CPA Roundtable: Should small firms invest in cybersecurity insurance?

Chris Gaetano
Published Date: Jan 26, 2016

Rona Pocker

Financial and Regulatory Risk Management Consultant, Turnaround Risk Management, Inc., Manhattan

I think before even thinking about insurance, you need to understand the nature and types of cyber risks you’re exposed to. The Office of the Comptroller of the Currency has a new tool on its website that can help you with that. What you’re doing is assessing the inherent risk profile: the amount of risk posed, types of risk, volume, complexity, reliance on third-party vendors, etc. You should also assess the cybersecurity controls you already have in place, both in terms of technology and procedures. Once a firm has made that assessment, you’re in a much better position to make a determination as to whether or not insurance is worthwhile. It may be that the insurance doesn’t cover the nature of the risk, it may be too costly given the probability of occurrence, or it may not be an appropriate insurance program.

Policies are not one-size-fits-all either. You could buy insurance based on very narrow aspects, or you could buy insurance based on a very broad assessment. Because of this, it’s important to understand what risks you’re ultimately exposed to, as well as assess the controls you already have in place to mitigate risk. None of us lives in a zero-risk environment, so the question is, even for a small firm, “What exposure is there?”


John P. Fodera

Partner, EisnerAmper, Long Island

Companies should, at a minimum, try to get some quotes and find out what the insurance would cost them. At the end of the day, I think it’s much more important to have your written information security program and your training and your client programs in order to mitigate the risk. Still, insurance can go a long way in covering that risk, but you should take a look at the benefits you’d get from having it. If a firm’s considering it, the best thing to do is get quotes from different carriers—they’re not all the same. One thing to consider is whether you’re getting what you pay for, so a firm needs to consider the kind of benefits it would get from having that type of insurance: What does it cover, how does it align with the work you do, and what sort of terms will they want?

Still, I don’t think you can really generalize. There have been a lot more breaches happening, and the kind of information CPA firms have is getting more valuable to hackers. But you really have to do a thorough evaluation to find out where you are in terms of risk and what your appetite for it is, and then see if you’re going to accept the risk; if you want to do some kind of risk transfer, which would be an insurance policy; or put stronger protocols in place to mitigate it.


Thomas J. Sonde

Management Consultant, SilverRoad Solutions

Chair, NYSSCPA Technology Assurance Committee, Manasquan, N.J.

If you’re the victim of a cyberattack, it’s going to be a lot more complex for you than in a big firm because you don’t have the resources, personnel and financial perspective. You won’t have a large legal department or IT department—maybe you have a guy who’s kind of IT. But overall, you have fewer resources, so your needs are actually greater than a larger firm. While I understand that costs can be very high, the impact of being hacked can be huge, even for a small firm, and it’s very easy to get hacked—if they can hack into the Pentagon, they can hack into a local CPA firm. Without insurance, what are you going to do then? Even if you’re talking about a CPA firm with four or five partners, you can have some pretty substantial clients with a lot of valuable information, and so your exposure could be enormous. Big or small, a CPA firm should get an insurance policy, and a good one too—part of my understanding of insurance is that they will force you to do things that will protect you a bit—maybe not prevent an attack, but at least force you to have a plan for what happens when you do. You may think it’s costly, but wait until your client data is lifted and see how costly that can be.


Mark Martinelli

Executive Vice President and Chief Audit Executive, Synchrony Financial, Stamford, Conn.

For large- and medium-sized firms, cybersecurity insurance is a must. For smaller firms, say less than 10 individuals, I would certainly do some research on what the price of getting it would be. The challenge, though, is this is not a time-tested insurance. You get insurance on your house, on malpractice liability—these are areas with pretty well-established norms. With cyberinsurance, there is still some level of gray—say a CPA firm is broken into because a vendor it uses had a breakdown in controls. All the tax information from your clients that came in through that vendor is stolen. Does your insurance apply? There’s a lot of gray area here because it hasn’t really been court tested, which makes researching the policies available and making sure you deal with a reputable firm all the more important.

If a firm does decide to get insurance, I would go to a specialist for a policy versus a more general insurance company. This is because you can describe to them the type of firm you have and the risks you’ve assessed, and in turn, they can give you an idea of what type of more tailored insurance would be appropriate, almost like a cafeteria plan. So you say, “Fine, I’ll take the basic plan and third-party vulnerability.” Since this field hasn’t gone through legal testing yet, I absolutely would take a tailored approach. Of course, this means you’re also going to have to do regular assessments of your processes and vulnerabilities. You have bright people who, nonetheless, just install McAfee and think that’s all they need. You’re going to need someone to come in to make sure you have the software and hardware you need. Whether or not you take insurance, though, don’t make the mistake of thinking, “We’re a small firm—who could want my data?” Client data can be used in a large variety of ways, and, if you think about it, it’s easier to get it from a smaller firm than a bigger one.