The frequency and sophistication of cybersecurity attacks continue to intensify leaving businesses, governments and not-for-profits with an ever-present risk of falling victim to data breaches. Cyberattacks not only disrupt normal business operations, they also erode public trust and can lead to irreparable reputational damage, loss of customers and intellectual property, litigation, and significant fines and penalties. Even as businesses race to invest in the latest technologies to improve operational efficiencies and protect critical information assets, many are woefully lacking formal programs to communicate with and reassure stakeholders of the effectiveness of their cybersecurity risk-management activities. To change this, the American Institute of Certified Public Accountants (AICPA) has developed a standard cybersecurity risk-management reporting framework for entities in all industries across the globe to use in the future.
Cybersecurity Risk Management Reporting Framework
The new AICPA Cybersecurity Risk Management Reporting Framework focuses on 19 criteria categories that businesses must address to demonstrate that they are effectively managing cybersecurity threats and have in place suitable policies, processes and controls to protect data and to detect, respond to, mitigate and recover from a security breach. It builds upon the globally accepted internal control framework established by the Committee of Sponsoring Organizations (COSO) and is incorporated into the new system and organization controls (SOC) reporting guidance that helps entities build trust with their constituents, and document their efforts to protect and secure information and technology. Its intent is to help businesses ensure that all of their stakeholders, including senior management, members of the board of directors, business partners and customers, have documentation to help them understand and make informed decisions based on how an organization manages its cybersecurity risks. Investors and analysts may also benefit from receiving this insight into the potential threats to an organization’s operational, reporting and/or compliance objectives, which, subsequently, can affect the business’s value.
SOC cybersecurity exam reports, which must be prepared by certified public accountants (CPAs) to provide independent and unbiased assessments of a risk management program’s effectiveness, include three sections:
- Assertion of Management, which describes an entity’s cybersecurity risk-management program and its inherent limitations;
- Independent Accountant’s Report detailing the entity’s risk-management responsibilities, the responsibilities of the accountant preparing the report, and his or her opinion on the entity’s program;
- Management’s Description of an entity’s cybersecurity risk-management program, including details about how the entity “identifies its information assets, the ways in which it manages the cybersecurity risks that threaten it, and the key security policies and processes implemented and operated to protect the entity’s information assets against those risks.” The report can focus on “a point in time” initially and subsequently cover a longer 12-month “period of time.”
Readiness Reviews Provide Short-Term Cybersecurity Risk Assessment
SOC reports should reduce entities’ communication and compliance burdens, minimize their risk of vulnerabilities and provide a vehicle for sharing this information with a broad range of stakeholders. Nonetheless, businesses that do not want to invest the time or dollars into a thorough audit or SOC report have a short-term option to evaluate their existing cybersecurity processes and consider steps they may need to take to enhance and bolster those controls.
A “readiness review” is more of a cursory check-up of the security, availability and confidentiality of an entity’s existing information and technology, based on more than 230 “points of focus” identified by the AICPA to measure the effectiveness of an organization’s internal controls. The informal evaluation aims to detect potential weaknesses and recognize opportunities to enhance security by employing a broad range of best practices when designing, implementing and initiating an effective cybersecurity risk-management program that meets the organization’s unique needs, objectives and business structure.
No longer can the responsibility to protect confidential business data be relegated solely to an information technology expert or a single team. Cybersecurity must be an enterprise-wide priority involving every level of an organization, including senior management, members of the board of directors and even individual employees who regularly connect to the network and have access to an organization’s knowledge base. While it is nearly impossible to eliminate the threat of a cyberattack, businesses can be proactive and take steps to minimize their risk of falling victim to these security breaches and putting their brands and reputations in danger. Time is of the essence.
The professionals with Berkowitz Pollack Brant’s Business Consulting Group have deep experience working with businesses to address the rising challenges of cybersecurity risks and help them to instill confidence and security among their vendors, customers and business partners. The firm holds certification on completion of cybersecurity training and is registered with the AICPA to provide service businesses with SOC audits and reports that help improve transparency and build trust among service organizations’ current and prospective customers.
About the Author: Steve Nouss, CPA, CGMA, is a director with Berkowitz Pollack Brant’s Consulting Services practice, where he provides profit-enhancing CFO services, operational reviews, enterprise risk management, internal audit and anti-fraud services for businesses of all sizes. In addition, Nouss is a System and Organization Controls (SOC) specialist who holds AICPA certification in cybersecurity. He can be reached at the CPA firm’s Ft. Lauderdale, Fla., office at (954) 712-7000 or via email at email@example.com.
There is no doubt that the rise of interconnectivity between networks, devices and apps has helped businesses in virtually all industries improve operational efficiency and personalize the customer experience. While more than half of U.S. states have made some progress in defining the sales taxability of digital goods and software, either by adopting the standards set out by the Streamlined Sales Tax Governing Board or through their own definitions, there remains a lack of definitive agreement on the parameters that define the sales and use taxability of intangible cloud-based products and services. Many providers of cloud computing, video streaming and online research offerings assume that the sale of their software and their service delivery methods are intangible and therefore exempt from the collection and remittance of sales tax. In reality, cloud computing sales can often create economic nexus and trigger a sales tax liability based on the type of software sold and the delivery method employed.
When Does Cloud Computing Create Taxable Nexus?
There are many ways that businesses can create economic nexus, or a minimum legal presence, in a state that will require them to pay and/or collect sales and use taxes within that state. Obvious activities include owning property or employing workers in a particular state. However, with the rise of cloud services and online transactions, many states have been pushing the boundaries of “physical presence” as defined in the Supreme Court decision in Quill v. North Dakota in order to collect taxes from out-of-state businesses that make online sales in their states. Common examples of laws under which businesses may qualify as operating in a state without even knowing it include online click-through nexus solicitation and referral laws, affiliate nexus for businesses that pay commissions to remote sellers located in other states, or nexus based on a business’s payroll or its sales activity exceeding a statutory threshold within a state.
Complicating the determination of nexus and exposure to a state’s sales and use tax are laws involving the sales of software and cloud-computing services. Whether cloud computing is subject to sales tax depends on how each state characterizes the software (canned or customized, tangible or virtual, or product or service) and the method used to deliver it to an end user. More specifically, providers must ask how a state characterizes Software-as-a-Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Is the software considered tangible personal property (TPP), a service or an intangible? Who controls the end product, the software company or the out-of-state purchaser?
Some states have made progress addressing the taxability of the SaaS model, in which software is hosted in one state but licensed for remote use by customers in other states. Those states that impose sales tax on SaaS transactions do so because they consider the model to involve one of the following:
- a sale of prewritten or canned software that it considers to be “tangible personal property,” or
- a sale of computer or data processing “services,” which many states, such as Arizona, expressly characterize as taxable services.
However, the challenge with sales and use tax compliance is a lack of consistency in the guidance from one state to the next. For example, SaaS transactions are not taxable in 29 states, but in Florida, this rule applies only when the software is considered a service and does not include the transfer of tangible personal property. In 2015, the New York Department of Taxation and Finance addressed the taxability of Infrastructure as a Service (IaaS) cloud computing by ruling that businesses providing their customers with access to computing power are, in fact, delivering a non-taxable service and are therefore exempt from sales and use tax in the state.
As states update their nexus standards, businesses must remain alert to evolving laws and their potential sales and use tax liabilities based on the goods or services they provide.
Applying the Right Sales Tax to the Right State
When the sale of a cloud service is taxable, the provider must identify the state or states to which it should source the transaction. Typically, sourcing depends on how a state characterizes a transaction as either 1) the sale of tangible personal property sourced to its destination or use, or 2) the sale of a service sourced to the location where a benefit is derived.
For the latter, the benefit may be derived in multiple states for which a taxpayer should apportion the tax base and impose tax on only that portion of the service for which the benefit is being received in the taxing jurisdiction. This information must be included in contract terms, especially when a purchaser intends to use the service concurrently in multiple states, for which it must provide the seller with the percentage of use in each taxing jurisdiction. In turn, the seller may charge sales tax based on the percentage of use allocated to each of the applicable taxing jurisdictions in which it has sales nexus. When the seller does not have a nexus or responsibility to collect sales tax in a particular jurisdiction, the responsibility for remitting use tax on the service would fall to the purchaser.
However, cloud-computing sellers often have a hard time distinguishing where the benefits of their digital products or services will be derived. Is it the location where the purchaser runs the software on its server or where the end user is located? Is it the jurisdiction where the purchasing entity is located or where the purchasing business’s ultimate users are located?
While few states provide specific answers to these questions, it is advisable that cloud computing sellers, at a minimum, apply a consistent approach to all of their sales/use tax allocations. Additionally, it behooves sellers to identify in their sales contracts the location where a purchaser’s users are located, as well as to include indemnification language to protect the cloud service provider from any future sales and use tax liabilities.
Businesses must consistently assess their exposure to sales and use tax liabilities, especially as a growing number of states are overextending their reach and enacting their own economic nexus laws in order to fill their eroding coffers and generate tax revenue from outside their borders, including from the cloud. For example, Alabama passed a law that requires out-of-state retailers to collect and pay sales and use tax when their gross receipts or total sales of tangible personal property to Alabama customers exceed $250,000 per year. Similar economic nexus laws based on annual sales thresholds have been adopted by other states, including Colorado, Indiana, Massachusetts, North Dakota, South Dakota, Tennessee and Vermont.
One potential glimmer of hope that may help online businesses avoid an overabundance of regulations and corporate income tax liabilities has come from Representative Jim Sensenbrenner of Wisconsin, who recently introduced the No Regulation Without Representation Act of 2017. Under the proposed HR 2887, states would be prohibited from taxing or regulating a business’s interstate online commerce unless such business or individual has a physical presence in that state’s jurisdiction. Should Congress approve the bill, online businesses and cloud service providers would have the ability to sell across any state line free of sales and use tax, as long as they do not have a physical presence in a jurisdiction. In the meantime, businesses operating in the digital age must take the time to navigate carefully through the treacherous waters of conflicting sales and use tax laws.
About the Author: Karen A. Lake, CPA, is an associate director in the Tax Services practice of Berkowitz Pollack Brant and a SALT specialist who helps individuals, businesses and non-profit entities navigate complex federal, state and local taxes, credits and incentives. She can be reached at the firm’s Miami office at (305) 379-7000 or via email at firstname.lastname@example.org.
Posted on May 15, 2017
On May 12, 2017, a global ransomware attack named WannaCry impacted businesses, governments and individuals in more than 150 countries. Luckily, the damage it could have caused was limited by the quick thinking of an IT pro.
Ransomware is malicious software that blocks data owners from accessing their own systems and data. Once criminals have control of a person’s or organization’s systems and data, they demand payment to return them.
Trend Micro’s “2016 Security Roundup: A Record Year for Enterprise Threats” report found that cyber threats grew by 752 percent in 2016, with ransomware and Business Email Compromise (BEC) scams leading the charge, resulting in $1 billion in losses for organizations worldwide.
Here are some ways you can protect yourself and your organization from ransomware:
- Install and maintain antivirus software on servers and computers
- Ensure server patches are up to date and that you have processes in place to apply updates in a timely manner
- Implement strong and effective password controls
- Establish effective online and website controls, including pop-up blockers and preventative controls for downloading software
- Restrict the ability to open email attachments, and ensure that all attachments are scanned and properly handled
- Conduct regular system back-ups and store the backed-up data offline
- Ensure that data is properly classified and protect it accordingly
- Perform periodic IT risk assessments to evaluate the IT environment, identify gaps and risks, and develop and implement remediation controls
Berkowitz Pollack Brant’s consulting group includes information-technology experts who have experience in establishing and implementing safety protocols, conducting IT risk assessments and advising on protection measures. Please contact Sean Chari or Steve Nouss at (954) 712-7000 if our team can be of assistance.
Businesses large and small are increasingly “moving to the cloud” to keep their data easily accessible while staying ahead of changing technologies. To be sure, this corporate refrain is nothing new, but many businesses making the transition lack a clear understanding about the risks and rewards they should consider before making the leap to the cloud.
What is the Cloud?
The cloud is a network of servers that allows users to store and access data and programs via the Internet rather than on a computer hard drive or on servers physically located onsite in an office or home. The most recognizable cloud services are Apple iCloud, Google Drive and Microsoft 365, which allow users to store, back up and synchronize large amounts of data across all of their devices with the click of a button and without a significant investment in hardware to host their own data centers. Users pay for what they need, and the service providers take care of all matters relating to cloud administration, maintenance and updates.
Protecting Data from Dangers in and around the Cloud
Along with all of the conveniences of cloud computing, including improved cost efficiency, capacity, accessibility, backup and data recovery, come a range of challenges. Foremost, the cloud environment lacks a comprehensive set of security standards, leaving businesses with the difficult decision of whether to entrust their sensitive data to third-party providers that may or may not have adequate controls in place. To minimize their exposure to risks, businesses should first assess their own needs, compliance requirements and security protocols before taking steps to thoroughly investigate cloud providers. Key issues to consider include:
- Data Location and Physical Security. Where is the data stored geographically? Is the data replicated outside the country? Does the provider have a backup plan in case of disaster or interruption in services?
- User Access. How does the cloud provider manage user access? What redundant connectivity protocols are in place to ensure cloud services can continue operations in the event of an outage or disruption to the cloud infrastructure?
- Digital Security. How and how often does the provider perform security testing? What encryption policies does the provider use to protect data, both in motion and at rest? How are encryption keys managed? What controls are in place to ensure customer data is hidden from a provider’s insiders and from its other customers?
- Incident Management. Does the provider maintain logs of security attacks? What systems are in place to respond to security breaches and mitigate damages?
- Compliance. Does the provider have experience meeting the unique data security and regulatory provisions of a particular business? Has the provider earned certification or completed a third-party audit of its claims? Do customers have a right to audit?
- The Contract. Never sign an agreement before reading the contract terms, especially considering that providers can limit their liability for any unauthorized access or use, corruption or loss of customer data. Moreover, businesses must vigilantly monitor their selected providers’ efforts to meet their service level agreements.
The decision to move to the cloud should not be made without careful assessment of the multitude of providers, nor without consideration for a business’s own needs and risks. Malicious attacks are a real danger to data security. However, many of the most recent headline-making incidents did not involve the cloud but rather compromises at the user level. Therefore, businesses must employ strong security measures at the enterprise level, including adoption of rigorous policies to educate all users within an organization and those who have access to its mission-critical data.
About the Author: Joe Gutierrez is the IT director of Berkowitz Pollack Brant Advisors and Accountants and a noted speaker on issues relating to data management and security within professional service firms. He can be reached at the CPA firm’s Miami office at (305) 379-7000 or via email at email@example.com.
On November 24, 2014, Sony Pictures Entertainment was hacked, purportedly in response to a pending movie release. International headlines focused on the salacious details about the Hollywood executives and celebrities mentioned in the breached emails. Widely ignored by the news media was Sony’s lack of protection and monitoring of its IT environment, which exposed the company to significant operational and financial risks. More notably, this was not the first breach of the company’s network.
Sensitive information exposed by the Sony hack included critical corporate data, such as strategic plans and scripts, as well as personally identifiable information about the company’s employees, including their names, social security numbers and bank account numbers. For Sony CEO Michael Lynton, unencrypted emails revealed personal bank and credit card account numbers and login passwords, as well as images of his family members’ passports and social security cards. The attack shines a light on the all-too-common corporate culture of inadequate security practices and the misguided perspective that IT-related risks are not critical to business operations.
News Flash: IT Security is Critical to Business Success
Budget constraints and perceived lack of exposure to business risks are failing arguments against increased IT controls and network-security vigilance. The costs of an effective IT security control environment are far less than the financial and reputational damages a company will suffer after a hack. Just ask Home Depot and Target. Both spent millions of dollars in clean-up efforts, damages and fines following IT security attacks that resulted in the theft of millions of customers’ credit card data.
Organizations of all sizes and industries are equally vulnerable to a hack. The moment that an organization connects its business to the Internet (for email communications, sales processing, purchasing, research and/or social media) it becomes a potential target for a hacker.
The results of the “2014 Global Report on the Cost of Cyber Crime,” conducted by the privacy, data protection and information security policy firm Ponemon, point to some staggering trends:
- Cyber crimes continue to rise. The average cost per incident was $7.6 million in 2014, compared to $7.2 million in 2013.
- Cyber crime costs vary by the size of an organization. On average, smaller organizations were impacted more negatively by a data breach than larger organizations.
- The costs of cyber attacks increase when they are not resolved quickly. On average, businesses took 31 days to contain attacks, at an average cost of $639,642, up 23 percent from 2013. Malicious insider attacks took an average of 58 days to contain.
- Security intelligence systems help to reduce the costs of an attack. Security intelligence systems that efficiently detect and contain cyber attacks saved companies an average of $2.6 million in cyber-attack mitigation costs. Moreover, the study found that both encryption technologies and advanced perimeter controls with reputation feeds provided businesses with additional mitigation control effectiveness.
- Enterprise security governance practices moderate the cost of cyber attacks. Investment in enterprise security governance models, which define and implement effective practices and employ qualified personnel, was found to reduce the cost of cyber attack damages by an estimated $1.3 million.
Businesses’ growing dependency on real-time data analytics and their increased Internet presence and reliance on technology as a whole, combined with the level of sophistication of cyber-hackers, is cause for alarm. To protect themselves from the myriad cyber attacks that have occurred and continue to occur, all organizations must take steps to protect their assets and those of their clients. This is especially true for small- and mid-size companies that have fewer resources available to them to contain and respond to cyber attacks than their larger counterparts. For these organizations, the reputational and economic damages of a breach could significantly hamper or shut down their operations.
Regardless of size and complexity, all organizations need to be proactive in employing IT security governance models. These simple solutions provide immediate protection with minimal additional costs.
- Strong Password Controls
- Email Encryption
- Encryption of Critical, Sensitive Files on Networks, Computers and Mobile Devices
- Effective IT Security Monitoring Tools
- Cyber-Liability Insurance Policies. Businesses should discuss this often-forgotten topic with their agents to determine the appropriate types of liability coverage programs that work best for them.
Operating in today’s hyper-connected environment does not come without risks. However, by discussing and employing IT security governance, businesses will be better equipped to contain and even prevent a cyber-attack. Could your organization survive with its current model?
About the author: Sean Chari is a senior manager in Berkowitz Pollack Brant’s Consulting practice. He can be reached in the CPA firm’s Ft. Lauderdale office at (954) 712-7000 or via email at firstname.lastname@example.org.