In the past few years we have seen quite a few of these costly and tragic situations and have paid a number of claims made against our CPA-firm and investment-professional clients.
The essence is that a CPA or adviser (or Trustee) is induced by a trick, artifice or fraudulent misrepresentation to wire funds to an overseas (or domestic) bank account controlled by the criminal. The inducement can take the form of social engineering, pretexting, phishing, spear phishing or any other confidence trick. Criminals are getting more clever at imitating clients or vendors, even to the point of hacking client or vendor systems and sending emails from what appears to be a legitimate server or email account. When the request comes from a genuinely compromised mailbox, nothing about the email itself (sender address, signature, prior thread history) can be relied on to tell it apart from a real one, which is why the verification described below has to happen outside of email. In addition we have been made aware of a new sophisticated phishing scam which uses the DocuSign infrastructure.
Most recently in our home state of New Jersey a local bank was duped into transferring $460,000 of a municipality’s money to an offshore account (see here for the article). This is not an isolated incident as more New Jersey municipalities are being targeted with cyber attacks.
In past blog postings we have highlighted the way insurers have reacted to this, either by excluding coverage (e.g. Hanover Insurance's False Pretenses clause; see Endorsements 915-0902 05 17 or 915-0903 05 17 or Endorsement #: 915-0168 10 17) or by adding a new Social Engineering endorsement which, coupled with certain risk-management practices, can mitigate claims and provide an element of affirmative insurance protection.
At CPAGold™ we have recently designed an affirmative coverage endorsement that includes a set of protocols which can be used to establish risk-management standards.
This is described as a Call Back Obligation, which essentially means that BEFORE a wire transfer is sent or a check is mailed, the following agreed protocol must be adhered to:
Telephone verification protocol
- The firm employee must verify the original instructions by making an answered outbound telephone call to the client, another employee or another legitimate party in order to confirm the original or subsequently changed wire instructions or mailing address. The call must be placed by the firm; an incoming call from the requester, or a reply to the email that made the request, does not satisfy this step.
- The firm employee must document in the client file the telephone conversation, the confirmation of the wire instructions or mailing address, and the method used to obtain the telephone number.
- If the telephone number is from a source other than the client file, the firm employee must verify that it comes from a legitimate independent third party (such as a credible white-pages listing or the client's own web site). A telephone number supplied in the same email, letter or document that requested the payment or the change of instructions is not independent and must not be used, since a fraudster will simply answer that number themselves.
This protocol may seem a little cumbersome, but verifying the instructions and the identity of the client, and documenting the file, is the simplest way of avoiding being duped.
While no protocol is guaranteed and the criminals are increasingly devious, we encourage all firms to implement such a system of checks to reduce the possibility of a loss and a very unhappy client.
Of course, if this risk-management protocol fails and a loss occurs, it is imperative that your malpractice or cyber insurer provides protection. Don't accept an exclusion.
Jorgensen & Company are not attorneys and do not offer any form of legal advice. Consult with appropriately qualified local counsel for more assistance. Rickard Jorgensen is President and Chief Underwriting Officer for the CPAGold™ program and may be contacted at (201) 345 2440 or firstname.lastname@example.org