CAMICO Archives - CAMICO

Claims Chronicles 127-B

Amber — Thu, 18 Dec 2025 17:15:59 +0000

The post Claims Chronicles 127-B appeared first on CAMICO.

The Cyber Saga Continues… Protect Your Firm from First-Party and Third-Party Cyber Exposures

Amber — Tue, 24 Jun 2025 23:34:08 +0000

In today’s digital landscape, it is no surprise that there appears to be a new cybersecurity story in the news every week, from attacks on major infrastructure to small companies being held for ransom. The risk of cyber threats continues to grow for CPA firms, along with other professional services firms, as all are considered prime targets for cyber criminals given the wealth of sensitive client data, financial information, and/or legal documents they maintain.

Don’t be lulled into a false sense of comfort that your firm (or your clients) are too small or too large to be attacked. CAMICO is seeing an uptick in the number of cyber-related claims impacting CPA firms of all sizes and unfortunately, the severity of these cyber crimes and ransomware attacks have grown in recent years.

Some of the more frequent categories of loss for CPA firms related to cyber claims include:

Social engineering
Funds transfer fraud
Theft of data
Loss of laptop or data stick
Unauthorized use of networks
Failure to protect client confidential information shared with a third-party service provider
Computer system cloud hack
Lost profits related to cyber events
Ransom attacks

Identifying key cyber risks and best practices to mitigate risk exposures is important to safeguard confidential information, maintain client trust, and ensure your firm’s continuity. One of the important concepts people must be aware of when evaluating their cybersecurity exposures is the difference between first-party risks and third-party risks. First-party risks are damages and losses you incur from a cyber attack or security breach of your firm, whereas third-party risks often arise when a hacker has penetrated the firm’s (or client’s) computer system causing damages to a client or other third party as a result of the cyber incident for which the firm may be blamed in whole or in part.

As you would expect, first-party cyber exposures have become increasingly problematic for CPA firms as cyber criminals are targeting CPA firms and tax professionals with greater frequency because of the abundance of client data found on CPA firms’ computers. If they are successful in gaining access to a firm’s information infrastructure, there can be costly measures that need to be taken by the firm such as hiring IT forensic experts to determine the extent of the breach, consulting with attorneys who specialize in data breach laws and notification obligations, and providing credit monitoring to those impacted by the breach.

What may be surprising to some CPAs, however, is the increase in third-party cyber exposures that are impacting firms. These situations often arise when a client has been hacked, and the hacker has penetrated the client’s computer system and once inside, causes all manner of losses for which the CPA firm may be blamed. Unfortunately, many of these incidents tend to be high-dollar claims against the CPA firm. These claims typically include allegations that the firm failed to detect red flags associated with communications executed by the hacker, falling below the standard of care by initiating wire transfers (later determined to be fraudulent) without “proper” client authorization, failure to “warn and advise” clients of the potential risks/threats of cyber attacks, and the list goes on.

Cyber Claims Trends
Human error remains a significant threat to cybersecurity, with a wide range of activities such as weak password practices, falling for phishing attacks, and the mishandling of sensitive information contributing to security breaches.

Social engineering, which is the art of exploiting human behavior as a manipulation technique to gain access to confidential information, is one of the most dangerous types of cybersecurity threats to CPA firms given the type of information that firms gather and store. “Phishing” is one of the more widespread social engineering schemes, where information in an email attempts to convince a recipient that the email is from a legitimate source and the recipient needs to respond to the request by clicking a link. The trend this past tax season as reported in CAMICO’s mid-March 2025 Alert is bogus emails from the “Social Security Administration” or “IRS e-Services.” As employees are the most common entry point for phishing attacks, a firm’s best protection against social engineering attempts is to make continuous efforts to raise awareness with staff to never take these emails at face value and instead, maintain ongoing vigilance and enhanced skepticism with every email and online interaction.

Consider the following two scenarios from the CAMICO claims files which unfortunately are becoming all too familiar for CPA firms:

Scenario #1: Client hacked; CPA firm initiated fraudulent wire-transfers
A client of the CPA firm was hacked, and the hacker penetrated and commandeered the client’s email account. The hacker emailed several requests to the CPA firm to wire funds to a new account — a classic “man in the middle” attack. After receiving each request, a CPA firm staff member emailed the client to verify the wire transfer instructions. As the hacker had full control of the client’s email account, the hacker was able to respond back to the CPA firm to verify the payments to the hacker’s overseas bank account.

The above scenario, unfortunately, has become a recurring fact pattern, and these fraudulent wire transfer requests frequently cause large dollar losses. If the fraudster is controlling the client’s email and potentially their phone system as well, and the fraudulent request mimics previous legitimate requests, it is often difficult for the firm to identify the request as illegitimate. When fraud is discovered after the transfer, the funds are usually not recoverable. Domestic banks are not always helpful in preventing fraudulent transfers, as laws tend to limit their risk exposures and enable them to deny responsibility.

With the increased number of claims related to fraudulent wire transfers, the best risk management practice in the absence of any written protocols to the contrary is to verbally confirm all wire transfer requests with the client, and not rely on email or voicemail confirmations. Unfortunately, technological advances have permitted sophisticated scammers to create AI versions not only of people’s voices, but also realistic avatars of scam targets so that you can’t trust your ears or your eyes on virtual calls (Microsoft Teams). Ideally, you and your client will have a code word and/or phrase to confirm the authenticity of the person you are speaking to. Additional loss prevention guidance to minimize fraudulent wire transfer exposure can be found in CAMCO’s article Social Engineering Scams/Fraudulent Wire Transfers. Refer to the Cyber/Data Security Resource Center on CAMICO’s Members-Only Site.

Scenario #2: Ransomware
An employee of a CPA firm opened an unsolicited email attachment from “IRS e-Services” that immediately downloaded ransomware onto the firm’s computer system. The employee noticed that the file names were rapidly being changed to “Needs Decrypting.” The employee turned off and rebooted the computer, but the virus had already spread to all the firm’s servers, and all the files became encrypted. The employee reported the incident to the firm’s managing partner and the firm promptly took actions in accordance with their Incident Response Plan. Once it was determined that a breach had occurred, the firm complied with applicable state and federal laws, and the breach was reported to law enforcement.

Ransomware is one of the most malicious hacker attack vectors and firms of all sizes have become victims. It sneaks into computer systems, encrypts files, and demands a ransom before agreeing to decrypt the files. A major problem is that hackers do not always decrypt files even after the ransom is paid.

Ransom demands have certainly increased in recent years and it is not unusual to see them range from several thousand dollars to several hundred thousand dollars. Some ransomware attacks rely on software that now has known fixes, so a solution might be found online. Other ransom attacks are more advanced and have no known fixes, other than the victim retrieving and relying on the latest backup files. Therefore, being prepared and taking precautions against cyber risk exposures is essential.

To gain a greater perspective on how CPA firms are impacted by cyber exposures, refer to the IMPACT 126 Claims Chronicles for two additional cyber-related claims.

Has your firm prepared for a cyber incident?
Remember, it is not if you will be attacked, but when.

The weakest link in most cybersecurity attacks today continues to be the human element, so it is important to remember that your firm employees are a vital line of defense. Take action now to arm your employees with education, awareness, and reminders, so that they can make informed decisions about what they click.

Although not meant to be all-inclusive, the following additional basic best practice measures are extremely important when addressing the human element of data security:

Cybersecurity awareness training: As employees are the most common entry point for phishing attacks, a firm’s best protection against social engineering is to make continuous efforts to raise awareness of the importance of ongoing vigilance and enhanced skepticism of each email and online interaction. Education can come in various forms, both formal and informal. Consider sharing with your team “real-life” examples of the potential scam emails received by members of your firm. Learning of the attempted attacks on their colleagues heightens awareness of the nature and types of scams that pose potential threats.

As part of the firm-wide cybersecurity awareness training, you should also consider reviewing the firm’s existing protocols and infrastructure (refer to the firm’s written security plan in place) that supports the firm’s commitment to taking appropriate cybersecurity precautions so that all employees are aware and updated when changes are made. If your firm does not yet have a written security plan in place or you are in the process of updating your document, refer to CAMICO’s Written Information Security Plan (“WISP” or “ISP”) template. The template can be found on the Cyber/Data Security Resource Center on the CAMICO Members-Only Site.

Raising the cybersecurity IQ of all employees will help tremendously in guarding against a breach and will minimize your firm’s potential exposure as employees will be better able to recognize social engineering attempts and understand the importance of guarding their login/authentication credentials both in the office and at home. To be of ultimate value, it is important for firms to commit to embracing a motto of continuous education because the threat landscape doesn’t stop evolving when your employees’ cybersecurity training is done.

2. Use multi-factor authentication. This can add an extra level of security to prevent an account hack, especially when employees work remotely.

3. Change and strengthen passwords frequently. Systems are only as secure as the passwords used to access them.

4. Ensure all software has the latest security options/patches. This will help protect against malware, viruses, and hacker attacks.

5. Require regular data backups. By encouraging employees to regularly back up their data you are preventing data loss when disaster strikes. While this may be a hard policy to enforce for employees working remotely, it remains the best practice. In many instances, devices can be set to back up to the cloud automatically. When relying on cloud storage remember that ransomware can also compromise cloud services. Any data stored in the cloud should also be periodically backed up to an external hard drive. Data backups ensure that a business can continue to operate, even if resources are taken offline by a ransomware attack.

6. Maintain strong cyber hygiene. Reinforce with employees the cyber protocols to be followed when working both in the office as well as remotely (e.g., machine use restrictions, Wi-Fi passwords, VPN, firewalls, etc.).

7. Remind all employees of the importance of powering down computers when not in use. Computers are not accessible to attacks or intrusions when powered off.

Choose the Right Cyber Insurance Coverage
Cyber insurance protects against financial losses related to data breaches or other covered cyber events. Cyber insurance coverage is basically divided along two lines:

First-party, which refers to losses directly suffered by the policyholder (or insured) firm in response to a firm’s data breach or other covered cyber event, and
Third-party, which refers to damages alleged by clients or other third parties that the negligence of the CPA firm contributed in whole or in part to the third party’s cyber-related loss. CAMICO’s professional liability policy generally will cover third-party cyber claims subject to applicable policy terms, conditions, and exclusions.

It is possible that a single cyber incident may give rise to both damage suffered by the firm (first-party losses) and damages allegedly suffered by others that blame the firm (third-party losses). The relationship between the first and third parties can be formed in many ways. It can be contractual (for example, engagement letters), built through tort law, common law, or other ways. CPA firm clients are third parties, and others may become a third party based on the nature of an incident. Clients may have insurance of their own, making them a first party with their own cyber insurance carrier.

First-party insurance typically covers the direct costs of actions needed after a firm has had a data breach, extortion, ransomware attack, or other hacker malfeasance against the firm. Third-party cyber-liability insurance, on the other hand, covers the costs of dealing with the claims of other parties that seek to hold your firm at least partially responsible for damages that they have incurred because of a cyber incident. Sometimes, the line between first-party damage and third-party damage becomes blurred — especially if a firm and its client have both been breached, and forensic analysis cannot conclusively establish either the sequence of events leading up to the breach and/or how the breach occurred.

Although not meant to be all-inclusive, the table below shows common cyber costs and damage that may be incurred in cyber-related claim situations, classified by first- and/or third-party potential exposures:

	First-Party Exposures	Third-Party Exposures
Restoration of the damaged systems, hardware, software and network	X
Cost to restore lost data	X
Ransom fees to retrieve lost data or reopen systems	X
Notification costs	X	X
Forensic investigation costs	X
Credit monitoring costs	X	X
Reprogramming costs	X
Business interruption costs	X
Lost client’s money sent to someone incorrectly due to a cyber event		X
Costs (restoration, fines/fees, etc.) incurred by the third party required due to lost data		X

Understanding the difference between first-party and third-party risks is essential when seeking cyber insurance. Ideally, every CPA firm should have some degree of insurance coverage for both first-party and third-party risks as the CPA firm faces exposure to many accusations and lawsuits in the event of a compromise or data breach impacting its clients’ data. For example, everyone faces risks of inadvertently forwarding a malware-infected email message that subsequently wreaks havoc after being opened by a recipient, or of their computers and networks being breached and subsequently exploited by hackers to serve as launching pads from which to target others. Relying on only one type of cyber insurance that may be limited to either first- or third-party coverage may leave businesses exposed to significant financial and legal risks. Whereas investing in both first-party and third-party cyber insurance ensures greater protection against today’s growing cyber threats.

If you have any specific coverage-related questions, please contact your agent or CAMICO at 1.800.652.1772, and ask to speak with your underwriter.

Additional CAMICO Resources
Additional risk management guidance and information on this topic is available on the Members-Only Site — refer to CAMICO’s Cyber/Data Security Resource Center. CAMICO policyholders with questions regarding this communication or other risk management questions should contact the Loss Prevention department at lp@camico.com, or call our advice hotline at 800.652.1772 and ask to speak with a Loss Prevention Specialist.

The post The Cyber Saga Continues… Protect Your Firm from First-Party and Third-Party Cyber Exposures appeared first on CAMICO.

Conflicts of Interest Still Cause Trouble for CPAs

Amber — Tue, 13 May 2025 21:40:17 +0000

By Duncan B. Will, CPA/ABV/CFF, CFE

Conflicts of interest have long been a major factor in professional liability claims against CPAs. Part of the problem is that potential conflicts of interest are hard to recognize or identify until something goes wrong. When clients are satisfied, they tend to perceive the CPA as a competent advisor who has their best interests at heart. It’s not until clients become disappointed that their perception of the CPA begins to change. The CPA appears to no longer be prioritizing the client’s best interests. Sometimes the CPA may even appear to have sacrificed the client’s best interests to benefit the CPA or another party to the client’s detriment.

One common claim scenario is that of the CPA advising both parties to a transaction, or helping the parties resolve a dispute. For example, the CPA will sometimes agree to represent both the husband and the wife in a divorce when they are still friendly and cooperative. Many times though, the couple’s relationship will deteriorate, leaving the CPA stuck in the middle and caught in the crossfire.

The same is true for dissolutions or disputes between business partners. Disputes between partners or owners often result in the CPA’s advice becoming perceived by one of them as favoring the other.

Participating in business deals or investments with clients is another common scenario where everyone is happy while the investment performs well. But as soon as it takes a downturn or falls apart, the client’s perception of the CPA erodes.

These scenarios are riskiest when issues develop slowly, and the CPA is slow to recognize the slippery slope they are traversing by continuing to serve the parties’ conflicting interests.

Case Study

Consider the following case study (the names have been changed):

For decades, Paul Noble, the founder and managing partner of his CPA firm, had served as a trusted financial advisor to his clients. Like many CPAs, he also had his own personal financial advisor—stockbroker Rich Arrington. Noble frequently shared advice he received from Arrington with his firm’s clients and partners.

Chad Pennyworth, a junior broker at Arrington’s brokerage house, worked with some of Noble’s clients and took on many of Arrington’s accounts when Arrington retired. Noble trusted Arrington’s judgment in Pennyworth’s training and development. Though Noble did not refer any of his clients or acquaintances to Pennyworth, he did inform several of them that he had elected to work with him. Because of Noble’s reputation, many of his clients chose to engage Pennyworth as their own broker when they learned of Noble’s faith in Pennyworth.

Almost immediately after Arrington left, Pennyworth sold Noble some bonds, based on incorrect information that misidentified the bonds’ guarantor as the state, when the bonds were instead guaranteed by a financially challenged local school district.

Pennyworth acknowledged the mistake to Noble, and the brokerage firm agreed to repurchase the bonds from Noble’s portfolio, subject to a nondisclosure agreement, which Noble signed. Noble was pleased when a safer alternative was substituted for the bond investment a couple weeks later.

Two years later though, Noble was troubled when he read of the financial disaster that was all over the news: the local school district’s failure and worthlessness of the bonds the district had guaranteed. Pension funds and investors, including some of his clients, were hurt badly by the losses. Noble felt sorry for the investors but was relieved he had avoided a similar fate.

His relief turned to dismay, as some of his clients called to discuss the impact of the losses they sustained and their intentions to sue Pennyworth and the brokerage house.

Noble’s hands had been tied because of the nondisclosure agreement. He had not warned his clients of the elevated risk of the bond investment, and his clients were now surprised to learn that he was not “in the soup” with them.

During the class action lawsuit against Pennyworth and the brokerage house which followed, Noble’s initial investment, the reversal of that transaction, and the nondisclosure agreement became public knowledge. Noble’s reputation was ruined. He was now seen as a greedy, self-interested collaborator. Ultimately, Noble and his firm were added to the list of defendants in the class action lawsuit. His former clients alleged that Noble and his firm had a duty to disclose the concerns regarding their investment, had ignored the apparent conflict of interest, and had prioritized their own interests over those of their clients.

Loss Prevention Tips

Recognize and communicate potential conflicts of interests. Project the scenario forward to anticipate what would happen if things were to go wrong. Juries tend to sympathize with clients — especially with the benefit of hindsight and the evidence laid out by a skilled attorney.

Embrace “active ethics.” The CPA should recognize that his or her own personal interests can be adverse to client interests and should not agree to sign nondisclosure agreements without first protecting vulnerable clients. Moreover, disclosing a conflict of interest, while helpful, does not resolve the problem, even if clients acknowledge and sign the CPA’s disclosure regarding the potential conflict of interest. Clients could later argue that their consent was not “informed” by a third party (such as an attorney). Do not get too comfortable with disclosure as a form of protection. In the end, the issue will be whether there is a perception that the CPA’s loyalty to his or her clients waned.

Recognize that there are risks associated with providing referrals. Clients often link the CPA who gives a referral to the professional who ultimately performs the services. In instances where it may be perceived that a CPA is offering a referral, the CPA should be careful to name three or more qualified candidates to perform the service and encourage the client to perform their own due diligence in assessing the suitability of the professionals’ qualifications.

Duncan Will is a Loss Prevention Director and Accounting and Auditing Specialist with CAMICO. He advises policyholders through the CAMICO Loss Prevention hotline and speaks to CPA groups on a wide range of topics.

The post Conflicts of Interest Still Cause Trouble for CPAs appeared first on CAMICO.

Meet CAMICO’s New Vice President of Information Technology John Zissu

Amber — Sat, 19 Apr 2025 22:33:18 +0000

John Zissu joined CAMICO as Vice President of Information Technology on April 7, 2025.

Prior to CAMICO, Zissu served as Vice President – Platform Owner at Everest North America and as Vice President of Technology at Tokio Marine HCC (TMHCC), where he spearheaded projects that significantly improved operational efficiency through modern core, digital, and data systems implementations. Specifically, within the TMHCC consolidation, Zissu worked on miscellaneous professional liability and employment practices implementations, developing highly relevant subject matter expertise for CAMICO.

His expertise in modernizing technology operations includes cloud architecture, cybersecurity, data analytics, and the strategic implementation of Robotic Process Automation (RPA) and Artificial Intelligence (AI).

“John brings 25 years of insurance industry experience, including 15 years in specialty carrier technology leadership, driving strategic transformation,” said CAMICO President and CEO Mike Ray. “His deep understanding of insurance underwriting, claims, and financial processes, coupled with expertise in modern carrier platform architecture, enables him to translate complex technology into actionable business strategies. He is well prepared to step into this important leadership role and provide value to CAMICO and its policyholders.”

Zissu holds a J.D. from Fordham Law and a bachelor’s degree in psychology from The College of New Jersey, bringing a unique blend of analytical and strategic thinking.

“I am thrilled to be joining the CAMICO family and looking forward to contributing to CAMICO’s continued growth and success,” Zissu said. “From my first interactions, it was clear how much CAMICO values its people and its reputation for providing exceptional client value. I’m passionate about using technology to create positive change, and I’m eager to work alongside the team to develop solutions that make a real difference for our employees and policyholders.”

The post Meet CAMICO’s New Vice President of Information Technology John Zissu appeared first on CAMICO.

CAMICO Tip: Best Practices to Prevent Wire Transfer Fraud

Amber — Thu, 20 Mar 2025 01:22:07 +0000

Q: My client has asked our firm to initiate wire transfers. What risks are associated with agreeing to initiate wire transfers and what protocols should our firm consider?

A: CPA firms continue to be at high risk of social engineering attempts due to the type of information firms gather and store. If the firm and/or a client’s email is hacked, a wire transfer request could come from a fraudster/hacker. As fraudulent wire transfers frequently cause large dollar losses, firms need to be hypervigilant in their efforts to protect the firm and clients against wire transfer fraud.

If the fraudster controls the client’s and the firm’s email, commonly referred to as a “man in the middle” attack, the fraudulent request may mimic previous legitimate requests, which can make it very difficult for a firm to identify the request as illegitimate. When the fraud is discovered after the transfer, the funds are usually not recoverable. Domestic banks are often not helpful in preventing fraudulent transfers, as laws tend to limit their risk exposure and enable them to deny responsibility.

Given the increasingly sophisticated phishing and spoofing scams, CAMICO strongly encourages firms to have written protocols in place with clients who need such services that outline the protocols to be followed when executing wire transfer requests. Certainly, best practice would be to verbally verify the authenticity of all wire transfer requests that are received by the firm via email correspondence, but for those clients who may wish to limit the requirement for your firm to verbally verify each wire transfer, the client should specify in writing those limits (e.g., by dollar threshold, business purpose, etc.) as well as acknowledge their responsibility for the added risks associated with this limited verbal verification process. We recommend including as part of the verification process specific questions to which only your client would know the answer.

The post CAMICO Tip: Best Practices to Prevent Wire Transfer Fraud appeared first on CAMICO.

CAMICO Tip: Tax Engagements – Managing Client Expectations

Amber — Wed, 19 Feb 2025 19:39:25 +0000

Are you taking the right steps to manage (and document) client expectations? Effective communication is a key factor in any CPA-client relationship, and when you work to stay in control of managing client expectations, you help to safeguard your firm. To that end, good documentation is critical to successfully managing client expectations. Jurors (members of the public) generally consider CPAs to be experts in documentation, and falling short of that expectation may be viewed as negligent and perceived as falling below the standard of care.

Below are helpful documentation tips to get you through the remainder of tax season:

Engagement letters. While engagement letters won’t immunize you from lawsuits, they can be your first line of defense if a client makes a claim against you. Although you likely already have executed engagement letters in place with your tax clients, for those engagements that have had some engagement creep, memorialize the additional services by updating your engagement letter or obtaining a signed addendum clarifying the revised scope and limits.
Always document significant meetings and communications. Follow up with written communications in circumstances including, but not limited to:
- Change in engagement scope (may require a new engagement letter)
- Negative information (e.g., tax return is already late, client’s failure to timely provide information, client is facing an audit)
- Judgment calls (e.g., aggressive tax positions taken by your predecessor)
- Client agreement to take significant action
- Conversations regarding transactions, extensions, or estimated tax payments
“Advise” clients of opportunities and “warn” clients about risks. Consider the need for additional documentation (e.g., client notification letters, tax representation letters, etc.) to mitigate high-risk issues such as the following:
- Recent legal and regulatory developments regarding the Beneficial Ownership Information (BOI) reporting requirements under the Corporate Transparency Act (CTA) have implications for reporting companies’ compliance obligations and FinCEN’s enforcement of the CTA reporting rules as currently promulgated. As the CTA-BOI saga continues, CAMICO strongly recommends that CPA firms continue to keep clients informed and advised as these significant developments occur.
- For clients with significant digital asset transactions, it may be prudent to have them sign a tax representation letter or a stand-alone certification letter at the conclusion of the engagement addressing cryptoasset implications. The additional defensive documentation provides evidence of the client’s understanding and acceptance of their responsibilities regarding digital asset transactions and the limitations of the services your firm provided.
Written documentation should be factual, professional, and without personal commentary or unsubstantiated opinions. Unprofessional and/or inappropriate comments can damage the integrity of documentation. Ask yourself whether your documentation would be helpful or harmful if presented at trial.

The post CAMICO Tip: Tax Engagements – Managing Client Expectations appeared first on CAMICO.