Creating a culture of cybersecurity awareness

04.08.19

Best Practices for Educating Your Financial Institution’s Board of Directors on Cybersecurity

According to Cybersecurity Ventures, cybercrime will account for $6 trillion annually by 2021—that’s more than the global trade of all major illegal drugs combined. Data breaches and other information security events adversely impact organizations through significant losses in revenue, erosion of customer trust, substantial remediation costs, increased insurance premiums, and more.

The financial services industry has always led the way with internal controls, vendor management, and now with cybersecurity for one simple reason—you are in the business of money and it is critical to protect it.

That said, cybersecurity controls require more than just a strong IT department—an effective cybersecurity program, much like ethical behavior, depends on culture. Since your organization’s leadership plays a key role in driving your cybersecurity culture, boards of directors and senior management need a solid understanding of cybersecurity risks and impacts.

According to a 2018 Technology Survey of bank directors by Bank Director, 79% say they need to enhance their level of technology expertise. Many board members come from non-technology backgrounds and careers, and though they are able to support their institution’s mission and drive growth, they may not be able to provide direction in the areas of information technology and security. They may also not recognize what attractive targets they make for phishing and other cybercrimes due to their high level of access to valuable information, their ability to send and receive data from financial institution personnel, and their potential exemption from certain employee policies.

Keeping board members up-to-date on the evolving landscape of cybersecurity risks can present a serious challenge due to board members’ time constraints. To help, here are some best practices you can follow to make educating your institution’s board and senior management a relatively simple and sustainable process.

Leverage Existing Cybersecurity Training Resources

In most cases, you already provide and require cybersecurity training for employees, typically through internal IT experts, third-party vendors, or self-paced courses available online. Board members should complete the same training at least annually.

Require Board Members to Comply with Information Security Policies

Despite their high-risk profile, board members are often exempted from policies applicable to employees, including password requirements and other critical information security policies. Given the sensitive information and levels of access board members have, it is imperative that they fully comply with all information security policies.

Facilitate Regular Review of Information Security Audits and Assessments

Information security audits and assessments provide valuable insights into areas for improvement. Keep your board members aware of any findings, recommendations, or potential risks noted in recent audits and assessments. Provide a regular status report to the board of ongoing efforts and progress to resolve or mitigate findings and risks. Use these regular communications as an opportunity to provide cybersecurity education to the board, and don’t hesitate to speak up about any specific areas and emerging risks you may be concerned about.

Regular Cybersecurity Updates and Discussions

Keep the board and senior management updated on cybersecurity threats, incidents, and any changes to the bank’s cybersecurity program. Provide this information on a quarterly basis and include the cause of and any remediation for such events, as well as any trends in incidents. Regular updates to the board and senior management provide guidance for budgets, goals, and overall strategic direction. With more awareness of security incidents and events, trends in occurrences, and potential risks, the board and senior management are more likely to support greater investments in the bank’s security efforts.

Annual Board Approval of Information Security Plans and Policies

The board should review and approve all information security policies and relevant procedures on an annual basis, as these board-approved policies will establish the financial institution’s directive for effective internal control and cybersecurity programs. Important examples include Information Security and Acceptable Use Policies, Cybersecurity Policy, Incident Response Plan, Business Continuity Plan, and Disaster Recovery Plan.

Knowing your current position and having a plan are key. Through continuous assessment of your board’s fluency with cybersecurity and establishing a process of ongoing education that’s both effective and manageable, your financial institution can improve its culture of cybersecurity awareness—helping reduce the likelihood of future security incidents and events that could adversely impact your board, your financial institution’s employees, and your customers.


Read this if you are a bank.

Consolidated Appropriations Act
On December 27, 2020, the Consolidated Appropriations Act, 2021 (CAA) was signed into law. For financial institutions, aside from approving an additional $284 billion in Paycheck Protection Program funding, the CAA most notably extended troubled debt restructuring (TDR) relief. Originally provided in Section 4013 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act, this relief allows financial institutions to temporarily disregard TDR accounting under US generally accepted accounting principles for certain COVID-19-related loan modifications. Under the CARES Act, this relief was set to expire on December 31, 2020. The CAA extends such relief to January 1, 2022.

Relief from CECL implementation was also extended from December 31, 2020 to January 1, 2022.

We are here to help
If any questions arise, please contact the financial services team.

Article
TDR and CECL relief is extended for financial institutions

Read this if your company is seeking guidance on PPP loans.

The Consolidated Appropriations Act, 2021 (H.R. 133) was signed into law on December 27, 2020. This bill contains guidance on the existing Paycheck Protection Program (PPP) and guidelines for the next round of PPP funding.

Updates on existing PPP loans

Income and expense treatment of PPP loans. Forgiven PPP loans will not be included in taxable income and eligible expenses paid with PPP funds will be tax-deductible. This tax treatment applies to both current and future PPP loans.

Tax attributes and basis adjustments. Tax attributes such as net operating losses and passive loss carryovers, and basis increases generated from the result of the PPP loans will not be reduced if the loans are forgiven.

Economic Injury Disaster Loans (EIDL). Any previous or future EIDL advance will not reduce PPP loan forgiveness. Any borrowers who already received forgiveness of their PPP loans and had their EIDL subtracted from the forgiveness amount will be able to file an amended forgiveness application to have their PPP forgiveness amount increased by the amount of the EIDL advance. The SBA has 15 days from the effective date of this bill to produce an amended forgiveness application. 

Simplified forgiveness application for loans under $150,000. Borrowers who received PPP loans for $150,000 or less will now be able to file a simplified one-page forgiveness application and will not be required to submit documentation with the application. The SBA has 24 days from the effective date of this bill to make this new forgiveness application available. 

Use of PPP funds. Congress expanded the types of expenses that may be paid with PPP funds. Prior eligible expenses were limited to payroll (including health benefits), rent, covered mortgage interest, and utilities. Additional expenses now include software and cloud computing services to support business operations, the purchase of essential goods from suppliers, and expenditures for complying with government guidance relating to COVID-19.

These additional expenses apply to both existing and new PPP loans, but they do not apply to existing loans if forgiveness has already been obtained.
 
In addition, the definition of "payroll costs" has been expanded to include costs for group life, disability, dental, and vision insurance. These additions also apply to both existing and new loans.

Information for new PPP loans

Application deadline. March 31, 2021 

Eligibility for first-time borrowers. A business that did not previously apply for or receive a PPP loan may apply for a new loan. The same requirements apply from the first round of loans. The business must employ fewer than 500 employees per physical location and the borrower must certify the loan is necessary due to economic uncertainty.

Eligibility for second-time borrowers. Businesses that received a prior PPP loan may apply for a second loan; however, the eligibility requirements are a little more stringent. The business must have fewer than 300 employees per physical location (down from 500 previously) and it must have experienced a decline in gross revenue of at least 25% in any quarter in 2020 as compared to the same quarter in 2019. The business must also have expended (or will expend) its initial PPP loan proceeds.

Maximum loan amount. Lesser of $2 million or 2.5x average monthly payroll for either calendar 2019 or the 12-month period prior to the date of the loan. Businesses operating in the accommodations and food service industry (NAICS code 72) can use a 3.5x average monthly payroll multiple. If the business previously received a loan less than the new amount allowed, or if it returned a portion or all of the previous loan, it can apply for additional funds up to the maximum loan amount. 

New types of businesses eligible for loans.

  • Broadcast news stations, radio stations, and newspapers that will use the proceeds to support the production and distribution of local and emergency information 
  • Certain 501(c)(6) organizations with fewer than 300 employees and that are not significantly involved in lobbying activities 
  • Housing cooperatives with fewer than 300 employees 
  • Companies in bankruptcy if the bankruptcy court approves

Ineligible businesses. A business that was ineligible to receive a PPP loan during the first round is still ineligible to receive a loan in the new round. The new legislation also prohibits the following businesses from receiving a loan in the second round:

  • Publicly traded companies 
  • Businesses that are owned 20% or more by a Chinese or Hong Kong entity or that have a resident of China on their board
  • Businesses engaged primarily in political or lobbying activities
  • Businesses required to register under the Foreign Agents Registration Act 
  • Businesses not in operation on February 15, 2020 

Forgiveness qualifications. New PPP loans will be eligible for forgiveness if at least 60% of the proceeds are used on payroll costs. Partial forgiveness will still be available if less than 60% of the funds are used on payroll costs. 

Covered period. The borrower may choose a covered period (i.e., the amount of time in which the PPP funds must be spent) between 8 and 24 weeks from the date of the loan disbursement.

Employee Retention Tax Credit. The CARES Act prohibited a business from claiming the Employee Retention Tax Credit if they received a PPP loan. The new legislation retroactively repeals that prohibition, although it is unclear how an employer can claim retroactive relief. The new bill also expands the tax credit for 2021. 

Additional guidance is expected from the SBA in the coming weeks on many of these items and we will provide updates when the information is released.

We’re here to help.
If you have questions about PPP loans, contact a BerryDunn professional.

Article
Paycheck Protection Program: Updates on new and existing loans

Read this if you are a community bank.

On December 1, 2020, the Federal Deposit Insurance Corporation (FDIC) issued its third quarter 2020 Quarterly Banking Profile. The report provides financial information based on call reports filed by 5,033 FDIC-insured commercial banks and savings institutions. The report also contains a section specific to community-bank performance based on the financial information of 4,590 FDIC-insured community banks. Here are some highlights from the community bank section of the report:

  • The community bank sector experienced a $659.7 million increase in quarterly net income from a year prior, despite a 116.6% increase in provision expense and continued net interest margin (NIM) compression. This increase was mainly due to loan sales, which were up 154.2% from 2019. Year-over-year, net income increased 10%.
  • Provision expense decreased 32.3% from second quarter 2020 to $1.6 billion. That said, year-to-date provision expense increased 194.3% compared to 2019 year-to-date.
  • NIM declined 41 basis points from a year prior to a record low of 3.27% (on an annualized basis). 
  • Net operating revenue increased by $2.8 billion from third quarter 2019, a 12.1% increase. This increase was attributable to higher revenue from loan sales and an increase in net interest income mainly due to higher interest income from commercial and industrial (C&I) loans (up 14.8%) and a decrease in interest expense (down 36.8%).
  • Average funding costs declined for the fourth consecutive quarter to 0.53%.
  • Growth in total loans and leases was stagnant from second quarter 2020, growing by only 1%. However, total loans and leases increased by 13.4% from third quarter 2019. This increase was mainly due to C&I lending, which was up 71%. This growth in C&I lending was mainly comprised of Paycheck Protection Program loans originated in the second quarter.
  • The noncurrent rate (loans 90 days or more past due or in nonaccrual status) remained unchanged at 0.80% from second quarter 2020. That being said, noncurrent balances were up $1.6 billion in total from third quarter 2019. This year-over-year increase was mainly attributable to increases in noncurrent nonfarm nonresidential, C&I, and farm loan balances.
  • Net charge-offs decreased 22.1% year-over-year and currently stand at 0.10%.
  • Total deposit growth since second quarter 2020 was modest at 1.8%. However, total deposits compared to third quarter 2019 were up 16.7%.
  • The number of community banks declined by 34 to 4,590 from second quarter 2020. This change included one new community bank, three banks transitioning from non-community to community banks, eight banks transitioning from community to non-community banks, 29 community bank mergers or consolidations, and one community bank self-liquidation.

Community banks have been resilient and weathered the 2020 storm, as evidenced by an increase in year-over-year net income of 10%. However, tightening NIMs will force community banks to find creative ways to increase their NIM, grow their earning asset base, and identify ways to increase non-interest income to maintain current net income levels. 

Much uncertainty still exists. For instance, although significant charge-offs have not yet materialized, the financial picture for many borrowers remains uncertain, and payment deferrals have made some credit quality indicators, such as past due status, less reliable. The ability of community banks to maintain relationships with their borrowers and remain apprised of the results of their borrowers’ operations has never been more important. 

Despite the turbulence caused by the pandemic, there are many positive takeaways, and community banks have proven their resilience. Previous investments in technology, including customer facing solutions and internal communication tools, have saved time and money. As the pandemic forced many banks to move away from paper-centric processes, the resulting efficiencies of digitizing these processes will last long after the pandemic. 

If you have questions about your specific situation, please don’t hesitate to contact BerryDunn’s Financial Services team. We’re here to help.
 

Article
FDIC issues its third quarter 2020 banking profile

Read this if you are an employee benefit plan fiduciary.

The COVID-19 pandemic has challenged individuals and organizations to continue operating during a time where face-to-face interaction may not be plausible, and access to organizational resources may be restricted. However, life has not stopped, and participants in your employee benefit plan may continue to make important decisions based on their financial needs. This article looks at distributions from your plan, specifically focusing on required minimum distributions (RMD) and coronavirus-related distributions.

Required minimum distributions

If an employee benefit plan is subject to the RMD rules of Code Section 401(a)(9), then distributions of a participant’s accrued benefits must commence April 1 of the calendar year following the later of 1) the participant attaining age 70½, or 2) the participant’s severance from employment. Under the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020, RMDs have been temporarily waived for retirement plans for 2020. This change applies to direct contribution plans, such as 401(k), 403(b), 457(b) plans, and IRAs. In addition, RMDs were waived for IRA owners who turned 70½ in 2019 and were required to take an RMD by April 1, 2020 and have not yet done so. Note: the waiver will not alter a participant’s required beginning date for purposes of applying the minimum distribution rules in future periods.

Coronavirus-related distributions

Under section 2202 of the CARES Act, qualified participants who are diagnosed with coronavirus, whose spouse or dependent is diagnosed with coronavirus, or who experience adverse financial consequences due to certain virus-related events including quarantine, furlough, layoff, having hours reduced, or losing child care are eligible to receive a coronavirus-related distribution.

These distributions are considered coronavirus-related distributions if the participant or his/her spouse or dependent has experienced adverse effects noted above due to the coronavirus, the distributions do not exceed $100,000 in the aggregate, and the distributions were taken on or after January 1, 2020 and on or before December 30, 2020.  

Such distributions are not subject to the 10% penalty tax under Internal Revenue Code (IRC) § 72(t), and participants have the option of including their distributions in income ratably over a three year period, or the entire amount, starting in the year the distribution was received. Such distributions are exempt from the IRC § 402(f) notice requirement, which explains rollover rules, as well as the effects of rolling a distribution to a qualifying IRA and the effects of not rolling it over. Also, participants can be exempt from owing federal taxes by repaying the coronavirus-related distribution. 

Participants receiving this distribution have a three-year window, starting on the distribution date, to contribute up to the full amount of the distribution to an eligible retirement plan as if the contribution were a timely rollover of an eligible rollover distribution. So, if a participant were to include the distribution amount ratably over the three-year period (2020-2022), and the full amount of the distribution was repaid to an eligible retirement plan in 2022, the participant may file amended federal income tax returns for 2020 and 2021 to claim a refund for taxes paid on the income included from the distributions. The participant will not be required to include any amount in income in 2022. We recommend the plan sponsor maintain documentation supporting the participant was eligible to receive the coronavirus-related distribution. 

There is much uncertainty due to the COVID-19 pandemic. A result of this uncertainty has been changes to guidance and treatment of plan transactions, which has forced many of our clients to review and alter their control environments. We have provided our current understanding of the guidance the IRS has provided for the treatment surrounding distributions, specifically RMDs and coronavirus-related distributions. If you and your team have any additional questions specific to your organization or plan, please contact us.

Article
Impacts of the CARES Act on employee benefit plan distributions

Read this if you are a financial manager of an ESOP.

Employee Stock Ownership Plans (ESOPs) must generally buy back, or repurchase, participants’ shares when they leave the plan or want to diversify holdings. If the ESOP does not purchase the stock, the company is required to purchase the shares from the participant under the “put option” described in Internal Revenue Code (IRC) Section 409(h). These rules require the company to either provide enough cash to the ESOP to fund stock repurchases, if adequate other assets are not available within the ESOP, or to fund the repurchase of shares outside of the ESOP. Anticipating the amount and timing of these repurchases requires a lot of number crunching and assumptions to arrive at an estimated “Repurchase Obligation” at a point in time. In most cases, ESOPs enlist the help of valuation specialists, actuaries, or outside vendors to prepare a study.

All this is done as a component of ESOP cash flow planning but also begs the question, what do you need to record or disclose in your company’s financial statements related to this obligation?

The Financial Accounting Standards Board’s guidance on the subject is contained in Accounting Standards Codification (ASC) Topic 718, Compensation - Stock Compensation. More specifically, ASC Section 718-40-50 clearly outlines the terms, allocated share and fair value information, compensation and other related disclosure requirements for ESOPs in paragraphs 1a through g. One of these requirements—paragraph f—requires disclosure of “the existence and nature of any repurchase obligation...” While the existence of a potential repurchase obligation is undeniable due to the requirements of IRC Section 409(h), disclosure of the nature of the obligation may require judgement and a careful reread of the plan documents.

Existence of the obligation

What private companies record for redemptions is straightforward. They are required to accrue obligations related to redemption events initiated on or before the balance sheet date and disclose share and obligation balance information related to those transactions if material.

Disclosures must include the number of allocated shares and the fair value of those shares as of the balance sheet date. This sounds like a general disclosure of terms, but the intention is to communicate maximum repurchase obligation exposure. If redemptions subsequent to the balance sheet date require material and imminent use of cash, the company should consider whether it is required to disclose them as a subsequent event (including amounts) under ASC Topic 855, Subsequent Events.

Nature of the obligation

So, what do you need to disclose specific to the nature of your company’s ESOP shares repurchase obligation?

  • Put options against the ESOP trust (i.e., rights afforded under the ESOP requiring the trust to purchase outstanding stock at given prices within specific time horizons).
  • Plan terms allowing redemption payments in excess of a certain threshold to be made over a defined period of time (e.g., retiring employees with vested balances greater than $5,000 may receive their payments in equal installments over a five-year period, while those with lower balances may receive their benefit in a lump sum).

If your company’s ownership has an ESOP component or you are considering an ESOP as part of your exit strategy, please reach out to Linda Roberts and Estera Ciparyte-McDonald. They can help you better understand the myriad considerations to be taken into account, and the required and potential financial statement impact and disclosures.

Article
ESOP repurchase obligations―Planning for future pay ups

If you received PPP funds, read on.

The Treasury has released new information regarding Paycheck Protection Program forgiveness.

Based on IRS guidance, if you intend to apply for forgiveness and have a reasonable expectation it will be granted, the expenses used to support forgiveness will not be permitted as a deduction in 2020. It is unclear whether this guidance would apply if a taxpayer is undecided with regard to their forgiveness application at year end. Here is what we know so far.

The CARES Act included provisions that stated PPP loan forgiveness would not be considered taxable income under the Internal Revenue Code (“IRC”). The CARES Act specifically provides the forgiveness is not taxable income under IRC Section 61.

However, the IRS has issued the following guidance on this matter, which relates to the expenses paid with the PPP loan funds.

Notice 2020-32 states IRC Section 265(a)(1) applies to disallow expenses that were included on and supported a taxpayer’s successful PPP loan forgiveness application.

In general, this section states NO deductions are permitted for expenses that are directly attributable to tax exempt income. 

The IRS seems to have concluded, in this Notice, the PPP loan forgiveness is tax exempt income. Therefore, the salary and occupancy costs used to support forgiveness, under current IRS guidance, will not be tax deductible.

Unanswered questions

This notice, while somewhat informative, raises many unanswered questions. For example, what are the tax consequences if a PPP loan is forgiven in 2021 and the expenses supporting the forgiveness were incurred in 2020? Could the forgiveness be construed as something other than tax exempt income?

Revenue Ruling 2020-27 attempts to answer some of these questions and provides additional guidance with regard to IRS expectations. The Ruling seems to indicate there are two possible tax positions relative to expenses that qualify PPP loans for forgiveness:

  • First, the loan forgiveness could be construed as tax exempt income and, pursuant to IRC Section 265, expenses directly attributable to the exempt income are not deductible.
  • Second, loan forgiveness could be construed as the reimbursement of certain expenses, and not as tax exempt income. Under the reimbursement approach, the IRS has stated that if you intend to apply for forgiveness and reasonably expect to receive forgiveness, the reimbursed expenses are not deductible, even if forgiveness is obtained in the following tax year. This position seems to be supported by several tax controversies which were litigated in favor of the IRS.

Some taxpayers had anticipated using a rule known as the tax benefit rule to deduct expense in 2020 and report a recovery (income) in 2021 when the loan is forgiven. It appears the IRS is not willing to accept this filing position.

We are hoping Congress will revisit this issue and consider statutory changes which allow for the deduction of expenses. Some taxpayers are planning to extend their income tax returns, taking a wait and see approach, with the hopes Congress will amend the statutes and allow for a deduction.

Under current law, it appears the salary, interest, and rent used to support a forgiveness application will not be permitted as a tax deduction on your 2020 tax returns. This could result in a significant change in your 2020 taxable income.

Final considerations

For estimated tax payment purposes, we believe it would be reasonable to attribute the lost deductions to the quarter in which you made your final determination to file for forgiveness. This could mitigate any underpayment of estimated income tax penalties. 

If you are making safe harbor quarterly estimates and/or have sufficient withholdings, any incremental tax would be due with your return on April 15, 2021. Generally, the IRS safe harbor is to pay 110% of prior year tax during the current year to be penalty proof.

If you have questions about your specific situation, please contact us. We’re here to help.

COVID-19 business support

We will continue to post updates as we uncover them. Let us know if you have questions. For more information regarding the Paycheck Protection Program, the CARES Act, or other COVID-19 resources, see our COVID-19 Resource Center.

Article
Update: Treasury issues a revenue ruling and revenue procedure regarding PPP forgiveness

If you received over $2 million in PPP funds, read on.

The Small Business Administration (SBA) has posted a new form to collect additional information on loan necessity from businesses that received over $2 million in PPP funds. The comment period is now open and closes on November 25, 2020. As we seek more clarity, here is what we know.

What is happening: 

The SBA released PPP Loan Necessity Questionnaires (Forms 3509 and 3510) for borrowers that received PPP loans of $2 million or more on October 30, 2020. The forms are not available at the SBA or Treasury websites, but were released through the PPP Loan Forgiveness portal to lenders.  

Here is an excellent description of what we know thus far. Here are our concerns: 

  • The timing and lack of clarity. The 10-day turnaround is very tight. It could be very difficult to manage if it hits during a month or quarter close, or even worse at year-end.
  • This is counter to what was described in the FAQs at the time, so it leaves us with many unanswered questions.
  • It appears that information on the form might be subject to FOIA. There is a toggle to indicate what information you consider to be confidential. We recommend that you carefully review what information you have not flagged as confidential before submitting the form.

Other considerations and actions you can take in the meantime:

  • We know that the questionnaire is triggered by submitting an application for forgiveness. Given some of the uncertainty of other program impacts and this additional information that is requested, it may be reasonable to wait to seek loan forgiveness until we determine the impact.
  • You may wish to comment on the federal notice. See instructions for submitting comments below.

COVID-19 business support

We will continue to post updates as we uncover them. Let us know if you have questions. For more information regarding the Paycheck Protection Program, the CARES Act, or other COVID-19 resources, see our COVID-19 Resource Center.

Instructions for submitting comments:
Agency Clearance Officer                  
Curtis Rich
Small Business Administration
409 3rd Street SW
5th Floor
Washington, DC 20416

and 

SBA Desk Officer
Office of Information and Regulatory Affairs
Office of Management and Budget
New Executive Office Building
Washington, DC  20503

Your comments should be titled as follows:
Title: Paycheck Protection Program
OMB Control Number: 3245-0407

Comments should include one or all of the following: 
(a) whether the collection of information is necessary, 
(b) whether the estimate of 1.6 hours to complete or review the proposed application form is accurate (42,000 applications, 67,833 annual hour burden), 
(c) whether there are ways to minimize this burden, and
(d) whether there are ways to enhance the quality, utility, and clarity of the information.

Article
Paycheck Protection Program: New regulatory announcements