Being prepared for trouble
Firms need to brace themselves for liability issues old and new
Since the majority of CPA firms do at least some type of tax work, and tax is the most frequently litigated issue in the professional liability field, it pays to keep an eye on the coverage provided by your errors & omissions, or professional liability, policy, according to Alvin Fennell, vice president at Aon Affinity.
“It’s especially important for practitioners who decide to go out on their own,” he said.
“CPAS are naturally entrepreneurial,” he observed. “Many smaller firms are formed by professionals with a number of years of experience at larger firms. They’re experienced in helping business clients that are starting out, and they decide they want to start their own business and be self-directed.”
”Probably the last thing on their minds is the potential liability they might incur, but it’s going to happen sooner or later,” he said. “It might have nothing to do with the work product — it’s the nature of the business. Often, it may not be your fault, it just might be your turn.”
Practitioners should understand what their policy covers, emphasized Rickard Jorgensen, president and chief underwriting officer of CPAGOLD: “In the past year we have seen several social engineering claims — a.k.a. fraudulent wire transfer scams — which have resulted in six-figure payments. If a CPA’S policy contains a ‘false pre- tense’ exclusion, there is likely no coverage for this.”
“We continue to see scams where criminals file bogus tax returns, although this is reducing in frequency,” he continued. “We have seen a recent round of sexploitation emails where an individual is targeted for cyber extortion by using stolen passwords. Many professional liability insurers will limit coverage for these types of claims. Cyber extortion is an exclusion in some malpractice policies. A CPA should carefully check their policy.”
The European Union’s General Data Protection Regulation, or GDPR, which became effective in May this year, imposed certain obligations on CPA firms with international clients. So far, the impact on U.S. CPAS has been minimal, Jorgensen noted, but trends are often global and it is likely that in the not-too-distant future there will be a similar law, if not federally, then in some progressive states like California, New York or Washington, that establishes stronger rules for the protection of personal client information and penalties for a breach. “It may be prudent for a CPA firm to start thinking about this and anticipate what practice changes might be needed to comply,” he said.
Tax reform has added some complexities to most practices that weren’t there before.
“Given the [Tax Cuts and Jobs Act’s] significant changes related to the flat corporate tax rate and the new deduction for pass-through entities, some clients may rethink their choice of legal entity,” noted Suzanne Holl, a CPA and senior vice president of loss prevention services at Camico.
“This type of evaluation and assessment certainly has tax implications associated with it, and CPAS can certainly address the opportunities that are available to maximize the client’s tax benefits,” she said. “But CPA firms should be wary of rendering legal advice without a license. Clients will need other advisors — in this case, legal counsel — to help them, as well as the CPA firm, to evaluate and implement changes that may be necessary to address the legal implications related to choice-of-entity decisions.”
Cyber exposure is another area that calls for special scrutiny, according to Holl.
“Cybercriminals have been targeting CPA firms and tax professionals because of the abundance of client data found on the firms’ computers,” she observed. “Data such as income, dependents, credits and deductions are ideal for helping scammers make fraudulent tax returns look legitimate.”
“Firms should address their cyber exposures with a combination of insurance coverages and cybersecurity measures, including educating employees about phishing attacks, installing a secure client web portal, adding another layer of security with multi-factor authentication, and avoiding public Wifi or hotspots when inputting or working with personal identity information,” she said.
Insurance coverage should address both first-party losses directly borne by the policyholder firm, and third-party damages alleged by clients or other third parties for which the policyholder firm may be liable, Holl indicated.
“First-party cyber coverage should include breach response services to help determine whether an incident is a breach as defined by current state and/or federal laws,” she said. “Cyber advisors and IT forensics should assist with reporting and notification requirements, call centers, credit monitoring services, and public relations services.”
“Cyber advisors should also respond to ransomware attacks and provide services to decrypt and restore the firm’s files, among other services,” she continued. “Firms should always back up all important data and information frequently to ensure that critical data is not lost in the event of a cyberattack or physical incident such as a fire or flood.”
“Finally, firms should protect the backups in a remote or external location where they are safe from ransomware that seeks out backup copies,” Holl advised. “Periodically, verify whether the backup is working.”