Q&A talks about the threat of cyber attacks on small businesses with Tim Francis, cyber risk enterprise lead and second vice president for Travelers Bond & Financial Products in Hartford.
Q: About 50 percent of the 663 tax professionals recently surveyed by Travelers at a National Association of Tax Professionals (NATP) conference found that fewer than 50 percent of attendees were very familiar with the risks posed by cyber incidents, including data and identity theft. How troubling is that, and why is the number so high?
A: The conference attendees included individual tax preparers, enrolled agents, certified public accountants, certified financial planners and attorneys — many of whom are small business owners who personally handle many aspects of their business.
It’s likely that their lack of familiarity about cyber risks is due to limited resources and time to investigate them. Without the money or manpower to focus on data security, smaller tax businesses are left vulnerable to an attack.
The findings are troubling because of the extremely sensitive information tax professionals work with, like Social Security and bank account numbers. This type of data is valuable to a cyber criminal; once it falls into their hands, there’s a good chance it will be sold or used to transfer funds illegally.
Q: The same survey also found only 15 percent of tax pros reported having cyber liability coverage. What is it and how extensive is the coverage?
A: Cyber risk coverage offers liability protection when customers or other individuals hold a company responsible for stolen information.
A cyber policy can also include coverage for a forensic investigation, legal counsel and remediation expenses associated with the breach. In addition, it may include coverage for defense expenses related to regulatory violations and related fines; crisis management or public relations expenses; and business interruption and cyber extortion coverage.
Q: Another telling statistic was that just under one-third report having a written business continuity or disaster recovery plan. What’s the truth behind those findings?
A: This low figure reveals that many tax businesses, regardless of size, do not have a business continuity plan in place, which may affect their ability to withstand a cyber breach or other unexpected event.
A written business continuity plan identifies and mitigates potential threats to a business, its employees and its customers.
It ensures the availability and necessary resources — personnel, equipment, financial arrangements, backed-up computer data and accommodations — to restore vital functions of the business in challenging circumstances.
Having a plan in place is particularly important when business is busy for a tax professional, like during the annual height of tax season.
Q: What are some of the emerging risks facing tax professionals?
A: A primary risk for tax professionals is, of course, cyber risk.
However, in their line of business, tax professionals face additional risks related to performing tax services. Clients expect sound tax preparation strategy and advice. If a tax professional doesn’t adequately communicate the ramifications of a tax or accounting decision, or makes mistakes, the fallout can cause client dissatisfaction or even legal action.
In addition, tax professionals need to ensure they are protecting the people who help run their practice.
For accounting firms in particular, most states require those with one or more employees to purchase workers compensation insurance. Firms are sometimes unaware of this. While the job requirements for a bookkeeper or accountant are not physically demanding, an employee can sustain work-related injuries.
Q: What solutions does Travelers have for tax preparation professionals to avoid or at least reduce the cyber risks? What’s a good solution for their line of work?
A: When it comes to cybercrime, the best offense is a good defense, so it’s important to have the right protections in place before an incident occurs.
For tax professionals, this includes working with their insurance agent to make sure all exposures that can be managed are covered and that employees are being proactive and taking steps to limit cyber risks.
Specific risk management strategies include:
• Training employees to protect sensitive information;
• Establishing strong network security by adopting firewall and antivirus technology and working with an IT manager or consultant;
• Creating employee usage policies for handling proprietary information;
• Having and enforcing policies regarding mobile devices;
• Having a plan in place to manage a cyber event if one takes place — similar to a fire drill.
