Professional indemnity insurance claims: cyber risk
Podcast episode
Intro:
Hello, and welcome to the CPA Australia podcast, your weekly source for accounting education and career and leadership discussion.
Drew Fenton:
Welcome everyone to CPA Australia's podcast on lessons from professional indemnity insurance cyber risk. Cyber risk can expose your client's personal identification information and disrupt your normal day-to-day business operations. In addition, remote working may present an additional risk exposure for public practitioners.
Drew Fenton:
This podcast will use current real-life cyber insurance claims to demonstrate the risks faced by CPA Australia members and outline measures to help prevent and deal with cyber attacks. My name is Drew Fenton and I'm your host for today's podcast. I'm a director of Fenton Green, who has been in partnership with CPA Australia for many years, providing insurance and risk management services to those in public practice.
Drew Fenton:
Fenton Green provide professional indemnity insurance to approximately 3,000 CPA member firms and provide cyber risk insurance to approximately two-thirds of those members. I would just like to add, we have seen at this time, coming up to Christmas 2020, that there is an increased risk profile in relation to cyber risks. This is because people are away on holidays and, as everybody has been doing, working remotely. This change in the normal environment increases your risk profile.
Drew Fenton:
Joining me today is Kieran Doyle, partner and head of cyber at specialist insurance firm Wotton Kearney. Kieran, tell us a bit about yourself and your firm's experience in managing cyber claims on behalf of QBE.
Kieran Doyle:
Thanks, Drew, and thanks for the opportunity to talk to CPA Australia. So we've got a fairly well developed cyber and incident response practice here at Wotton and Kearney. As a firm we see hundreds of incidents a year, ranging from the biggest attacks reported in the media, including those that hit international headlines, as well as dealing with a significant volume of incidents that hit SME businesses here in Australia.
Kieran Doyle:
And certainly for QBE and CPA, we have been managing the cyber incident response platform for about five years. And we've seen everything during that time from large sophisticated attacks through to quite unsophisticated sort of smash and grab type cyber attacks on CPAs, anything from a slightly larger CPA to those working from home, anything from ransomware, business email compromise, what have you. And certainly seen that increase over the last few years, particularly arising out of COVID.
Drew Fenton:
Kieran, on average, how many cyber claims do you see from CPA firms, noting that we have approximately 2,000 firms that take out cyber insurance?
Kieran Doyle:
So we see about one in every 50 CPA firms on average are attacked each year in terms of the incidents that we handle. The attack trends are quite interesting because they're quite lumpy, in the sense that CPAs might be a particular target for hackers for a period of a couple of months, and then they may focus on a different industry. But suffice to say that CPAs, and financial services more broadly, is one of the top three industries targeted by hackers, given they are data-rich organisations.
Kieran Doyle:
But one thing I would say about that one in 50 number is that I think that not all incidents are actually reported. So we don't deal with, I think, all CPA incidents, primarily because I think either CPAs may try and deal with the incident themselves or it may in fact be something that they ignore.
Drew Fenton:
Look, my thoughts there are the same as yours, that CPA firms, in my view, are at the top of the risk profile in relation to, as you said, rich data of financial information, tax file numbers, et cetera. That said, what do you assess that an average CPA claim is, and to give context to all those listening, how much do you think it's costing those CPA firms / insurance?
Kieran Doyle:
Look, I think the range is quite significant. I think as an average number for 2020, I've got a cost of $34,000 per incident. But the range is quite significant. I mean, we see incidents anything from no more than a couple of thousand dollars, $5,000 for something quite simple and something that can be easily dealt with, through to we've had incidents for CPAs in excess of $300,000, and not for very big businesses either. These are businesses in the sort of low millions in terms of turnover.
Kieran Doyle:
The biggest driver of that number is cost. The IT forensics containment recovery piece accounts for about 60, 70% of the total cost and in a significant incident, those numbers can be enormous for a small business CPA.
Drew Fenton:
Yeah, look, that, and I think also that moral and expertise support is vital for those that have a claim. Now, my next question follows on from that. So Monday morning, the computer doesn't work or there's a ransom or you become aware of a matter. What is the first step once one of our clients calls your helpline? Tell us what happens from there, just briefly.
Kieran Doyle:
Sure. So, the first step is what's called a triage call. So effectively, that's a time for us to get on the phone urgently with the CPA and speak to them about the incident. We get a brief overview of what's happened, what they're seeing, what they're experiencing, have they involved someone already? It's a fact-find for us initially. And usually, within the first few minutes, we can assess what the most likely type of incident it is. And from there, work out what help is required for that CPA.
Kieran Doyle:
I would say it's quite important to get on the phone to us quite early, the earlier the better in terms of getting the right vendors involved. Quite often, we get a phone call after the CPA has involved their IT managed service provider. It's very rare that the CPAs we deal with have their own internal IT and whilst those IT providers for CPAs can be quite useful and provide a really good, I suppose ... At least help the CPA assess what type of incident it is, quite often, they're not fully equipped to deal with the containment and the rectification and the level of forensics that's required with a cyber incident, which is why we'd always recommend getting on the phone to us as soon as possible so we can seek that specialist cyber security vendor help.
Drew Fenton:
Look, that is our message to our clients. Success is about partnerships, and Wotton Kearney, because obviously you see so many of these incidents, are in a far better position to help CPA members than possibly their own internal or external IT provider. Now, look, we hear lots and lots of names of attacks, of cyber this and cyber that. Would you be able to just give us a little bit of insight into the most common types of claims you see?
Kieran Doyle:
Yeah, sure. So look, we overwhelmingly see two types of attacks, ransomware and business email compromise. To give you a brief overview of what each is. Ransomware is effectively an attacker gaining control, logging into a device or a computer, encrypting all the files on that computer such that they can't be opened or used and displaying a ransomware note, which effectively demands the payment of a ransom to decrypt all the files.
Kieran Doyle:
Business email compromise is effectively an email takeover attack. So that's where a hacker obtains a person's credentials to log into their email account. They can do that offline and even simultaneously, as the person themselves is logging in and using their emails.
Kieran Doyle:
The goal with a ransomware attack is really the payment of the ransom whereas the goal with the business email compromise is it can be numerous. Mostly we see the goal is to intercept payments, either owed or due, either to suppliers or from clients. But it can also result in data theft and lead to significant privacy risk.
Kieran Doyle:
In both examples, the most common method of attack is phishing emails, P-H phishing, not recreational fishing, either getting you to download a file or convince you to pass over your credentials by directing you to a fake say Microsoft page that looks legitimate, stealing your passwords.
Kieran Doyle:
We also see two other methods used not as commonly as phishing. Credential stuffing, which is effectively relying on people's propensity to reuse passwords and in doing so, if someone's say Netflix account was previously compromised, relying on the fact that that person uses the same password to also log into their work computer. We also see brute force attack, which is quite simply some hackers having programmes to repeatedly guess passwords, relying on the password not being very complex to force their way into that person's login.
Drew Fenton:
Kieran, thanks for that. Email, everybody's got it. Would you be able to just give us an example of a simple email compromise claim?
Kieran Doyle:
Sure, so look, we handled one recently, in fact, for a CPA, about $2 million revenue business, woke up one morning to a number of emails from clients, queries about an email file they've been asked to open from the CPA. And also in that same mailbox, there was a lot of messages that had bounced back that weren't able to send. So that CPA obviously thought something was a bit unusual that morning, had a look at the sent items in their mailbox and quickly discovered that it appeared that all contacts and those that had sent an email to that CPA in their mailbox had all been emailed back by a hacker.
Kieran Doyle:
So obviously, once that CPA stopped freaking out they gave us a call and we got IT forensics involved quite quickly to, first of all, contain the incident and stop the access, which is quite easy in a business email compromise in the sense that you start changing passwords, stop that access to the hacker. And then undertaking a forensic exercise too, which can be quite comprehensive, depending on the level of access that the hacker had to the mailbox.
Kieran Doyle:
In the particular example we dealt with recently, unfortunately, the forensic investigation resulted in a finding that the hacker had actually downloaded an entire copy of the mailbox, which allowed them to create that email campaign, to send emails purporting to be the CPA to all the clients in the mailbox. So it required quite an extensive privacy review.
Kieran Doyle:
An important factor for CPAs to be aware of is that most might think that they fall under the $3 million turnover threshold to require compliance with the Privacy Act. However, for CPAs, most of them would also be TFN recipients under the Privacy Act, which brings almost all CPAs under the remit of the Privacy Act, such that for this particular example, we needed to do a privacy review, what's called a PII review, of the mailbox to determine how many TFNs were in that mailbox and therefore how many individuals or clients needed to be notified.
Kieran Doyle:
So quite a significant undertaking actually for that client. And it's quite a costly one, too. I know you asked for a simple example, but I thought it would be useful to give probably a more challenging example because these things are never ... Can be quite easy to deal with, although they can also go completely wrong, be quite frustrating for ... It can cause a lot of interruption for the CPA to their business, take a few months to investigate and create a lot of fatigue for the business, it's a challenging thing to deal with.
Drew Fenton:
Yes, everybody has effectively unlimited information in their email files and this is a difficult situation for CPA firms to control and manage. In relation to managing-
Kieran Doyle:
If I could just say one thing there. Sorry to interrupt.
Drew Fenton:
That's all right.
Kieran Doyle:
I think it's an important point, that one, because you might be able to control, and we hear this quite a lot from CPAs, "I don't send TFNs to my clients over email," which is a great practice to have from a privacy perspective. But unfortunately, you can't control what your client sends you over email, and that's more or less the emails that we are concerned about from a privacy review perspective. So that can often be something that CPAs don't realise. We always get the comment from any client that, "Oh, I won't have any client data or personal information in my mailbox." But I don't think I've ever had a claim where one client wasn't surprised about the level of personal information that they actually do have in their mailboxes.
Drew Fenton:
I agree entirely, Kieran. And to help CPA firms, is there any simple preventative measures you could suggest to them in relation to this email exposure?
Kieran Doyle:
Yeah. I mean, I think of them in two categories. There's sort of the process procedure points and also what you can do from a technology perspective. From a procedure standpoint, awareness. Employee awareness is the number one prevention tool that any business can employ. Making employees, or even themselves, more aware and vigilant of receiving phishing emails and questioning why emails are being sent to them I think is quite important.
Kieran Doyle:
From a technology perspective, there's a few things that can be done. Multifactor authentication is a number one defence to preventing unauthorised third parties from logging into a mailbox remotely. It's quite often something that's thought of as quite a nuisance, but I think in 2020, it's a must have. Strong passwords and also having passwords that regularly change every few months to prevent against that credential stuffing threat.
Kieran Doyle:
And also, not necessarily a prevention tool, but something we see from a post-ops perspective, quite often with business email compromise, it's difficult to complete the forensic review without audit logging being turned on in emails in Office 365.
Kieran Doyle:
So I'd encourage all the CPAs out there, as much as your IT provider might suggest that audit logging isn't essential and will take up a lot of space on your hard drive from the logging material that actually sits there, it is actually quite an important thing from a forensic perspective, because it really helps us show what level of access the hacker had and what they did when they were in the mailbox, which is quite often a challenge for us to work out when we don't have access to that evidence.
Drew Fenton:
Thanks for that. We might just quickly move on to ransomware. We hear, "Oh, got hacked and had to pay Bitcoin dah, dah, dah." And it goes on. And we hear these wonderful stories. Do you or can you provide for us today just a quick example of a ransomware claim?
Kieran Doyle:
Yeah, sure. I think the first thing I'll say about ransomware is we're seeing it spike in 2020; it's certainly the new tool of choice for hackers, ransomware. And we dealt with one relatively recently for a CPA who, in fact, works from home. So not a big business by any means. Again, typical: wake up in the morning to discover all the files on the computer are encrypted, can't open anything, with an extortion note there demanding a ransom, in this case of 5,000 Australian dollars.
Kieran Doyle:
The interesting thing for the listeners out there, I think, is that the hackers are actually quite clever in terms of working out who their audience is and working out sort of the ability for their target to actually pay a ransom and pitch the number, the amount of ransom that's going to be demanded to match the size of the business.
Kieran Doyle:
So in this case, the attackers thought that $5,000 was something that this CPA could pay. We dealt with the hacker over emails. Unfortunately, in this case, we didn't have backups because the backups were encrypted. So it wasn't an easy recovery for the CPA.
Kieran Doyle:
So we started emailing the hacker to buy some time. And the reason we did that is because the ransom note not only demanded the $5,000, but it also included a threat to publish client details. As part of the note, to prove that the hacker was genuine and had control of the environment, they included a snapshot of client banking details that actually sat on that CPA's computer in their files which obviously caused a bit of panic for the CPA, given that we knew that we weren't only dealing with a ransom attack.
Kieran Doyle:
Sometimes these ransomware claims are simple in a way in that they only involve an encryption of files and the goal is to effectively decrypt the files. But in this case, we also knew that the threat actor had taken data, client data, creating a privacy risk for that CPA.
Kieran Doyle:
Fortunately, while there were no backups to assist with the recovery, there were manual backups for this CPA. So I suppose going back to paper files, in this case, was actually a good thing, although, unfortunately, whilst it's great that there's manual backups, to re-input all of that data to the CPA's system would take quite some time. And it did take quite some time, causing lots of business interruption for that particular CPA. And it was almost a bit of a disaster; that CPA was even thinking about giving up their business because they experienced such fatigue from dealing with the incident for months and months and months.
Kieran Doyle:
So, again, with that privacy angle, that ended up being quite an expensive claim for that particular CPA. Fortunately, resolved where we were able to get the CPA back up and running to where they were before. But at the expense of not just a cost expense, but also fatigue, very, very, very draining for that CPA.
Drew Fenton:
Kieran, thanks. Yes. And can we just say to all those listening, there is a significant human / practice cost in relation to any claim, whether it be a professional indemnity or a cyber claim, that cannot be underestimated. Kieran, we asked you about email and how to possibly stop that. Is ransomware the same or is there something else that you might be able to add there?
Kieran Doyle:
Yeah, look, I think the same tips apply for ransomware. Employee awareness, MFA, multifactor authentication, strong password, conventional controls. Probably the two things I'd add for ransomware are first of all, make sure you have backups and not only that, but make sure your backups are backing up. We've dealt with plenty of CPA incidents where they go to the backup, only to realise it hasn't actually properly backed up for months. So we've lost three or four months worth of work that CPA has done because it hasn't backed up properly.
Kieran Doyle:
And also making sure that the backups are not connected, or there's a redundancy backup, or there's a period of time where the backup isn't connected, so it doesn't become infected itself when a ransomware attack occurs.
Kieran Doyle:
The other thing I'd say is ensuring that patching is up to date. Microsoft, for example, puts out patching once a month. And they're encouraging you to patch for a reason because they've found a vulnerability and it needs to be fixed. So having up-to-date patching is vitally important because it means that you've got the most up-to-date secure software.
Drew Fenton:
We heard you mention earlier on, Kieran, about the human side of the digital world in which we live in. Could you give us an example of a human error / inappropriate training that's led to a claim that you've worked on?
Kieran Doyle:
Sure. Human error can be anything from falling for a phishing email, but we also see human error claims such as quite simple things like a CPA emailing the wrong client in the context of a tax return lodgement and providing those return details to a different client. I mean, that in itself, it's not a cyber breach, but it's still a privacy risk and a data breach risk for a CPA. We see those sorts of incidents all the time.
Kieran Doyle:
Fortunately, those incidents can be more straightforward in terms of being able to remedy the consequences. You've got a remediation option there available under the Privacy Act. For example, if you're able to obtain the information back or get some confirmation it wasn't read and that email has been destroyed. And that quite often is what our advice is in those scenarios. Unfortunately, the email recall button doesn't really work, as I think we all know, but it doesn't mean that you can't call that client and ask. It's never too late to call that client and ask for them to kindly delete the email.
Drew Fenton:
Yeah, no, I have to put my hand up and say I've been in that situation myself. And that's exactly what I did.
Kieran Doyle:
I think we've all done it.
Drew Fenton:
Now, this is a question at the end of our total questions today that we're in business, we have good systems, good risk management systems, but there is a possibility here that something could go wrong. Can you share with us maybe a couple of key measures that CPA firms could or should consider in preparing for an attack?
Kieran Doyle:
Sure, yeah. Look, I've spoken about a few of them in the context of preventing ransomware and business email compromise, things like multi-factor authentication, backups, patching, good credential control, strong, sophisticated rotating passwords and also employee awareness and training. I think all of those things are measures that CPA firms should consider to put them in the best possible position to prevent or bounce back quickly from a cyber attack.
Kieran Doyle:
One thing that we haven't really mentioned, though, today is planning and having a plan, planning for the worst, I think, is something that all CPAs should consider. In the context of business continuity planning, ensuring that incident response, cyber attack planning is part of that. It doesn't mean that CPAs need to have all the answers about how they're going to respond to a cyber attack. And certainly, it's almost impossible to do that, given how fluid some of these situations are and also how dynamic cyber attacks are.
Kieran Doyle:
It's hard to say that the next cyber attack you get is going to be the same as the last one, because the hackers are always trying to outdo the cybersecurity professionals and be ahead of the game to ensure that they continue to have successful attacks. You can do all of the prevention work that is out there and available. And all those steps that I've mentioned are very good steps that CPAs should take. But just also planning for the fact that ... I think you should plan for the likelihood that you will be attacked. You don't know when, it will be sudden, and knowing and even just giving some thought as to how you might respond to that type of incident, I think, is vitally important.
Kieran Doyle:
Having something down in paper, very, very simple, a few steps. What would I do? Hopefully, the first thing they'll do is give us a call and let us help them triage the incident. I think that's really key. But even just opening that mindset into thinking about this is something that whilst we don't wish it upon even our worst enemy, it's something that is likely to happen at some point in your business life.
Drew Fenton:
Kieran, thanks. I really appreciate your information, obviously coming from a wealth of experience and knowledge, dealing with this on a day-to-day basis. In conclusion today, we live in a digital world. We can't get out of it. Our strongest advice is that all those in practice don't have all the answers and should be seeking assistance from, initially, your insurance broker, who should be advising you on your risk profile and ultimately risk management. And if appropriate, risk transfer / insurance.
Drew Fenton:
CPA has further information on strategies for public practitioners to help manage risk, including claims examples on the importance of engagement documents, risks posed by colleagues and clients, and the use of file notes in our earlier podcasts in the series on reducing the risk of PI insurance claims, which can be found on CPA Australia's podcast channel. Thank you all for listening.
Outro:
Thanks for listening to the CPA Australia podcast. For more information on today's episode, please visit the show notes at www.cpaaustralia.com.au/podcast. Never miss an episode by subscribing to our podcast on Apple podcasts, Spotify, or Stitcher.
About this episode
Our expert guests Drew Fenton CPA and Kieran Doyle use current real-life cyber insurance claims to demonstrate the risks faced by CPA Australia members.
They also outline measures to help prevent and deal with cyberattacks.
Host: Drew Fenton CPA, Managing Director, Fenton Green & Co
Guest: Kieran Doyle, Partner, Wotton and Kearney