The Ambitious Bookkeeper Podcast

23 ⎸ What kind of Insurance do Bookkeepers Need? With Jock Wols

November 17, 2021 Jock Wols Episode 23

In this interview episode I have Jock Wols, the CEO of RiskDesk, which specializes in finding the right insurance coverage for professionals and works extensively with Accountants, Bookkeepers, and Attorneys as well as other business professionals. Jock is helping us understand what type of insurance we need, when we need it, and things to consider when assessing your risk tolerance, plus so much more. This episode is value-packed and surely will answer your questions that pertain to Insurance.

Reach out directly to Jock at jock.wols@myriskdesk.com or find out more at www.myriskdesk.com.

In the show I mention a checklist that talks about buying insurance. You can grab that here: 

Start a Bookkeeping Business FREE Checklist

Thanks for listening. For more information about the Ambitious Bookkeeper Podcast or interest in our programs or mentoring visit our resources below:

Connect on Instagram: instagram.com/ambitiousbookkeeper

Connect on LinkedIn: Linkedin.com/in/SerenaShoup

Connect on Facebook: Facebook.com/serenashoupcpa

Click here to get the free First 100 Leads Training with James Wedmore >>

Join the next free training at ambitiousbookkeeper.com/training


Jock:

Almost all of the bookkeepers who I've worked with, who are starting up, they make the decision as soon as they land that, as soon as they land that first client. So once that engagement letter's secured, they will say, okay, you know, as of today, engagement letter signed, I'm going to get that policy in place as of today. So, um, so that's, uh, that's the appropriate, uh, kind of approach.

Serena:

Welcome back to the Ambitious Bookkeeper Podcast. Today I have another guest for you. This is Jock. He is the CEO and founder of RiskDesk, an insurance broker and technology company based out of Lexington, Kentucky. He has over 16 years of experience helping businesses manage their risk by delivering market-leading cyber liability, professional liability and management liability insurance solutions. Before he established RiskDesk in 2017, Jock managed the professional liability portfolio at XL Catlin and was based in London, New York and Lexington. He graduated from Washington and Lee University with a BSc in 2004 and has his MBA from New York University. You can reach out to him directly. We will link his information in the show notes, but I wanted to bring him on this podcast because I specifically help bookkeepers and accountants who are just going out on their own. And one of my major recommendations is to always get insurance, and there's a lot of, there's a lot of options out there. There's also a lot of confusion on what you might need depending on your business model. So I wanted to bring in an expert and help kind of break that down for you. So without further ado, welcome, Jock. Thank you for joining me.

Jock:

Well, thanks for having me, Serena. Appreciate being on your podcast, and hopefully I can be of value to you and, uh, and your, yeah,

Serena:

Absolutely. So let's kind of get into it. Um, one of, like I said, one of my recommendations for new business owners is to get, uh, insurance, but a lot of the bookkeepers and accountants I work with, some of us actually, um, most of us are working virtually. So that kind of plays into things depending on the type of insurance you need, whether you're virtual or meeting clients in an office. And then the other aspect is a lot of us are doing stuff on the cloud. So I know that kind of, um, it's just, there's so much to peel back on that. So what, first off, like, what is your first recommendation for someone that fits that profile, is a virtual accountant? And we can also get into accounting versus bookkeeping if we want. Perfect. Um, yeah. So I'll let you take it away.

Jock:

Yeah. So, uh, I work extensively with the bookkeeping and accounting community and they've, they tend to be three products that I get frequently asked about, and they tend to be E&O insurance, which is also referred to as professional liability insurance, cyber insurance, and then general liability insurance. And so I think, um, what you and I had talked about, maybe we can kind of go into each of those different, uh, products and help the audience kind of better understand what the benefits of those products are. And really the hope is to provide a bit of benchmarking insights and what's, what the community does, as a, uh, as a whole. Um, and, and, and I'll start off with the, with the E&O insurance, because that really represents a professional's or bookkeeper slash accountant's primary kind of business risk. And that business risk stems from a wrongful act that you have committed or alleged to have committed in the services that you provide to your clients. So what really, really all that means: you mess something up, you know, client suffers a financial loss. They hold you liable for that financial loss and looking to you to identify, uh, and indemnify them. And the two kind of key policy benefits represent the payment of damages, i.e. what's settled between you as the defendant and, uh, the client as the plaintiff, and then the payment of any claim expenses or legal expenses incurred to resolve such, such a matter. So from a high level perspective, that is what an E&O or professional liability insurance policy is designed to protect you against.

Serena:

And so that's, like, the minimum that bookkeepers and accountants should have.

Jock:

Yeah. And, and it, if I kind of take a step back in terms of the priority, in terms of the, related to the different products, uh, bookkeepers and accountants secure, the E&O and, professional liability, that is, that is kind of the must-have. That is, you're starting a business, you, you, you, you, you've come, come to certain, as soon as you start your business, that is the number one product that, uh, that you want to, uh, want to get, or evaluate them and look into them. Without kind of jumping ahead, the cyber liability or cyber insurance represents the "I'd like to have it, I'll get it at some stage in the future." That depends on timing and budgeting and pricing really. And then the general liability is like, you know, depending on what stage, what growth phase of your business you are. So it's, uh, it's 1, 2, 3. That's how I sort of categorize those, uh, those different products.

Serena:

Great. That's really helpful because that's always, I mean, I tell people, go get insurance and then they start getting quotes and they're like, well, I don't know really what kind of insurance to get. So I always recommend E&O professional, um, and cyber, honestly. So, um, and then the general liability really only matters if you are meeting, bringing clients into your office, correct?

Jock:

Correct. Um, it's not extensively, exclusively limited to that exposure, but businesses that benefit most from a general liability policy are businesses that either have a lot of interaction with, uh, like face to face interaction with clients, passersby, vendors, uh, visitors, or businesses that manufacture, produce something. So as a virtual bookkeeper, the likelihood of, the, the, the exposure in comparison to, uh, such as like a retail look, a location for example, is very different. Again, I'm not saying your exposure is zero, right, but it's, it's, it's very different. And so often what you see with a general liability policy, that's, those purchasing decisions are made when you either have an office location, and either you have visitors that come to see you or your landlord requires it, or there's a common area that, um, you may have an exposure through, through other businesses, uh, visitors and so forth. Um,

Serena:

Yeah, that makes sense. So have you come across, because a lot of, um, I'm assuming there's a lot of us that might be in coworking spaces and things like that. Have you come across clients of yours that need a general liability for working in a coworking space, or is that something that the coworking space has insurance for?

Jock:

Yeah. So the coworking space will have, uh, insurance for, uh, for that type of exposure, um, whether, and, and, and it just depends on, uh, on the claim or the scenario, whether you're at fault and they would potentially look to subrogate against you. In some cases, the coworking, and it's, it's not many, but some coworking spaces may have a requirement that you carry a, uh, uh, a general liability policy. Unlikely. And, uh, it, most of the time, uh, they, it depends on the size of it. If it's a WeWork, they, they, they, they won't have that. If it's a smaller location or smaller business, sometimes they do have it, but it, it tends to, the quote, unquote kind of more sophisticated requirements, the most coworking spaces, especially now that they're looking for them, they're looking for members, they're looking to have people come into their spot, so they don't want to have it be prohibitive either.

Serena:

Right. That's actually something that came up when I rented, I rent a very tiny room in a, an office suite that I share with a few other businesses. Um, and one of the requirements on the contract or the lease agreement was to have general liability, but I was actually able to negotiate that with the landlord by promising I won't bring clients in because none of my clients live here. So it's not really a risk. But, um, yeah, so let's talk about, um, I'm, I'm looking at kind of the notes that we had, the, the next kind of thing on our list was to talk about the scope of services and how that plays into, maybe, uh, the type of insurance you have or, um, things like that, because bookkeeping, it's important to, you know, have your engagement letters, which is something that you probably talk to your customers about. Um, but in your engagement letter, it's important to really kind of explain that because sometimes we call things bookkeeping, but it's actually accounting or consulting. So can you talk about that

Jock:

a little. Yeah. If, if you think about, if you evaluate the, the language of the insurance policy, you can notify the insurer of a claim from a wrongful act that stems from the professional services that you had, that you provided. So the definition of professional services is really critical and sort of how you teed me up, uh, in terms of the engagement letter and the scope of services that you provide, uh, to your clients and you try to define that, and be, uh, in some cases it's pretty specific about what you will provide and sometimes what you won't, uh, provide, uh, the insurance policy operates in a similar kind of capacity. So what the definition of professional services states is important. And there's really two ways that insurers outline the definition of professional services. The one approach that one set of insurers takes is they will say, hey, Serena, what do you do? And you say, I'm a, as part of the application process, and you say I'm a bookkeeper and they will say, they will say professional services means. Full stop. The second approach that another set of insurers will take is, it's a, hey Serena, what do you do? You say I'm a bookkeeper and they will say bookkeeping falls under the accounting industry group. And as a result, the definition of professional services for that industry group, as a bookkeeper, as a tax preparer, as an enrolled agent, as an accountant, as a CPA, et cetera, et cetera, regardless whether you provide services in those other capacities or not, it doesn't, uh, it doesn't matter because you will disclose your kind of practice area as part of the application process, but you would automatically be covered for those, uh, for the tax preparation services. And really where it's important is when, if during the course of the policy, uh, you to provide tax preparation services, that, in approach B, and the latter approach, you will be automatically provided extended coverage to those services.
You don't have to notify the insurer. What will happen at the, at the renewal process at the subsequent policy, you'll obviously say, hey, I'm doing tax preparation services now. So that could have an impact on the renewal terms or in the premium, but it's not going to jeopardize, uh, it's not going to jeopardize your active policy. The second item to consider, that, and especially for your, um, for your audience, is if there is an overlap into other professionals or into, into other services, let's say accounting. Um, and I know you're, uh, you're an accountant by background. If, if, if an allegation is made against you for a wrongful act stemming from accounting services, if it doesn't say accounting under the definition of professional services, it could represent a gray area, whether the insurer would cover that or not, if it's just limited to bookkeeping. So, and again, I'm not providing any kind of coverage interpretation. Each insurer will evaluate the claim on its own, uh, own merits, but the, you may be held to a higher standard if you are qualified as an accountant. Um, so, so, so that's certainly something, uh, certainly something to kind of.

Serena:

Yeah. So what that means for our listeners to break it down a little bit is if you are like me and you came from maybe a corporate background, you have your accounting degree or a CPA license, or both really can't have a CPA without a degree. But, um, if you have that in your background, even if you are only running a bookkeeping firm and not providing actual CPA services, It kind of depends on what your client is interpreting if I'm not mistaken.

Jock:

Exactly. And so if you think about it from the client's perspective and from the, uh, from the plaintiff, they will try to cast a pretty wide net in terms of who they're targeting, and in terms of what the allegations are. And if they say, you know, a CPA is always held to a higher standard. So that could, um, that could mean that, okay, if they know you're qualified as a CPA, they could make an allegation: hey, you provided these CPA services. You failed in the X, Y, Z. And as a result, you know, on damages. So a demand for damages is X versus, versus Y. So that's a, you know, you talked about the engagement letter from a risk management perspective. That's the, that's pretty much the number one thing to, uh, to kind of focus on in terms of managing your exposures, is what are you promising or what are you committing yourself to doing? And so if, you know, you're a CPA or you qualified as a CPA and you say, hey, I'm not providing any CPA services or, the first line of defense is what does the engagement letter say, and especially in the scope of services, with allegations that are alleged in context of the scope of services that you promise to do.

Serena:

Right. So anyone listening, if you are not going to be providing tax or audit or the typical CPA services, you definitely need to say that in your engagement letter, because if you are like me and you have your CPA license, you have to be very explicit that even though I'm a licensed CPA, I'm not providing those types of services. We are strictly doing bookkeeping and consulting. So basically what you're saying is, it's best to work with an insurance provider that specializes with the accounting industry and can have a broader definition of those professional services so that you're better covered, right?

Jock:

In one way, yes. Um, and without selling against myself, uh, you know, if you're purely a bookkeeper, you're purely going to focus on bookkeeping services, and the definition of professional services means bookkeeping, as the approach A, or bookkeeping, tax preparation, accounting, et cetera, et cetera, if it's purely bookkeeping, from the definition of professional services between those two, it shouldn't really make a difference. Now, again, I'm not providing coverage interpretation and each insurer is going to evaluate it separately. But, I'm not trying to scare anyone, but it's just, you know, there's a couple of best practices, actions you can take in terms of managing your insurance policy. Making sure that the definition of professional services matches the scope of services that you provide is one of those things. You know, approach B sort of makes it easier for everyone involved, and also for the broker or the agent and the insurer, because it eliminates that, uh, that gray area. And sometimes it is a gray area. Um, but again, I know I work with a lot of bookkeepers who go down the path of A approach and they're perfectly happy with that. Um, so, and I'm, I'm not, I'm certainly not suggesting those insurers, uh, uh, not paying claims. That's not, that's not what I'm trying to.

Serena:

Right. And, uh, it also helps from the perspective of the bookkeeping or accounting business owner in case they want to expand their suite of services. Right. Zero. So, um, yeah. And it's, it's great to have this conversation, so people are aware of, okay, well, if I do have that kind of policy to policy, then I need to make sure to let my insurance provider know that I'm expanding my services before the renewal period, otherwise. Yeah, exactly. Yeah. Okay. Great to know.

Jock:

So the second best practice, uh, item that I have in terms of the insurance policy, which I always recommend to, uh, to check is this concept around the, uh, retroactive dates. Okay. I apologize if this is going to get a little technical, but just bear with me.

Serena:

I, they can handle it.

Jock:

Okay. Okay. So professional liability or E&O policies are written on a claims-made basis. That means that you can notify the insurer for a, of a claim that, for a wrongful act that either occurred during the policy period or on or after the retroactive date. So if you think about just that first part of this statement, a wrongful act that occurs during the policy period and a claim that is made, if you, over the next 12 months, the likelihood of you providing services today, your clients suffering a financial loss today and holding you responsible for that and commencing litigation, yeah, highly unlikely, it all happening in one day. So there's a duration of time that exists between when that wrongful act is committed or alleged to have committed, and the litigation is, uh, is commenced or the, or the allegation is, uh, is made against you. Right. So what, so if you think about the, you know, we sort of refer to it as a tail exposure, so in most cases, uh, the, the claim, the wrongful act, won't be for a wrongful act that's committed during the policy period. It's, uh, that wrongful act was committed, uh, at a, at a, at a prior, uh, at a prior stage. So what, in prior, during prior policy periods. So what insurers have done, they've basically said, hey, we will establish a point in time from when a claim, a wrongful act, is covered. Um, and that point in time is, uh, is defined as the retroactive date. So if you buy a new policy today, it says, you know, the first, 2021 is the effective date of the policy and the retroactive date's November 1st, 2021. In 12 months' time your policy will renew, the policy period will advance by one year, but it's critical that the retroactive date remains 11/1/2021. So you will always, that's one thing you always want to check, because if that advances then basically any exposure over the next 12 months would not be covered by the, uh, by the subsequent policy period.
So what, what that means is it doesn't really matter who the insurer is at the time that the wrongful act is committed. It's, the critical thing is who's the insurer at the time that you have the active policy and how far back does that policy go into the wrongful acts that are covered. So I'll just pause there for a moment, 'cause I threw quite a bit at you there, but, uh, uh, fire away, any questions, any kind of clarification to, um, you

Serena:

may need. So that's why it's so important to get insurance when you first start.

Jock:

Exactly, exactly. You're, you're, you're spot on, because if you trade for a couple, couple months or six months or a year, and then in the future buy an E&O policy, you know, you may not, an insurer may not want to backdate those, uh, the retroactive date for those exposures because they, they're going to ask themselves a question: well, why are you buying an insurance policy now? Why have you been doing, providing services for six to 12 months? Is there something we don't know, or are you expecting a claim and that's why, you have you messed something up and that's why you're buying an insurance policy now?

Serena:

Wow. So this is really also good information for us to take back to our clients to ensure that they're taking necessary steps as a business owner to stay covered for things as well. Um, I mean, if you're in my world, that's one of the first things on my checklist for starting a bookkeeping business, is getting insurance, and it doesn't mean you have to get insurance before you ever land a client, does it? Because I always recommend it's like, once you, uh, like have that first discovery call, it looks like it's going to go well, like that's when you, things are validated, that's when you can buy insurance, you don't have to do it ahead of time necessarily.

Jock:

No, you don't necessarily have to do there an exposure. Um, you could be, you could be providing advice, so some, uh, a service to your client, even though, active client, even though they're not a client yet, that they may take and say, oh, Serena said I should do X, Y, Z, and I've done that, and now suffered a financial loss. They never, they may have never become a client. So there could be an exposure, uh, uh, through that. Likelihood of though is pretty elements of, again, I'm not saying that it's, there's no exposure. Uh, it is pretty, it is pretty benign. Um, so, so that kind of talks to two things. One is obviously the retroactive date. Uh, but then also the second piece is under the definition of professional services, broader policies will provide, will extend coverage for services rendered on a pro bono basis. Meaning if you have, if you engaged in an RFP or if you provide, uh, advice to a prospect or someone and they don't, they don't compensate you for it, they don't pay a fee or, uh, you're not charging them for it, they could be, that would extend coverage to those, uh, to those kinds of engagements or quote unquote engagements. Um, okay. Interesting. Yeah, I know. And many let me, but uh, certain insurance policies, they won't, they just say, hey, we want you to be a client. And, uh, uh, you have to be. We will only have a claim stemming from a client or some way you have been compensated for a fee or, uh, or.

Serena:

So that would exclude anyone doing like voluntary volunteer work for like being a treasurer on a board of directors or something. So that's also good to know exactly because CPAs are always being asked to sit on boards or act as a treasurer or secretaries of non-profits. So this is all really great information. Um, awesome.

Jock:

And just kind of, while we're getting sort of down the best practices routes, and you asked, hey, when's the best time to buy an insurance policy, again, not to suggest you have an exposure, again, just trying to provide a little context of what, uh, what your, what your audience's peers are doing when they make the purchasing decision. And most of them, in fact, almost all of the bookkeepers who I've worked with, who are starting up, they make the decision as soon as they land that, as soon as they land that first client. So once that engagement letter's secured, they will say, okay, you know, as of today, engagement letter signed, I'm going to get that policy in place as of today. So, um, so that's, uh, that's the appropriate, uh, kind of approach. And again, sometimes, you know, you just don't know how long it takes to get that first client. Sometimes it happens really quickly and other times it doesn't happen until a couple months down the line. So it just, just depends.

Serena:

Yeah. That's kind of, that's been the general advice that I give too, because, you know, it's not always cheap to get insurance. You want to make sure you're going to have money coming in to cover that cost. So, um, but that's a lot cheaper to start up a virtual bookkeeping business than most other forms of businesses. Yeah. So like, if, if mainly the only thing that you really have to outlay cash for at the beginning is an insurance policy and a computer. Yeah. So

Jock:

that's of course content, maybe. So. Yeah.

Serena:

Awesome. So let's get into, since we're kind of talking about being a virtual bookkeeper, can we talk a little bit about cybersecurity and how important that might be for working on the cloud versus, or maybe it, maybe it doesn't matter whether you're on the cloud or not. How important is it?

Jock:

Yes. So side the wonderful world of cyber insurance and cyber security. Um, that segment, as everyone probably can appreciate, has been getting a lot of attention over the last 24 months. And if I kind of wind back maybe to 10 years ago, in terms of the cyber threats that businesses have faced with, uh, 10 years ago, the typical type of cyber threat represented a data breach or hacking event that then led a business to lose information, and as a result of that loss of information, incurred expenses related to credit monitoring costs or notification expenses, IT forensic expenses to identify where that, where that, with how the breach occurred, um, data restoration expenses, et cetera. So a long, long list of things. And so from a very kind of basic perspective, how businesses evaluated their cyber risk was, one, to say, do I, do operate in high risk? I think financial services or healthcare. And then what information do I possess or access? Is it sensitive information like credit card information, social security numbers, names, address, financial records, uh, my clients', uh, details, et cetera. And how much of that information do I, uh, do, uh, do I have, um, so if you, if, so, so most of the threat revolved around information and the sensitivity of information. If you fast forward to today, very popular threats are, very popular cyber attacks represented, the most, one very popular one right now with, uh, cyber criminals is a ransomware attack. And for those of you who don't know what ransomware is, it basically means a virus is uploaded into a system, your software and your hardware is disabled, uh, black screen pops up and it says, pay, pay X amount of Bitcoin to this, uh, to this account, and we will send you the decryption key. So what that's done is, if you think about the risk of the exposure, the risk, it's, it's changed, it's changed it to an operational risk, because if you, if you're prevented from serving your clients, or doing business.
You've got a problem, you're handcuffed. So what the, so, so, so, so that operational risk has really changed, um, changed the demand for the insurance product. Uh, and it's, it's, it's, it's almost industry agnostic. It doesn't really matter if you're high risk industries, such as financial services or healthcare. It, it, it, it doesn't matter. The cybercriminals, they don't care. It doesn't matter if you've got sensitive information or, or how, or how much information you have. Now, they can leverage that information to drive up the ransom demand. But you are still, you are at a greater risk today from a cyber security incident than you were maybe 10, 10 years ago, because of the nature of the threats that are involved at the time.

Serena:

And every business has a technology component now. So, um, yeah, whether it's running your machinery or if it's just accessing QuickBooks, right.

Jock:

Exactly. And so if you kind of think, if you sort of think about how do you, how do you manage your risk and what, what are the risk management strategies that you can, can adopt, there's sort of three pillars that I kind of think about, uh, in terms of the, that fall under the risk mitigation and the responsible bucket, and they, they represent, one, general awareness and education. Um, that's first and foremost, uh, you know, I'm thinking, see an article about, here's a ransomware attack, you know, maybe pay a little more attention to that than you had in the past. Educate yourself. You know, if there's a cybersecurity course that you can take, um, especially one that's geared towards bookkeepers, maybe, um, maybe consider taking that. Um, then you sort of go into that next, uh, the next pillar, which is the best practices piece. It's like, okay, well, what, what can you do to reduce or mitigate, mitigate your, your, your exposure. Um, and there's a couple of questions. And so I'll work with bookkeeping community, and we, from an insurance perspective, insurers asking more questions over the last, have been asking more questions over the last 12, 12 months because they have been suffering, uh, greater losses in their portfolios. And so they basically identified correlations, businesses are doing and aren't doing, in terms, that, that can lead to a more profitable portfolio or a profitable portfolio. And so they are starting to mandate that the businesses adopt some of these best practices. So things like, I assume you were just going to ask what a, what, what are some of these questions? Things like, do you use multifactor authentication when accessing a network? You know, think about that. You log into your, your bank accounts and you get, put in your password and you get a text message with that, uh, four, six digit code. That's what multifactor authentication is. There's like another, another level of verifying that authenticity of that.
And that's, that's pretty much the number one thing that insurers are asking, uh, right now. They, um, it's, in many cases, if you don't have that in place, they won't even offer you insurance terms. Um, another thing that they're asking about is, do you verify the authenticity of any changes to bank account information or bank details? So have the typical type of scenarios, someone emails and says, hey, my bank account information has changed, please, uh, please update, uh, with, with this. If you don't call back and, uh, and, uh, to check if that request is authentic, you've got a problem. And if you do make that, make that change. So risk management, they're looking at, hey, do you, do you kind of follow these, uh, these processes and protocols.

Serena:

Yeah. And you always kind of assume that, and this is something that now I, I need to make sure right. Are my team, everyone on the team is also educated on because you always assume that if, well, if I know and I'm doing it, then surely my whole team is, but it's not always second nature to everybody, especially if they are not as tech savvy, but for an example, at my old company, um, that ha that happened, the someone, a vendor quote, unquote emailed and said, our bank details are changed, please send it here instead of there. Cause we would wire information and huge, huge checks like 50,000, a hundred thousand. Like it was a big amount of money. It was someone's entire salary. And they were just like, okay. And they didn't even question. Yep. And, um, it was fraud. So, uh, that's one thing that if you are working with a team, even if it's a team of contractors, make sure that they are using two factor authentication and they are, they understand those kinds of risks. Um, don't ever change something based on an email like that, unless, you know, you've gotten confirmation.

Jock:

Yeah. And so, so these, um, education and making that available to pretty much the entire organization or the entire business, including yourself, is it goes a long way. That's also one of the requirements that insurers have is like, sometimes it's sort of Woodland. Hey, if is everyone at a certain level of anyone involved in. Oh, are they educated or do they have access to, are they getting the proper and we call it social engineering, fraud training. And so that email piece is one of it, but they also use, they also use social engineering to basically as deceptive communication and preying on someone's sometimes emotional. The motions and triggering to take certain actions to kind of gain access to the system. And so sometimes they can sit in a system, um, and wait for, you know, the transactions they'll sit in there for six months, three months. They're extremely patient when it comes to that. Uh, and then decide when to, when to strike and they'll try to impersonate the communication. It's a set communication between two legitimate parties, to commit the, um, the cybercrime. Yeah, there's a lot, uh, there's a lot, a lot to it. Um, and so the best practices piece is, and it's going to continue to change, but those are just a couple, a couple examples of what insurers are looking for right now.

Serena:

Right? So with my policy, I have cyber liability and the price keeps going up on it every year. By the way, when I first signed up for it, it was like really cheap. Um, and I haven't changed anything in the way that I do things other than just making my systems more secure, but the price is still going up, but one of the requirements is to have a, I think it's called a cyber risk plan, but it basically outlines these best practices and having like, uh, an actual policy in your company about, um, how you're going to handle certain things. And if you're using two factor authentication, requiring password changes every so often and things like that. So it can be really overwhelming as a solopreneur. Even like, I mean, I, I kind of still feel like a solopreneur, but I do have a team. It's a very simple team. Most of us are part time, but it's still like the more hands you have you have to just make sure that it is going to take time to, to lay out a policy like that, but it is really important. So is that something that you guys also require of your cyber liability? Yeah.

Jock:

It, it, it depends on the insurer really, whether they have that requirement or not, you know, as you kind of stated for small businesses, it can be pretty burdensome. And in, in, in a way it's like, Hey, where do you, where do you start with that? So, um, taking the approach for that. Yeah of saying, Hey, I may not use the word enter the term wants loosely, but I want this incident response plan, you know, the F the biggest benefit of it is to start thinking about it as thinking about the exposures. So it's not necessarily, you know, when something happens. Often that incident response, it's never going to go how you outlined in that document. But what has happened is that you've, you've already thought about some of the exposures and then you can disseminate some of the vulnerabilities or the exposures to your, your partners, to your staff, to your, uh, to, to, to other colleagues or, or businesses who you work with. And especially if they. And if you try to kind of flip it around in terms of the clients that you work with, if a client tells you, Hey, here's my POS would just log into my bank account information, you know, do whatever you need to do. It's like you can kind of, they may not either, they may not be educated or, you know, you should view that as, Hey, here's a, his vulnerability. You can flip it around and say, Hey, I'm trying to educate you and say, you shouldn't be doing that. You should give me read-only access or what, or whatever it is, and try to you're protecting yourself. But you're also providing him maybe a bit of a value back to that client and taking some of those, those items from the incident response plan can do exactly. Can do exactly that. Yeah. Um,

Serena:

Yeah, that's a good, a good point. Um, there are lots of clients, are very trusting of their bookkeepers, or the banks that they work with don't have the capability of doing statement only access. And that's when it comes down to that's when it becomes also important too. And it's kind of off topic, but to have banks that, you know, have those capabilities and that you can recommend to the client.

Jock:

Yeah, exactly. Yeah, it's a, you just think of every, every platform, every, you know, login, every employee, every vendor, every partner, we have represents a potential vulnerability, vulnerability. And so that represents an entry point or a point of access to, uh, to you to get closer to you and, uh, expose to you potentially exposes you to a cyber security incidents. So kind of think of it from that perspective and like, how do you sort of close or manage those, uh, those loopholes, um, as best as you can. Um, but, um, Serena, I just want to kind of circle back with you on you talking about, uh, cyber pricing and cyber, uh, premiums going up. We are in this period right now in the insurance market. Insurance haven't lost money in 2020 and now 2021 is at the halfway market was worse than 2020, uh, for them. Um, so rates are going up and there's, there's really three things that insurers are doing to take corrective action, uh, with their portfolios. Insurers across the board, every single insurance during, uh, doing this firstly that increasing their rates, um, then the determining, determining eligibility requirements I should do, they want as part of their portfolio and then the evaluating best practices, you know, do you have best practices in place? You know, three to six months ago, I could go to an insurance say. I have good Serena. This is a, this her name, a business name. She's a bookkeeper. She generates X amount of revenue. Um, give me, give me a quote option and I could get easily, could get quotes now. That's that has changed dramatically where they, where they're starting to ask some of these questions and that are sort of, uh, that, that are highlighted. What does she do training? Does she ever, you mentioned the incident response plan. Does she, uh, have multifactor authentication, um, MFA, uh, in, in, in place.
Um, and so if, I think, if you think about risk management, risk management, cyber risk, you can't think of those, you know, the education, the best practices, the insurance piece of it, uh, independently, anymore. It's all, it's all related. And that previously you could get an insurance policy without caring about the other two. And now insurers are kind of doing a U-turn saying, Hey, we need you to think about these other two things before you even get an insurance policy. So for those bookkeepers who are starting, uh, starting up, you know, as you start, you're practicing. Thinking, you know, start at the beginning, start, start thinking again. I'm not suggesting not to get an insurance policy because there isn't exposure from day one, but there's a trade off between. Okay. How much does it cost and, uh, and, uh, and have a budget budgeted for it. And what's what's to my, my, my risk tolerance level. So, but what you can do from day one, you can start thinking about these things, uh, you can start thinking about, okay, what does backing up of data mean? Does it mean, you know, I've, I've got everything on my, on my laptop and if the laptop crashes, you know, I'm in trouble or, Hey, I've got stuff in QuickBooks, it's a, in the cloud or a download some of my files in Dropbox, et cetera, et cetera. So start thinking about some of these things that as you get. Building your business, your practice that you can start implementing and trying to start on the, uh, with, with, uh, with, with the rights, uh, with the right step.

Serena:

Yeah. That's really, really good to think about. Um, as you were talking about that, I was thinking like backing up data. If you're working completely on the cloud, you might, you might assume that you don't need to do any of that. Um, so I would love to hear your take on. Would you recommend if all of your stuff is on the cloud? For instance, we are doing, we use Hubdoc and Xero. And so all of the, all of our clients' receipts and statements and everything are in Hubdoc as well, as well as Xero, if they're attached to a transaction. So they're in two places. Um, but on some of our clients, we actually cause you can back things up from Hubdoc to a Dropbox or a Google Drive. Um, and then we house all of our clients, um, like all of our workplace papers and everything in Google Drive, um, in the professional version, not the personal. So, is that something that you also recommend having a duplicated in multiple cloud locations? Or do you actually recommend, uh, bookkeepers to still have like an external hard drive that they back everything up to? I'm very curious.

Jock:

Yeah. So it's, it becomes a business decision, right? Because the, the reason why SROs are asking about the backup of information is not to prevent the cyber, but it gives you options in the event, you are, you have, you've incurred a cybersecurity incidents. So let's just pick on ransomware. If your, if your system has locked, your hardware and software is locked and you can't get in. If you've got your information backed up, that gives you, and the, an option of how to deal with that, uh, uh, with that attack. So you can throw away everything and say, Hey, we're going to get brand new hardware. Um, because we, we know we can. All the information, uh, and we're not going to pay the ransom. We don't want to pay the, uh, we don't want to pay the, uh, the cybercriminals, right? So it gives you an option or you can just stay ahead. I'm going to pay the cybercriminals. If some of the data's corrupted or damaged, we know we can still, uh, back it up. And so if you think about, okay, how do you access that, uh, that backed up information if it's a third-party platform and it's likely that Hubdoc. With someone else. So a Xero is not compromised. So you could probably set that up pretty, uh, pretty easily and pretty quickly you'll gain access to that pretty easily. But there could be, it doesn't, it's not the Hubdoc kind of fault, but what if, uh, I want it to do and, and they know how to access that information and exfiltrate that, uh, information from, from, uh, from the cloud. So think of it as like, Hey, there's, if you have more, more layers in place of protection, it, it provides you with a greater degree of kind of security. But if you, you know, if, if you've got five different spots that you have, downloading or backing up the backup of the backup. Does that, does that, does that make sense, practically again, I'm not, I wouldn't dissuade anyone from, uh, from doing.
And that's why I said it becomes a bit of a business decision in terms of, okay, well, what's, what's, what's not just efficient, but also practical, practical to

Serena:

implement, right? With the, like, with backing things up from Hubdoc to a Google Drive back that can all be automated if you set it up correctly. And then I was kind of thinking, so in those instances it might make sense. And that's something that we always offer to our. Yes, we are holding all of this and Hubdoc for you. We're attaching the receipts to the Trent, the source transactions in Xero. I would S I still always recommend let's link it to your Google Drive or your Dropbox. So you always have a backup for it in case anything, if you ever need to retrieve it. But also like if our relationship ends, you don't have to, like, it's just easier that way you don't have to ever feel like your information is hostage. We're held hostage by us if, you know, if something were to go awry or whatever. Um, so there's a lot of like kind of succession planning built into that too. And just, um, yeah, a lot of it does come down to assessing your own risk tolerance and what you're okay with. I mean, kind of like investing, right? You have to figure out what your risk tolerance is. How much would it set you back if you had to recreate three years worth of business records for a client. If all of your stuff was, you know, removed from or your access was removed from it. Um, so I'm also thinking about instances where like Gusto, for example, they're all on the cloud. We know that we can go back, um, basically forever for all of our clients and download payroll reports. But one of the internal practices that we have is as soon as we run payroll, we download the PDF report to our Google Drive anyways. So that's a form of backing things up as, instead of just relying on that service provider's network, always being up when you need it.

Jock:

Exactly. Exactly.

Serena:

So this has been really awesome. Uh, did you have anything else that you wanted to cover before our time is up today?

Jock:

Yeah, so, so there's one other critical piece in terms of the cyber insurance piece, which I haven't covered. And that is if we think about, you know, if you think back to the E&O professional liability policy, that tends to be a relatively standardized insurance solution. Now there's a couple, there's a couple sort of bells and whistles, just to kind of think about when it comes to cyber. Right. The range of options is extremely varied. And, and really what I mean by that is, you know, think about the trajectory or the evolution of cyber threats, starting with the data breach and hacking event to things like ransomware or social engineering fraud, uh, wire transfer fraud, which are the newer, the emerging threats, not every insurance solution provides protection against all of those, uh, all of those things. So, yeah, so, when I speak to clients and it doesn't have, you know, can be a middle-market accounting firm or when we'll film and they tell me they've got an insurance policy, a cyber insurance policy in place, they tell me they've got a professional liability policy in place. That they covered. But if they say I've got a cyber insurance policy in place, it actually means nothing to me until I read the policy language. And until I identify what it means, and so I'll just pick on the bundled solutions because they tend to be. Not everyone and not, not for every single, uh, market. There are some very good bundled solutions, but in general, the bundled solutions where they say, Hey, get the E&O, the professional liability, and we'll throw in cyber for, for free or for $5 a month. Okay. They tend to be the most coverage, deficient, uh, solutions. They want to cover you. For instance, they won't cover you for wire transfer fraud of social engineering fraud. So be very vigilant about what's. Uh, you know, Ask the agent also broke us the insurer. Hey, is way. Hey is, uh, and if they say yes. Okay.
Is there a sub-limit, uh, two, it is, um, is wire transfer fraud covered is cyber crime covered is social engineering, fraud, efficient and covered. Um, and you know, the, the more normal responses you get. The worst, that kinda, uh, the voice that kinda is. Um, so my approach tends to be, I try to avoid with certain exceptions, avoid the bundled solutions and look for standalone cyber insurance solutions. The standalone products tend to be better. Not at the, again, they're not equal, uh, across the across insurance, but they tend to be, uh, they tend to have more favorable coverage. Um, so it's in, Hey, you know, if someone says I'm going to, you know, you can buy this for $5 a month, it's only going to give you a basic kind of. And you know, that going into it. And you know, you shouldn't rely on this as your kind of comprehensive cyber insurance solutions, but you'd rather have that rather than, than nothing, then that's fine. You know, just make an educated, uh, B be in a position to make an educated decision around that.

Serena:

Right. And then maybe. Timeline of when you're going to like, add this to your budget and get more comprehensive coverage.

Jock:

Yeah, exactly. And so, so with those, with, with, with the bookkeepers to starting out too, I work with that's the decision around cyber insurance. Again, I'm not saying you shouldn't be getting it, but it's it it's a trade-off and that's why I sort of categorize it and I'd like to have it. I just don't know when I'm going to get a bucket. That's. These there there's an exposure and you're trading in a virtual capacity and, you know, blah, blah, blah. So there's so, so businesses OD risks. Yeah. But you also mindful of, Hey, I'm a might get some of the responses I have, but I'll come back to you when I get my, you know, fifth, sixth, 10th clients, and I've got that cash flow kind of going. So, uh, which is, you know, I started my own business. I completely understand the insurance purchasing decision or the factors that go into it. Um, so certainly not judging my with when it comes to cyber insurance, cyber safety. My key objective is to kind of provide insights to what you should be thinking about what the differences are. It's not as simple as just saying, Hey, I'm going to get a, you know, I'm going to get an, you know, insurance policy. I'm good with cyber. It's like you, the devil is really in the details.

Serena:

Yeah. It's the same with health insurance. Cause we're exploring that too. And I was discussing with my students the other day about that process and how I was shopping around options, uh, because, it, you know what, I'm just going to go out, go and say it is, it's always going to be better to work with a broker that can shop around the policies for you and help you understand. And that's what we're finding with health insurance as well, because I want to make sure that certain things are covered. Right. Um, and learning how to it's really hard to be a normal person and know how to read that kind of stuff. It's not fun. It's really boring. That's why you need to just work with an expert and have them help you explain it kind of, or how have you helped help you interpret it? Kind of like we do with our clients. Like that's why they work with us. We're experts on the numbers. We can help explain them. Um, and I, I recommend everyone should work with a broker and health insurance and business insurance as well. Uh, it'll probably be an easier journey. And then you will know that you don't have the gaps that you weren't expecting to have.

Jock:

And I mean, or to just helps you make an educated decision, right. You get a different perspective and, uh, we can understand, okay, well, here's, here's one option and it means X, Y, Z. He has another option and you can certainly advocate shopping around every, uh, every now and again, uh, because that's what you, I mean, you gotta make sure that.

Serena:

Awesome. So thank you so much for coming on here and helping break down all of this. I think it is going to be very valuable for all of the listeners. Um, and even for, for everyone to take back and kind of help their clients work through these kinds of risk management type things, we're used to helping manage risk when it comes to money and cash. Uh, but this is another way that you can add a little value is just like ask the question of your clients, do you have an insurance policy, and a cyber policy because it's not, like you said, it's, it's operational now. It can happen to any, any type of business. So, uh, I, it's probably important for every type of business to have cyber.

Jock:

Is that correct? Correct.

Serena:

Yeah. I mean, everything is especially, I mean, I'm sure a lot of it had to do with everything being completely virtual through COVID it was just like an opportunity that the hackers couldn't pass up.

Jock:

Exactly. Yep. For sure.

Serena:

So, awesome. Well, like I said, I will link all of your information in the show notes and for everyone listening, eventually Jock and I are planning on doing a Facebook live or something to have you bring questions. So as you've listened to this episode, if you. Whenever you listened and jot down some questions, uh, watch out for an email in the future, letting you know that we're gonna, we're going to do a live Q and A. Um, and do you have any final words Jock?

Jock:

Thanks again for having me. I know insurance is a bit of a dry topic at times, but I hope for you, this has been valuable to, uh, to everyone listening and, uh, look forward to the, the, the Q and A session.

Serena:

Yeah. Great. Awesome. Thanks again for coming on and we'll talk to you soon.

Jock:

Okay. Sounds good. Thank you. Bye. Hi, Serena.
