Insurance for Outsourcing: A Must-Have for CPAs & Firms

Table of Contents

Hey CPAs and tax pros!

I've got an important topic for us to dive into today, and it's one that often slips through the cracks: insurance when you're outsourcing. So, grab your coffee, tea, or whatever you love to drink, and let's get into it!

Outsourcing is widespread in our field these days. It can really streamline our operations, but it also introduces some significant risks, especially in terms of data security and liability.

One crucial aspect that tends to be overlooked? You guessed it—insurance coverage.

Key Insurance Considerations When Outsourcing

1. Tea Time with Your Insurance Provider

Before you dive into the world of outsource accounting service, take a moment to have a chat with your insurance provider. Trust me, this little conversation can make a big difference. Taking this time to sit down with your insurance provider can save you a lot of stress and potential trouble in the future. Make sure you get all the answers you need so you can proceed with confidence.

Here's a personalized checklist to guide you:

Review Your Current Policy: First things first, grab your insurance policy and give it a good read. Then, get in touch with your insurance folks to discuss it. Ask them directly if your current coverage includes outsourcing. Are there any gaps you should be aware of?
Offshore Considerations: Thinking about sending some work overseas? You need to know how this impacts your insurance. Ask about the specifics of offshore outsourcing and whether there are any exclusions or additional requirements when your data or operations cross borders.
Data Protection: This is a big one. Your data might travel to different countries, so find out how your policy handles that. Will you be covered in case of a data breach or loss when it's handled by an offshore team? Make sure you're protected no matter where your data goes.
Risk Management: Every decision comes with its risks. Talk to your insurance provider about the specific risks associated with outsourcing. Ask them how your policy can help manage these risks, so you can move forward with peace of mind.
Policy Adjustments: Based on your conversation, you might need to tweak your policy. Ask your provider what changes or additional coverages you might need to ensure you're fully protected when outsourcing.

2. Clear as Day: Updating Your Engagement Letters

When it comes to outsourcing, your engagement letters are more important than ever. Taking the time to detail your outsourcing practices in your engagement letters is a simple yet powerful way to keep everyone on the same page. It's a small step that can make a big difference.

Let's talk about why you need to be upfront about your outsourcing practices in these documents:

Transparency with Clients: Your insurance company may require you to disclose your outsourcing arrangements in your engagement letters. This isn't just a bureaucratic step—it's about being transparent with your clients. Section 7216 requires client consent prior to outsourcing; we have written a detailed blog here. By clearly outlining your outsourcing practices, you're setting the right expectations from the beginning, which helps build trust.
Preventing Misunderstandings: Clearly stating your outsourcing practices in your engagement letters can help prevent misunderstandings or disputes later on. When your clients know exactly what to expect, there are fewer chances for confusion or conflict.
Setting the Right Expectations: By being open about your outsourcing, you're ensuring that your clients understand how their data will be handled and who will be responsible for various tasks. This can be particularly important for issues related to data security and liability.
Avoiding Plot Twists: Nobody likes surprises when it comes to insurance, especially those involving data security and liability. By clearly outlining your outsourcing arrangements in your engagement letters, you avoid unexpected twists that could complicate your relationship with your clients and your insurance coverage.
Insurance Compliance: Your insurance company might have specific requirements about how you disclose. Make sure your engagement letters meet these requirements to ensure your insurance coverage remains intact and effective.

3. Choosing the Right Partners: Sherlocking Your Way Through Vendors

Before you pick an outsourcing partner, your insurance folks will likely suggest you do some serious digging. Taking these steps helps ensure you choose a reliable and secure outsourcing partner, protecting your business and client data.

Here are some tips:

Do Your Homework: Research potential partners thoroughly and keep detailed records of your findings. This is crucial if you ever need to demonstrate your efforts to regulators or your insurance provider. This way, if anything goes wrong, you can show that you did your due diligence.
Follow the Rules: If you're a tax professional or accountant, remember IRS rules and AICPA guidance require due diligence with third parties. Ensure your partners meet these standards.
Choose Reputable Partners: Stick with reputable outsourcing partners who prioritize security and have a solid reputation. Avoid freelancers, random individuals, or small operations you know little about. Your data deserves to be in safe, trusted hands.
Security Matters: Data security is paramount. You definitely don’t want your sensitive information floating around in some random Starbucks' Wi-Fi in another country. Check if your outsourcing partner is SOC (System and Organization Controls) certified. This certification indicates they have met high standards for managing data securely and protecting client information.
Insurance Coverage: Verify that your outsourcing partner has their own insurance coverage. This adds an extra layer of protection and shows that they are serious about their business and prepared for any potential issues.

4. Beef Up Your Coverage

It's time to take a closer look at your insurance coverage and ensure your business is fully prepared and well-protected in today's ever-evolving landscape for whatever comes its way. Better safe than sorry!

By personalizing your insurance strategy, you're not just safeguarding your business—you're investing in its resilience and longevity. Here are some ways to do it:

Cybersecurity Protection: With the rise of cyber threats, it's vital to fortify your defenses. Think about adding specialized cybersecurity insurance tailored to your business's unique needs. Your digital assets deserve top-notch protection.
E&O Shield: Mistakes happen, but they don't have to be catastrophic. Give yourself peace of mind with Errors and Omissions (E&O) insurance. It's like a safety net for your professional endeavors, shielding you from potential claims of negligence or oversight.
Partners in Protection: Your outsourcing pals are an extension of your team, so it's essential to ensure they're covered too. Before diving into any partnerships, make sure they have robust insurance coverage. After all, a shared commitment to protection strengthens your collective resilience.

5. IRS and Legal Compliance: Dotting I’s and Crossing T’s

Let's talk about IRS compliance. Remember, compliance isn't just about ticking boxes—it's about building a fortress of trust around your client relationships. So, let's dive in, equipped with knowledge and determination, and ensure your compliance plan is as personalized as your client interactions.

Here's your personalized roadmap to keep your client info safe and your reputation sterling:

Guarding Client Confidentiality: Uncle Sam expects nothing less than top-notch protection for your client's data. Ensure you're locking down that sensitive info tight.
Annual Consent Check-In: Picture this - you and your client, renewing your commitment annually. It's not just about paperwork; it's about reaffirming trust and transparency, one signature at a time.
IRS Resources as Your Sidekick: Feeling lost? Don't worry, you've got backup. Let's tap into IRS publications like 4557 and 5708 together. They're not just guidelines; they're your dependable partners.
Tackling IRC 7216 Together: Ready for a challenge? IRC 7216 might seem daunting, but with our attention to detail and a bit of elbow grease, we'll conquer it together. We have a comprehensive blog post about this. Click here to read more.

Real-Life Stories

There are some real-life nightmares that hit a little too close to home for accounting firms like ours.

Let’s check out these cautionary tales:

Case Study 1: Millet & Company’s Ransomware Attack - Legal Battles and Lasting Reputation Damage

Introduction

Millet & Company (Name changed for confidentiality purposes), an accounting firm based in Florida, experienced a severe ransomware attack that critically disrupted their operations just before the March 15 tax deadline. Although the attackers were never identified, the firm suspects that the attack originated from a longtime associate in Bangladesh. The attack resulted in significant data loss and financial repercussions, coinciding with their server and application migration process.

What Happened?

The firm was hit by a ransomware attack demanding three bitcoins to unlock their servers. Unfortunately, the firm had not backed up data for the past 30 days as they plan on migrating their servers. The server was locked, and the accounting firm came to a complete halt for 3 weeks in the middle of tax season. The owner decided not to pay the ransom, resulting in the need to redo all the work from the previous month, including tax returns.

Impact

Data on the Dark Web: The stolen data was later posted on the dark web, causing significant legal and financial repercussions.

Multiple Lawsuits: The breach led to several lawsuits totaling $1.3 million, resulting from various legal claims against the firm.

Client Notifications from Attackers: Clients received notifications directly from the attackers, informing them of the ransomware and breach.

Denial of Insurance Claims: The firm’s insurance claims were denied due to several factors:

Negligence in outsourcing practices
Absence of an information security plan
Failure to consult with the insurance company before engaging with foreign partners
Lack of backups for client information and keeping server ports open
Insufficient due diligence as required by IRS guidelines and AICPA standards before outsourcing
Non-compliance with regulatory disclosures and FTC/IRS guidelines

Reputational Damage: The incident was widely covered in both local and national news, resulting in severe reputational damage to the firm.

Bankruptcy: The financial strain and mounting legal issues forced the firm and its partners to file for bankruptcy.

Stress and Legal Costs: Managing the aftermath involved immense stress and substantial legal costs, including defending against lawsuits, filing for bankruptcy, and challenging insurance claim denials.

We suggest working with reputable service providers. We have talked more about this in our blog here.

Case Study 2: Mac Financial’s Data Theft Crisis - Client Stolen Funds and Firm’s Bankruptcy

Introduction

Mac Financial (Name changed for confidentiality purposes), a firm seeking efficiency and lower costs through outsourcing to West Africa, experienced a devastating security breach that led to significant financial and reputational damage. The oversight in security measures proved costly, ultimately leading to the firm's bankruptcy.

What Happened?

The firm outsourced its accounting and bookkeeping operations to an unverified provider in West Africa. This lack of security and due diligence led to the theft of sensitive client data, including credit card and bank account information.

Impact:

Card Testing and Fund Extraction Scam: The stolen data was used in a card testing scam, where small test transactions were made on third-party platforms using the compromised credit card and bank account information. Successful tests facilitated the unauthorized withdrawal of over $500,000 from client accounts. Despite clients disputing these transactions as unauthorized, the funds had already been transferred out of the country by the time the disputes were raised, and the money was unrecoverable.

Multiple Lawsuits: Clients affected by the data breach experienced significant financial losses totaling over $500,000. The firm faced numerous lawsuits, ultimately settling with all clients for $1.8 million. To cover these costs, the firm’s partners had to take on substantial debt, mortgage their homes, and sell their assets.

Client Loss and Damaged Reputation: The breach caused the firm to lose 50% of its clients and suffer permanent damage to its reputation.

Insurance Claim Denial: The firm’s insurance claim was denied due to failure to adhere to security protocols and reasonable due diligence.

Bankruptcy: The combination of legal fees, client losses, and financial instability resulted in the firm’s bankruptcy in 1 year time, highlighting the severe consequences of inadequate security measures in outsourcing arrangements.

The Moral of the Story

The bottom Line? Safeguard your future.

The takeaway is crystal clear: insurance isn't a luxury—it's a necessity, especially when it comes to outsourcing. Take the time to dot your i's and cross your t's. Research your options, adhere to regulations, and choose your partners with care. Insurance isn't just a checkbox—it's your lifeline when the unexpected strikes.

So, let's make a pact to prioritize protection. Let's ensure our businesses, our clients, and our futures are secure by investing in the right coverage and making informed decisions about outsourcing.

Stay sharp, stay vigilant, and above all, stay secure!

FAQ's

Ensure they have SOC certifications, robust data protection measures, and their own liability insurance.

Annually or whenever you change your outsourcing practices or partners.

Notify your insurance provider immediately, assess the extent of the breach, and consult legal counsel to mitigate any potential damages. Remember, in the accounting world, being proactive about insurance isn’t just smart—it’s imperative. Protect your practice, safeguard your clients, and ensure your outsourcing strategy is solid from the ground up.

Christopher Rivera

Christopher Rivera, Chris serves as a Director of Client Relations and Business Development at Entigrity. He is an expert at leading and managing teams actively from the front. His expertise in sales, training, coaching, mentoring and influencing combined with his competitive nature makes him a strong leader. Chris has traveled through the length and width of the country and has spoken with more than five thousand CPAs, understanding their challenges and limitations. On the grounds of that, he can now easily provide opinions and solutions that can be immensely helpful to the professionals. He has also represented Entigrity at a number of major accounting conferences and networking events.