Members will be aware that the threat to businesses from cybersecurity attacks continues to increase, and the expectation is that cyber criminals will seek to attack businesses at predicted peak times of the year, for instance month end, so practitioners need to continue to be vigilant.
To support members in practice, and to support your clients, we’ve pulled together useful ACCA and partner guidance and resources on cybersecurity.
We’ve also teamed up with the IASME Consortium to raise awareness of the Cyber Essentials scheme. Since 2020, IASME Consortium has been the National Cyber Security Centre’s Cyber Essentials Partner, responsible for the delivery of the scheme.
Cyber Essentials is an effective government-backed scheme which focuses on the five technical controls designed to guard against the most common internet-based cyber security threats. It allows organisations of all sizes to demonstrate their commitment to cyber security and is now widely considered the minimum level of cyber security for businesses.
In the latest article, Duncan Sutcliffe writes about the importance of cyber insurance for accountants. Duncan knows a thing or two about cyber insurance: his company, Sutcliffe and Co Insurance Brokers, has been insuring companies against the eventuality of a cyber attack for over a decade. Sutcliffe and Co are also behind the £25,000 worth of cyber insurance included with Cyber Essentials.
Will my professional indemnity insurance cover data breaches?
Professional indemnity insurance is designed to cover you for errors, omissions and negligence in your professional service. For an accountant, that might be if you forgot to send a client's tax return in on time or you filled it out incompletely; it might be that you failed to advise a client about the best way to organise their business shares.
Some professional indemnity, as part of the errors, omissions and negligence, includes some cover for third party loss of data, which means it would cover mistakes which involved losing customer data or sending data to the wrong person. This third-party cover is likely to be very limited and it is usually necessary to have the additional cover of cyber insurance which is far more comprehensive when it comes to a data incident and includes both third and the first party cover.
In recent years, insurers have been told by the regulator to make it clear whether cyber is or is not covered in policies. If it is covered, it has to be made very clear what it is restricted to, and in many cases, insurers are explicitly saying that there is no cyber cover.
Certainly, for professionals like accountants and lawyers, who deal with financial transactions and hold a great deal of sensitive data, it is quite common to have an endorsement saying this policy no longer gives you cover for cyber.
Insurers want to remove that cover because professional indemnity insurance was never designed to cover cyber risk. It was there to cover accountants getting their sums wrong, not for the increasing tide of data breach claims. In a nutshell, your professional indemnity gives very limited cover or indeed no longer covers you for cyber incidents and you need a separate cyber insurance policy.
What is cyber insurance?
Cyber insurance is there to cover an organisation in the event of an accidental or malicious data breach or data incident. Sutcliffe and Co has seen claims for all kinds of incidents, malicious or accidental, ranging from viruses to misdirected emails.
What does cyber insurance cover?
A basic cyber insurance policy will cover the technical incident response costs and the legal, regulatory and crisis management costs. This can be compared to an emergency response service. A more comprehensive cyber insurance policy might cover more.
Depending on the size of the cyber attack, and the amount of cover you have on your insurance, the policy could pay fines and penalties where legally permissible. It can also cover lost income where the incident stops you trading or causes a downturn in revenue.
In the event of ransomware, a policy would help with restoring systems and data.
Cyber insurance is included as part of Cyber Essentials for UK-based organisations that certify as a whole organisation with a turnover of less than £20m. This cover gives up to £25,000 worth of liability.
In the event of a breach, the policy holder would immediately be able to ring an emergency helpline. They would then receive the services of a cyber incident response team whose job is to find the problem, stop the problem, and restore their systems and data. They would also receive help from a legal team who would deal with any litigation and regulation issues. This could be anything from a breach of the Data Protection Act to a breach of contract. Crisis management and PR support would assist them with communications and that might include support to notify data subjects.
An example might be the discovery of a data breach that may have compromised clients. The insurance would close the breach, assess the extent of the breach and then notify the clients and the information commissioner. It will then deal with any regulatory and legislative issues. The crisis management team would help minimise any reputational damage.
The Information Commissioner's Office (ICO) has said that if you suspect you've had a data incident you must report it within 72 hours. When you do report it, you've got to tell them what's happened, what you're doing about it, who may be affected and the scale of it. This can be really difficult. But if you've got cyber insurance, you can very quickly have forensic and legal people there who will be able to put together a presentation for the ICO, telling it who's affected and what you're doing about it.
The ICO has also said that in regard to punishments, their view will be strongly influenced by how you respond to an incident; they have also said that if you have Cyber Essentials certification, your punishment will be reduced.
As trusted advisers, are accountants responsible for advising their clients about cyber risk?
Professionals have to be careful that they don't stray into areas outside their expertise or qualification. But they are allowed to give a degree of generic advice about relevant subjects. Certainly, many businesses are very reliant on a CRM and accounting systems for their trade so it's important that the IT system is robust and efficient and communicates with the accountants as well as the business and other parties securely.
If the system fails or is breached, there is the risk that many businesses would cease trading. With this in mind, it is significant how many accountants now have an IT wing or subsidiary because of the overlap.
Will it make a difference to my insurance if I have a cyber security certification?
Many professional indemnity proposal forms or application forms now have questions about cyber; they might have an additional questionnaire that comes with it. If the insurer is concerned that risk is too high, they might impose an endorsement on a policy excluding cyber.
However, if an applicant can prove that they are lower risk due to a cyber security certification such as Cyber Essentials, that's instantly answering a lot of questions and providing a lot of reassurance. So, in this example, the applicant might be able to keep some cyber cover, or if not, it might enable them to get cyber insurance at a cheaper rate.
When an organisation applies for cyber insurance, do they have to prove they have mitigated risk?
Anyone who wants to buy cyber insurance has to prove a certain degree of cybersecurity in the same way that with your house insurance, you have to confirm that you not only have a front door, but that door has a certain standard of lock on it.
As with home insurance, if you don't have many valuables, insurers will be happy with a standard five lever mortice deadlock. But if you live in a palace with lots of possessions, then insurers might insist upon an alarm and CCTV.
To determine the risk, cyber insurers will take a look at your size and sector of business, your existing security levels, and the amount of data you keep. Insurers like to see firewalls, virus protection, multi-factor authentication and software patching – achieving Cyber Essentials certification ticks most of the boxes that insurance companies expect. They also like a robust backup procedure and regular staff cyber security awareness training.
How much could a cyber attack against an accounting firm cost?
Cyber claims come in all shapes and sizes ranging from the inconvenient to the catastrophic and are just as likely to impact sole traders as global firms – the difference being global firms have well-resourced defences.
A recent case we have seen involved a small accountancy firm where an infected spreadsheet attached to an email contained malicious software called a 'keylogger' which enabled the criminals to watch every keystroke, giving them important information including passwords for online banking and other websites. The breach was quickly spotted but the incident ended up costing £180,000.
For a small organisation, that's any organisation with fewer than 50 employees, a small breach tends to come in at between £10,000- £30,000. A large breach for a small organisation tends to come in at between £60,000 and £80,000, but there have been some huge cases recently. Some of the most expensive breaches recently have involved ransomware.
The free cyber insurance included in Cyber Essentials would usually cover the costs for a small breach and certainly cover the essential emergency assistance for a breach. A large breach can cost astronomical amounts as we've just discussed.
Any company can upgrade their insurance cover to higher limits of indemnity. We will always take into account that they have got Cyber Essentials so they get preferential rates because Cyber Essentials is shown to reduce the risk by at least 80%.
More information
Access ACCA's guidance and resources.