Pennsylvania CPA Journal

A Stand-Alone Cyber Policy Matters More Than Ever

Some firms believe the risk exposure of cybercrime can be addressed with an endorsement to an existing professional liability policy. This assumption often leaves critical coverage gaps that can have serious financial and operational consequences.  


Insightful lessons can be learned by reviewing professional liability issues. With this in mind, Gallagher Affinity provides this column for your review. For more information about liability issues, contact Irene Walton at irene_walton@ajg.com.


The risk of cybercrime is no longer a distant concern for accounting professionals. It is a daily business reality. CPA firms handle highly sensitive data, which makes them a consistent target for cybercriminals.

Many firms assume this exposure can be addressed with a cyber endorsement to an existing professional liability or business owner policy. Unfortunately, what may appear sufficient often leaves critical gaps. Then, when an incident occurs, those gaps create serious financial and operational consequences. Understanding the difference between a stand-alone cyber policy and a cyber endorsement is essential to protecting your firm and your clients.

Growing Exposure

CPA firms store and transmit tax returns, Social Security numbers, payroll data, and banking information. Cybercriminals actively seek this type of data because it can be monetized quickly.

The nature of accounting work also increases exposure. During peak busy periods, firms process high volumes of sensitive information under tight deadlines. Frequent client communication creates opportunities for phishing attacks. The movement of funds introduces additional risk for wire fraud and social engineering schemes.

Smaller firms face added challenges. Many do not have dedicated IT security teams or advanced monitoring tools, which makes them more vulnerable. Cybercriminals know this and target firms that appear easier to penetrate.

Insurance can help manage this exposure. But the question is not whether a firm carries cyber coverage; it is whether that coverage responds effectively during a claim.

A Real-World Scenario

Consider a midsize CPA firm that receives an email that appears to come from a client requesting updated financial documents. An employee clicks a link within the email and unknowingly provides login credentials.

Within hours, attackers extract client data and deploy ransomware that locks critical files. The firm must halt operations during a peak work period. Clients begin calling. Regulatory obligations require notification. Legal counsel is engaged, along with forensic investigators to determine the scope of the breach.

Costs escalate quickly, easily reaching tens or hundreds of thousands of dollars. If the firm carries only a cyber endorsement with limited sublimits, those funds may be exhausted early in the response process.

Stand-Alone vs. Endorsement

Cyber coverage varies significantly depending on how it is structured. The differences between a stand-alone policy and an endorsement on an errors and omissions or business owner’s policy can determine how a claim unfolds.

Stand-Alone Policy

Pros:

  • Broad coverage designed specifically for cyberevents, including ransomware, data breaches, and social engineering fraud.
  • Higher, dedicated limits that do not erode other policies.
  • Access to breach response teams, including legal counsel, forensic investigators, and public relations specialists.
  • Coverage for both first-party losses and third-party liability.
  • Business interruption coverage tied directly to cyberincidents.
  • Risk management tools such as employee training and vulnerability assessments.

Cons:

  • Higher upfront cost compared to an endorsement.
  • Separate underwriting process that may require detailed information.

Cyber Endorsement

Pros:

  • Lower cost and easy to add to an existing policy.
  • Simplified underwriting process.
  • Provides limited protection for firms with minimal exposure.

Cons:

  • Lower sublimits that can be exhausted quickly.
  • Coverage restrictions may exclude ransomware or funds transfer fraud.
  • Shares limits with other claims, such as professional liability.
  • Limited or no access to dedicated breach response services.
  • May only provide first-party coverage, excluding third-party liability.
  • Potential gaps between policies that create uncertainty during a claim.

First-Party and Third-Party Exposure

One of the most important distinctions in cybercoverage is the difference between first-party and third-party risk.

First-party coverage addresses the direct costs a firm incurs following an incident. This includes forensic investigations, data restoration, legal consultation, and business interruption losses.

Third-party coverage applies when clients or other affected parties allege harm. This may involve claims related to failure to protect sensitive information, financial loss due to fraud, or regulatory actions.

Many cyber endorsements focus on first-party losses and provide limited or no third-party protection. This gap can be significant given the reliance clients place on firms to safeguard their financial data.

When an Incident Occurs

The response to a cyberevent often determines the overall impact. A stand-alone cyber policy is designed to activate quickly and coordinate a structured response:

  • A breach coach, typically a specialized attorney, is engaged to guide the response.
  • Forensic investigators assess how the breach occurred and what data was affected.
  • A notification strategy is developed to meet regulatory requirements.
  • Public relations support is coordinated if reputational risk is present.

The coordinated approach helps contain the incident and reduce long-term damage.

Endorsements typically do not offer this level of structured response or immediate access to specialized resources.

The Difference Matters

A cyberincident is not just a technical issue. Firms may face obligations under federal and state data breach notification laws, as well as IRS data security expectations for tax preparers. These requirements can introduce strict timelines and documentation standards. At the same time, clients may pursue claims if they believe their information was not adequately protected.

Endorsements are not designed to address this full spectrum of exposure. They extend existing policies but often lack the depth required for complex cyberevents.

Stand-alone cyber policies are built for these situations. They provide broader protection, dedicated limits, and access to expertise.

Cost vs. Value

Cost often drives the decision to choose an endorsement. On the surface, endorsements appear more affordable. However, a cost comparison does not reflect the full picture.

The more important factor is value. A lower-cost endorsement that fails to respond adequately can leave a firm responsible for significant expenses. These may include uncovered legal fees, notification costs, and lost income due to downtime.

Reputational damage can also have lasting effects. Clients expect their financial information to remain secure. A single incident can impact trust and retention.

When firms evaluate coverage based on value rather than price, the advantages of a stand-alone policy tend to outweigh cyber endorsements.

Key Considerations

Firms should review their cybercoverage regularly to ensure it aligns with current risks. Here are some key questions firms should address:

  • What are your cybercoverage limits, and are they adequate?
  • Does the policy cover ransomware and social engineering fraud?
  • Do you have access to a breach response team?
  • Does the policy include business interruption coverage?
  • How quickly will the policy respond to an incident?

If these answers are unclear or reveal limitations, it may be time to reassess the structure of your coverage.

Looking Ahead

The threats from cybercrime will continue to evolve, but CPA firms will remain high-value targets. The firms that are best positioned to navigate this environment are those that understand their exposure and take a proactive approach to managing it.

A stand-alone cyber policy provides clarity, stronger protection, and access to resources that can make a meaningful difference when an incident occurs. It is not just about having coverage in place. It is about having coverage that performs under pressure.


Irene M. Walton is area vice president, affinity manager, with Gallagher Affinity in Mount Laurel, N.J. She can be reached at irene_walton@ajg.com.