30th May 2022
Champion Professional Risks, the specialist insurance brokers who provide tailored Professional Indemnity insurance cover to Lifecycle members, give an update on what accountants need to know about the current cyber risks.
About ‘cyber’
Most businesses now rely heavily on computer software or systems to operate and this is certainly the case for the majority of accountancy firms. This reliance on technology leaves accountancy firms more exposed to ‘cyber risks’ than ever before. Cyber risk ranges from third parties illegally accessing data or preventing access to business-critical systems, through to the accidental or unintended disclosure of information by an employee. Its impact can include significant disruption to normal operations, financial loss and reputational damage.
In 2020, Accounting Today estimated that, following Covid and the increase in homeworking, there had been a 300% increase in cyber attacks on accounting firms of all sizes.[1] Earlier this year, accountancy firms SJD Accountancy and Nixon Williams admitted that a ‘cyber security incident’ had incapacitated their key systems, causing significant disruption to services.[2]
The ICAEW recognises the rising threat of cyber crime in recent months, especially in light of the war in Ukraine. A recent article[3] quotes a cyber security expert saying:
“Russian hackers have been disrupting businesses for years, and have been particularly active in Ukraine. It is highly likely that they will turn more attention to the countries and organisations that have taken a public stance against Russia’s actions… Whether you’re an SME or a big company, and you’ve got any potential links to Russia, you’re going to be a target.”
Why are accountants so exposed to cyber risks?
Nature of business activities
Accountancy firms have direct access to clients’ financial and other sensitive information, which is especially desirable to cyber criminals. Information like tax IDs, bank account details, payroll data and employee details can all be sold on the dark web or used to perpetrate further cyber attacks on businesses and individuals.
Profession-based software
Accountancy firms use a relatively small number of accounting software packages, so if cyber criminals can find a weak point in one of those systems, they can exploit it to their advantage across large numbers of firms – increasing the potential reward for a single crime.
Security standards
Small to medium-sized accountancy firms that have underinvested in IT are being increasingly targeted because they offer a ‘gateway’ to their clients’ information, which would be much more difficult to access via the clients’ own – often more robust – systems. Inadequate security has been further exacerbated by the rise in homeworking, which provides for easier, often less secure remote access to company systems.
Policies and procedures
A lack of robust cyber-secure policies and procedures renders accountancy firms vulnerable to attack at any time. But cyber criminals are sophisticated and will often strike when firms are at their busiest, such as in the run-up to the end of the tax year.
“Accountancy firms are in the top three organisations that cyber criminals target. This means accountants have to be especially vigilant, and ensure that our systems are up to date, our policies are robust and our people are alert to the risks and trained to spot them.”[4]
Against this backdrop, the management of cyber risk is increasingly important.
Tips for managing your cyber risk
There is a range of steps accountancy firms can take, including:
- Encourage a cyber conscious culture where employees are aware of the potential for a cyber attack and understand what they should (or shouldn’t) be doing to prevent it: for example, not clicking on links in suspicious emails.
- Remind employees to be especially aware of phishing emails and text messages during busy periods.
- Develop and communicate a detailed incident response and business continuity procedure to mitigate the impact of any attack.
- Invest in robust IT protection/cyber security software and consider using a Virtual Private Network (VPN) and firewalls for remote working.
- Back up critical data regularly so it can be quickly restored if needed.
And of course, ensure you have adequate insurance protection.
Cyber and Professional Indemnity (PI)
The primary intent of a PI policy is to protect an insured from claims from a third party (usually a client) arising out of their professional activities. By contrast, stand-alone cyber cover is intended to protect against both first and third party losses arising from the use of – and dependence on – information technology.
Simple? Not completely. Cyber-related incidents can cause a range of problems, including preventing an accountancy firm from carrying out its professional activities, causing both third and first party losses.
What does the ICAEW say about cyber and compulsory PI?
The ICAEW, like the regulators of other professions, has, broadly speaking, ensured accountancy clients are protected by making sure its approved wording doesn’t exclude cover for third party losses arising out of a cyber-related incident. But in September 2021 it clarified that relevant first party losses with a cyber trigger (for example a firm’s costs related to investigating the cause of a cyber attack) are not covered.
For full belt and braces cover, accountancy firms should buy a separate cyber policy in addition to the PI insurance, but it is likely there could still be some overlap between PI and stand-alone cyber policies, so employing the services of a specialist PI or financial lines broker is recommended.
Champion Professional Risks specialise in Professional Indemnity and other ‘financial lines’ insurances including cyber cover, across a range of professions. If you would like to discuss the risks which affect your accountancy firm, please do not hesitate to contact us.
T: 0330 128 9828
E: info@championpi.co.uk
[1] https://www.nwcrc.co.uk/accountants-guidance
[2] https://www.accountingweb.co.uk/tech/tech-pulse/sjd-nixon-williams-parent-confirms-data-leak
[3] https://www.icaew.com/insights/viewpoints-on-the-news/2022/mar-2022/ukraine-crisis-the-cyber-threat-from-russia-is-real
[4] https://www.aatcomment.org.uk/accountancy-resources/cyber-security/how-cyber-criminals-are-picking-off-accountants-at-year-end/ March 2021