13th June 2023
A highly topical issue in the current climate. Dan Maloney – Managing Director at Champion Insurance Group, the specialist insurance brokers who provide tailored Professional Indemnity insurance cover to Lifecycle members, updates us on the current landscape.
‘Cyber risks’
Most businesses now rely heavily on computer software or systems to operate and this is certainly the case for the majority of accountancy firms. This reliance on technology leaves accountancy firms more exposed to ‘cyber risks’ than ever before. Cyber risks ranges from third parties illegally accessing data or preventing access to business-critical systems, through to the accidental or unintended disclosure of information by an employee. Its impact can include significant disruption to normal operations, financial loss and reputational damage.
There are a number of factors which have led to an increase in frequency of cyber attacks in general, not least the tragedy unfolding in Ukraine. In April 2023 The National Cyber Security Centre (NCSC), which is part of the GCHQ intelligence and security body, issued a warning to businesses about the threat. According to the NCSC, since the start of Russia’s invasion of Ukraine, “a new class of Russian cyber adversary has emerged” made up of “state-aligned groups often sympathetic to Russia’s invasion”. It said these actors were “ideologically, rather than financially” motivated and were “not subject to formal state control” meaning their actions were “less predictable”. The NCSC said these hackers often focus on distributed denial-of-service (DDoS) attacks, when a system’s bandwidth or resources are flooded with a large amount of activity, as well as the defacement of websites and the spread of misinformation[1].
Indeed the ICAEW also recognises the rising threat of cyber crime. A recent article[2] quotes a cyber security expert saying:
“Russian hackers have been disrupting businesses for years, and have been particularly active in Ukraine. It is highly likely that they will turn more attention to the countries and organisations that have taken a public stance against Russia’s actions… Whether you’re an SME or a big company, and if you’ve got any potential links to Russia, you’re going to be a target.”
Why are accountants so exposed to cyber risks?
Nature of business activities
Accountancy firms have direct access to clients’ financial and other sensitive information, which is especially desirable to cyber criminals. Information like tax IDs, bank account details, payroll data and employee details can all be sold on the dark web or used to perpetrate further cyber attacks on businesses and individuals.
Profession-based software
Accountancy firms use a relatively small number of accounting software packages, so if cyber criminals can find a weak point in one of those systems, they can exploit it to their advantage across large numbers of firms – increasing the potential reward for a single crime.
Security standards
Small to medium sized accountancy firms who have underinvested in IT are being increasingly targeted because they offer a ‘gateway’ to their clients’ information which would be much more difficult to access via their own – often more robust – systems. Inadequate security has been further exacerbated by the rise in homeworking which provides for easier, often less secure remote access to company systems.
Policies and procedures
Lack of robust cyber-secure policies and procedures renders accountancy firms vulnerable to attack at any time. But cyber criminals are sophisticated and will often strike when firms are at their busiest, such as at the run up to the end of the tax year.
“Accountancy firms are in the top three organisations that cyber criminals target. This means accountants have to be especially vigilant, and ensure that our systems are up to date, our policies are robust and our people are alert to the risks and trained to spot them.”[3]
Against this backdrop, the management of cyber risk is increasingly important.
Tips for managing your cyber risk
There are a range of steps accountancy firms can take including:
- Encourage a cyber conscious culture where employees are aware of the potential for a cyber attack and understand what they should (or shouldn’t) be doing to prevent it: for example, not clicking on links in suspicious emails.
- Remind employees to be especially aware of phishing emails and text messages during busy periods.
- Develop and communicate a detailed incident response and business continuity procedure to mitigate the impact of any attack.
- Invest in robust IT protection/cyber security software and consider using a Virtual Private Network (VPN), Multi Factor Authentication (MFA) and firewalls for remote working.
- Back up critical data regularly so it can be quickly restored if needed.
And of course, ensure you have adequate insurance protection.
Cyber and Professional Indemnity (PI)
The primary intent of a PI policy is to protect an insured from claims from a third party (usually a client) arising out of their professional activities. By contrast, stand-alone cyber cover is intended to protect against both first and third party losses arising from the use of – and dependence on – information technology.
Simple? Not completely. Cyber related incidents can cause a range of problems including preventing an accountancy firm from carrying out its professional activities causing both third and first party losses.
What does the ICAEW say about cyber and compulsory PI?
The ICAEW, like the regulators of other professions has, broadly speaking, ensured accountancy clients are protected by making sure its approved wording doesn’t exclude cover for third party losses arising out of a cyber-related incident. But in September 2021 it clarified that relevant first party losses with a cyber trigger (for example a firm’s costs related to investigating the cause of a cyber attack) are not covered.
For full belt and braces cover, accountancy firms should buy a separate cyber policy in addition to the PI insurance but it is likely there could still be some overlap between PI and stand-alone cyber policies, so employing the services of a specialist PI or financial lines broker is recommended.
Champion Professional Risks, specialist subsidiary of Champion Insurance Group, specialise in Professional Indemnity and other ‘financial lines’ insurances including cyber cover, across a range of professions. If you would like to discuss the risks which affect your accountancy firm, please do not hesitate to contact them on 0330 128 9828.
[1] https://inews.co.uk/news/politics/russia-linked-cyber-threat-uk-security-national-alert-2283123?mid=1
[2] https://www.icaew.com/insights/viewpoints-on-the-news/2022/mar-2022/ukraine-crisis-the-cyber-threat-from-russia-is-real
[3] https://www.aatcomment.org.uk/accountancy-resources/cyber-security/how-cyber-criminals-are-picking-off-accountants-at-year-end/ March 2021