A cyber coverage “Fire Drill” – professional liability insurance implications of the CCH Axcess (Wolters Kluwer Tax & Accounting) malware attack.
Last Monday we received a flurry of frantic phone calls from clients about the denial of access to the CCH Axcess program. On Monday May 6, between the hours of 8-10 a.m. E.T., accountants across the country started realizing their CCH products, which are based in the cloud, were down. At first there was no word from CCH, and the radio silence was more unnerving than any sort of announcement. As events unfolded, it became apparent that there had been some form of malware attack and Wolters Kluwer had taken the precautionary step of shutting down access to all its servers. A pretty good analysis of the incident is described here and here.
The technicalities of this cyber attack are beyond the scope of this blog. Our primary interest (and that of our CPAGold™ policyholders) was whether there was coverage under the CPAGold™ policy or a separate cyber coverage policy.
As described in past blog postings, the CPAGold™ policy affords coverage via various sections. Go here for a full description of this.
Specifically, in this instance the risk was loss of client Personally Identifiable Information (PII) and the legal consequences of this. In this regard, the CPAGold™ policy affords coverage for LEGAL LIABILITY and certain first-party costs (notification and monitoring costs) as follows:
1.1. Professional Liability
We will pay on your behalf all sums in excess of the applicable Deductible amount stated in the Declarations that you become legally obligated to pay as Damages and Defense Expenses resulting from a Claim first made against you during the Policy Period, or an Extended Reporting Period, if applicable, as a result of a Covered Act committed by you…
8.4 Covered Act means any actual or alleged act, error, omission or Personal Injury committed by you in the rendering of or failure to render Professional Services including activities as a fiduciary after the Retroactive Date.
Covered act includes a Privacy Covered Act and Network Security Covered Act.
8.5 Privacy Covered Act means:
8.5.1 accidental loss, misdirection or theft of client, customer commercial data or other personally identifiable information transmitted via electronic media or contained on any computer, portable computer or media device, cloud or server;
8.5.2 Personal injury arising from your use of electronic media, including the publishing of an Internet website or your memberships of a social networking website;
8.5.3 Misdirection of electronic mail or other electronic media; or
8.5.4 Solely with respect to Client Notification and Consultant Costs, loss or theft of Confidential Client Information;
but only if arising from Professional Services performed by any of you.
8.6 Network Security Covered Act means:
8.6.1 Introduction of a computer virus or Cybertoxin into, or enabling a Denial of Service Attack on, a third party’s computer, computer system, or network;
8.6.2 Enabling unauthorized access by a third party into another third party’s computer, computer system or network; or
8.6.3 Unauthorized access by you into another third party’s computer, computer system or network;
but only if arising from Professional Services performed by any of you.
8.7 Confidential Client Information means information that has been provided to you by another, or created by you for another where such information is subject to the terms of a confidentiality agreement or equivalent obligating you to protect such information on behalf of another.
9.8 Other Insurance
This Policy shall be excess over, and shall not contribute with, any other existing insurance, bond, contractual indemnification or self-insurance program, unless such other insurance is specifically written to be excess of this Policy.
If it is determined that both this insurance and any other primary, excess or contingent insurance or self-insurance, apply to any Claim covered by this Policy on the same basis, we shall not be liable under this Policy for a greater proportion of the Damages and Defense Expenses than the applicable Limit of Liability under this Policy for such Damages and Defense Expenses bears to the total applicable Limit of Liability of all valid insurance whether or not collectible against such Claims.
…which, subject to the full policy terms, exclusions and limitations, means that any Professional Liability coverage would be in excess of any indemnification provision via the usage agreement with CCH Axcess.
The most important aspect of the CPAGold™ policy clauses outlined above in regard to the CCH event may be Clauses 8.6.1 and 8.6.3, as they grant coverage to third-party systems. Most policies do not.
It is wise to compare your current professional liability policy with the foregoing wording and ask for confirmation from your agent that a situation like the CCH event would be covered.
Additionally, certain clients have purchased independent cyber coverage with CFC Insurance (London). After consultation with the Underwriter, we were directed to:
SECTION B: PRIVACY LIABILITY
We agree to pay on your behalf all sums which you become legally obliged to pay (including the establishment of any consumer redress fund and associated expenses) as a result of any claim arising out of a cyber event first discovered by you during the period of the policy that results in:
- an actual or suspected disclosure of or unauthorized access to any personally identifiable information (PII), including payment card information or protected healthcare information (PHI);
- your failure to adequately warn affected individuals of a privacy breach, including the failure to provide a data breach notification in a timely manner;
- a breach of any rights of confidentiality as a direct result of your failure to maintain the confidentiality of any data pertaining to an employee or a senior executive officer;
- a breach of any rights of confidentiality, including a breach of any provisions of a non-disclosure agreement or breach of a contractual warranty relating to the confidentiality of commercial information, PII, or PHI;
- actual or suspected disclosure of or unauthorized access to your data or data for which you are responsible.
We will also pay costs and expenses on your behalf.
“Cyber event” means any actual or suspected unauthorized system access, electronic attack or privacy breach, including denial of service attack, cyber terrorism, hacking attack, Trojan horse, phishing attack, man-in-the-middle attack, application-layer attack, compromised key attack, malware infection (including spyware or Ransomware) or computer virus.
…which seems to imply that this policy, subject to its full terms, conditions and exclusions, would also provide coverage.
There may also be other sections of either policy that provide coverage for the event (e.g. Business Interruption) and other policies that grant coverage (e.g. a Business Owners Policy). You should check with your insurance agent.
Fortunately, Wolters Kluwer Tax & Accounting was able to quickly resolve the problem, and this coverage question became moot. However, an event like this could happen again, and we may not be so lucky. Therefore, it is prudent to verify with your agent the coverage offered by your professional liability and cyber insurance policies.
Jorgensen & Company are not attorneys and do not offer any form of legal advice. Consult with appropriately qualified local counsel for more assistance. Rickard Jorgensen is President and Chief Underwriting Officer for the CPAGold™ program and may be contacted at (201) 345 2440 or email@example.com