The act of purchasing professional liability insurance, or renewing a policy, is one that only rarely appears on an accountant’s work list. Yet there are many areas where that choice can have consequences that go beyond the normal day-to-day decisions in an accounting practice.
“A CPA can spend their entire career building their brand, but they overlook their due diligence when it comes time to purchase a liability policy,” said Stan Sterna, vice president at Aon, the broker and national administrator of the American Institute of CPAs’ Member Insurance Program. “They will purchase a policy without putting any thought into the quality of claim or risk control services offered by the carrier.”
“Generally speaking, in a hard market the premiums go up and underwriting tightens up,” said Stephen Vono, senior vice president at McGowanPro. “We’re seeing that now in several different types of insurance that accountants typically purchase — cyber liability and employment practices, in addition to professional liability. The reason we’re in a hard market is COVID-related claims and defense costs are going up. There are a lot of favorable court rulings against insurance carriers. And the fact that one carrier paid a $40 million ransomware fee didn’t help.”
“When a claim goes beyond the policy limit, there are other insurance companies that share in the risk,” he said. “That’s reinsurance, and the costs for that are rising as well. Almost all companies have reinsurance.”
Premiums will go up for the rest of 2021 and 2022, predicted Vono, with states that have larger metropolitan areas seeing more of the hard market effect — states like California, New York, Oregon, Washington, Arizona, Texas, Florida, New Jersey, Massachusetts and Illinois. “All states with major metropolitan areas will see larger increases than, say, Iowa or Idaho, because there is a lot more claims activity in those states,” he said.
What do you want?
The most important thing to look for in a policy is its definition of professional services, said Vono: “It needs to be broad enough to cover all the services that the firm provides. Look for broad coverage as opposed to restrictive coverage.”
“We see a lot of CPAs and Enrolled Agents, especially smaller independents, who are not properly insured,” observed John Torvi, vice president of marketing and sales at Landy Insurance. “They started out as preparers, but gradually moved into doing payroll, audit and compilation. Their policy didn’t encompass the expansion of their business.”
Ron Parisi, a former insurance executive and president of Orchard Accounting and online firm CPA On Fire, agreed: “As a result of all the different COVID-related government programs, CPAs have extended themselves beyond the typical accounting firm services. It’s important to pay attention to engagement scope creep. For example, simple tax work and bookkeeping might have evolved into applying for Paycheck Protection Program loans and Employee Retention Credits. Whatever you do for your clients should be named and documented.”
Liability industry expert Ricard Jorgensen concurred. “The profession continues to expand beyond the traditional services of tax, audit and accounting, and looks to serve more unconventional businesses,” he said. “Many firms are establishing practices focused on the cannabis industry. But all professional liability policies contain an exclusion related to criminal acts which could potentially inhibit coverage for services to this industry — federally, and in certain states, the sale and production of cannabis is a crime. If a firm intends to serve the cannabis industry, they should check with the insurer to make sure the criminal acts exclusion does not apply to this work.”
New threat vectors
“The number of cyber attacks against CPA firms has grown exponentially,” Jorgensen observed. “This is especially so where remote operations during the COVID pandemic have created a heightened network security risk. Firms should make sure that liability arising from the theft of personally identifiable information or loss of client funds due to social engineering is covered by their policy. Ideally, all firms should consider securing separate comprehensive cyber coverage in a standalone policy.”
Gary Florian, vice president of underwriting and policy services at Camico, agreed. “We recommend a complete cyber insurance program that includes the breach response services needed to help safeguard a firm’s information and reputation,” he said. “In the event of a cyber incident, a number of steps need to be taken, and breach response services will coordinate these steps in conjunction with an insurance program that may provide coverage for some or all of the related expenses.”
“For example, the cyber risk advisor with the cyber insurance carrier should coordinate an investigation to verify whether the incident is a breach as defined by current state and/or federal laws,” he continued. “An IT forensics expert should investigate the incident to determine whether there was a security breach and if client confidential information was accessed. IT forensics experts also respond to ransomware events to assist in decrypting and restoring files, as well as eradicating malware from the system.”
If the incident is determined to be a breach, notification letters to clients may need to be prepared and mailed, Florian noted. “Clients who receive notification letters may have additional questions about the breach, and a call center can initially handle those questions. Clients may also request credit monitoring services in a post-breach environment. If state laws require law enforcement to be notified in the event of a theft, reports in the media may affect the firm’s public image, and media relations firms may be retained to help protect the firm’s reputation.”
“It’s also important for firms to have access to cyber risk management tools and resources to prevent cyber breaches in the first place,” Florian added. “If an incident does occur, a firm will want access to breach response services and experts who can manage the incident or breach and the related insurance claim.”
It may not be a question of “whether,” but “when” a business will suffer a breach, observed Torvi. “No matter how careful you are, in some ways the depth of the cyber criminal is beyond anyone’s reach,” he said. “Just consider the big names of entities that have been hacked. And accounting professionals are a huge target.”
There is an uptick in the cost of policies, according to John Raspante, director of risk management for McGowanPro. “Everyone who renews gets a little bit of an increase. In some cases, firms have capitalized on consulting opportunities, and when revenue goes up, premiums do also.”
“Some carriers have lines of business other than CPA professional liability, and when they get hit with catastrophic losses, it affects all insured. There was a lot of property damage related to last year’s civil disobedience and natural disasters. This resulted in business interruption claims, debt and damage to physical property, which led to a number of bigger carriers passing the costs on to other lines of business.”
There are a number of policy options that can reduce the cost of insurance, but the insured should carefully consider the risks, Raspante indicated. And in some cases, the insured aren’t aware of them.
“There are policies sold where any legal costs reduce the policy limits,” he said. “Other policies are sold ‘outside the limits,’ which will defend claims without reducing the coverage. Naturally, an ‘outside the limits’ policy is more expensive.”
“There are also ‘per-claim’ deductibles and ‘aggregate’ deductibles,” he said. “With an aggregate deductible, once the aggregate is reached, the insurance company pays everything else, but if it’s per claim, you have to pay the deductible for each claim. The per-claim policy would cost less, but it can also cost you — you have to assess the chances of your getting sued more than once in the same year. If you have multiple claims and a per-claim deductible, paying the deductibles can erode the policy limits, leaving nothing to cover the indemnity.”
There may be different deductibles for different services, observed Raspante, noting that the insured has the responsibility to read the entire policy. “Some people only look at their policy when there’s a claim against them, but then it’s too late,” he said.
“There are a lot of components that go into the algorithm that determines the premium,” he said. “You can manage the price of the policy by changing certain components, but there’s a risk involved.”
Ideally, the professional liability carrier should be focused on only serving accountants’ professional liability matters, Aon’s Sterna suggested. “Accountants’ claims are very technical and specialized, so you want a claims staff dedicated to working on these types of matters,” he said. “Some companies handle a variety of policies, and their claims managers have a large number of claims in their inventory. Each strategy on a claim may be different — certain defenses are right for accountants’ liability that might not be acceptable to others. They’re doing triage claim management.”
This can create service issues, he indicated: “Where a company has limited market presence, they don’t have the bandwidth to have a dedicated staff. Some are reluctant to fully commit to insuring the profession in the long term. They get in and out of the market without dedicating specific resources to accounting.”
And with the proliferation of lawsuits and the subpoenas they generate, the policy should include subpoena assistance, Sterna added: “For example, divorce actions often seek financial records of the opposing party. Subpoena assistance offers legal advice to help the accountant respond to document requests. They don’t want to give away too many documents that might feed into a fishing expedition against your client.”