No business of any kind can operate in the modern digital environment without some risk of cyber attack or data breach. CPA firms are especially vulnerable due to the volume of records they contain, often containing sensitive personal and financial information. Insurance companies are increasingly offering solutions for CPA firms that need coverage against cyber attacks. The authors describe the most common type of attack—ransomware—and its potential costs. They then lay out common types of cyber coverage available, provide guidance on how to calculate coverage, and provide tips and traps for potential buyers.
* * *
Many CPA firms may be forced to close their doors for some time because of a cyber attack or breach. Others will be lucky to survive the digital onslaught, perhaps only after spending exorbitant amounts of money and losing otherwise loyal clients to competing firms that have prepared properly. According to the Ponemon Institute, a global leader in publishing data breach information, the possibility of an organization having a cyber breach over the next 24 months is 24% (“Ponemon Institute 2016 Costs of Data Breach Study: Global Analysis,” June 2016, http://ibm.co/2mbj81p).
As recently as several years ago, the average CPA firm wanted to know why it needed cyber insurance at all. Today, the more common question is, “How much cyber insurance do we need?” Some say the benchmark is $1 million of coverage per 100 professionals; others use average breach costs across the country, a nauseating $4 million.
Of course, generalizations are not particularly useful, and averages are irrelevant to any one firm. To begin to understand how costly cyber attacks can be, it is necessary to discuss the most likely attack a firm will encounter: ransomware.
While the methods to breach a computer system are as numerous as they are ingenious, ransomware has quickly risen to enemy number one for most businesses. According to Beazley, a major cyber insurance provider, there was an estimated 400% increase in ransomware attacks from 2015 to 2016 (“Ransomware Attacks Soar in 2016, Projected to Double Again in 2017,” Beazley Breach Insights, January 2017, http://bit.ly/2moL660). Industry projections estimate that the number of ransomware attacks will further double in 2017.
Ransomware is the common name for various “trojans” that generally target computer files and encrypt them; the hacker then demands a ransom (often in bitcoin) for the decryption key. Even though these programs have only been popular since late 2013, they have quickly become the single most prevalent threat to CPA firms. The two main avenues of attack are exploit kits and compressed email attachments. In 2016, the authors witnessed an entire firm shut down for four days, starting on the Thursday before the end of tax season, all because a junior staffer downloaded an infected Excel macro. Other common methods include fake emails sent from client computers that contain an attachment that appears to be a PDF, but is actually an executable file containing the malware.
Removing ransomware is relatively straightforward, but unlocking the files without paying the ransom is nearly impossible. With the RSA-4096 encryption used in some CryptoLockers, there are 2^4096 possible variants of the key; for all practical purposes, this is an infinite number. Furthermore, RSA-4096 has remained uncracked after 40 years of effort. More fortunate firms may only need to deal with AES-256 encryption, with only 2^256 keys; that is, approximately 115 quattuorvigintillion different combinations.
Unfortunately, the ransomware that has been studied is only getting more robust, no doubt due to the windfall it has generated. Particularly worrisome is that this new style of malware is now operating in ways that are undetectable to the common user, such as encrypting historic files, including backups, before proceeding to more current ones. Newer malware has also been shown to avoid common behavioral analysis programs and can run undetected in the background of a computer system. In short, users may receive no advance warning that their computer network is infected until a ransomware notice pops up on their screen.
Less and More: Where the Dollars Add Up
It’s not the typical ransom amount (usually $1,000) that damages a firm’s bottom line, but the lost time and additional effort. A firm grossing $5 million a year is worth approximately $2,400 per work hour. It takes two hours to create a bitcoin account and pay the ransom, but it’s not uncommon for the hackers to manually verify the payment before providing the key, which could take up to 48 hours. Even if staff is able to complete some work on paper, the lost time could still add up to approximately $44,000.
Furthermore, assuming the most recent available backup is from midnight the day before the attack (a common practice), the staff will now need to recreate that day’s work. Assuming they’re industrious and it only takes one eight-hour workday, the cost still increases another $19,000. The offending malware will also need to be removed from the system, and the firm will have to verify that clients’ personally identifiable information was not stolen. This will likely require third-party computer forensic experts to verify the nature and scope of the breach. The industry average cost for this type of work varies anywhere from $200 to $1,500 per hour. For one recent firm, such forensic analysis, along with additional fees and reports, cost over $40,000. Adding this to the previous estimate brings the total to $103,000. The alternative, of course, is violating legal due diligence obligations, which can bring serious penalties from a state’s attorney general (up to $150,000 in New York).
Keep in mind that the above is a relatively simple scenario with a best-case outcome. With even slight changes, smaller firms could easily reach such a total cost. To deal with limited losses, professional liability carriers now almost universally offer cyber insurance endorsements to their policies. These economical options typically only provide limits up to $100,000 on an annual aggregate basis. If a firm has a mass breach of information, or multiple cyber incidents in a year, the costs can easily rise an order of magnitude above this. Therefore, most firms consider a separate cyber policy with higher limits and more specialized coverage.
Understanding a Separate Cyber Policy
Cyber insurance policies are still evolving and thus far from homogeneous. Indeed, the impetus for this article was the general lack of knowledge and questionable advice the authors have seen insurance brokers offer firms in this area. It is strongly recommended for firms to consult legal counsel familiar with this field to answer any questions.
There are two key components of cyber insurance: third-party coverage and first-party coverage. The prevailing idea of “cyber insurance” is likely not the big third-party coverage found at the top of most cyber insurance policies—it is actually buried within various first-party claim sub-limits with various retentions and thresholds. Third-party claims typically arise as an alleged result of damage to a client’s network, breach of client information, class action claims, possible media liability, and legal defense costs. Incidentally, most of these types of claims should already be covered under a firm’s professional liability policy.
Could a CPA firm’s client prove that, as a direct result of a cybersecurity breach, they suffered damages? Perhaps, but that is a difficult argument to prove. Third-party claims are rare for accounting firms, and it’s no coincidence that cyber insurers tend to put this third-party coverage amount at the very top of their quotes. Firms feel safe with a large number at the top of the page, and the insurer is unlikely to ever pay out that amount. To date, the authors have never seen a third-party claim against an accounting firm, nor have they heard of any third-party claims from other insurance professionals or searches through court record databases.
Only 15 states currently allow for a private right of action for third-party cyber claims, and New York is not one of them. This was recently upheld in Abdale v. North Shore–Long Island Jewish Health System, Inc. (2015 NY Slip Op 25274). The plaintiffs alleged negligent disclosure of medical and personal information; some of the plaintiffs even specified losses from the disclosure because of stolen tax refunds. The courts dismissed the clear majority of their claims, upholding only a comparatively minor charge of negligence.
Nat Calamis, a partner at Washington, D.C.–based law firm Carr Maloney, specializes in cyber law and states: “We’re not seeing a lot of data breach claims that lead to actual litigation, because proving damages is difficult. Most individual claims brought against firms would be comparatively small dollar and focus on common law violations such as negligence, unjust enrichment, and violations of various consumer protections. Firms would do better by ensuring compliance with state’s breach notification laws to avoid enforcement actions by the states themselves that could result in substantial penalties.”
As a result of the above, the more important element of a cyber insurance policy—but one less likely to receive scrutiny—is first-party coverage. This covers costs such as credit monitoring, client notification, and network restoration. Comparing and analyzing policies on this basis can be difficult for inexperienced brokers. First-party coverage costs are typically more limiting, and necessary in a breach, than third-party coverage costs. Thus, by understanding a firm’s first-party needs, the third-party coverage amount will usually naturally fall into place.
What Constitutes a Breach?
When estimating first-party exposure, it is worth understanding what constitutes a breach of client information. There are approximately 47 different state and territory laws on the matter, all slightly different. CPA firms should therefore be aware of the law for any state in which a client resides. The New York definition is found in section 899-aa(1)(c) of the General Business Law:
“Breach of the Security” of the system shall mean unauthorized acquisition or acquisition without valid authorization of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business … In determining whether information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person or a person without valid authorization, such business may consider the following factors, among others: 1) indications that the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing information; 2) indications that the information has been downloaded or copied; 3) indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported.
There is nothing groundbreaking in this definition. A breach can generally be understood to be physical or electronic possession or use of information by an unauthorized person. The key point is determining just what information is covered. New York law contains two distinct categories: personal information and private information. “Personal information” means “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.” “Private information” means “personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired: 1) Social Security number; 2) driver’s license or state identification number; 3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.” Private information does not, however, include “publicly available information that is lawfully made available to the general public from federal, state, or local government records.”
Calculating First-Party Insurance Requirements
Therefore, estimation of a CPA firm’s minimum risk of breach is as simple as assessing how many individuals’ records possessed by the firm contain non-exempt personal or private information. Note that New York now requires a taxpayer’s driver’s license or state-issued ID for electronically filed personal income tax returns, in order to alleviate fraud. While these IDs are classified as personal information, claimed dependents will still need a Social Security number and may not have the requisite ID. For this reason, most firms should stick to counting the number of Social Security numbers on file, as it is unlikely that the firm would have driver’s license, state ID, or banking information for a client without also having the Social Security number. (Obviously, having all of the above, or any combination of different types of information, for one person should be counted as one record, even across multiple years.)
This process should be meticulous and not oversimplified. Counting the number of tax returns will not suffice, because each return may contain multiple Social Security numbers or ID information. The firm may also possess large troves of Social Security numbers, such as benefit plan records or records of previous clients. The desire to include or exclude encrypted files is ultimately a judgment call, but, in the authors’ experience, hackers and negligent or malicious staff never cease to amaze with their ingenuity.
After deriving a rough estimate of the amount of personal and private information on file, one should play it safe and round up to the next order of magnitude (e.g., from 8,467 to 10,000, 943,000 to 1 million). The purpose of this exercise is to develop a minimum estimate of insurance, not a maximum fact of exposure.
For over a decade, the Ponemon Institute has conducted a yearly benchmark study on the cost of a data breach. In its 2016 Cost of Data Breach Study: United States (http://ibm.co/2lT3GHi), it examined the costs incurred by 64 companies in 16 different industries. While there is no accounting firm–specific metric, the average per-record cost in the financial industry, including direct and indirect costs, was $264. Direct costs included first-party expenses such as computer forensic costs, call center support, attorneys, and credit monitoring for clients. Indirect costs were mostly uninsurable expenses such as reputational loss, abnormal customer turnover, and internal investigations. Extrapolating from the study’s breakdown of direct versus indirect costs on the average per-capita cost across the financial services industry, approximately 68% of the cost was indirect and mostly uninsurable, while 32% was direct and thus mostly insurable.
It is worth noting that this study did not fully break down the costs per commonly insurable first-party coverages discussed above. Unlike with other forms of liability insurance, it is worth being liberal when estimating and assuming that 50% of these costs would be insurable under a cyber policy. This provides a final minimum baseline of $132 per affected record. A firm with 10,000 affected records would therefore have first-party risk of $1.32 million.
Stand-alone cyber policies tend to come in either $250K or $500K limits, followed by multiples of millions up to $10 million. Consider rounding up to the nearest million in coverage, because the estimate is of otherwise internal costs. Within most cyber policies, the first-party coverage limits are lower than or equal to third-party limits, and thus the necessary third-party limit follows naturally.
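The estimation procedure above (count the individuals whose Social Security numbers the firm holds, round that count up to the next order of magnitude, apply the $264 Ponemon figure with the authors’ assumption that 50% of it is insurable, then round up to an available policy limit) can be written out as a small script. The following is an added example, not code from the article or its authors; the list of policy limits ($250K, $500K, then $1M to $10M) and the per-record figures are taken from the text, and treating a count that is already a power of ten as not needing further rounding is an assumption made here.

```python
# Added example (not from the article): a minimum first-party cyber coverage
# estimate following the article's procedure. Counts a firm's non-exempt
# records (SSNs on file), rounds up to the next power of ten, applies the
# Ponemon 2016 financial-industry cost of $264 per record at the article's
# liberal 50% insurable share ($132), then maps the result to the stand-alone
# policy limits the article lists.

PONEMON_2016_FINANCIAL_PER_RECORD = 264   # USD, direct + indirect cost per record
INSURABLE_SHARE = 0.50                    # article's liberal assumption
PER_RECORD_INSURABLE = PONEMON_2016_FINANCIAL_PER_RECORD * INSURABLE_SHARE  # 132.0

# Stand-alone limits named in the article: $250K, $500K, then $1M..$10M.
POLICY_LIMITS = [250_000, 500_000] + [m * 1_000_000 for m in range(1, 11)]


def round_up_order_of_magnitude(records: int) -> int:
    """Round a record count up to the next power of ten (8,467 -> 10,000;
    943,000 -> 1,000,000). Assumption: a count that is already a power of
    ten is kept as is. Integer arithmetic avoids floating-point log10 edge cases."""
    if records <= 0:
        return 0
    power = 1
    while power < records:
        power *= 10
    return power


def first_party_estimate(records: int) -> int:
    """Minimum first-party exposure in whole dollars for a raw record count."""
    return int(round_up_order_of_magnitude(records) * PER_RECORD_INSURABLE)


def suggested_limit(estimate: int):
    """Smallest listed policy limit that covers the estimate, or None when the
    exposure exceeds the $10M top tier the article mentions."""
    for limit in POLICY_LIMITS:
        if limit >= estimate:
            return limit
    return None


def coverage_plan(records: int) -> dict:
    """Bundle the intermediate figures so the reasoning can be reviewed."""
    rounded = round_up_order_of_magnitude(records)
    estimate = first_party_estimate(records)
    return {
        "raw_records": records,
        "rounded_records": rounded,
        "per_record_insurable_usd": PER_RECORD_INSURABLE,
        "first_party_estimate_usd": estimate,
        "suggested_limit_usd": suggested_limit(estimate),
    }


if __name__ == "__main__":
    # Constructed inputs: the article's 8,467 example and a much larger count.
    for count in (8_467, 943_000):
        plan = coverage_plan(count)
        print(f"{count:>9,} records -> {plan['rounded_records']:>9,} rounded -> "
              f"${plan['first_party_estimate_usd']:>13,} exposure -> "
              f"limit {plan['suggested_limit_usd']}")
```

For the article's 8,467-record example the script reports 10,000 rounded records, a $1,320,000 exposure and a suggested $2M limit; a count that rounds to one million records exceeds the $10M top tier and the script returns no limit, which is the signal to involve a broker rather than pick a number from the list.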
While most CPA firms should use their volume of Social Security numbers as a benchmark for minimum first-party limits, there are certain situations where this is inappropriate. For example, the authors represent a firm grossing nearly $40 million in revenue that focuses primarily on nonprofits and therefore has a disproportionately small amount of personal information compared to other firms with similar revenue. In this instance, reimbursement for business interruption, a first-party coverage, was the deciding factor. Other firms may also have unique circumstances that alter their coverage calculation, such as firms subject to the HIPAA and HITECH Acts or global firms that must also consider extra-national reporting requirements.
There is also an increased trend of firms’ larger clients requesting a minimum level of cyber coverage. Therefore, any estimate of a cyber policy will be incomplete without first investigating any contractual obligations. Such requirements are often written by lawyers unfamiliar with the available limits and associated costs of cyber policies. Any sort of contractual obligation is likely negotiable, but firms should always ensure that they meet their contractual requirements. In such cases, it is best to work with an experienced broker and legal counsel familiar with this area.
What Should Be in a Cyber Policy?
With an estimate on first-party costs in hand, the next step is to determine what coverage for first-party expenses is necessary in a cyber policy and why. Cyber policy coverages can vary significantly, and insurance brokers may lack knowledge in this area. For example, the authors recently assessed a cyber policy for a client that had been sold by the firm’s general agent. Unfortunately, the policy provided no first-party coverage at all; it only covered third-party claims, which were already covered by their professional liability policy. In short, the firm wasted thousands of dollars every year because it assumed its general agent understood what he was selling.
The response to, and cost of, a ransomware attack or mass breach will be different in both scope and kind. To illustrate why certain coverages are important for each scenario, they have been broken into two distinct tiers below.
Tier one: ransomware.
As explained above, ransomware costs will generally come down to paying the extortionist to unlock the files, repairing damage to the system, reimbursing the firm for business interruption costs, and utilizing a computer forensic expert to prove no personal information was stolen. Many cyber insurance policies will pay the ransom outright or reimburse the firm for funds paid to decrypt the data. This may seem counterintuitive, but it is typically impossible for a firm to regain use of the files without paying the ransom, and business interruption costs are often far greater than the ransom. Given the prevalence of ransomware, it’s worth thoroughly understanding the policy requirements for paying the ransom before an attack, not after, since the policy details may be among the information encrypted. Certain policies only require demonstration of duress, while others require insurer consent.
Depending on the nature of the ransomware, it is possible that, either by design or accident, the malware may steal, damage, or corrupt hardware or software. Therefore, check to see if the hacker damage sub-limit will pay to restore the firm’s website, network, computer systems, programs, or data. This coverage often contains varying exclusions, so be certain to read and understand exactly what is or is not covered.
Even if only one computer is infected, there will still be significant downtime and business interruption as the situation is assessed. Depending on the size of the firm and the time of year, this can be a sizeable cost. Policies from different carriers will offer different retentions, thresholds, time periods, and maximum reimbursements for this unavoidable downtime. For example, a policy’s sub-limit may not respond until the firm has been down for at least 10 business hours (retention), has been reduced to less than 75% of hourly gross profit (threshold), and will be reimbursed a maximum of $1 million (reimbursement), within a 90-day period immediately prior to the interruption (time period).
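The way the four parameters of a business interruption sub-limit interact is easier to see when they are applied to a sample outage. The following is an added example, not code from the article or its authors; it uses the sample values from the paragraph above (10 business hours, 75%, $1 million, 90 days) and the article's $2,400-per-hour figure for a $5 million firm. Two modelling choices are assumptions made here rather than policy wording: the retention is treated as a waiting period, so only hours beyond it are reimbursed, and the baseline hourly gross profit is the average over the 90-day look-back.

```python
# Added example (not from the article): evaluating a business-interruption
# sub-limit with the article's sample retention, threshold, reimbursement cap
# and look-back period. Retention-as-waiting-period and the averaged baseline
# are assumptions for illustration; the actual policy wording governs.
from dataclasses import dataclass


@dataclass(frozen=True)
class InterruptionTerms:
    retention_hours: float = 10.0         # firm must be down at least this long
    profit_threshold: float = 0.75        # hourly gross profit must fall below 75% of baseline
    max_reimbursement: float = 1_000_000  # sub-limit cap
    lookback_days: int = 90               # period used to establish the baseline


def baseline_hourly_profit(daily_gross_profit: list, terms: InterruptionTerms,
                           hours_per_day: float = 8.0) -> float:
    """Average hourly gross profit over the most recent `lookback_days`
    entries of a day-by-day history (oldest first)."""
    window = daily_gross_profit[-terms.lookback_days:]
    if not window:
        raise ValueError("no history to establish a baseline")
    return sum(window) / (len(window) * hours_per_day)


def interruption_payout(hours_down: float, hourly_profit_while_down: float,
                        baseline: float, terms: InterruptionTerms) -> dict:
    """Decide whether the sub-limit responds and how much it would pay."""
    if hours_down < terms.retention_hours:
        return {"responds": False, "reason": "downtime within retention", "payout": 0.0}
    if baseline <= 0 or hourly_profit_while_down / baseline >= terms.profit_threshold:
        return {"responds": False, "reason": "profit not below threshold", "payout": 0.0}
    covered_hours = hours_down - terms.retention_hours   # waiting-period assumption
    loss = (baseline - hourly_profit_while_down) * covered_hours
    payout = min(loss, terms.max_reimbursement)
    return {"responds": True, "reason": "covered", "payout": round(payout, 2),
            "uncovered_loss": round(loss - payout, 2)}


if __name__ == "__main__":
    terms = InterruptionTerms()
    # Constructed history: 90 identical days at $19,200 gross profit per day,
    # i.e. $2,400 per hour, the figure the article uses for a $5M firm.
    history = [19_200.0] * 90
    base = baseline_hourly_profit(history, terms)
    # Four full working days down (32 business hours, no profit) vs a short outage.
    print(interruption_payout(32, 0.0, base, terms))
    print(interruption_payout(6, 0.0, base, terms))
```

With a $2,400 baseline, a 32-hour total outage pays $52,800 (22 hours beyond the retention), a six-hour outage pays nothing, and an outage in which the firm still earns 80% of its usual hourly profit pays nothing even if it lasts a week, which is why the threshold deserves as much attention as the headline reimbursement figure.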
Coverage is also available for retention of a forensic analysis service to determine the scope and nature of the breach. While New York is in the minority of states that do not explicitly require such an analysis, it can help determine whether any personal information was acquired by the hacker. This coverage is therefore desirable in order to help the firm avoid progressing to tier two.
Tier two: breach of personal information.
Breaches of clients’ personal information can require multifaceted and expensive solutions. When hackers infiltrate a computer system, they can match and even exceed the access and data to which the average user is privy. For this reason, firms will likely require the business interruption and computer forensic services mentioned above, as well as some or all of the additional services listed below.
Each state has its own specific rules on breach notification. There are often state-mandated guidelines regarding notification delivery, the content of the notification, and how quickly clients must be notified. New York requires the following regarding the timing and delay of client notifications:
Following discovery or notification of the breach in the security of the system … the disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement … or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system. … Notification may be delayed if a law enforcement agency determines that such notification impedes a criminal investigation. The notification required by this section shall be made after such law enforcement agency determines that such notification does not compromise such investigation. [General Business Law section 899-aa(2),(4)]
A mass breach could therefore require notification for every single affected client in a very short period, which would be a painful exercise. Indeed, it can become so expensive and cumbersome that major cyber insurance carriers now typically offer breach notification costs outside the overall limits of liability.
Failure to properly fulfill the state’s breach notification laws may result in regulatory action from the state attorney general. In New York, “the court may impose a civil penalty of the greater of five thousand dollars or up to ten dollars per instance of failed notification, provided that the latter amount shall not exceed one hundred fifty thousand dollars” [General Business Law section 899-aa(6)]. Firms should therefore expect to see a sub-limit for regulatory actions to pay for claim expenses and damages, including civil or regulatory fines or penalties that are not compensatory. There should also be a regulatory compensatory sub-limit to compensate the individuals or entities whose personal information was stolen.
While navigating the potential minefield of client notifications and dealing with state regulators, it’s important not to forget about clients’ other concerns. To the authors’ knowledge, credit monitoring is not yet a requirement of any of the 47 different state and territory breach laws. These services are, however, quickly becoming the de facto standard level of care. Per the Ponemon Institute’s 2016 Cost of Data Breach Study: United States, breached financial services firms can expect to lose approximately 7.3% of their clients, so client retention should be an absolute priority. The true currency of CPAs is trust, and providing credit monitoring can demonstrate a long-term commitment to clients.
There will be a deluge of phone calls and emails from clients and legal counsel after a breach. Imagine attempting to converse with every client a firm has, and the media, during a single day or week. To alleviate this burden, crisis management and public relations teams attempt to minimize the potentially devastating effects of a breach on a firm’s business reputation and long-term financial stability. This communications strategy can include properly worded statements meant to limit liability and ease clients’ fears and a call center to further the care of clients during a decidedly personal event.
Furthermore, if the hacker infiltrated the firm’s payment card system, the firm could be subject to payment card industry (PCI) fines and remediation. Affected firms will need coverage for the associated fines, which can range from $50 to $90 per compromised cardholder record, as well as the likely suspension of the firm’s ability to process credit cards. To regain this ability, the firm will need to undergo a PCI remediation, which is arduous, time consuming, and exceedingly complex. While there are only 12 PCI Data Security Standard requirements, there are also upwards of 220 sub-requirements that can be open to interpretation. A security consultant familiar with this area will be necessary to navigate this process. General policy sub-limits for these costs are approximately $25,000.
There is also a possibility that one or more employees may have been duped into providing a fraudulent funds transfer from a company account. This is commonly referred to as “phishing”; a new threat, “whaling,” specifically targets upper management with these same techniques. If this occurs, another sub-limit may cover the loss, theft, or transfer of funds, monies, or securities from company accounts. The funds are typically the firm’s, those in the firm’s custody, or possibly those of a third party to which the firm is legally liable. This is not the same as someone stealing information from a company credit card and making fraudulent purchases.
Finally, the firm’s cyber policy may have a media liability coverage component that covers claims arising from activities such as copyright infringement, publication of private facts, and defamation. Practically, this would most likely concern the firm’s social media posts or promotional materials. While it is not outside the realm of possibility that a cyber claim could occur in this realm, the authors were unable to find instances where a CPA firm has utilized this type of coverage in connection with a breach.
Denial of Coverage
Even with proper first- and third-party limits, as well as all the required sub-limits, several exclusions could be buried within a cyber policy that enable an insurer to deny coverage for some or all of the above matters. Although not yet universal, some policies contain an exclusion for a failure to update or maintain the risk controls detailed on the cyber insurance application. Denial of coverage for this style of exclusion was recently seen in Columbia Casualty Company v. Cottage Health Systems [2:15-cv-03432 (CD Cal 2015)]. After defending a claim brought against Cottage Health and funding a $4.1 million settlement, Columbia Casualty subsequently sued Cottage Health to recoup the entire settlement and defense costs. While Columbia’s allegations were numerous, they mostly rested upon Cottage Health’s failure to maintain the security standards detailed in its security risk assessment. Note that Columbia Casualty is owned by CNA, a common insurer of CPAs. Exclusions like this place an undue pressure on CPA firms to constantly assess their IT staff or provider, and policies that include them should be avoided.
Cyber Policy Cost
Current cyber policy premiums are still very reasonable when compared to the cost of professional liability policies. Even with year-over-year increases in the volume of breaches reported across the market, the sheer number of insurers in the market is currently keeping costs low and competitive. When it comes to getting an estimate on price, CPA firms are best served by working with a knowledgeable broker. The multitude of elements underwriters use to generate a quote do not readily lend themselves to a simple formula or chart.
Evaluating a firm’s needs regarding cyber insurance can be an onerous process, with many assessments and estimates of the firm’s potential needs and risks. It is still, however, far preferable to paying the full costs of a breach or attack on the firm’s computer systems, or, in the worst-case scenario, being forced out of business completely.