"I was originally not a fan of cyber insurance," Randy Johnston, a partner with Network Management Group and K2 Consulting, told an audience at the recent CCH Connections Conference. But now, he continued, "I have been committed to cyber insurance policies. Your professional liability insurance will not cover you when you have a cyber breach."
The same message was delivered at the conference by Jim Piller, a principal with New York City's Margolin Winer & Evens. He noted the risks associated with improper disclosure or loss of client data. For example, he cited Florida's breach law.
"If I have one K-1 involving a Florida partnership, if I have one client who lives in Florida, I have to abide by the law," Piller said.
Many insurance carriers offer cyber liability insurance. However, it is generally not offered as standard coverage. "Endorsements to the CPA firm's commercial insurance policy may be available," according to Scott Spiegel, CFO of the American Institute of CPAs. "In addition, a CPA firm, through its professional liability policy, may buy extended coverage for cyber-related damages to client's network or equipment caused by the CPA firm."
Cyber liability insurance coverage is available through the AICPA Professional Liability Insurance Program, which is endorsed by the AICPA and provided through Aon Insurance Services, the insurance broker and national program administrator.
Cyber liability coverage was recently introduced as an endorsement option for the CPA Value Plan, through what is called CPA Net Protect. "Currently, we have more than 1,000 firms with the endorsement with growth coming over the last two to three years as cyber awareness has increased," Spiegel says.
Cyber liability insurance is not yet available through Camico, which is endorsed by 15 state CPA societies, including those in California and New York. While no details are available, the company anticipates having a program available by April when a major policy rewrite is expected to be unveiled.
Piller noted that while cyber liability insurance is not expensive, the risk of data breaches can be. He noted firms need "to ramp up cyber security in order to avoid possible reputation damage and heavy fines associated with the failure to comply with the law."
Johnston believes that the risk of disclosure of public health information is a particular problem. "I believe all firms have HIPAA information," Johnston told CCH attendees. He said that includes names, telephone numbers and email addresses of clients.
Besides establishing policies to protect data, Johnston said organizations need to ascertain what kinds of data they have. "Organizations should consider creating an inventory of the types of data that they store," he said.