Cyber]]></category>
		<category><![CDATA[Risk Management]]></category>
		<guid isPermaLink="false">https://www.camico.com/?p=13393</guid>

					<description><![CDATA[<p>First-party damages: refers to losses directly suffered by the policyholder (or insured) firm in response to a firm’s data breach or other covered cyber event. Topic: First-Party Cyber Attack CAMICO policyholder Mary Davis had just signed on to her computer one morning when she received an email from a “potential client” named “Tim,” who was ... <a title="Claim Chronicles 126-A" class="read-more" href="https://mickey.camico.com/blog/claim-chronicles-126-a/" aria-label="Read more about Claim Chronicles 126-A">Read more</a></p>
<p>The post <a href="https://mickey.camico.com/blog/claim-chronicles-126-a/">Claim Chronicles 126-A</a> appeared first on <a href="https://mickey.camico.com">CAMICO</a>.</p>
]]></description>
										<content:encoded><![CDATA[		<div data-elementor-type="wp-post" data-elementor-id="13393" class="elementor elementor-13393" data-elementor-post-type="post">
						<section class="elementor-section elementor-top-section elementor-element elementor-element-e99a117 elementor-section-boxed elementor-section-height-default elementor-section-height-default" data-id="e99a117" data-element_type="section" data-e-type="section">
						<div class="elementor-container elementor-column-gap-default">
					<div class="elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-0001c1d" data-id="0001c1d" data-element_type="column" data-e-type="column">
			<div class="elementor-widget-wrap elementor-element-populated">
						<div class="elementor-element elementor-element-511958c elementor-widget elementor-widget-text-editor" data-id="511958c" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
									<p><strong><em>First-party</em></strong><em> damages: refers to losses directly suffered by the policyholder (or insured) firm in response to a firm’s data breach or other covered cyber event.</em></p><h5>Topic: First-Party Cyber Attack</h5><p>CAMICO policyholder Mary Davis had just signed on to her computer one morning when she received an email from a “potential client” named “Tim,” who was requesting her services. In the email, “Tim” stated that he would pay Mary $7,500 upfront and an additional $300 for processing fees. “The client” asked Mary to invoice him via QuickBooks and so she did. QuickBooks fronted the $7,800 prior to any verification that there were funds in “Tim’s” account to cover the invoice. Four days later, “Tim” sent another email stating that he included an additional $11,000 because he wanted Mary to purchase computers for his daughters and ship them to him. The next day, Mary noticed a credit to her account for $20,000. Later that evening, she received another email from “Tim” saying that he had changed his mind about the computers and asked her to issue him a refund for $11,000 and so she did. “Tim,” (the fraudster) then cancelled the original transaction, causing Mary to lose $11,000 plus the $7,500 that QuickBooks fronted. This is because it turned out that there wasn’t any money in “Tim’s” account to cover the thousands of dollars. Mary contacted the police and her bank to notify them of the fraud and on the same day, she received a notification from Intuit (QuickBooks) that the initial transaction for $20,000 had been charged back. The police came to Mary’s residence and took a report but the damage was done. Mary was now a victim of fraud through her own business and the funds were not recovered.</p><h5>Select the answer that is the correct response:</h5><p><span style="color: #ff9900;"><strong>1. What kind of cyber attack occurred in this claim?</strong></span><br />a. Ransomware <br />b. Phishing <br />c. 
Password attack</p><p><span style="color: #ff9900;"><strong>2. Was this first-party claim covered by the policyholder&#8217;s coverage with CAMICO?</strong></span><br />a. Yes<br />b. No</p><p><span style="color: #ff9900;"><strong>3. Does CAMICO&#8217;s claims department see more first-party or third-party claims?</strong></span><br />a. First-party claims<br />b. Third-party claims</p><h5>Correct Answers:</h5><p><strong>1. <span style="color: #ff9900;">b.</span></strong> <strong>Phishing</strong> is a variation of spoofing, which occurs when an attacker attempts to obtain personal or financial information from the victim using fraudulent means, most often by impersonating another user or organization.</p><p><strong>2. <span style="color: #ff9900;">b.</span> No.</strong> It was not covered because it was financial loss by the policyholder, which is not included in the CyberCPA endorsement, the Accountants Professional Liability policy, a Business Owner’s Policy (BOP) or theft policy. For a higher level of coverage, such as a stand-alone cyber policy, contact CAMICO for more information at 1.800.652.1772.</p><p><strong>3. <span style="color: #ff9900;">a and b.</span> Both, and this is why:</strong> For every first-party claim that is reported, there is the risk of a third-party claim developing due to stolen information. CAMICO&#8217;s claims department investigates every claim with both first-party and third-party damages in mind. Third-party damages, if discovered, are handled under the Accountants Professional Liability (APL) policy. Therefore, if a first-party claim is reported, a third-party potential claim is also opened to lock in coverage should third-party damages occur. But in most cases, a third-party claim doesn&#8217;t arise because most policyholders become aware of their system being attacked prior to damages being able to occur. 
Many policyholders have their own IT team who can shut down the system and start a forensic investigation on what was taken and to notify people as soon as possible.</p><p><em>The “Claim Chronicles” are drawn from CAMICO claims files and illustrate some of the dangers and pitfalls in the accounting profession. All names were changed.</em></p>								</div>
				</div>
					</div>
		</div>
					</div>
		</section>
				</div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Claim Chronicles 126-B</title>
		<link>https://mickey.camico.com/blog/claim-chronicles-126-b/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=claim-chronicles-126-b</link>
		
		<dc:creator><![CDATA[Amber]]></dc:creator>
		<pubDate>Thu, 26 Jun 2025 20:53:03 +0000</pubDate>
				<category><![CDATA[Claims]]></category>
		<category><![CDATA[CPA]]></category>
		<category><![CDATA[Cyber]]></category>
		<category><![CDATA[Risk Management]]></category>
		<guid isPermaLink="false">https://www.camico.com/?p=13405</guid>

					<description><![CDATA[<p>Third-party damages: refers to damages alleged by clients or other third parties that the negligence of the CPA firm contributed in whole or in part to the third party’s cyber-related loss. Topic: Third-Party Cyber Attack CAMICO policyholders Michael Jones and Tom Smith of Jones &#38; Smith Accounting Services were out of the office during the ... <a title="Claim Chronicles 126-B" class="read-more" href="https://mickey.camico.com/blog/claim-chronicles-126-b/" aria-label="Read more about Claim Chronicles 126-B">Read more</a></p>
<p>The post <a href="https://mickey.camico.com/blog/claim-chronicles-126-b/">Claim Chronicles 126-B</a> appeared first on <a href="https://mickey.camico.com">CAMICO</a>.</p>
]]></description>
										<content:encoded><![CDATA[		<div data-elementor-type="wp-post" data-elementor-id="13405" class="elementor elementor-13405" data-elementor-post-type="post">
						<section class="elementor-section elementor-top-section elementor-element elementor-element-a3701d2 elementor-section-boxed elementor-section-height-default elementor-section-height-default" data-id="a3701d2" data-element_type="section" data-e-type="section">
						<div class="elementor-container elementor-column-gap-default">
					<div class="elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-b049199" data-id="b049199" data-element_type="column" data-e-type="column">
			<div class="elementor-widget-wrap elementor-element-populated">
						<div class="elementor-element elementor-element-3c12c2e elementor-widget elementor-widget-text-editor" data-id="3c12c2e" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
									<p><strong><em>Third-party </em></strong><em>damages: refers to damages alleged by clients or other third parties that the negligence of the CPA firm contributed in whole or in part to the third party’s cyber-related loss.</em></p><h5>Topic: Third-Party Cyber Attack</h5><p>CAMICO policyholders Michael Jones and Tom Smith of Jones &amp; Smith Accounting Services were out of the office during the week of May 19-23. On May 20, their office received a call from a fraudster who claimed to work for Wells Fargo. Leslie Johnson, a current employee of the accounting firm, was the individual who answered the call and shared the requested information with the attacker. A day later, the scammer initiated multiple fraudulent transactions. While Jones was traveling back to the office on May 26, he received a call from Matthew Patterson, a client relationship manager with Wells Fargo. Patterson advised that a transaction for $224,528 was requested, along with a $175,000 ACH (Automated Clearing House) electronic payment. Jones explained that they were fraudulent transactions, and both were stopped and deleted. Alarmed by the fraud, Jones called the fraud department later that evening to discuss his concerns. He learned that three transactions for $153,000, $193,000, and $175,000 were moved into a fraudulent account and were deleted and reversed on May 23. Four days later, a lump sum for $525,000 was transferred out of the client’s account into a different fraudulent account; however, the funds were not reversed. Wells Fargo was able to stop three transactions, but not the largest one of $525,000. Fortunately for Jones, some of the money was recovered through Wells Fargo’s cyber carrier (after a forensic investigation was conducted).</p><h5>Select the answer that is the correct response: </h5><p><span style="color: #ff9900;"><strong>1. What was the accounting firm&#8217;s breach/key mistake?</strong></span><br />a. 
Not implementing multiple security tools to detect and block cyber threats<br />b. Not installing robust security software and maintaining it with the latest security updates<br />c. Human error; lack of proper training and strict adherence to firm-wide protocols</p><p><span style="color: #ff9900;"><strong>2. Was this third-party claim covered by the policyholder’s coverage with CAMICO?</strong></span><br />a. Yes<br />b. No</p><p><span style="color: #ff9900;"><strong>3. Are most third-party claims covered under a policy with CAMICO?</strong></span> <br />a. Yes<br />b. No</p><h5>Correct Answers:</h5><p><strong>1. <span style="color: #ff9900;">c.</span></strong> Leslie Johnson, an employee at the accounting firm, gave the attacker sensitive information without proper verification and company protocol. Firms can and should consider their people as the first line of defense against cyber threats. Human error remains a significant threat to cybersecurity, with a wide range of activities such as weak password practices, falling for phishing attacks, and the mishandling of sensitive information contributing to security breaches. Refer to The Cyber Saga Continues… Protect Your Firm from First-Party and Third-Party Cyber Exposures article in this IMPACT for risk management tips on this topic.</p><p><strong>2. <span style="color: #ff9900;">a.</span> Yes.</strong> It was fully covered under the policyholder’s Accountants Professional Liability (APL) policy because they engaged to do a professional service and their office gave the attacker information that resulted in the fraudulent transactions, so the insuring agreement was met. CAMICO’s APL insurance is designed to cover losses by third parties that CAMICO’s policyholder is responsible for due to negligence. This claim is an example of a vishing cyber attack, or voice phishing, where fraudulent phone calls are made to trick individuals into revealing personal information or money. 
These scams often involve attackers impersonating trusted entities like banks, government agencies, or tech support to gain the victim&#8217;s trust and exploit them.</p><p><strong>3.<span style="color: #ff9900;"> a.</span> Yes.</strong> As long as a claim fits the insuring agreement and no exclusions apply, most third-party cyber damages that are a result of the professional services that the policyholder engaged to do are covered. How liability is assessed: Was the policyholder liable for allowing the fraudulent activity to occur? What duties did the policyholder owe? What duties did the policyholder breach? What damages were sustained and are those damages a result of the breached duties?</p><p><em>The “Claim Chronicles” are drawn from CAMICO claims files and illustrate some of the dangers and pitfalls in the accounting profession. All names were changed.</em></p>								</div>
				</div>
					</div>
		</div>
					</div>
		</section>
				</div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The Cyber Saga Continues… Protect Your Firm from First-Party and Third-Party Cyber Exposures</title>
		<link>https://mickey.camico.com/blog/the-cyber-saga-continues-protect-your-firm-from-first-party-and-third-party-cyber-exposures/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-cyber-saga-continues-protect-your-firm-from-first-party-and-third-party-cyber-exposures</link>
		
		<dc:creator><![CDATA[Amber]]></dc:creator>
		<pubDate>Tue, 24 Jun 2025 23:34:08 +0000</pubDate>
				<category><![CDATA[Accounting]]></category>
		<category><![CDATA[CAMICO]]></category>
		<category><![CDATA[CPA]]></category>
		<category><![CDATA[Cyber]]></category>
		<category><![CDATA[Risk Management]]></category>
		<guid isPermaLink="false">https://www.camico.com/?p=13245</guid>

					<description><![CDATA[<p>In today’s digital landscape, it is no surprise that there appears to be a new cybersecurity story in the news every week, from attacks on major infrastructure to small companies being held for ransom. The risk of cyber threats continues to grow for CPA firms, along with other professional services firms, as all are considered ... <a title="The Cyber Saga Continues… Protect Your Firm from First-Party and Third-Party Cyber Exposures" class="read-more" href="https://mickey.camico.com/blog/the-cyber-saga-continues-protect-your-firm-from-first-party-and-third-party-cyber-exposures/" aria-label="Read more about The Cyber Saga Continues… Protect Your Firm from First-Party and Third-Party Cyber Exposures">Read more</a></p>
<p>The post <a href="https://mickey.camico.com/blog/the-cyber-saga-continues-protect-your-firm-from-first-party-and-third-party-cyber-exposures/">The Cyber Saga Continues… Protect Your Firm from First-Party and Third-Party Cyber Exposures</a> appeared first on <a href="https://mickey.camico.com">CAMICO</a>.</p>
]]></description>
										<content:encoded><![CDATA[		<div data-elementor-type="wp-post" data-elementor-id="13245" class="elementor elementor-13245" data-elementor-post-type="post">
						<section class="elementor-section elementor-top-section elementor-element elementor-element-69ce6b7 elementor-section-boxed elementor-section-height-default elementor-section-height-default" data-id="69ce6b7" data-element_type="section" data-e-type="section">
						<div class="elementor-container elementor-column-gap-default">
					<div class="elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-0aca252" data-id="0aca252" data-element_type="column" data-e-type="column">
			<div class="elementor-widget-wrap elementor-element-populated">
						<div class="elementor-element elementor-element-6f2e583 elementor-widget elementor-widget-text-editor" data-id="6f2e583" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
									<p>In today’s digital landscape, it is no surprise that there appears to be a new cybersecurity story in the news every week, from attacks on major infrastructure to small companies being held for ransom. The risk of cyber threats continues to grow for CPA firms, along with other professional services firms, as all are considered prime targets for cyber criminals given the wealth of sensitive client data, financial information, and/or legal documents they maintain.</p><p>Don’t be lulled into a false sense of comfort that your firm (or your clients) are too small or too large to be attacked. CAMICO is seeing an uptick in the number of cyber-related claims impacting CPA firms of all sizes and, unfortunately, the severity of these cyber crimes and ransomware attacks has grown in recent years.</p><p>Some of the more frequent categories of loss for CPA firms related to cyber claims include:</p><ul><li>Social engineering</li><li>Funds transfer fraud</li><li>Theft of data</li><li>Loss of laptop or data stick</li><li>Unauthorized use of networks</li><li>Failure to protect client confidential information shared with a third-party service provider</li><li>Computer system cloud hack</li><li>Lost profits related to cyber events</li><li>Ransom attacks</li></ul><p>Identifying key cyber risks and best practices to mitigate risk exposures is important to safeguard confidential information, maintain client trust, and ensure your firm’s continuity. One of the important concepts people must be aware of when evaluating their cybersecurity exposures is the difference between first-party risks and third-party risks. 
First-party risks are damages and losses you incur from a cyber attack or security breach of your firm, whereas third-party risks often arise when a hacker has penetrated the firm’s (or client’s) computer system causing damages to a client or other third party as a result of the cyber incident for which the firm may be blamed in whole or in part.</p><p>As you would expect, first-party cyber exposures have become increasingly problematic for CPA firms as cyber criminals are targeting CPA firms and tax professionals with greater frequency because of the abundance of client data found on CPA firms’ computers. If they are successful in gaining access to a firm’s information infrastructure, there can be costly measures that need to be taken by the firm such as hiring IT forensic experts to determine the extent of the breach, consulting with attorneys who specialize in data breach laws and notification obligations, and providing credit monitoring to those impacted by the breach.</p><p>What may be surprising to some CPAs, however, is the increase in third-party cyber exposures that are impacting firms. These situations often arise when a client has been hacked, and the hacker has penetrated the client’s computer system and once inside, causes all manner of losses for which the CPA firm may be blamed. Unfortunately, many of these incidents tend to be high-dollar claims against the CPA firm. 
These claims typically include allegations that the firm failed to detect red flags associated with communications executed by the hacker, falling below the standard of care by initiating wire transfers (later determined to be fraudulent) without “proper” client authorization, failure to “warn and advise” clients of the potential risks/threats of cyber attacks, and the list goes on.</p><p><strong>Cyber Claims Trends</strong><br />Human error remains a significant threat to cybersecurity, with a wide range of activities such as weak password practices, falling for phishing attacks, and the mishandling of sensitive information contributing to security breaches.</p><p>Social engineering, which is the art of exploiting human behavior as a manipulation technique to gain access to confidential information, is one of the most dangerous types of cybersecurity threats to CPA firms given the type of information that firms gather and store. “Phishing” is one of the more widespread social engineering schemes, where information in an email attempts to convince a recipient that the email is from a legitimate source and the recipient needs to respond to the request by clicking a link. 
The trend this past tax season as reported in CAMICO’s mid-March 2025 Alert is bogus emails from the “Social Security Administration” or “IRS e-Services.” As employees are the most common entry point for phishing attacks, a firm’s best protection against social engineering attempts is to make continuous efforts to raise awareness with staff to <strong>never take these emails at face value</strong> and instead, maintain ongoing vigilance and enhanced skepticism with every email and online interaction.</p><p>Consider the following two scenarios from the CAMICO claims files which unfortunately are becoming all too familiar for CPA firms:</p><p style="padding-left: 40px;"><strong>Scenario #1: Client hacked; CPA firm initiated fraudulent wire-transfers<br /></strong>A client of the CPA firm was hacked, and the hacker penetrated and commandeered the client’s email account. The hacker emailed several requests to the CPA firm to wire funds to a new account — a classic “man in the middle” attack. After receiving each request, a CPA firm staff member emailed the client to verify the wire transfer instructions. As the hacker had full control of the client’s email account, the hacker was able to respond back to the CPA firm to verify the payments to the hacker’s overseas bank account.<strong><br /></strong></p><p style="padding-left: 40px;">The above scenario, unfortunately, has become a recurring fact pattern, and these fraudulent wire transfer requests frequently cause large dollar losses. If the fraudster is controlling the client’s email and potentially their phone system as well, and the fraudulent request mimics previous legitimate requests, it is often difficult for the firm to identify the request as illegitimate. When fraud is discovered after the transfer, the funds are usually not recoverable. 
Domestic banks are not always helpful in preventing fraudulent transfers, as laws tend to limit their risk exposures and enable them to deny responsibility.</p><p style="padding-left: 40px;">With the increased number of claims related to fraudulent wire transfers, the best risk management practice in the absence of any written protocols to the contrary is to verbally confirm <strong>all</strong> wire transfer requests with the client, and <strong>not</strong> rely on email or voicemail confirmations. Unfortunately, technological advances have permitted sophisticated scammers to create AI versions not only of people’s voices, but also realistic avatars of scam targets so that you can’t trust your ears or your eyes on virtual calls (Microsoft Teams). <strong>Ideally, you and your client will have a code word and/or phrase to confirm the authenticity of the person you are speaking to.</strong> Additional loss prevention guidance to minimize fraudulent wire transfer exposure can be found in CAMICO’s article <em>Social Engineering Scams/Fraudulent Wire Transfers</em>. Refer to the Cyber/Data Security Resource Center on CAMICO’s <a href="https://member.camico.com/portal/Policyholder-Login">Members-Only Site</a>.</p><p style="padding-left: 40px;"><strong>Scenario #2: Ransomware</strong><br />An employee of a CPA firm opened an unsolicited email attachment from “IRS e-Services” that immediately downloaded ransomware onto the firm’s computer system. The employee noticed that the file names were rapidly being changed to “Needs Decrypting.” The employee turned off and rebooted the computer, but the virus had already spread to all the firm’s servers, and all the files became encrypted. The employee reported the incident to the firm’s managing partner and the firm promptly took actions in accordance with their Incident Response Plan. 
Once it was determined that a breach had occurred, the firm complied with applicable state and federal laws, and the breach was reported to law enforcement.</p><p style="padding-left: 40px;">Ransomware is one of the most malicious hacker attack vectors and firms of all sizes have become victims. It sneaks into computer systems, encrypts files, and demands a ransom before agreeing to decrypt the files. A major problem is that hackers do not always decrypt files even after the ransom is paid.</p><p style="padding-left: 40px;">Ransom demands have certainly increased in recent years and it is not unusual to see them range from several thousand dollars to several hundred thousand dollars. Some ransomware attacks rely on software that now has known fixes, so a solution might be found online. Other ransom attacks are more advanced and have no known fixes, other than the victim retrieving and relying on the latest backup files. Therefore, being prepared and taking precautions against cyber risk exposures is essential.</p><p>To gain a greater perspective on how CPA firms are impacted by cyber exposures, refer to the <em>IMPACT 126</em> <em>Claims Chronicles</em> for two additional cyber-related claims.</p><p><strong>Has your firm prepared for a cyber incident?</strong><br />Remember, it is not if you will be attacked, but <em>when</em>.</p><p>The weakest link in most cybersecurity attacks today continues to be the <strong>human element</strong>, so it is important to remember that your firm employees are a vital line of defense. 
Take action now to arm your employees with education, awareness, and reminders, so that they can make informed decisions about what they click.</p><p>Although not meant to be all-inclusive, the following additional <strong>basic best practice measures</strong> are extremely important when addressing the <strong>human element</strong> of data security:</p><ol><li><strong>Cybersecurity awareness training:</strong> As employees are the most common entry point for phishing attacks, a firm’s best protection against social engineering is to make continuous efforts to raise awareness of the importance of ongoing vigilance and enhanced skepticism of each email and online interaction. Education can come in various forms, both formal and informal. Consider sharing with your team “real-life” examples of the potential scam emails received by members of your firm. Learning of the attempted attacks on their colleagues heightens awareness of the nature and types of scams that pose potential threats.</li></ol><p style="padding-left: 40px;">As part of the firm-wide cybersecurity awareness training, you should also consider reviewing the firm’s existing protocols and infrastructure (refer to the firm’s written security plan in place) that supports the firm’s commitment to taking appropriate cybersecurity precautions so that all employees are aware and updated when changes are made. If your firm does not yet have a written security plan in place or you are in the process of updating your document, refer to CAMICO’s Written Information Security Plan (“WISP” or “ISP”) template. 
The template can be found on the Cyber/Data Security Resource Center on the CAMICO <a href="https://member.camico.com/portal/Policyholder-Login">Members-Only Site</a>.</p><p style="padding-left: 40px;">Raising the cybersecurity IQ of all employees will help tremendously in guarding against a breach and will minimize your firm’s potential exposure as employees will be better able to recognize social engineering attempts and understand the importance of guarding their login/authentication credentials both in the office and at home. To be of ultimate value, it is important for firms to commit to embracing a motto of continuous education because the threat landscape doesn’t stop evolving when your employees’ cybersecurity training is done.</p><p style="padding-left: 40px;">2. <strong>Use multi-factor authentication.</strong> This can add an extra level of security to prevent an account hack, especially when employees work remotely.</p><p style="padding-left: 40px;">3. <strong>Change and strengthen passwords frequently.</strong> Systems are only as secure as the passwords used to access them.</p><p style="padding-left: 40px;">4. <strong>Ensure all software has the latest security options/patches.</strong> This will help protect against malware, viruses, and hacker attacks.</p><p style="padding-left: 40px;">5. <strong>Require regular data backups.</strong> By encouraging employees to regularly back up their data you are preventing data loss when disaster strikes. While this may be a hard policy to enforce for employees working remotely, it remains the best practice. In many instances, devices can be set to back up to the cloud automatically. When relying on cloud storage remember that ransomware can also compromise cloud services. Any data stored in the cloud should also be periodically backed up to an external hard drive. 
Data backups ensure that a business can continue to operate, even if resources are taken offline by a ransomware attack.</p><p style="padding-left: 40px;">6. <strong>Maintain strong cyber hygiene.</strong> Reinforce with employees the cyber protocols to be followed when working both in the office as well as remotely (e.g., machine use restrictions, Wi-Fi passwords, VPN, firewalls, etc.).</p><p style="padding-left: 40px;">7. <strong>Remind all employees of the importance of powering down computers when not in use.</strong> Computers are not accessible to attacks or intrusions when powered off.</p><p><strong>Choose the Right Cyber Insurance Coverage</strong><br />Cyber insurance protects against financial losses related to data breaches or other covered cyber events. Cyber insurance coverage is basically divided along two lines:</p><ul><li>First-party, which refers to losses directly suffered by the policyholder (or insured) firm in response to a firm’s data breach or other covered cyber event, and</li><li>Third-party, which refers to damages alleged by clients or other third parties that the negligence of the CPA firm contributed in whole or in part to the third party’s cyber-related loss. CAMICO’s professional liability policy generally will cover third-party cyber claims subject to applicable policy terms, conditions, and exclusions.</li></ul><p>It is possible that a single cyber incident may give rise to both damage suffered by the firm (first-party losses) and damages allegedly suffered by others that blame the firm (third-party losses). The relationship between the first and third parties can be formed in many ways. It can be contractual (for example, engagement letters), built through tort law, common law, or other ways. CPA firm clients are third parties, and others may become a third party based on the nature of an incident. 
Clients may have insurance of their own, making them a first party with their own cyber insurance carrier.</p><p>First-party insurance typically covers the direct costs of actions needed after a firm has had a data breach, extortion, ransomware attack, or other hacker malfeasance against the firm. Third-party cyber-liability insurance, on the other hand, covers the costs of dealing with the claims of other parties that seek to hold your firm at least partially responsible for damages that they have incurred because of a cyber incident. Sometimes, the line between first-party damage and third-party damage becomes blurred — especially if a firm and its client have both been breached, and forensic analysis cannot conclusively establish either the sequence of events leading up to the breach and/or how the breach occurred.</p><p>Although not meant to be all-inclusive, the table below shows common cyber costs and damage that may be incurred in cyber-related claim situations, classified by first- and/or third-party potential exposures:</p><table><tbody><tr><td width="396"> </td><td width="114"><p style="text-align: left;"><strong>First-Party <span style="text-decoration: underline;">Exposures</span></strong></p></td><td style="text-align: left;" width="114"><p><strong>Third-Party <span style="text-decoration: underline;">Exposures</span></strong></p></td></tr><tr><td width="396">Restoration of the damaged systems, hardware, software and network</td><td width="114"><strong>X</strong></td><td width="114"><strong> </strong></td></tr><tr><td width="396">Cost to restore lost data</td><td width="114"><strong>X</strong></td><td width="114"><strong> </strong></td></tr><tr><td width="396">Ransom fees to retrieve lost data or reopen systems</td><td width="114"><strong>X</strong></td><td width="114"><strong> </strong></td></tr><tr><td width="396">Notification costs</td><td width="114"><strong>X</strong></td><td width="114"><strong>X</strong></td></tr><tr><td width="396">Forensic 
investigation costs</td><td width="114"><strong>X</strong></td><td width="114"><strong> </strong></td></tr><tr><td width="396">Credit monitoring costs</td><td width="114"><strong>X</strong></td><td width="114"><strong>X</strong></td></tr><tr><td width="396">Reprogramming costs</td><td width="114"><strong>X</strong></td><td width="114"><strong> </strong></td></tr><tr><td width="396">Business interruption costs</td><td width="114"><strong>X</strong></td><td width="114"><strong> </strong></td></tr><tr><td width="396">Lost client’s money sent to someone incorrectly due to a cyber event</td><td width="114"><strong> </strong></td><td width="114"><strong>X</strong></td></tr><tr><td width="396">Costs (restoration, fines/fees, etc.) incurred by the third party required due to lost data</td><td width="114"><strong> </strong></td><td width="114"><strong>X</strong></td></tr></tbody></table><p>Understanding the difference between first-party and third-party risks is essential when seeking cyber insurance. Ideally, every CPA firm should have some degree of insurance coverage for both first-party and third-party risks as the CPA firm faces exposure to many accusations and lawsuits in the event of a compromise or data breach impacting its clients’ data. For example, everyone faces risks of inadvertently forwarding a malware-infected email message that subsequently wreaks havoc after being opened by a recipient, or of their computers and networks being breached and subsequently exploited by hackers to serve as launching pads from which to target others. Relying on only one type of cyber insurance that may be limited to either first- or third-party coverage may leave businesses exposed to significant financial and legal risks. 
Investing in both first-party and third-party cyber insurance, by contrast, ensures greater protection against today’s growing cyber threats.</p><p>If you have any specific coverage-related questions, please contact your agent or CAMICO at 1.800.652.1772, and ask to speak with your underwriter.</p><p><strong>Additional CAMICO Resources</strong><br />Additional risk management guidance and information on this topic is available on the Members-Only Site — refer to CAMICO’s Cyber/Data Security Resource Center. CAMICO policyholders with questions regarding this communication or other risk management questions should contact the Loss Prevention department at <a href="mailto:lp@camico.com">lp@camico.com</a>, or call our advice hotline at 800.652.1772 and ask to speak with a Loss Prevention Specialist.</p><p style="padding-left: 80px;"> </p>								</div>
				</div>
					</div>
		</div>
					</div>
		</section>
				</div>
		<p>The post <a href="https://mickey.camico.com/blog/the-cyber-saga-continues-protect-your-firm-from-first-party-and-third-party-cyber-exposures/">The Cyber Saga Continues… Protect Your Firm from First-Party and Third-Party Cyber Exposures</a> appeared first on <a href="https://mickey.camico.com">CAMICO</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Understanding First-Party and Third-Party Cyber Coverages</title>
		<link>https://mickey.camico.com/blog/understanding-first-party-and-third-party-cyber/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=understanding-first-party-and-third-party-cyber</link>
		
		<dc:creator><![CDATA[ssAdmin]]></dc:creator>
		<pubDate>Tue, 22 Oct 2024 17:34:50 +0000</pubDate>
				<category><![CDATA[CAMICO]]></category>
		<category><![CDATA[CPA]]></category>
		<category><![CDATA[Cyber]]></category>
		<category><![CDATA[Risk Management]]></category>
		<guid isPermaLink="false">https://cam.stylesite.dev/understanding-first-party-and-third-party-cyber/</guid>

					<description><![CDATA[<p>With cybersecurity threats coming from all directions, it’s crucial for CPA firms and their staff to be aware of how the risk exposures impact the firm as well as the client. When there is a claim, it is important to understand how cyber insurance coverages respond and it&#8217;s vital to engage with qualified legal and ... <a title="Understanding First-Party and Third-Party Cyber Coverages" class="read-more" href="https://mickey.camico.com/blog/understanding-first-party-and-third-party-cyber/" aria-label="Read more about Understanding First-Party and Third-Party Cyber Coverages">Read more</a></p>
<p>The post <a href="https://mickey.camico.com/blog/understanding-first-party-and-third-party-cyber/">Understanding First-Party and Third-Party Cyber Coverages</a> appeared first on <a href="https://mickey.camico.com">CAMICO</a>.</p>
]]></description>
										<content:encoded><![CDATA[		<div data-elementor-type="wp-post" data-elementor-id="5194" class="elementor elementor-5194" data-elementor-post-type="post">
						<section class="elementor-section elementor-top-section elementor-element elementor-element-6e40da82 elementor-section-boxed elementor-section-height-default elementor-section-height-default" data-id="6e40da82" data-element_type="section" data-e-type="section">
						<div class="elementor-container elementor-column-gap-default">
					<div class="elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-64dda50" data-id="64dda50" data-element_type="column" data-e-type="column">
			<div class="elementor-widget-wrap elementor-element-populated">
						<div class="elementor-element elementor-element-237262ff elementor-widget elementor-widget-text-editor" data-id="237262ff" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
									<div class="article_content"><p>With cybersecurity threats coming from all directions, it’s crucial for CPA firms and their staff to be aware of how the risk exposures impact the firm as well as the client. When there is a claim, it is important to understand how cyber insurance coverages respond and it&#8217;s vital to engage with qualified legal and technical experts to produce the best possible outcomes for your firm.</p><p>Cyber coverages are therefore divided along two lines:</p><ul><li>First party, which refers to losses directly suffered by the policyholder (or insured) firm.</li><li>Third party, which refers to damages alleged by clients or other third parties for which the policyholder firm may be liable.</li></ul><p>A single incident may give rise to both damages suffered by the firm (first-party losses) and damages allegedly suffered by others that blame the firm (third-party losses). The insurance coverages will respond according to which party is bearing losses or alleging damages.</p><p><b>First-party exposures </b>have become increasingly problematic for CPA firms. Here are a few major reasons why:</p><ul><li>Cyber criminals are targeting CPA firms and tax professionals with greater frequency because of the abundance of client data found on the firms’ computers. If they are successful in gaining access to the firm’s information there can be costly measures that need to be taken by the firm.</li><li>By inducing a recipient to click an innocent-looking link or attachment, hackers penetrate a firm’s computer system to access client data, read email messages, and commandeer email and other programs. A common scam is to change bank account and routing numbers on client tax returns so that refunds are deposited into the scammers’ bank accounts instead of the clients’ accounts. 
The costs to complete the forensic analysis, fix the problems, and notify all possible clients would be first-party exposures to the firm. Hackers also use a firm’s tax software programs to falsify and submit tax returns that generate large tax refunds routed to the hackers’ own bank accounts, a third-party exposure to the same hack.</li><li>Ransomware attacks and demands against a CPA firm also generate losses borne by the CPA firm. Ransom demands can be expensive, and paying them does not guarantee that files encrypted by the malware will be restored. Rebuilding the firm’s previous work takes time, as information and data need to be gathered, reentered and reconstructed. Such activity is in addition to other data breach expenses if an investigation determines that client data has been compromised.</li><li>If a firm’s client data has been compromised, there can be a significant cost to the firm associated with complying with the notification requirements to each potential party whose information may have been compromised.</li></ul><p><b>Third-party exposures </b>often arise when a hacker has penetrated the firm’s or client’s computer system and once inside can cause all manner of losses for which the firm may be blamed. For example:</p><ul><li>By using client information, or by commandeering the client’s email accounts, scammers can make purported client email look legitimate and trustworthy, tricking someone at the firm into clicking an attachment or link, which then downloads a virus or malware. 
Once malware is downloaded, it can enable a hacker to gain remote access to the firm’s computer network, read email messages, and obtain information about other clients and use the information to steal funds.</li><li>“Spear phishing” targets a specific firm, or person within a firm, by using client information or a client email account to make fraudulent messages look legitimate. If the hacker squats in both the client’s and the firm’s email accounts, messages going back and forth between the client and the firm can be manipulated on both ends, making it extremely difficult to determine that a “man-in-the-middle” attack is in progress.</li><li>Client data can also be mined by hackers to perpetrate large-dollar thefts. A common technique is to identify high-end clients who have given bill-paying or wire authority to firms providing business management services. A hacker posing as a client will email a request from the client’s email account for a wire transfer of funds into an account controlled by the hacker. If the account is in another country, the transferred funds are usually irretrievable. They may also request a new vendor be added and start sending fraudulent bills to be paid to this new fake vendor.</li></ul><p style="text-align: left;"><i><br /><b>Loss Prevention Tip:</b> Have controls in place and always confirm the legitimacy of an email message before clicking an attachment or link, or taking any action. Call for verbal confirmation, and receive confirmation by an actual phone call—not by email or voicemail. 
Email and other electronic systems may also be compromised and unreliable in an incident. Voicemail can be hacked as well, making it just as unreliable as email. </i><i>To further minimize fraudulent wire transfer exposure, the firm should establish written protocols with clients for handling client funds, especially as related to handling wire transfer requests. Consider establishing dollar thresholds above which verbal consent would be required if clients do not want to be “bothered” to approve each request. In addition, document who the authorized client representative(s) would be for providing such consent if/when the client is not available. </i></p><p>Scammers have also been known to use many ruses, posing as (for example):</p><ul><li>Tax software companies recommending that tax preparers update their software</li><li>The user’s computer “security” system requiring a password</li><li>Potential clients soliciting professional services</li><li>Legal and technical experts</li></ul><p><i><b>Loss Prevention Tip:</b> If an email message asks the recipient to click a link or attachment, go directly to the website for information rather than clicking on links provided in the message, or call for confirmation that the email is legitimate and not a scam.</i></p><p><b>First-Party Cyber Coverage</b></p><p>In the event a firm’s computer system appears to have been breached by malware, a mobile device goes missing, or anything appears to have compromised the firm’s data security, a number of steps need to be taken. A complete cyber insurance program will coordinate these steps and may provide coverage for some or all of the related expenses. Each cyber policy is different so reviewing the coverage language is critical. 
Examples include:</p><ul><li><b>Investigation</b> – The cyber risk adviser or attorney with the cyber insurance carrier coordinates an investigation to verify whether the incident is a breach as defined by current state and/or federal laws.</li><li><b>IT forensics</b> – An IT forensics expert investigates the incident as part of determining whether or not there was a security breach and if client confidential information was accessed. IT forensics experts also respond to ransomware events to assist in decrypting and restoring files as well as eradicating malware from the system.</li><li><b>Notification letters</b> – If the incident is determined to be a breach, counsel may be appointed to investigate the need for, and preparation of, notification letters to clients.</li><li><b>Call centers</b> – Clients who receive notification letters may have additional questions about the breach, and a call center will initially handle those questions.</li><li><b>Credit monitoring services</b> – Clients may demand such services in a post-breach environment.</li><li><b>Media relations</b> – Media relations firms may be hired in such situations to help protect the firm’s reputation. 
If state laws require law enforcement to be notified in the event of a theft, media reports may affect the firm’s public image and reputation.</li><li><b>Cyber extortion or terrorism</b> – A policy may be purchased to pay money to terrorists or extortionists to retrieve locked or stolen critical data.</li></ul><p>Such losses incurred by the insured firm are generally considered “first party” and subject to the first-party policies or endorsements.</p><p><b>Third-Party Cyber Coverage</b></p><p>If a client alleges damages arising from an insured firm’s act, error, or omission, for which the insured may be liable, the damages typically would be addressed under third-party coverage included in the CAMICO Accountants Professional Liability (APL) insurance policies—not the CPA’s cyber coverage.</p><p>In the cyber area, one common example is the fraudulent wire transfer executed because of a hacker hijacking the client’s or insured’s email account and prompting the CPA firm to transfer client funds into an account controlled by the hacker. Claims sometimes carry substantial third-party exposure, and once funds are transferred, they are usually not recoverable. Even if the client was hacked due to their lack of cybersecurity, the CPA firm can be held at least partially responsible for the transfer of money because they had the last chance to stop the fraudulent transfer.</p><p>CAMICO includes third-party cyber coverage in its APL policy, including damages caused by fraud of others (not fraud of an insured), social engineering, phishing, and other forms of misrepresentation. CPA firms should be wary of any APL policy that carries an exclusion for claims arising from such damages.</p><p>An information security plan/program, including an incident response plan (IRP), should be in place to satisfy provisions of state and federal regulations. 
For example, the IRS requires tax return preparers to comply with the Gramm-Leach-Bliley Act’s (“GLBA”) Safeguards Rule, which establishes minimum requirements for protecting sensitive client data. One such requirement is to have in place a written information (data) security plan (ISP), and to periodically review the effectiveness of the program and reassess the risk factors as well as any material changes to the firm’s operations.</p><p>An ISP has many benefits, not the least of which is that it will help a firm use its resources wisely and efficiently to plan for a breach and thus reduce firm expenses when a breach occurs. Stand-alone cyber coverage is available to our policyholders who desire a higher level of coverage. Contact CAMICO for more information at 1.800.652.1772.</p><p><i>The information provided in this article is a general overview and not intended to be a complete description of all applicable terms and conditions of coverage. Actual coverages and risk management services and resources may vary and are subject to policy provisions as issued. Coverage and risk management services may vary and are provided by CAMICO and/or through its partners and subsidiaries.</i></p></div>								</div>
				</div>
					</div>
		</div>
					</div>
		</section>
				</div>
		<p>The post <a href="https://mickey.camico.com/blog/understanding-first-party-and-third-party-cyber/">Understanding First-Party and Third-Party Cyber Coverages</a> appeared first on <a href="https://mickey.camico.com">CAMICO</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Understand Your Risks: Generative Artificial Intelligence Solutions</title>
		<link>https://mickey.camico.com/blog/generative-artificial-intelligence-solutions/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=generative-artificial-intelligence-solutions</link>
		
		<dc:creator><![CDATA[Amber]]></dc:creator>
		<pubDate>Thu, 14 Mar 2024 22:47:38 +0000</pubDate>
				<category><![CDATA[CPA]]></category>
		<category><![CDATA[Cyber]]></category>
		<category><![CDATA[Risk Management]]></category>
		<guid isPermaLink="false">https://www.camico.com/?p=11621</guid>

					<description><![CDATA[<p>Generative artificial intelligence (“AI”) solutions such as OpenAI’s ChatGPT continue to gain popularity. Many CPA firms seek to leverage the use of generative AI to accelerate innovation and increase productivity. As the use of AI technology evolves, CPAs need to obtain a solid understanding of their needs and objectives – and gain an understanding of ... <a title="Understand Your Risks: Generative Artificial Intelligence Solutions" class="read-more" href="https://mickey.camico.com/blog/generative-artificial-intelligence-solutions/" aria-label="Read more about Understand Your Risks: Generative Artificial Intelligence Solutions">Read more</a></p>
<p>The post <a href="https://mickey.camico.com/blog/generative-artificial-intelligence-solutions/">Understand Your Risks: Generative Artificial Intelligence Solutions</a> appeared first on <a href="https://mickey.camico.com">CAMICO</a>.</p>
]]></description>
										<content:encoded><![CDATA[		<div data-elementor-type="wp-post" data-elementor-id="11621" class="elementor elementor-11621" data-elementor-post-type="post">
						<section class="elementor-section elementor-top-section elementor-element elementor-element-f3c8de8 elementor-section-boxed elementor-section-height-default elementor-section-height-default" data-id="f3c8de8" data-element_type="section" data-e-type="section">
						<div class="elementor-container elementor-column-gap-default">
					<div class="elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-085584a" data-id="085584a" data-element_type="column" data-e-type="column">
			<div class="elementor-widget-wrap elementor-element-populated">
						<div class="elementor-element elementor-element-ab4524f elementor-widget elementor-widget-text-editor" data-id="ab4524f" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
									<p>Generative artificial intelligence (“AI”) solutions such as OpenAI’s ChatGPT continue to gain popularity. Many CPA firms seek to leverage the use of generative AI to accelerate innovation and increase productivity. As the use of AI technology evolves, CPAs need to obtain a solid understanding of their needs and objectives – and gain an understanding of how AI works – before they can begin to identify if an AI opportunity is right for their firm. </p>
<p>Although generative AI solutions can provide benefits for CPA firms, from CAMICO’s perspective, there are critical risks associated with generative AI that should be vetted by firms and mitigation strategies implemented to minimize potential exposures. These risks include but are not limited to concerns with accuracy and quality control, confidentiality, privacy, security, and ethical issues.</p>
<p>For example, consider the following areas of potential risk exposure:</p>
<ul>
<li><strong>Accuracy and quality control</strong><br />AI-generated content cannot be relied upon as-is, as the information may be outdated, misleading or — in some cases — fabricated. All AI-generated content must be reviewed for accuracy before placing any reliance on it and should be given the same consideration as you would to the work of an intern or first-year staff person. Firms need to have proper oversight procedures in place to ensure that personnel with the appropriate competencies will review and interpret the data and content provided, make informed decisions, and provide expert guidance in applying the AI-generated information to specific client and/or firm fact patterns.</li>
<li><strong>Confidentiality</strong><br />In accordance with applicable professional and legal standards of care, sensitive client information, as well as firm- and personnel-related information, must be treated with the utmost confidentiality and should not be disclosed without express written permission. Since it is critical that the operations, activities, and business affairs of a firm and their clients are kept confidential when using generative AI, it is imperative firms ensure employees understand the terms of the firm’s Confidentiality Policy and are informed that any use of AI technology in violation of the firm’s Confidentiality Policy is strictly prohibited.</li>
<li><strong>Data privacy and security</strong><br />With data privacy protection initiatives spreading across the U.S., it is important for CPA firms to ensure the privacy and security of the sensitive personal information they collect, use, or store. To help mitigate data privacy and security risks, it is vital that firms prioritize data encryption, implement access controls, and adhere to data protection regulations. In addition, transparency is a key element in overcoming generative AI privacy challenges so it may be necessary to consult with qualified legal counsel and update, if needed, the firm’s Privacy Policy to ensure transparency about the categories of sensitive information collected, the sources of that information, the purpose for the collection, and how the firm stores and shares such information.</li>
<li><strong>Ethical considerations</strong><br />As generative AI has raised concerns about its potential for misinformation, deception, and manipulation of public opinion, firms need to consider the implications related to its actual or perceived unethical use. For example, firms should establish written guidelines to clarify that these technologies must not be used to create content that is inappropriate, discriminatory, or otherwise harmful to others or the firm.</li>
</ul>
<p><strong>Risk management tips:</strong></p>
<ul>
<li><strong>Get educated, as AI is here to stay.</strong> Learn more about the generative AI tools that are available and take appropriate due diligence steps to assess which, if any, of these tools may be appropriate to deliver the most benefit to your firm.</li>
<li><strong>Develop an implementation strategy.</strong> Successful integration of generative AI, or any new technology, requires a well-crafted implementation plan which should include, among other things, appropriate education and training to ensure responsible use.</li>
<li><strong>Document!</strong> Document your firm’s authorized usage (e.g. open use, limited use, or prohibited use) of generative AI and communicate these terms and conditions to your staff. CAMICO offers a sample Generative Artificial Intelligence Chatbot Usage Policy template for this purpose on CAMICO’s <a href="https://mickey.camico.com/services/mos/">Members-Only Site</a>.</li>
</ul>
<p>CAMICO policyholders with questions regarding this communication or other risk management questions should contact the Loss Prevention department at <a href="mailto:lp@camico.com">lp@camico.com</a> or call our advice hotline at 800.652.1772 and ask to speak with a Loss Prevention Specialist.</p>								</div>
				</div>
					</div>
		</div>
					</div>
		</section>
				</div>
		<p>The post <a href="https://mickey.camico.com/blog/generative-artificial-intelligence-solutions/">Understand Your Risks: Generative Artificial Intelligence Solutions</a> appeared first on <a href="https://mickey.camico.com">CAMICO</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Loss Prevention Best Practices for Tax Season</title>
		<link>https://mickey.camico.com/blog/lp-best-practices-for-tax-season/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=lp-best-practices-for-tax-season</link>
		
		<dc:creator><![CDATA[ssAdmin]]></dc:creator>
		<pubDate>Mon, 13 Mar 2023 19:25:00 +0000</pubDate>
				<category><![CDATA[CPA]]></category>
		<category><![CDATA[Cyber]]></category>
		<category><![CDATA[Early Reporting]]></category>
		<category><![CDATA[Tax Season]]></category>
		<guid isPermaLink="false">https://cam.stylesite.dev/lp-tips-for-tax-season/</guid>

					<description><![CDATA[<p>CAMICO has been developing solutions for CPA professional liability problems for more than 35 years, and tax season has always been a major part of that activity. The use of engagement letters for non-audit work, including tax engagements, was pioneered by CAMICO as an effective way to help document the CPA’s understanding with the client. ... <a title="Loss Prevention Best Practices for Tax Season" class="read-more" href="https://mickey.camico.com/blog/lp-best-practices-for-tax-season/" aria-label="Read more about Loss Prevention Best Practices for Tax Season">Read more</a></p>
<p>The post <a href="https://mickey.camico.com/blog/lp-best-practices-for-tax-season/">Loss Prevention Best Practices for Tax Season</a> appeared first on <a href="https://mickey.camico.com">CAMICO</a>.</p>
]]></description>
										<content:encoded><![CDATA[		<div data-elementor-type="wp-post" data-elementor-id="5428" class="elementor elementor-5428" data-elementor-post-type="post">
						<section class="elementor-section elementor-top-section elementor-element elementor-element-2d964eb elementor-section-boxed elementor-section-height-default elementor-section-height-default" data-id="2d964eb" data-element_type="section" data-e-type="section">
						<div class="elementor-container elementor-column-gap-default">
					<div class="elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-d612dfc" data-id="d612dfc" data-element_type="column" data-e-type="column">
			<div class="elementor-widget-wrap">
							</div>
		</div>
					</div>
		</section>
				<section class="elementor-section elementor-top-section elementor-element elementor-element-5618b4f elementor-section-boxed elementor-section-height-default elementor-section-height-default" data-id="5618b4f" data-element_type="section" data-e-type="section">
						<div class="elementor-container elementor-column-gap-default">
					<div class="elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-b7163a8" data-id="b7163a8" data-element_type="column" data-e-type="column">
			<div class="elementor-widget-wrap elementor-element-populated">
						<div class="elementor-element elementor-element-95a7c9b elementor-widget elementor-widget-text-editor" data-id="95a7c9b" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
									<p>CAMICO has been developing solutions for CPA professional liability problems for more than 35 years, and tax season has always been a major part of that activity. The use of engagement letters for non-audit work, including tax engagements, was pioneered by CAMICO as an effective way to help document the CPA’s understanding with the client.</p><p>CAMICO recommends engagement letters for every engagement, and several other loss prevention practices are often just as valuable, such as follow-up documentation, fraud prevention, internal control advisory letters, client assessment, ongoing client evaluation, and disengagement.</p><p>The following are brief descriptions of each of these areas and some of the online resources available to CAMICO policyholders via the Members-Only Site to help manage risk exposures.</p><h4>Engagement Letters</h4><p>The first step in establishing effective communications with the client, managing client expectations, and avoiding misunderstandings and disappointments, is the engagement letter. In many respects it is a written contract between the CPA and the client, and as such it should clarify the services that the CPA will render, describe the scope and limitations of the engagement, and allocate, in limiting language, your responsibilities and the responsibilities of the client. In the event of a dispute, the engagement letter will serve as documented evidence of the duties your firm was to perform.</p><p>Best practices include always trying to get the client&#8217;s signature – an unsigned engagement letter may be interpreted by the courts as a non-agreement unless you have embedded unilateral language in your engagement letter. Although not as powerful as a client signature would be, unilateral clauses do afford some protection to the CPA. 
If additional services are going to be provided by the CPA, or the services cross into a different area (e.g., from the tax ramifications of a sale, to a business valuation), a new engagement letter may be needed.</p><p>CAMICO&#8217;s guidance on engagement letters is found in the<b> Engagement Letter Resource Center</b>, located on the CAMICO Members-Only Site (Policyholder Login is at mickey.camico.com). Sample tax letter templates for Individual, Partnership, Corporate, Estate/Trust, and other tax engagement letters are also found in the Engagement Letter Resource Center.</p><h4>Documentation</h4><p>The engagement letter is often just the first in a series of documents needed in an engagement. For example:</p><ul><li>All significant client meetings should be documented with a written description of the subjects discussed at the meeting. This will help ensure that both you and the client are proceeding with the same expectations and assumptions.</li><li>“Informed consent” letters should be used in certain situations, such as S corporation elections or estate tax planning. The letters help clarify that the CPA advised and informed the client, and the client agreed with the advice. Without this letter, it is easier for claimants to make it appear that the CPA made the decisions on behalf of the client. The letter will help prevent the client from successfully asserting later that your firm is responsible for unexpected events and for less-than-optimal results.</li><li>Written confirmation should be obtained for the amounts used for calculations, such as those used with tax extension payments. The client can review the information and change any of it that is incorrect. 
The client can also send the data via email or fax, which becomes part of the records, support and documentation—always critical in the event of a dispute.</li></ul><p>More documentation guidance and tips can be found on the CAMICO Members-Only Site under Knowledge Tree, Risk Management, <b>Documentation Issues.</b></p><h4>Fraud/Internal Control</h4><p>CPAs are not required to verify certain types of information, but if something looks irregular, a prudent course of action is to investigate, document, communicate, and get it right. Client and public expectations of CPAs have increased in recent years to the point where CPAs are expected to: 1) always detect fraud, and 2) advise and warn clients about their exposures to fraud.</p><p>The public expectation that CPAs should always detect fraud can be extremely difficult to meet, but the expectation to advise and warn is much less difficult. By advising and warning clients of their defalcation exposures, CPAs are better serving clients and minimizing liability stemming from the expectation to detect fraud.</p><p>Use an internal control advisory letter to advise and warn clients about their exposures to defalcation. The letter: 1) warns about general risks, 2) suggests steps clients can take to reduce risks, and 3) offers annual CPA services to address fraud risks. Examples can be found in the <b>Fraud Resource Center </b>on the CAMICO Members-Only Site under “Risk Management Tools and Engagement Letters.”</p><h4>Client Assessment/Disengagement</h4><p>Firms should evaluate all potential new clients and re-evaluate all current clients on a regular basis, at least annually. This enables the firm to better monitor clients, consider any changes that might affect the professional relationship, and avoid situations that could escalate into crises. 
Firms can also stipulate in their engagement letters that the engagement is not binding until client acceptance procedures have been completed.</p><p>A “Client Assessment Checklist” can be accessed in the <b>Engagement Letter Resource Center</b> on the CAMICO Members-Only Site. The checklist also provides guidance on how to avoid fee collection problems and how to use mediation and arbitration clauses effectively. The &#8220;Ongoing Evaluation and Disengagement Checklist&#8221; is also in the Engagement Letter Resource Center and helps firms identify problem clients and other issues that may call for disengagement.</p><h4>Early Reporting</h4><p>Contact CAMICO as soon as an issue with a client or engagement comes up. Taking advantage of CAMICO’s Loss Prevention services will help you avoid costly mistakes, problems, disputes and claims. Reporting a potential claim early also enables CAMICO to work on an early resolution, which helps the firm to get back to business as usual.</p><p>Policyholders can always contact the CAMICO Loss Prevention department for more advice and guidance. Call 1.800.652.1772, or email <a href="mailto:lp@camico.com">lp@camico.com</a>.</p>								</div>
				</div>
					</div>
		</div>
					</div>
		</section>
				</div>
		<p>The post <a href="https://mickey.camico.com/blog/lp-best-practices-for-tax-season/">Loss Prevention Best Practices for Tax Season</a> appeared first on <a href="https://mickey.camico.com">CAMICO</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
