Cyberattack preparation: A basics refresher

03.23.22

Read this if you have a cybersecurity program.

This week President Joe Biden warned Americans about intelligence indicating that Russia may be preparing to conduct cyberattacks on our private sector businesses and infrastructure in retaliation for the sanctions applied to the Russian government (and the oligarchs) as punishment for the invasion of Ukraine. Though there is no specific threat at this time, President Biden’s warning has been an ongoing message since the invasion began. There is no need to panic, but this is a great time to revisit your current security controls. Focusing on basic IT controls can make a big difference in the event of an attack, as hackers tend to go after the easy, low-hanging fruit.

  1. Access controls
    Review and understand how all access to your networks is obtained by on-site employees, remote employees, and vendors and guests. Make sure that users are maintaining strong passwords and that no user is connecting remotely to any of your systems without some form of multi-factor authentication (MFA). MFA can come in the form of a token (in hand or built-in) or as one of those numerical codes you have delivered to your phone or email. Poor access controls are simply the difference between leaving your house unlocked versus locked when you leave to go somewhere. 
  2. Patching
    One of the most common audit findings we see to date, and one of the biggest reasons behind successful attacks, is unpatched systems. Software providers issue patches to address vulnerabilities in their products; an unpatched vulnerability acts as an unlocked door, giving a hacker a way into your systems. Ensuring your organization has a robust patch management program in place and that systems are up to date on needed patches is critical to your security operations. Think of an unpatched system like a car with a broken window—sure the door is locked, but any thief can reach through the broken window and unlock the car.
  3. Logging 
    Account activity, network traffic, system changes—these are all things that can be easily logged and, with the right tools, configured to alert you to suspicious activity. Logging that is done correctly alerts management to suspicious activity occurring on your network and notifies your security team to investigate the issue. Consider logging and alerting like your home’s security camera. It may alert you to activity outside, but someone still needs to review the footage and react to it to mitigate the threat.
  4. Test backups and more
    Making sure that your systems are successfully backed up and that the backups are kept separate from your production systems is a control we are all familiar with. Organizations should do more than make sure their backups are performed nightly and maintained; they also need to verify on a regular basis that those data backups can be restored to a usable state. Beyond backups, we often hear in the work we do that our clients test only parts of their disaster recovery and failover plans—but have never tested a full-scale failover to their backup systems to determine whether the failover would succeed in the event of an outage or disaster. Organizations shouldn’t be scared to do a full-scale failover test, because when the time comes, you may not have the option to do a partial failover and just hope that it succeeds. Not testing your backups is like not test driving a car before you buy it. Sure it looks nice in the lot, but does it actually run?
  5. Incident Management Plan 
    We often review Incident Management Plans as part of the work we do, and often note that the plans are outdated and contain incorrect information. This is an ideal time to make sure your plans are current and reflect changes that may have occurred, like your increasingly remote work force, or that systems have changed. An outdated Incident Management Plan is like being sick and trying to call your doctor for help only to find out your doctor has retired. 
  6. Training—phishing attacks
    Hackers’ most common approach to gaining access to systems and deploying crippling ransomware is the phishing campaign delivered by email. Phishing campaigns use what appears to be legitimate business correspondence to trick a user into either providing the hacker with credentials to log into systems or downloading malware that could turn into ransomware. Training end users on what to look for when verifying an email’s authenticity is critical and should be seen as an opportunity that benefits the entire organization. Testing users is also critical so management understands the current risk and what additional training is needed. Security teams should also have other supporting controls to help block phishing emails, and detection tools in place in case a user does fall for one. Not training your employees on security is like not coaching your little league team on how to play baseball and then being surprised you didn’t win the game because no one knew what to do.
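The logging item above says the value of a log is in the alerting built on top of it. The following Python script is an added example (not part of the original article or BerryDunn’s material) of the simplest version of that idea: it parses a handful of constructed authentication log lines in an invented `result=… user=… src=…` format and raises alerts for a burst of failed logins from one source, a success from that same source afterwards, and an off-hours login by a privileged account. The log format, the threshold of five failures in five minutes, the business-hours window and the `admin` account are all assumptions for illustration.

```python
"""Turn raw authentication log lines into alerts.

Added example; the log format below is invented for illustration and is
not any vendor's format. Thresholds are assumptions to be tuned per site.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = """\
2022-03-21T02:14:05 result=FAIL user=jdoe src=203.0.113.7
2022-03-21T02:14:09 result=FAIL user=jdoe src=203.0.113.7
2022-03-21T02:14:12 result=FAIL user=jdoe src=203.0.113.7
2022-03-21T02:14:15 result=FAIL user=jdoe src=203.0.113.7
2022-03-21T02:14:19 result=FAIL user=jdoe src=203.0.113.7
2022-03-21T02:14:23 result=OK user=jdoe src=203.0.113.7
2022-03-21T09:01:40 result=OK user=asmith src=192.0.2.10
2022-03-21T09:03:02 result=FAIL user=asmith src=192.0.2.10
2022-03-21T09:03:10 result=OK user=asmith src=192.0.2.10
2022-03-21T23:45:00 result=OK user=admin src=198.51.100.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

FAIL_THRESHOLD = 5             # failures from one source within the window (assumption)
WINDOW = timedelta(minutes=5)  # sliding window for counting failures (assumption)
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local time (assumption)
PRIVILEGED_USERS = {"admin"}   # which accounts count as privileged (assumption)


def parse_line(line):
    """Return a dict for one log line, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def analyze(log_text):
    """Return a list of (rule, user, src) alerts for the given log text."""
    alerts = []
    recent_fails = defaultdict(list)  # src -> timestamps of failures still in the window
    brute_forced = set()              # sources that already tripped the failure rule

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip it rather than stop the whole pipeline
        src, user, ts = rec["src"], rec["user"], rec["ts"]

        if rec["result"] == "FAIL":
            fails = recent_fails[src] + [ts]
            # Keep only failures that still fall inside the sliding window.
            recent_fails[src] = [t for t in fails if ts - t <= WINDOW]
            if len(recent_fails[src]) >= FAIL_THRESHOLD and src not in brute_forced:
                brute_forced.add(src)
                alerts.append(("brute_force", user, src))
        else:
            # A success right after a burst of failures is the event a human must review.
            if src in brute_forced:
                alerts.append(("success_after_brute_force", user, src))
            if user in PRIVILEGED_USERS and ts.hour not in BUSINESS_HOURS:
                alerts.append(("privileged_login_off_hours", user, src))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Running it against the sample produces three alerts: the brute-force burst against `jdoe`, the successful login from the same source straight after it, and the late-night `admin` login. The second rule is the one the article’s camera analogy is about: the log alone shows a login that succeeded; only the correlation tells you it deserves a look.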
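The backup item above makes the point that a backup that exists is not the same as a backup that restores. As an added example (not from the original article or BerryDunn), the Python script below builds a small constructed “production” tree, backs it up to a gzip tarball together with a SHA-256 manifest, then restores the archive into a separate scratch directory and compares every restored file against the manifest. A second run deliberately truncates the archive to show the check failing. The file names and contents are invented; the manifest approach is the technique, not the article’s own procedure.

```python
"""Prove a backup can be restored, not just that it exists.

Added example; the directory layout and file names are constructed.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_of(root):
    """Map each regular file under root (as a relative path) to its SHA-256."""
    root = Path(root)
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def make_backup(src_dir, archive_path):
    """Write a gzip tarball of src_dir and return the manifest taken at backup time."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    return manifest_of(src_dir)


def verify_restore(archive_path, expected_manifest):
    """Restore into a scratch directory (never over production) and compare the
    result with the manifest. Returns (ok, list_of_problems)."""
    problems = []
    # Use the safe extraction filter where this Python version provides it.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as restore_dir:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                tar.extractall(restore_dir, **extract_opts)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return False, [f"restore failed: {exc}"]
        restored = manifest_of(restore_dir)
    for rel, digest in expected_manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content changed: {rel}")
    for rel in restored.keys() - expected_manifest.keys():
        problems.append(f"unexpected file restored: {rel}")
    return not problems, problems


def demo(corrupt=False):
    """Build a constructed 'production' tree, back it up, and test the restore.
    With corrupt=True the archive is truncated to simulate a damaged backup."""
    with tempfile.TemporaryDirectory() as work:
        prod = Path(work) / "prod"
        (prod / "db").mkdir(parents=True)
        (prod / "db" / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (prod / "config.ini").write_text("[app]\nmode=prod\n")
        archive = Path(work) / "nightly.tar.gz"
        manifest = make_backup(prod, archive)
        if corrupt:
            # Keep only the first half of the gzip stream: a damaged backup file.
            data = archive.read_bytes()
            archive.write_bytes(data[: len(data) // 2])
        return verify_restore(archive, manifest)


if __name__ == "__main__":
    print("good backup   :", demo())
    print("damaged backup:", demo(corrupt=True))
```

The restore always lands in a throwaway directory, which mirrors the article’s point about keeping backups separate from production: a restore test must never be able to overwrite the live system it is meant to protect.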

In the current environment, information security is an asset to any organization and needs to be supported so that you can protect your organization from cyberattacks of all kinds. While we can never guarantee that having controls in place will prevent an attack from occurring, they make it a lot more challenging for the hacker. One more analogy, and then I’m done, I promise. Basic IT controls are like speedbumps in a neighborhood. While they keep most people from speeding (and if you hit them too fast they do a number on your car), you can still get over them with enough motivation. 

If you have questions about your cybersecurity controls, or would like more information, please contact our IT security experts. We’re here to help.


Read this if you are responsible for cybersecurity at your organization. 

During the financial audit process, auditors are required to develop and confirm their understanding of Information Technology (IT) and cybersecurity practices as they relate to financial reporting, both to better understand risks and because auditors rely heavily on data pulled from accounting information systems. As auditors, we have seen a significant increase in the number of impactful incidents affecting not-for-profit organizations, and our IT security experts often share valuable advisory comments in annual audit communications with our clients. With recent incidents and a very rapidly changing business environment in mind, here are the three most important considerations from the last six months that impact all not-for-profits.

Board oversight of cybersecurity 

Cybersecurity gaps within an organization’s systems may lead to risk exposure and have material impacts on all aspects of operations. Responsibility for cybersecurity controls and for establishing a culture of awareness and security should come from the Board and senior leadership. Board members and senior leaders should stay apprised of cybersecurity efforts on a regular basis and incidents should be summarized and reported on a quarterly basis. 

The Board should also consider adding a member who is a professional with IT and cybersecurity experience to help manage and understand the specific risks to the organization and help drive and support cybersecurity efforts.

Ransomware threats and preventive controls

The use of ransomware as a profitable attack on organizations by hackers continues to rapidly increase. Within the last year there have been multiple high-profile incidents that illustrate the impact of a successful attack. These impacts fall into two main areas. One impact may be financial, as millions of dollars are paid to the bad actors as ransom in hopes of being able to regain control of systems. The second impact is operational, resulting in a loss of control of systems and data during the event. Potentially, an unsuccessful data restoration could result in the total loss of information and data maintained on your networks. 

Though no organization may be able to prevent a ransomware attack from occurring entirely, there are basic cybersecurity controls that help reduce the likelihood and impact of an attack. Preventive controls may include: 

  • Security awareness training on phishing emails and overall IT security practices for all organization users
  • Multi-factor authentication 
  • Access controls that prevent users from installing unapproved software onto organization-owned workstations and networks
  • Anti-malware software installed on devices that connect to organization systems 
  • Use of Zero Trust data management tools for backups
  • Disabling macros in emailed documents (prevents embedded scripts from running automatically when an attachment is opened)

In addition to including these preventive controls in your cybersecurity program, your organization should assess the corrective controls already in place to react to a ransomware event once it is detected or reported. Corrective controls may include:

  • Disaster recovery plans/business continuity plans 
  • Incident response plans
  • Backup controls and restoration tests 

As the risk of ransomware continues to grow and attacks continue to increase in sophistication, your organization should consider regular assessments of IT controls and cybersecurity practices. Such assessments may be performed in conjunction with annual financial statement audits as an expanded scope and/or as a separate annual IT assessment.

COVID-19 IT considerations 

The global COVID-19 pandemic significantly impacted nearly every aspect of modern life, including the way we work. As personnel were sent home and literally became a remote workforce overnight, IT systems and controls were rapidly adjusted to accommodate this new way of doing business.

Where controls and procedures were adjusted, if not suspended, your organization should review those changes and determine whether the controls should revert to the pre-pandemic process—or be formally changed and documented as policy.

Guidance from the American Institute of Certified Public Accountants (AICPA) dictates that a gap in controls associated with the pandemic is not a legitimate reason for not completing a control and that any changes must be documented and properly managed.  

Well over a year into the pandemic, the hybrid workforce has emerged as the predominant way employees and businesses want to work. Your organization should review current policies and procedures that may pre-date the pandemic to ensure that any updates document and reflect the current business environment.

Additionally, with personnel working remotely, in a hybrid model, or a combination of both, you should assess your practices for managing remote access and a hybrid workforce and, where needed, implement industry best-practice tools and procedures that accommodate a remote workforce while maintaining security controls. If you have questions regarding your cybersecurity procedures or want to learn more, please contact our team. We’re here to help.
 

Article
Cybersecurity update for organizations: Considerations for boards and senior management

A version of this article was previously published on the Massachusetts Nonprofit Network

Editor’s note: while this blog is not technical in nature, you should read it if you are involved in IT security, auditing, or the management of organizations that participate in strategic planning and business activities where considerations of compliance and controls are required.

As we find ourselves in a fast-moving, strong business growth environment, there is no better time to consider the controls needed to enhance your IT security as you implement new, high-demand technology and software to allow your organization to thrive and grow. Here are five risks you need to take care of if you want to build or maintain strong IT security.

1. Third-party risk management―It’s still your fault

We rely daily on our business partners and vendors to make the work we do happen. From an IT perspective, third-party vendors are a potential weak link in the information security chain and may expose your organization to risk. Though a data breach may be the fault of a third party, you are still responsible for it. If customer information is exposed, you are the one left explaining to customers and clients, often without the answers they expect you to have.

Though software as a service (SaaS) providers, along with other IT third-party services, have been around for well over a decade now, we still neglect our businesses by not considering and addressing third-party risk. These third-party providers likely store, maintain, and access company data, which could potentially contain personally identifiable information (names, social security numbers, dates of birth, addresses), financial information (credit cards or banking information), and healthcare information of your customers. 

While many of the third-party providers have comprehensive security programs in place to protect that sensitive information, a study in 2017 found that 30% of data breaches were caused by employee error or occurred while data was under the control of third-party vendors.[1] This study reemphasizes that when data leaves your control, it is at risk of exposure.

In many cases, procurement and contracting policies already put language in contracts that establishes IT security requirements for third parties; however, those requirements are often not enforced, few people are aware of what the contract actually says, and the evidence that is collected is put in a file and never reviewed. What can you do about it?

Improved vendor management

It is paramount that all organizations (no matter their size) defend themselves against third-party risk with a comprehensive vendor management program that goes beyond contracting requirements and includes:

  1. An inventory of all third-parties used and their criticality and risk ranking. Criticality should be assigned using a “critical, high, medium or low” scoring matrix. 
  2. At the time of onboarding or RFP, develop a standardized approach for evaluating whether potential vendors have sufficient IT security controls in place. This may be done through an IT questionnaire, review of a System and Organization Controls (SOC) report or other audits/certifications, and/or policy review. Additional research may be conducted that focuses on management and the company’s financial stability.
  3. As a result of the steps in #2, develop a vendor risk assessment using a high, medium and low scoring approach. Higher-risk vendors should have specific concerns addressed in contracts and are subject to more in-depth annual due diligence procedures.
  4. Reporting to senior management and/or the board annually on the vendors used by the organization, the services they perform, their risk, and ways the organization monitors the vendors. 

2. Regulation and privacy laws―They are coming 

2018 saw the implementation of the European Union’s General Data Protection Regulation (GDPR), the first major data privacy law imposed on any organization that possesses, handles, or has access to the personal information of any EU citizen. Enforcement has started, and the Information Commissioner’s Office has begun fining some of the world’s most famous companies, including substantial fines to Marriott International and British Airways of $125 million and $183 million Euros, respectively.[2] Gone are the days when regulations lacked the teeth to force companies into compliance.

In the wake of other major data breaches in which hundreds of millions of consumers’ private information was lost or stolen (e.g., Experian), more regulation is coming. Although there is little expectation of an American federal requirement for data protection, individual states and other regulating organizations are introducing requirements. Each new regulation seeks to protect consumer privacy, but the specifics and enforcement of each differ.

Expected to be most impactful in 2019 is the California Consumer Privacy Act, which applies to organizations that handle, collect, or process consumer information and do business in the state of California (you do not have to be located in CA to be under the umbrella of enforcement).

In 2018, Maine passed the toughest law on telecommunications providers selling consumer information. Massachusetts’ long-standing privacy and data breach laws were amended with stronger requirements in January of 2019. Additional privacy and breach laws are in discussion or on the table for many states including Colorado, Delaware, Ohio, Oregon, Vermont, and Washington, amongst others.

Preparation and awareness are key

All organizations, no matter their line of business, must be aware of and understand current laws and proposed legislation. New laws are expected to address not only the protection of customer data, but also employee information. All organizations should monitor proposed legislation and be aware of the potential enforceable requirements. The good news is that there are a lot of resources out there and, in most cases, legislative requirements allow for grace periods so organizations can develop a complete understanding of proposed laws and implement needed controls.

3. Data management―Time to cut through the clutter 

We all work with people who have thousands of emails in their inbox (in some cases, dating back several years). Those users’ biggest fears may start to come to fruition―that their “organizational” approach of not deleting anything may come to an end with a simple email and data retention policy put in place by their employer. 

The amount of data we generate in a day is massive. Forbes estimates that we generate 2.5 quintillion bytes of data each day and that 90% of all the world’s data was generated in the last two years alone.[3] While data is a gold mine for analytics and market research, it is also an increasing liability and security risk.

Inc. Magazine says that 73% of the data we have available to us is not used.[4] Within that data could be personally identifiable information (such as social security numbers, names, addresses, etc.); financial information (bank accounts, credit cards, etc.); and/or confidential business data. That data is valuable to hackers and corporate spies, and in many cases the organizations that hold it do not know it exists or where it is stored.

In addition to the security risk that all this data poses, it may also expose an organization to liability in the event of a lawsuit or investigation. Emails and other communications are a favorite target of subpoenas and investigations and should be deleted within 90 days (including deleted items folders).

Take an inventory before you act

Organizations should first complete a full data inventory and understand what types of data they maintain and handle, and where and how they store that data. Next, organizations can develop a data retention policy that meets their needs. Utilizing backup storage media may be a solution that helps reduce the need to store and maintain a large amount of data on internal systems. 

4. Doing the basics right―The simple things work 

Across industries and regardless of organization size, the most common problem we see is the absence of basic controls for IT security. Every organization, no matter their size, should work to ensure they have controls in place. Some must-haves:

  • Established IT security policies
  • Routine, monitored patch management practices (for all servers and workstations)
  • Change management controls (for both software and hardware changes)
  • Anti-virus/malware on all servers and workstations
  • Specific IT security risk assessments 
  • User access reviews
  • System logging and monitoring 
  • Employee security training

Go back to the basics 

We often see organizations that focus on new and emerging technologies but have not taken the time to put basic security controls in place. Simple deterrents help thwart hackers. I often tell my clients that a locked car scares away most ill-willed people, but a thief can still smash the window.

Smaller organizations can consider using third-party security providers, if they are not able to implement basic IT security measures. From our experience, small organizations are being held to the same data security and privacy expectations by their customers as larger competitors and need to be able to provide assurance that controls are in place.  

5. Employee retention and training 

Unemployment rates are at an all-time low, and the demand for IT security experts is at an all-time high. In fact, Monster.com reported that in 2019 the unemployment rate for IT security professionals was 0%.[5]

Organizations should be highly focused on employee retention and training to keep current employees up to speed on technology and security trends. One study found that only 15% of IT security professionals were not looking to switch jobs within one year.[6]

Surprisingly, money is not the top factor for turnover―68% of respondents prioritized working for a company that takes their opinions seriously.[6]

For years we have told our clients they need to create and foster a culture of security from the top down, and that IT security must be considered more than just an overhead cost. It needs to align with overall business strategy and goals. Organizations need to create designated roles and responsibilities for security that provide your security personnel with a sense of direction―and the ability to truly protect the organization, their people, and the data. 

Training and support go a long way

Offering training to security personnel allows them to stay abreast of current topics, but it also shows those employees you value their knowledge and the work they do. You need to train technology workers to be aware of new threats, and on techniques to best defend and protect from such risks. 

Reducing turnover rate of IT personnel is critical to IT security success. Continuously having to retrain and onboard employees is both costly and time-consuming. High turnover impacts your culture and also hampers your ability to grow and expand a security program. 

Making the effort to empower and train all employees is a powerful way to demonstrate your appreciation and support of the employees within your organization—and keep your data more secure.  

Our IT security consultants can help

Ensuring that you have a stable and established IT security program in place by considering the above risks will help your organization adapt to technology changes and create more than just an IT security program, but a culture of security minded employees. 

Our team of IT security and control experts can help your organization create and implement the controls needed to address emerging IT risks. For more information, contact the team.
 

Sources:
[1] https://iapp.org/news/a/surprising-stats-on-third-party-vendor-risk-and-breach-likelihood/  
[2] https://resources.infosecinstitute.com/first-big-gdpr-fines/
[3] https://www.forbes.com/sites/bernardmarr/2018/05/21/how-much-data-do-we-create-every-day-the-mind-blowing-stats-everyone-should-read/#458b58860ba9
[4] https://www.inc.com/jeff-barrett/misusing-data-could-be-costing-your-business-heres-how.html
[5] https://www.monster.com/career-advice/article/tech-cybersecurity-zero-percent-unemployment-1016
[6] https://www.securitymagazine.com/articles/88833-what-will-improve-cyber-talent-retention

Article
Five IT risks everyone should be aware of

Is your organization a service provider that hosts or supports sensitive customer data (e.g., personal health information (PHI), personally identifiable information (PII))? If so, you need to be aware of a recent decision by the American Institute of Certified Public Accountants that may affect how your organization manages its systems and data.

In April, the AICPA’s Assurance Executive Committee decided to replace the five Trust Service Principles (TSPs) with Trust Services Criteria (TSC), requiring service organizations to completely rework their internal controls, and present SOC 2 findings in a revised format. This switch may sound frustrating or intimidating, but we can help you understand the difference between the principles and the criteria.

The SOC 2 Today
Service providers design and implement internal controls to protect customer data and comply with certain regulations. Typically, a service provider hires an independent auditor to conduct an annual Service Organization Control (SOC) 2 examination to help ensure that controls work as intended. Among other things, the resulting SOC 2 report assures stakeholders (customers and business partners) the organization is reducing data risk and exposure.

Currently, SOC 2 reports focus on five Trust Services Principles (TSP):

  • Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that can compromise the availability, integrity, confidentiality, and privacy of information or systems — and affect the entity's ability to meet its objectives.

  • Availability: Information and systems are available for operation and use to meet the entity's objectives.

  • Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives.

  • Confidentiality: Information designated as confidential is protected to meet the entity's objectives.

  • Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives.

New SOC 2 Format
The TSC directly relate to the 17 principles found in the Committee of Sponsoring Organizations (COSO) 2013 Framework for evaluating internal controls, and include additional criteria related to COSO Principle 12. The new TSC are:

  • Control Environment: Emphasis on ethical values, board oversight, authority and responsibilities, workforce competence, and accountability.
  • Risk Assessment: Emphasis on the risk assessment process, how to identify and analyze risks, fraud-related risks, and how changes in risk impact internal controls.
  • Control Activities: Emphasis on how you develop controls to mitigate risk, how you develop technology controls, and how you deploy controls across an organization through policies and procedures.
  • Information and Communication: Emphasis on how you communicate internally within the organization and with external parties.
  • Monitoring: Emphasis on how you evaluate internal controls and how you communicate and address any control deficiencies.

The AICPA has provided nearly 300 Points of Focus (POF), supporting controls that organizations should consider when addressing the TSC. The POF offer guidance and considerations for controls that address the specifics of the TSC, but they are not required.

Points of Focus
Organizations now have some work to do to meet the guidelines. The good news: there’s still plenty of time to make necessary changes. You can use the current TSP format before December 15, 2018. Any SOC 2 report presented after December 15, 2018, must incorporate the new TSC format. The AICPA has provided a mapping spreadsheet to help service organizations move from TSP to the TSC format.

Contact Chris Ellingwood to learn more about how we can help you gain control of your SOC 2 reporting efforts. 
 

Article
The SOC 2 update — how will it affect you?

As the technology we use for work and at home becomes increasingly intertwined, security issues that affect one also affect the other and we must address security risks at both levels.

This year’s top security risks are the first in our series that are relevant both to us as consumers of technology and to us as business owners and security administrators. Our homes and offices connect to devices, referred to as the Internet of Things (IoT), that make our lives and jobs easier and more efficient, but securing those devices from outside access is becoming paramount to IT security.

Many of this year’s risks focus on deception. Through deception, hackers can get information and access to systems, which can harm our wallets and our businesses.

In our 2017 Top 10 IT Security Risks e-book we share with you how to understand these emerging risks, the consequences and impacts these risks may have on your business, and approaches to help mitigate the risks and their impact. Some of the key ways to address these risks are:           

  1. Do your homework — change your default passwords (the one that came with your wireless router, for instance), and also make sure that your Amazon Alexa, Google Home, or other smart devices have complex passwords. In addition, turning off devices when they are not in use, or when you are gone, helps secure your home.
  2. If you work from home, or have employees who do, set up and use secure connections with dual authentication methods to help protect your networks. Remote employees should be required to use the same security measures as on-site employees.
  3. Protect your smartphone at work and at play—smartphones have become one of our most important possessions, and we use the same device for both work and personal applications, yet we don’t protect them as well as we should. Password protection is step one. Consider installing antivirus software on corporate smartphones and using container apps for corporate email and documents. These apps allow users to securely connect to a company’s server and reduce the possible exposure of data.
  4. Train, inform, repeat. Create a vigilant workforce—through continuous and consistent training and information sharing, you can reduce the occurrence of phishing, hacking and other attacks against your systems.
  5. Conduct IT security risk assessments annually to help you identify gaps, fix them, and prepare for any incidents that may occur.
  6. Monitor and protect your reputation through tools that identify news about your company and help you understand the sources of the information.

Our 2017 Top 10 IT Security Risks takes a deeper look at the IoT and other risk issues that pose a threat this year, and what you can do to minimize your own and your organization’s IT security risks.

Article
The 2017 top IT security risks: Everything is connected

During my lunch in sunny Florida while traveling for business, enjoying a nice reprieve from another cold Maine winter, I checked my social media account. I noticed several postings about people having nothing to do at work because their company’s systems were down, the result of a major outage at one of three Amazon Web Services (AWS) data centers and web hosting operations. Company sites were down either directly or indirectly through a software as a service (SaaS) provider hosted at the AWS data center.

The crash lasted for four hours and affected hundreds of thousands of sites, including Airbnb, Expedia, Netflix, Quora, Slack, and others. The impact of such crashes can be devastating to organizations that rely on their website for revenue, such as online retailers, and to users of SaaS providers who rely on a hosted system to conduct day-to-day business.

We advise our clients who consider hosting services in the cloud to weigh the option seriously and understand potential challenges in doing so. Here are some steps you can take to prevent future outages and loss of valuable uptime:

  1. Know the risks and weigh them against the benefits. Ask questions about the system you are thinking of having hosted. Is the system critical to business? Without the system, do you lose revenue and productivity? Is the company providing the SaaS service hosting its own systems, or are they hosted at a data center like AWS? Does the SaaS provider have failover sites at other, separate data centers that are geographically distant from one another?
  2. Have a backup plan. If your business conducts e-commerce or needs a SaaS service to function, consider hosting your web servers and other data at two different providers. Though costly, this greatly reduces the impact of downtime.
  3. Consider hosting yourself. In some cases, we advise against relying on a third-party hosted data center. We do this when the criticality of the function is so high that having your own full-time dedicated support personnel, with multiple internet service providers available, allows you to address outages in-house and reduce the risk of outages.
  4. Have a service level agreement. Having a service level agreement with the hosted third party establishes expectations for uptime and downtime. In many instances where uptime is critical, you may consider incorporating liquidated damage clauses (fines and penalties) for downtime. Often when revenue is involved, the hosted party will take deeper measures to ensure uptime.
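The first two steps above amount to an inventory question: which of your critical dependencies actually share a provider and a region, so that one data center outage takes them all down at once? The script below is an added example (not code from the original article) that answers it for a constructed dependency list. The provider prefix table and the resolved addresses are made up for the example using documentation ranges; in practice you would load published ranges (for example AWS publishes its prefixes at https://ip-ranges.amazonaws.com/ip-ranges.json) and resolve each hostname with your DNS resolver. Longest-prefix matching classifies each address, and the report flags dependencies that sit in a single region, a single provider, or somewhere you cannot identify.

```python
"""Map critical service dependencies to hosting provider and region, then flag
the single points of failure that a data-center outage would expose."""
import ipaddress
from collections import defaultdict

# Constructed sample prefix table (documentation ranges, not real provider
# prefixes). Each entry: (CIDR, provider, region). Load real published
# ranges here in practice.
PROVIDER_PREFIXES = [
    ("198.51.100.0/24", "ProviderA", "us-east-1"),
    ("203.0.113.0/25", "ProviderA", "us-west-2"),
    ("203.0.113.128/25", "ProviderB", "eu-west-1"),
    ("192.0.2.0/24", "ProviderC", "on-prem"),
]

# Constructed sample of critical dependencies and the addresses their
# hostnames resolved to (hypothetical names; resolve yours with DNS).
DEPENDENCIES = {
    "shop.example.com": ["198.51.100.10"],
    "crm-saas.example.net": ["198.51.100.22", "203.0.113.5"],
    "helpdesk-saas.example.org": ["198.51.100.40"],
    "ticketing.example.org": ["10.0.0.5"],  # not in any known prefix
}

UNKNOWN = ("unknown", "unknown")


def build_prefix_table(entries):
    """Parse CIDRs and order them most-specific first so the longest
    matching prefix wins during classification."""
    table = [(ipaddress.ip_network(cidr), provider, region)
             for cidr, provider, region in entries]
    table.sort(key=lambda row: row[0].prefixlen, reverse=True)
    return table


def classify_ip(ip, table):
    """Return (provider, region) for an address, or UNKNOWN if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for net, provider, region in table:
        if addr in net:
            return provider, region
    return UNKNOWN


def assess_dependencies(deps, table):
    """Per dependency: where it is hosted and which concentration flags apply."""
    report = {}
    for name, ips in deps.items():
        locations = sorted({classify_ip(ip, table) for ip in ips})
        providers = {provider for provider, _ in locations}
        regions = {region for _, region in locations}
        report[name] = {
            "locations": locations,
            "single_provider": len(providers) == 1,
            "single_region": len(regions) == 1,
            "unknown_hosting": UNKNOWN in locations,
        }
    return report


def shared_fate(report):
    """Group dependencies hosted in exactly one known region by that region.
    Every name under a region goes down together if that region fails."""
    groups = defaultdict(list)
    for name, entry in report.items():
        if entry["single_region"] and not entry["unknown_hosting"]:
            _, region = entry["locations"][0]
            groups[region].append(name)
    return {region: sorted(names) for region, names in groups.items()}


def main():
    table = build_prefix_table(PROVIDER_PREFIXES)
    report = assess_dependencies(DEPENDENCIES, table)
    for name, entry in report.items():
        flags = [k for k in ("single_provider", "single_region", "unknown_hosting") if entry[k]]
        print(f"{name}: {entry['locations']} flags={flags}")
    for region, names in shared_fate(report).items():
        print(f"shared fate in {region}: {', '.join(names)}")


if __name__ == "__main__":
    main()
```

Anything listed under a single region in the shared-fate output is the set you would lose together in an outage like the one described above; the dependencies flagged as unknown are the ones to ask your vendor about before assuming they are elsewhere.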

These types of outages are rare but significant. While most organizations should not be scrambling to host their own systems and cancel all hosted agreements, it is a good idea to take a hard look at your cybersecurity and IT risk management plan. Then, like me, when the clouds clear and you are in warm and sunny Florida, you can take a long lunch and enjoy the day.

Article
When the skies clear: Web-hosting outage hits Amazon data centers

Read this if you are interested in learning about ESG. 

Although tax credits as subsidies have been a cornerstone catalyst for advancing many environmental, social, and governance (ESG) policies and technologies over the last several years, tax is often forgotten or minimized in the process of creating and implementing corporate ESG and value creation strategies. Ignoring the symbiotic relationship between tax and ESG is a losing strategy, given increased awareness of the importance of tax transparency among shareholders and other stakeholders as a mechanism for holding companies accountable to their stated ESG commitments. A rise in media and rating agency reports on the topic indicate tax will continue to be under scrutiny in the future and may increasingly have significant corporate reputational impacts as well.

As leaders of an organization's tax function, whether as vice presidents of tax, tax directors, CFOs, or in other roles, you are the stewards charged with ensuring tax strategy and operations appropriately intersect with the corporate ESG vision and meaningfully advance ESG commitments. However, the 2022 BDO Tax Outlook Survey found that while an overwhelming majority of senior tax executives expressed an understanding of the value of ESG, three quarters of those responsible for tax were not currently involved in the organization's ESG strategy. The findings indicate that tax leaders will need to insert the tax function into the ESG planning and execution process and take ownership of tax's role in ESG. Insights from the survey outline how tax fits into ESG, the core principles of an ESG-focused tax strategy, and key considerations for transparent reporting.

How does tax overlap with ESG?

Because there is some misunderstanding about how tax relates to environmental, social, and governance issues, there is a high probability that tax may not be incorporated in responsible business strategy and planning. While not reflected in the ESG acronym, there is an element of tax that is central to each of these principles. For example, environmental behavioral taxes and incentives, such as carbon taxes on greenhouse gas emissions and tax incentives for green energy adoption, are crucial to driving behavior change toward more sustainable practices in the near term while many impacts of climate change are still experienced in indirect ways. In terms of the social element, taxes are a key mechanism for companies to contribute to the societies in which they operate and to build trust among members of the public as a responsible corporate actor. Finally, proper tax governance can ensure that there is appropriate oversight over an organization’s tax strategy and decisions, ensuring they align with overarching business objectives and stakeholder communications around tax reporting.

Using the tax ESG cipher to unlock a successful ESG-driven tax strategy

Aligning the tax function with an overarching ESG strategy across the business is a heavy lift. Building and implementing a responsible tax program will take time and requires careful consideration of an organization's overall approach to tax, tax governance, and total tax contribution. Each company will have a unique tax strategy based on its business and stakeholder considerations and may be at varying points along its responsible tax journey. Whether you are just beginning or are reassessing your approach based on changing market conditions, updates to your ESG strategy, or regulations, the cipher below can be used to guide these critical considerations and help ensure tax is meaningfully incorporated in ESG strategy. The process should be iterative over time and, when implemented successfully, will drive improved decision-making on risk mitigation, strengthen risk awareness, and increase transparency and accountability.

Core principle one: Approach to tax

The first step to meaningfully incorporating tax in ESG strategy is understanding and articulating the purpose and values that guide the tax function. This process includes defining the organization’s approach to regulatory compliance and the interaction with tax authorities. Writing a tax policy and strategy is an important way to articulate the company’s tax priorities and educate all team members across the organization about the function’s principles. The statement may include commitments to communicate transparently with regulators and disclose more information than required by law in some cases, for example.

As the organization evolves due to changes in the industry, overall ESG commitments and sustainability strategies, the tax strategy statement should be updated accordingly. Regulatory changes will also necessitate continuous assessment and consideration of whether the strategy meets the current understandings of transparency, risk mitigation and accountability based on new information. Through this set of guiding principles, the tax function can help improve decision-making and reporting actions to align with changes in the broader corporate ESG strategy, purpose, and values. 

Core principle two: Tax governance and risk management

Establishing a robust governance, control, and risk management framework provides comfort and assurance that the reported approach to tax and tax strategy is well embedded in an organization's sustainable business strategy and that there are mechanisms in place to effectively monitor its compliance obligations.

However, it’s important to remember that tax governance and risk management have broad considerations that go beyond the traditional frameworks governing internal controls over financial reporting (ICFR). A common pitfall for many is a narrow focus on governance strategies. Generally, ICFR focuses on accurate and complete reporting in financial statements. While this is an important area of governance, it does not account for or represent the many objectives included in a tax ESG control framework, which is typically broader as it focuses on how and why decisions regarding tax approaches and positions are made.

The objective of this core principle is to demonstrate to stakeholders how the organization’s tax governance, control and risk management function are in alignment with the values and principles outlined in the Approach to Tax statement. This can include establishing a risk advisory council, guidelines for including tax in ESG reporting deliverables and any corresponding regulatory requirements, and communications to relevant stakeholders on executive oversight activities related to the tax strategy.  

However, many organizations have not taken the time to document and define their risk mitigation and executive oversight strategy. Often this is left merely to control procedures that are mechanical and regulatory in nature. Instead, a tax governance and risk management strategy should aim to establish a framework focused on strengthening risk awareness and transparently communicating governance activities to both internal and external audiences when appropriate.

Core principle three: Total tax contribution

While quantifying and providing necessary qualitative context around an organization’s total tax contribution is not an easy task, today, stakeholders from employees and customers to investors and regulators expect transparency around tax strategies, tax-related risks, total tax contribution and country-by-country activities. Recently, tax has received increased scrutiny from these stakeholders because it is a core component of many ESG metrics used to evaluate a business’s tax behaviors and ensure there is accountability across its tax practices. The result is that how a company shares tax information with stakeholders and what it includes in reports has a significant impact on reputation and perceptions of corporate ESG statements.

However, the increased demand for tax transparency is not without its challenges. Nearly two-thirds of respondents in the 2022 BDO Tax Outlook Survey (62%) said data collection and analysis (the quantitative component of ESG-focused tax) is the greatest challenge of tax transparency reporting efforts, pointing to an underlying issue of tax data governance and fragmented systems. Often this is an area where tax leaders require outside assistance to establish automated processes that can collect tax data on a periodic basis for regular analysis. The importance of ESG and attention around the topic will only continue to increase over the next several years, so it is critical to begin thinking about adequate data collection and analytic capabilities for tax leaders looking to incorporate tax in ESG practices and strategy. For those just beginning the process, our advice is to partner with in-house IT functions or external consultants for assistance and support.

Collecting relevant tax data on a regular basis is a critical early step because it affords tax leaders the opportunity to determine which information will be disclosed to various stakeholders and which information can help shape and support broader ESG narratives being developed by corporate leadership. While determining data collection processes, it is also important to consider and seek counsel on communication and information delivery strategies that will best reach and address the concerns of priority stakeholder groups.   

Although this task can be a heavy lift, it may also result in significant business advantages. A key benefit is that the data and information gathered will help tax leaders further define and evolve ESG-driven tax strategies through tax monetization structures and company core value items, among others. Ultimately, organizations that better understand their total tax contribution across taxing jurisdictions and country-by-country activities are best equipped to make data-driven tax strategy decisions that are aligned with broader ESG and sustainability objectives, while also avoiding hindrances to value creation.

Key reporting considerations

Once the quantitative data have been collected, the next step is to consider how you report the information. Communicating the numbers themselves is not enough. Communicating the narrative behind the numbers – the qualitative component of reporting – is extremely important. The narrative should always aim to communicate the company’s approach to tax, values guiding decision-making and the impact of the tax strategy to key stakeholders in a straightforward and transparent manner. However, qualitative reporting can vary by organization depending on several factors, from choice of standards to company philosophy.

The 2022 BDO Tax Outlook Survey also found that challenges and variance in tax transparency reporting are driven by a lack of universal reporting standards and clarity around which ESG frameworks to follow. In the meantime, the best reporting framework for any company is one that drives a deep understanding of the organization’s ESG philosophy and vision, which may require more investment in terms of time and effort. When determining a reporting approach, it is important to consider the goal of the report or disclosure and which data best demonstrate ESG progress and strategy. Because the ESG-related tax reporting is not a mandated process and is currently a voluntary disclosure in the U.S., it can often be helpful to review tax reports related to ESG from other companies already making these disclosures as a baseline.

Keep in mind that one of the main reasons businesses are electing to publish comprehensive ESG and Sustainability Tax Reports and Global Tax Footprints is to articulate their broader total tax contribution to ensure that the tax narrative speaks to the needs and demands of their stakeholders. Each report must be unique and relevant to the company in terms of content and method of disclosure.

Currently, there is a relatively small number of companies electing to make such disclosures, based on the findings of the 2022 BDO Tax Outlook Survey outlined below. Of the 150 senior tax executives polled, less than a quarter (23%) are implementing both qualitative and quantitative disclosures:

Tax transparency reporting disclosures

Today, tax is an essential component of the ESG metrics that determine how stakeholders perceive an organization. Despite this fact, the movement to incorporate tax in ESG planning and strategies is still in its infancy. This means leaders of tax functions still have time to begin the process of implementing ESG-driven tax strategies and operations to ensure the function evolves with the importance of ESG. While there is no simple one-size-fits-all solution, given the nuances and complications of the tax function for each organization, the general framework in the Tax ESG Cipher can help guide tax leaders at any point on the journey. The cipher outlines key considerations to ensure an organization’s ESG vision is well-structured and appropriately includes tax strategies. While the process requires long-term effort and dedication, it generates high returns in terms of accountability, transparency, and reputational and sustainable value.

As ESG takes center stage in a rapidly changing business landscape, how is your organization advancing toward true sustainability?

Written by Daniel Fuller and Jonathon Geisen. Copyright © 2022 BDO USA, LLP. All rights reserved. www.bdo.com  

Article
Navigating the intersection of tax and ESG

Read this if you file taxes with the IRS for yourself or other individuals.

To protect yourself from identity thieves filing fraudulent tax returns in your name, the IRS recommends using an Identity Protection PIN (IP PIN). Available to anyone who can verify their identity online, by phone, or in person, these PINs provide extra security against tax fraud committed with stolen Social Security numbers or Tax ID numbers.

According to the Security Summit—a group of experts from the IRS, state tax agencies, and the US tax industry—the IP PIN is the number one security tool currently available to taxpayers from the IRS.

The simplest way to obtain a PIN is on the IRS website’s Get an IP PIN page. There, you can create an account or log in to your existing IRS account and verify your identity by uploading an identity document such as a driver’s license, state ID, or passport. Then, you must take a “selfie” with your phone or your computer’s webcam as the final step in the verification process.

Important things to know about the IRS IP PIN:

  • You must set up the IP PIN yourself; your tax professional cannot set one up on your behalf.
  • Once set up, you should only share the PIN with your trusted tax prep provider.
  • The IP PIN is valid for one calendar year; you must obtain a new IP PIN each year.
  • The IRS will never call, email or text a request for the IP PIN.
  • The 6-digit IP PIN should be entered onto your electronic tax return when prompted by the software product or onto a paper return next to the signature line.

If you cannot verify your identity online, you have options:

  • Taxpayers with an income of $72,000 or less who are unable to verify their identity online can obtain an IP PIN for the next filing season by filing Form 15227. The IRS will validate the taxpayer’s identity through a phone call.
  • Those with an income of more than $72,000, or any taxpayer who cannot verify their identity online or by phone, can make an appointment at a Taxpayer Assistance Center and bring a photo ID and an additional identity document to validate their identity. They will then receive the IP PIN by US mail within three weeks.
  • For more information about IRS Identity Protection PINs and to get your IP PIN online, visit the IRS website.

If you have questions about your specific situation, please contact our Tax Consulting and Compliance team. We’re here to help.

Article
The IRS Identity Protection PIN: What is it and why do you need one?

The Centers for Medicare & Medicaid Services (CMS) has issued the final rule for the FY 2023 SNF PPS, which was published in the Federal Register on August 3, 2022. The rule:

  • Updates the PPS rates for SNFs for FY 2023 using the market basket update and budget neutrality factors effective October 1, 2022;
  • Recalibrates the Patient Driven Payment Model (PDPM) parity adjustment;
  • Establishes a permanent 5% cap on annual wage index decreases;
  • Finalizes proposed changes in PDPM International Classification of Diseases, Version 10 (ICD-10) code mappings;
  • Updates the SNF Quality Reporting Program (SNF QRP); and
  • Updates the SNF Value-Based Purchasing (SNF VBP) Program.

2023 PPS rate calculations

The final rule provides a net market basket increase for SNFs of 5.1 percent beginning October 1, 2022 which reflects:

  • An unadjusted market basket increase of 3.9 percent, adjusted upward by 1.5 percentage points for a forecast error adjustment;
  • A reduction of 0.3 percentage points in accordance with the multifactor productivity adjustment required by Section 3401(b) of the Affordable Care Act (ACA).

In addition, as discussed in the Recalibration of the PDPM parity adjustment section below, the net market basket increase of 5.1 percent is further reduced by 2.3 percent related to accounting for year one of a two-year PDPM parity adjustment phase-in.

CMS projects an overall increase in Medicare Part A SNF payments of approximately 2.7 percent or $904 million in FY 2023 related to the payment rate updates. The final rule also estimates an increase in costs to SNFs of $31 million related to the FY 2023 SNF QRP changes and an estimated reduction of $186 million in aggregate payments to SNFs during FY 2023 as a result of the changes to the SNF VBP program.

The projected overall impact to providers in urban and rural areas is an average increase of 2.7% and 2.5%, respectively, with a low of 1.4% for urban outlying providers and a high of 3.6% for urban Pacific providers; actual impact will vary.

The applicable wage index continues to be based on the hospital wage data, unadjusted for occupational mix, rural floor, or outmigration adjustment (from FY 2019) in the absence of SNF specific data.

Recalibration of the PDPM parity adjustment

When CMS finalized PDPM in October 2019, it also finalized that this new case-mix classification model would be implemented in a budget neutral manner. However, since PDPM implementation, CMS has closely monitored SNF utilization data, which has indicated an unintended increase in payments to providers. In order to achieve budget neutrality under PDPM, CMS is finalizing its proposal to recalibrate the PDPM parity adjustment using a factor of 4.6 percent (an impact of $1.5 billion). The factor was derived using a combined methodology: a subset population that excludes patients whose stay utilized a coronavirus (COVID-19) public health emergency (PHE)-related waiver or who were diagnosed with COVID-19, together with control period data from months with low COVID-19 prevalence. CMS is finalizing the parity adjustment with a two-year phase-in (2.3 percent applied in FY 2023 and 2.3 percent in FY 2024). For each of the PDPM case-mix adjusted components, this means CMS will lower the PDPM parity adjustment factor from 46 percent to 42 percent in FY 2023 and further lower it from 42 percent to 38 percent in FY 2024. CMS applied the parity adjustment equally across all components.

Permanent cap on wage index decreases

To mitigate instability in SNF PPS payments due to significant wage index decreases that may affect providers in any given year, CMS is finalizing a permanent 5% cap on annual wage index decreases to smooth year-to-year changes in providers’ wage index payments.

Changes in PDPM ICD-10 code mappings

Beginning with the updates for FY 2020, nonsubstantive changes to the ICD-10 codes included in the PDPM code mappings and lists are applied through a subregulatory process consisting of posting updated code mappings and lists on the PDPM website. Substantive changes are proposed through notice and comment rulemaking. The final rule finalized several proposed changes to the PDPM ICD-10 mappings.

SNF QRP update

CMS is finalizing the adoption of a new process measure, the Centers for Disease Control and Prevention (CDC)-developed Influenza Vaccination Coverage Among Healthcare Personnel (HCP) (NQF#0431) measure, beginning with the FY 2024 SNF QRP. The measure is intended to increase influenza vaccination coverage in SNFs, promote patient safety, and increase the transparency of quality of care in the SNF setting. Residents of long-term care facilities have greater susceptibility for acquiring influenza. Therefore, monitoring and reporting influenza vaccination rates among HCP is important as HCP are at risk for acquiring influenza from residents and exposing residents to influenza. The measure reports the percentage of HCP who receive an influenza vaccine. SNFs will submit the measure data through the CDC National Healthcare Safety Network.

CMS is also revising the compliance date for certain SNF QRP reporting requirements, including the Transfer of Health Information measures and certain standardized patient assessment data elements to October 1, 2023. This will align the collection of data with the Inpatient Rehabilitation Facilities and Long-Term Care Hospitals and Home Health Agencies.

SNF VBP program

The rule finalizes a proposal to suppress the SNF 30-Day All-Cause Readmission Measure (SNFRM) as part of the performance scoring for the FY 2023 SNF VBP program year. The combination of fewer admissions to SNFs, regional differences in the prevalence of COVID-19 throughout the PHE, and changes in hospitalization patterns in FY 2021 has impaired the ability to use the SNFRM to calculate payments for the FY 2023 program year. For FY 2023, CMS will assign a performance score of zero to all participating SNFs, reduce the otherwise applicable adjusted Federal per diem rate for each SNF by 2%, and award SNFs 60% of that withhold, resulting in a 1.2% payback. Any SNF that does not report a minimum of 25 stays for the SNFRM will be excluded from the VBP program for FY 2023.

In addition, Section 111(a)(2) of the Consolidated Appropriations Act, 2021 allows the Secretary to add up to nine additional new measures to the VBP program with respect to payments beginning in FY 2023, which may include measures of functional status, patient safety, care coordination, or patient experience. CMS is using this authority to finalize the adoption of three new measures into the VBP program: two measures in FY 2026 and one measure in FY 2027.

CMS is also finalizing a number of updates to its scoring methodology:

  • Updating the policy for scoring SNFs that do not have sufficient baseline period data beginning with the FY 2026 VBP Program year.
  • Adoption of a measure minimum policy beginning with the FY 2026 SNF VBP program year, which will require a two-measure minimum for an SNF to receive an SNF performance score for FY 2026 and a three-measure minimum for FY 2027.
  • Adoption of a case minimum policy for the SNFRM that replaces the Low-Volume Adjustment policy beginning with the FY 2023 program year. 
  • Adoption of a case minimum policy for the SNF HAI, Total Nurse Staffing, and DTS PAC SNF Measures beginning between FY 2026 and FY 2027.

Our experts at BerryDunn have created an interactive rate calculator to assist you with the calculation of your PPS rates for FY 2023. You can access the PPS rate calculator now:

Click to download SNF PPS Rate Calculator

Please note: The rates per our calculator are prior to any FY 2023 VBP adjustment based on the final rule which includes special scoring and payment policies for FY 2023. When CMS releases the final VBP incentive payment multipliers for FY 2023 by facility, we will update the interactive rate calculator as necessary.

If you have any specific questions about the final rule or how it might impact your facility, please contact Ashley Tkowski or Melissa Baez.

Article
Fiscal Year (FY) 2023 Skilled Nursing Facility (SNF) Prospective Payment System (PPS) final rule