Tag Archives: AON

COVID-19: A Catalyst for Key Reviews

Law firms and accounting firms alike have complex and often rigorous conflicts and intake processes to vet new business and determine the worthiness of accepting and representing clients. These processes need to consider many different ethical and compliance considerations, depending on the type of work and the jurisdiction(s) the work will reside in. Internally, there are often multiple approvals that must be obtained before representing a new client, and the intake requests often must pass through multiple teams for review and input. While firms have, at times, bolted on additional functions and ad hoc workflows to accommodate new or growing needs, it is not common for these processes to get routinely reviewed for improvements and adjustments. That was until COVID-19.

The COVID-19 pandemic has prompted firms to pause and review three key areas: conflicts and intake processes, technology investments and personnel. Conflicts and intake are the initial gateways for all business coming into a firm, and they form a potential client's first impression of how the firm operates. Firms should therefore assess every aspect of these processes to ensure the resources involved can seamlessly adapt to the challenges a pandemic creates, such as a distributed workforce and a greater need for mobile technology functionality.

Processes

Firms should use this challenging time to take a deep dive into their conflicts and intake processes and make that review an annual exercise. Create a small team responsible for the annual review. Examine all procedures starting at each process stage and the corresponding micro-level inputs and outputs, and then identify where the efficiency gaps are. Often, these gaps are caused by a bottleneck at a single process stage: the step takes more time, there are not enough resources to handle the volume, or manual steps have not been automated. An effective way to locate such bottlenecks is to run quick, easy and routine internal surveys of users' views on the processes. Include every user who touches these processes, including partners, executive assistants, conflicts and intake staff and departments with overlapping interests or information-sharing needs, such as billing, HR, marketing and IT support. These annual reviews will help identify and prioritize areas for improvement. Use the information gathered as the building blocks for executing the necessary changes. Reviewing annually helps transform a firm from reactive to proactive, making it more agile in addressing current challenges and in anticipating future ones before they become a problem for the firm.

Technology

The COVID-19 pandemic has also forced firms to review their technology investments, and it is prudent to review the current conflicts and intake technology contracts at the same time. Firms may already be paying for resources and tools, intended to support conflicts and intake work, that are not being utilized. Reach out to each vendor to find out whether any new or additional mobile features are available for the product. Finally, ask each technology vendor what its future road map holds for innovation and for additional features and functionality. By reviewing conflicts and intake related technology and the associated contracts, a firm may realize additional value, features and functionality from its existing technology. A review can also shine a light on the inadequacies of existing technology and help the firm start researching and moving to a better solution.


Personnel

Reviewing the conflicts and intake processes and evaluating technology investments are important, but it is equally important to check in on the people who perform these functions. The COVID-19 pandemic has generally resulted in conflicts and intake staff working from home. This can create an environment where collaboration and teamwork decrease because the workforce is distributed rather than centralized. To avoid such problems, consider cross-training personnel so they learn new skills and can serve the firm in other capacities. Cross-training also builds collaboration and teamwork among the conflicts and intake teams. These efforts will enrich the personnel's skill sets, increase social interaction within each team and create contingency options for times when a certain position, role or responsibility must be covered due to changing circumstances. This will also help a firm adapt to situations such as a pandemic without missing a beat.

The COVID-19 pandemic has shown the importance of preparedness and review. A continuous review of a firm’s conflicts and intake processes, technology and personnel should help firms improve in agility and efficiency while also strengthening risk management. Use the COVID-19 pandemic as an opportunity to create a refreshed conflicts and intake process by coupling a firm’s internal resources with an external, independent practitioner skilled in the conflicts and intake arena. Clients, partners and staff will reap the benefits immediately and in the future.

Cyber Risk Impact of Working From Home

The novel coronavirus (COVID-19) and the resultant move to widespread homeworking has created vulnerabilities for criminals to exploit. Homeworking has exposed new access points for cyber criminals to gain entry to corporate systems, including domestic PCs, laptops and Wi-Fi routers. Homeworking has also led to a diminution in employees’ distinction between work and personal emails, to increasing usage of devices with insecure passwords and to use of online applications that would be prohibited in the corporate environment due to security concerns.

Criminals have also exploited the public’s need for information on COVID-19 to create a range of social media and text message attacks, particularly in those countries worst affected by the virus. In addition, the rapid rise of online shopping due to lockdown has exposed the public to a higher level of well-established cyber scams such as form-jacking and spoofing.

Any organization that rapidly deployed new technology, applications, services or systems at the onset of the pandemic should now be focused on taking a look back and ensuring that the organization has implemented best practices in security configuration and architecture. Many organizations are discovering that their rapid deployments, while necessary, may have introduced undesirable security vulnerabilities.

In a new report, Darren Thomson, Head of Cyber Security Strategy at CyberCube; Jon Laux, Head of Cyber Analytics, Reinsurance Solutions, at Aon; and Rebecca Bole, Head of Industry Engagement at CyberCube; explore the changes to our digital landscape and lay out ways to head off problems.

A video featuring Jon and Darren discussing some of the report's key findings can be found on CyberCube's YouTube channel. A press release is also available.

How Startups Will Save Insurance

Digital disruption used to be seen by insurance industry watchers as an existential threat to the sector. That argument no longer applies. Today, there is no argument that the insurance industry needs digitalization to secure its future.

Across the financial services sector, companies are being re-defined by their clients’ needs.

It’s what happened with banks. They were driven to embrace fintech because of the speed of innovation required, and what their customers were experiencing elsewhere, particularly in the retail sphere. In the same way, insurers (and brokers) are looking to insurtech for answers.

Actually, the insurance industry doesn’t have a choice, with insurance spending as a percentage of GDP declining over the course of the last two decades. The industry’s share of GDP has declined from a high of 7.5% in 2002 to 6.1% in 2017 (source: Swiss Re Sigma Explorer Dataset 2019).

This is happening in part due to an increase in the world’s population and disproportional prosperity growth in emerging markets, creating more consumers who need to protect their property and families. Meanwhile, value is changing in the corporate rankings, where businesses with high-value intangible assets, like Google, Alibaba or Apple, have overtaken companies trading in more tangible products.

It all points to a need for risk management and for the insurance industry to drive innovation and its relevance – especially during a period of great change. Arguably, the incumbent market simply should be innovating at a quicker pace to meet the evolving needs of its client base and its stakeholders.

Many clients today have unmet risk transfer needs, related to intellectual property, the gig worker economy, cyber threats, pandemic or climate, for example. We as an industry need to acknowledge these differences across traditional and emerging markets, tangible and intangible assets, and deliver a differentiated approach in our increasingly connected world.

Meanwhile, the entire sector – brokers and insurers – has been making healthy profits. This combination of an inverted innovation curve and profit pool has proved to be irresistible to entrepreneurs.


Incumbents’ fears around digital disruption are misplaced, however. After all, when the fintech wave hit the banking sector, it didn’t knock out the big players like JPMorgan Chase, Bank of America and Citi. They retained their positions because they took the best of innovation and applied it.

In a similar way, the insurance industry can and will adapt to the direction of change in the use of technology-enabled platforms.

The insurance industry has to incorporate digital distribution and automation in underwriting, at the intersection of data science and actuarial science, to design modern underwriting models and create larger pools of insurable risk in ways that let insurers remain profitable while covering them.

Common ground with clients

Our clients themselves are looking for innovative solutions, so we have common ground. For example, new technology in trucks now allows for user-based analysis of driving behavior. Aon Affinity partnered with CarrierHQ to roll out a new motor insurance program that applies third-party data, real-time driving analytics and a proprietary rating algorithm to score each driver in a fleet of 20 or fewer trucks. Premiums are adjusted monthly for each truck based on the driver scores. To power this behind the scenes, Aon partnered with Instec to enhance the customer experience for small fleet trucking while improving underwriting results for the insurers.

By using our data analytics and insight, we can design technology-enabled platforms for all kinds of business, big and small. It's why Aon acquired Coverwallet, the leading digital insurance platform for small and medium-sized businesses.

The evolution is unstoppable because innovation benefits both the insurance markets and the underlying consumer.

Even pacesetters like Amazon and Uber continue to be defined by their clients and by those clients' appreciation of the transparency and convenience these platforms afford them.


To meet the needs of a changing consumer, incumbent businesses – including insurers – need to be client-driven and data-centric to embrace innovation and better network among themselves.

But crucially, everyone needs to stay safe in a dynamic environment heightened by cyber risk, global pandemics and climate change, a problem that insurtech is helping resolve to the benefit of both insurers and insureds.

Coronavirus Boosts Cyber Risk

Concern about the spread of the coronavirus has triggered the largest “work-from-home” mobilization in history. Here are practical steps that organizations can take to remain cyber resilient amid the crisis.

The outbreak of COVID-19 has caused significant disruption to businesses and a degree of panic within the employee community. Companies across Asia have activated contingency and business continuity plans and have allowed or instructed employees to work from home to limit the spread of the virus. In a new reality where millions of people are working remotely, secure networks are now more critical than ever. To remain operational and secure, Aon recommends that companies take the following steps:

Defend Against the Phishing Wave

Malicious actors will leverage the intense focus placed on the virus and the fear and panic it creates. Security researchers have already observed phishing emails posing as alerts regarding COVID-19. These emails typically contain attachments that purport to offer information about the outbreak or updates on how recipients may stay safe. In an environment where people are stressed and hungry for more information, commitment to security best practices tends to slip.

This is the time for organizations to remind employees of the need for vigilance and of the dangers of opening attachments and links from untrusted sources. Running a simulated spear phishing campaign can also demonstrate the level of resilience to these attacks. At a more technical level, up-to-date antivirus and monitoring tools can limit the damage a successful spear phishing attack can do.

Test System Preparedness

Organizations will be experiencing an unprecedented amount of traffic accessing the network remotely. Companies with an agile workforce have been preparing for this contingency for some time and will be well-equipped to maintain network integrity through the use of sophisticated virtual private networks (VPNs) and multi-factor authentication. Enterprise security teams should increase monitoring for attacker activity originating from work-from-home users, as employees' personal computers are a weak point that attackers will leverage to gain access to corporate resources.

For those less prepared, COVID-19 presents a challenge. There is a risk that the increased volume of network traffic will strain IT systems and personnel and that employees will be accessing sensitive data and systems via unsecured networks or devices. We recommend that these organizations adopt remote-working and bring-your-own-device (BYOD) standards as quickly as possible. Virtual private networks (VPNs) should be patched regularly (for example, a vulnerability in the Pulse Secure VPN was patched in April 2019, but companies that failed to update were falling victim to ransomware in December), and networks should be load-tested to ensure that the increased traffic can be handled.


Brace for Disruption

A remote workforce can make it more difficult for IT staff to monitor and contain threats to network security. In an office environment, when a threat is detected, IT can immediately quarantine the device, disconnecting the endpoint (i.e., the compromised computer) from the corporate network while conducting investigations. Where users are working remotely, organizations should ensure that, to the extent possible, IT and security colleagues are readily contactable and ideally able to physically address a compromise at its source. Sophisticated endpoint detection and response (EDR) software can also be used to quarantine workstations remotely, limiting the potential for malicious actors to move through the network.

As this risk moves beyond the technical, companies should adopt an enterprise risk approach. This can include rehearsing business continuity plans (BCP) and senior management response through tabletop crisis simulations that focus on cyber scenarios as well as on how pandemics and other similarly disruptive events are likely to affect automation, connectivity and cyber resilience.

Companies can also safeguard against the increased risk of disruption through a robust cyber insurance policy that, in the event of a digital disruption to systems, can provide cover for business interruption losses, as well as the costs of engaging forensic experts to investigate and remediate a breach.

COVID-19 presents a range of challenges to businesses across Asia, but developments in technology since the SARS outbreak mean companies can remain operational and nimble in the face of uncertainty. Keeping one eye on the pervasive cyber threat in the midst of this crisis is critical to ensuring continuing success.

When Are CPAs Liable for Cybersecurity?

Cybersecurity attacks are inevitable. That’s the unfortunate reality. In fact, in a special report, Cybersecurity Ventures projects cybercrime’s global cost will exceed $1 trillion between 2017 and 2021.

Safeguarding clients’ nonpublic information from cyber-criminals is a top priority for CPA firms. The latest data breach statistics from the 2017 Identity Theft Resource Center Data Breach Report show an alarming number of exposed consumer records in the U.S.

  • 1,579 reported breaches, exposing 179 million records
  • 55% of all breaches involved businesses
  • 59% of all breaches resulted from hacking by outside sources
  • 53% of all breaches exposed Social Security numbers

Now more than ever, organizations and accounting firms of all sizes need to be vigilant about protecting data and responding to threats.

What’s my liability?

“That’s a big question we hear from firms regardless of whether they’ve been attacked,” said Stan Sterna, vice president and risk control specialist for Aon. “There are actually no uniform federal laws on business cybersecurity. But there is a patchwork of state and federal rules.”

Under certain state laws, CPAs can face liability for cybersecurity breaches that expose personal information. Most states have rules for handling breach notifications and for what remediation measures need to be taken. Breach requirements depend on where the client resides – not where your firm is located. We encourage you to learn the dynamic requirements of states that apply to you.

The Texas data breach notification law has been amended several times since its passage in 2009. It requires notification of affected individuals in the event a data breach results in the disclosure of unencrypted personal information consisting of an individual’s first name or first initial, last name and certain personal information such as Social Security and driver’s license numbers.

Federal rules and law

The Safeguards Rule is enforced by the Federal Trade Commission and applies to all companies defined as financial institutions under the Gramm-Leach-Bliley (GLB) Act. Businesses that prepare tax returns fall within this definition. Under the rule, businesses are required to develop a written information security plan that describes their program to protect customer information. There are five additional requirements. Learn about the rule and implement applicable compliance protocols.

Do clients have standing to sue a CPA firm if they did not suffer damages as a result of a data breach?

At the federal level, the circuit courts are split as to what constitutes sufficient standing to sue in cyber breach cases. Some courts hold that companies may be liable for damages if client or employee data is stolen, even if the theft causes no harm; instead, it’s sufficient to merely allege that the information was compromised. This broad interpretation will only further increase the risk of cyber liability claims.

Two recent decisions illustrate these differences:

  • The Sixth Circuit court, citing the defendant’s offer for free credit monitoring as evidence, joined the Seventh and Ninth circuits in holding that a cyber victim’s fear of future harm is real and provides sufficient standing to sue. This particular ruling specifically undermines the defense that if no actual cyber fraud or identity theft occurred, the victim has not been damaged and has no standing to sue.
  • However, in another case, the Fourth Circuit held that a plaintiff must allege and show that their personal information was intentionally targeted for theft in a data breach and that there is evidence of the misuse or accessing of that information by data thieves. The division among the circuit courts as to standing is not likely to be resolved unless the U.S. Supreme Court decides a case on the issue.

New cybersecurity regulation sets the stage for other states to follow

In response to several highly publicized consumer data breaches, in 2017 the New York State Department of Financial Services enacted 23 NYCRR 500, "Cyber Requirements for Financial Services Companies," with which all affected firms must now comply. These "first-in-the-nation" data security regulations establish the steps that covered entities must take to secure customer data. The regulations are designed to combat potential cyber events that have a reasonable likelihood of causing material harm to a covered entity's normal business operations.


Specifically, insurers, banks, money services businesses and regulated virtual currency operators doing business in New York with 10 or more employees and $5 million or more in revenues must comply with the new rules. Under the provisions, companies must:

  • Conduct a cybersecurity risk assessment, prepare a cybersecurity program subject to annual audit and establish a written policy, tailored to the company's individual risks, that is approved by senior management;
  • Appoint a chief information security officer (CISO) responsible for the cybersecurity program who regularly reports on the integrity, security, policies, procedures, risks and effectiveness of the program and on cybersecurity events;
  • Establish multi-factor authentication for remote access to internal servers;
  • Encrypt nonpublic information (PII) and regularly dispose of any nonpublic information that is no longer necessary for conducting business (unless required to be retained by law);
  • Prepare a written incident response plan that effectively responds to events and immediately provides notice to the superintendent of the New York Department of Financial Services of any breach where notice is required to be provided to any government body, self-regulatory agency or other supervisory body, or where there is a "reasonable likelihood" of material harm to the normal operations of the business;
  • Implement a written policy addressing the security concerns associated with third parties who provide services to the covered entity, containing guidelines for due diligence or contractual protections relating to the provider's policies for access, encryption and notification of cybersecurity events affecting the covered entity's nonpublic information, and representations addressing the provider's cybersecurity policies relating to the security of the covered entity's information systems or nonpublic information;
  • Annually file a statement with the New York Department of Financial Services certifying compliance with the regulations.

Meanwhile, the California Consumer Privacy Act of 2018 (CCPA) goes into effect on Jan. 1, 2020. The CCPA represents a significant expansion of consumer privacy regulation. Its GDPR-like statutory framework gives California consumers the:

  • Right to know what categories of their personal information have been collected
  • Right to know whether their personal information has been sold or disclosed, and to whom
  • Right to require a business to stop selling their personal information upon request
  • Right to access their personal information
  • Right to prevent a business from denying equal service and price if a consumer exercises rights per the statute
  • Right to a private cause of action under the statute

What is the impact of these new regulations on CPA firms?

Whether or not a CPA provides professional services for an entity covered by the New York Department of Financial Services or the CCPA, these new rules are important:

  • Regulation in one state frequently results in regulation in other states; both the New York and California cybersecurity regulations may serve as a template for other states contemplating cyber security legislation.
  • The regulations create a framework for plaintiffs’ attorneys to follow when alleging that a company (regardless of whether it is a New York or California covered entity) should have done more to protect private information, keep consumers informed or prevent a data breach or that a CPA firm should have detected data security issues while providing professional services.

Take preventative action now

“If someone sues your firm because of a data breach, you may have a stronger case if you can show that you’ve taken reasonable measures to help prevent an attack or theft,” Sterna advised. “Setting up systems to assist in prevention is an important aspect of managing cybersecurity risk.”

Here are three tips to get you started:

Start with an assessment. What are your cybercrime defenses? Do you have gaps in your data security procedures? Do you have controls in place? How do you document incidents when they happen? What is your response plan when incidents occur?

“Mapping where you stand today and your vulnerabilities is the best way to understand your next steps,” Sterna said. The AICPA’s cybersecurity risk management reporting framework helps you assess existing risk management programs. The Private Companies Practice Section cybersecurity toolkit can also help you understand the most common cybersecurity threats.

Implement best practices. At a minimum:

  • Use encryption wherever appropriate to protect sensitive data. This includes laptops, desktops and mobile devices. Failing to do so threatens your data and your reputation.
  • Train employees to recognize threats and safeguard equipment and data.
  • Develop and practice your response plan for various situations such as a ransomware attack, hack or ID theft.
  • Back up your data so you’ll still have access to it if it’s lost or stolen.
  • Keep your equipment physically secure in your office and on the road.

Get an outsider’s perspective. What better way to learn your firm’s vulnerabilities than to hire an expert for penetration testing? Through a penetration test, a third-party consultant will perform a test tailored to your firm’s needs and budget. They’ll provide insights on your firm’s vulnerabilities and educate you about solutions for protecting your practice. A consultant can also help you implement regular drills that test your firm’s response in the case of various attack scenarios.


Legal and insurance considerations

CPA firms should consult with their legal counsel to assess the firm’s risk of first/third party data security claims and assess vendor data security coverage. The existence and adequacy of data security used by third-party vendors (including contract tax return preparers) is often overlooked.

CPA firms also should consult with their insurance agent or broker to review their current cyber policy to ascertain the adequacy of coverage.

This article is provided for general informational purposes only and is not intended to provide individualized business, insurance or legal advice. You should discuss your individual circumstances thoroughly with your legal and other advisers before taking any action with regard to the subject matter of this article. Only the relevant insurance policy provides actual terms, coverages, amounts, conditions and exclusions for an insured.