Cybersecurity should be a top concern for accounting firms. There are countless cybersecurity tools and best practices to help mitigate the effects of a data breach and the impact they may have on accounting firms.
Accountants, in particular, must prioritize cybersecurity as an on-going process as opposed to a one-time item that, once completed, does not need to be re-visited. Making sure you have an insurance policy in place that will cover a cybersecurity breach is vital. When it comes to cybersecurity, it’s not a question of if a breach will happen, but when.
State laws setting cybersecurity standards for financial professionals
In the past five years, many states have introduced legislation that specifies requirements for minimum cybersecurity standards that insurers must adhere to when insuring their clients against a data breach.
In late June 2018, California passed a consumer privacy act, AB 375, that takes a broader view of what constitutes private data. The California Consumer Privacy Act (CCPA) allows any California consumer to demand all the information a company has saved. It affects all companies that have at least $25 million in annual revenue.
In 2017 the New York Department of Financial Services (NYDFS) issued its Cybersecurity Regulation. This far-reaching regulatory framework focused on financial institutions, including licensed insurance companies in New York.
The regulation requires that banks, insurance companies, and financial service providers manage cybersecurity risks. It expands the scope of covered data to include information that has traditionally been addressed by other data security laws, such as data breach notification laws and data that, if compromised, poses a material risk to the business or its operators.
The NAIC Model Law is a benchmark for a cybersecurity program that seeks to protect nonpublic information. It requires that licensees take active steps to maintain a comprehensive information security program. Providers who operate in multiple states should remain vigilant about changes to laws in other jurisdictions.
The case for cyber liability insurance
Cyber liability insurance, or data breach response coverage, is a type of commercial insurance that offers protection to businesses from the losses resulting from a breach of data. It includes litigation from upset vendors or clients for exposing data to outside hackers or even from cyber extortionists.
Other instances that data breach response coverage addresses:
First party damages (your organization)
Costs related to managing the effects following a data breach, including legal representation, PCI compliance, and the industry or governmental regulatory fines, forensic investigative efforts, costs related to notifying affected parties, business income, extra expense, and data restoration costs associated with recuperating from the breach.
Third party damages (your customers and vendors)
Many companies have clients who stipulate certain data access as well as the insured preservation of their data as a condition of the contractual relationship. These policies typically cover legal defense costs, the loss of revenues associated with the termination of these arrangements, damages sustained as a result of the loss of PII (Personally Identifiable Information), and an opportunity to the insured to maintain operations following a breach.
Damage to website assets
Many policies cover damages associated with your web assets in the event of an unrecoverable data breach.
Finding the right cyber liability insurance plan
As with other insurance products, there are many different plans which cover needs based on specific conditions. It’s essential to understand the scope of your organization’s vulnerabilities and how your technology investments are currently managed.
One plan may cover employee sabotage, whereas others do not. Also, pay special attention to how data breaches are defined within the plan to ensure proper coverage regardless of the circumstances. Does the policy cover both digital and paper assets?
Discuss your plan and expectations with a trusted broker who can highlight the extent of your business’s liabilities.
Ask these questions when deciding on the right plan:
- What are the regulations or requirements for managing technology within your industry? (HIPAA, PCI, CMR, GDPR, CCCA, Graham-Leach-Bliley Act.)
- What are the fines if a violation occurs? Do you have to report to more than one state?
- Who are you required to notify? Who should you notify?
- Where and how do you access the data that is stored? How is it being protected?
- How are your data and network being managed? What internal processes or policies are in place to ensure integrity?
- Do your security tools affect coverage in a liability policy should a breach occur?
- Do you have a security response plan written?
Despite the comprehensive nature of these plans, some long-lasting effects cannot be surmised — including reputation and the trust gained from your business relationships.
History has not been kind to professional services firms that have fallen victim to data breaches with effects that can be catastrophic and long-lasting. Lost faith from clients and reputation are hard to build back up for many firms. Protect your reputation and get the right coverage.
Vigilance Is Key to Preventing Cybersecurity Breaches
Accounting professionals handle sensitive, nonpublic information daily. They cannot overlook the importance of cybersecurity and must take steps to train themselves, their clients, and their employees to comply with new regulations.
Complying with constantly evolving cybersecurity requirements is challenging. McGowanPRO is here to help with training, educational resources, and decades of experience assisting our clients with regulatory compliance. We also offer insurance coverage that will protect you in the event of a data security breach.
To learn more about how McGowanPRO assists financial professionals and why clients choose us, Contact Rob Ferrini, Program Manager, and Producer at McGowanPRO,508-656-1327.