Cyber risks: accountancy firms' exposure

How can your practice defend itself against a possible cyber incident?

It is becoming increasingly common to hear mention of the names of professional services firms in the press in connection with a cyber breach incident. Cyber attacks have become a fact of life, highlighting the ever-evolving challenges that all professional services firms need to meet.

Preserving confidentiality is a core professional duty, and a failure to do so can lead to a number of exposures. Professional services firms, including accountants and auditors, are often viewed as good targets for hackers, due to the wealth of sensitive confidential data they hold and because firms can be perceived to have less sophisticated data security than clients in, for example, the financial services and healthcare sectors.

A cyber breach can occur due to a number of factors - for example: an employee opening a dubious attachment to an email or responding with passwords or other security information to a phishing attack, the introduction of malware via a third party supplier's system, or the failure to keep software up to date leaving vulnerabilities in the system open to exploitation. It can be more difficult for smaller firms to protect themselves from attack, as they do not have the same resources to invest in cyber-security defences and training as do larger organisations.

The UK has not yet had anything like the claims exposure from cyber events that has been seen in the US. However, that may change following implementation of the General Data Protection Regulation (GDPR) in May 2018.

How are firms exposed?

First party losses

The aftermath of a cyber breach is unpredictable and depends on the nature and extent of the breach, the information compromised and the effectiveness of containment and recovery. A firm may incur first party costs/losses in connection with any or all of the following:

  • business interruption
  • ransom payments
  • reputational harm
  • technical and forensic investigations
  • security and other IT improvements and repairs
  • client notifications
  • loss of intellectual property
  • public relations advice
  • legal fees.

At their worst, cyber breaches can have catastrophic consequences for the subject of the attack. It is often reputational damage which can have the most significant impact, as a loss of trust from clients (whether justified or not) can be disastrous if widespread.

In addition firms may find themselves subject to claims from third parties and regulatory action.

Malpractice claims

Clients may make claims against professional firms which are unwittingly caught up in cyber frauds. The most common examples we have seen have been claims by clients against law firms. A number have been subject to so-called ‘Friday afternoon frauds’, where a fraudster dupes the firm into sending its client’s money to the fraudster (often through falsified email communications). Claims arising from these events usually take the form of a claim for breach of trust, and can be very difficult to defend.

Claims of this sort usually relate to the professional firm paying client money to a fraudster. However, it may also be possible for a client to sue for negligence in other circumstances. For instance, it might be possible to make out a claim if a professional firm’s IT security were to be unreasonably weak and that allowed hackers to send the client falsified bank details, purportedly from the professional firm, leading to the client unknowingly paying its money to fraudsters.

Privacy liability

If a cyber-attack results in a loss or disclosure of data, claims may be made by the owners and/or subjects of the data. For example, claims might be sought for compensation under the data protection legislation; there may be breach of confidence claims, breach of contract claims – for example breach of an express or implied term that data would be stored securely - or negligence claims for the failure to take reasonable security precautions.

Regulatory exposures

Regulatory action following a cyber event might relate to a failure to protect confidential information or a failure to notify affected individuals in compliance with laws or regulations.

ACCA – confidentiality is one of the key principles of the ACCA code. Whilst it is the case that even the strongest and most sophisticated of systems and controls employed to prevent cyber attacks will not be water-tight, it may be that a breach following a failure to take even the most basic steps to secure client information might constitute misconduct and therefore render members liable to disciplinary proceedings. Other regulators have taken disciplinary action, including imposing fines, for failing to take reasonable steps in relation to preventing breaches.

Information Commissioner’s Office (ICO) – one of the key principles of the GDPR in the context of cyber security is Article 5f which states that the firm must have appropriate security measures in place to protect personal data. We have seen fines imposed by the ICO for security failures by professionals.

The role of insurance

Professional indemnity insurance may provide some insurance cover in the event of a cyber breach. However, there may be significant gaps in the cover provided in relation to a number of the exposures outlined above. In particular, a standalone PII policy will not usually provide cover for first party losses, such as the cost to the firm of identifying and fixing the security issue.

In contrast, cyber liability policies have a built in response protocol in order to respond quickly and effectively to a data breach. This is usually led by a breach response coordinator, who will organise the forensic response, instructing third party suppliers (such as PR firms and credit monitoring services), considering notification obligations to regulators and individuals (if appropriate) and dealing with subsequent third party claims.

The cover provided under cyber policies is typically split into three main parts: (1) first party losses; (2) breach response costs; and (3) third party losses. Crucially, cyber policies typically provide cover for the following:

  • crisis management costs such as forensic and IT specialists
  • reputation advice services
  • specialist legal advice
  • the cost of notifying regulatory bodies and affected individuals
  • the cost of providing account and credit monitoring to affected individuals
  • sums paid in response to cyber extortion
  • data and computer program restoration costs
  • business interruption losses
  • fines and penalties for breach of data protection regulatory breaches (or at least to the extent that insurability is not prohibited by the regulator or by law)
  • privacy, network and media liabilities, including those not necessarily arising from malpractice.

Cyber policies also often have a lower self-insured retention or deductible than may be found in a PII policy.

However, there are some important exclusions under cyber policies. Reputational damage is not covered. Cover is typically limited to the management of reputational issues but not for the actual harm. Cyber policies also usually operate to restore systems but not to improve them, which may not be of use if a serious vulnerability has been exposed.

Policies also typically exclude the following:

  • replacement/repair of physical items eg laptops, failed servers
  • dishonest and improper conduct
  • bodily injury and property damage
  • trade secrets: cyber policies generally exclude the value of the data to the insured.

Therefore, if commercially sensitive data is released into the public domain, the financial consequences for the insured (which may be severe) are unlikely to be insured.

Ever-changing landscape

The cybersecurity landscape is constantly changing and is increasingly sophisticated. In addition, changes in the way firms work, such as agile working, impact upon the risks that firms face in keeping data confidential. Set against changes to data protection regulation and threats of litigation, there is an increased need for firms to assess their cyber risk and consider holding standalone cyber insurance as part of a firm policy to detect, prevent and respond to cyber events.

Examples of cyber incidents

  • External fraudsters used the accountant’s HMRC agent login details to divert tax refunds that were due to be paid into clients’ own bank accounts. Although it was not the accountant’s system that had been compromised, they still had to undergo security checks to ensure that there was no internal breach. Additionally they also had to inspect their client HMRC records to ascertain which clients had been affected.
  • After an employee clicked on an attachment to an email, the accountant’s server was infected with the Zepto virus, which caused much of their data to become encrypted. They then received a ransomware email demanding £2,500 in bitcoin currency to de-encrypt - which they chose not to pay. They immediately contacted their IT consultant who was able to recover most data and get the system up and running but this took nearly a week.
  • A client’s system was hacked and the fraudsters sent emails to the client’s accountants (purportedly from the client) asking them to transfer funds and make payments on their behalf. The accountant complied with the requests, as this was their usual practice previously agreed with the client. The accountant became suspicious by a request for a larger than usual amount, contacted the client and the fraud was brought to light. The client held the accountant responsible even though it was the client's system that had been breached.

Ian Peacock – partner, Clyde & Co LLP on behalf of Lockton Companies LLP

If you have any questions or would like to discuss cyber insurance, please contact Roselin Ali or Catherine Davis at Lockton Companies LLP on 0117 9065057 or ACCAaccountants@uk.lockton.com.