Skip to Main Content

insightsarticles

Cyberattacks in higher education—How prepared are you?

08.30.19

In light of the recent cyberattacks in higher education across the US, more and more institutions are finding themselves no longer immune to these activities. Security by obscurity is no longer an effective approach—all  institutions are potential targets. Colleges and universities must take action to ensure processes and documentation are in place to prepare for and respond appropriately to a potential cybersecurity incident.

BerryDunn’s Rick Gamache recently published several blog articles on incident response that are relevant to the recent cyberattacks. Below I have provided several of his points tailored to higher education leaders to help them prepare for cybersecurity incidents at their institutions.

What are some examples of incidents that managers need to prepare for?

Examples range from external breaches and insider threats to instances of malfeasance or incompetence. Different types of incidents lead to the same types of results—yet you can’t have a broad view of incidents. Managers should work with their teams to create incident response plans that reflect the threats associated with higher education institutions. A handful of general incident response plans isn’t going to cut it.

Managers need to work with their teams to develop a specific incident response plan for each specific type of incident. Why? Well, think of it this way: Your response to a careless employee should be different from your response to a malicious employee, for a whole host of legal reasons. Incident response is not a cookie-cutter process. In fact, it is quite the opposite. This is one of the reasons I highly suggest security teams include staff members outside of IT. When you’re responding to incidents, you want people who can look at a problem or situation from an external perspective, not just a technical or operational perspective within IT. These team members can help answer questions such as, what does the world see when they look at our institution? What institutional information might be valuable to, or targeted by, malicious actors? You’ll get some valuable fresh perspectives.

How short or long should the typical incident response plan be?

I often see good incident response plans no more than three or four pages in length. However, it is important that incident response plans are task oriented, so that it is clear who does what next. And when people follow an incident response plan, they should physically or digitally check off each activity, then record each activity.

What system or software do you recommend for recording incidents and responses?

There are all types of help desk software you can use, including free and open source software. I recommend using help desk software with workflow capabilities, so your team can assign and track tasks.

Any other tips for developing incident response plans?

First, managers should work with, and solicit feedback from across the academic and administrative areas within the institution when developing incident response plans. If you create these documents in a vacuum, they will be useless.

Second, managers and their teams should take their time and develop the most “solid” incident response plans possible. Don’t rush the process. The effectiveness of your incident response plans will be critical in assessing your institution’s ability to survive a breach. Because of this, you should be measuring your response plans through periodic testing, like conducting tabletop exercises.

Third, keep your students and external stakeholders in mind when developing these plans. You want to make sure external communications are consistent, accurate, and within the legal requirements for your institution. The last thing you want is students and stakeholders receiving conflicting messages about the incident. 

Are there any decent incident response plans in the public domain that managers and their teams can adapt for their own purposes?

Yes. My default reference is the National Institute of Standards and Technology (NIST). NIST has many special publications that describe the incident response process, how to develop a solid plan, and how to test your plan.

Should institutions have dedicated incident response teams?

Definitely. Institutions should identify and staff teams using internal resources. Some institutions may want to consider hiring a reputable third party to act as an incident response team. The key with hiring a third party? Don’t wait until an incident occurs! If you wait, you’re going to panic, and make panic-based decisions. Be proactive and hire a third party on retainer.

That said, institutions should consider hiring a third party on an annual basis to review incident response plans and processes. Why? Because every institution can grow complacent, and complacency kills. A third party can help gauge the strengths and weaknesses of your internal incident response teams, and provide suggestions for general or specific training. A third party can also educate your institution about the latest and greatest cyber threats.

Should managers empower their teams to conduct internal “hackathons” in order to test incident response?

Sure! It’s good practice, and it can be a lot of fun for team members. There are a few caveats. First, don’t call it a hackathon. The word can elicit negative or concerned reactions. Call it “active testing” or “continuous improvement exercises.” These activities allow team members to think creatively, and are opportunities for them to boost their cybersecurity knowledge. Second, be prepared for pushback. Some managers worry if team members gain more cybersecurity skills, then they’ll eventually leave the institution for another, higher-paying job. I think you should be committed to the growth of your team members―it’ll only make your institution more secure.

What are some best practices managers should follow when reporting incidents to their leadership?

Keep the update quick, brief, and to the point. Leave all the technical jargon out, and keep everything in an institutional context. This way leadership can grasp the ramifications of the event and understand what matters. Be prepared to outline how you’re responding and what actions leadership can take to support the incident response team and protect the institution. In the last chapter, I mentioned what I call the General Colin Powell method of reporting, and I suggest using that method when informing leadership. Tell them what you know, what you don’t know, what you think, and what you recommend. Have answers, or at least a plan.

How much institution-wide communication should there be about incidents?

That’s a great question, but a tough one to answer. Transparency is good, but it can also unintentionally lead to further incidents. Do you really want to let your whole institution know about an exploitable weakness? Also, employees can spread information about incidents on social media, which can actually lead to the spread of misinformation. If you are in doubt about whether or not to inform the entire institution about an incident, refer to your Legal Department. In general, institution-wide communication should be direct: We’ve had an incident; these are the facts; this is what you are allowed to say on social media; and this is what you’re not allowed to say on social media.

Another great but tough question: When do you tell the public about an incident? For this type of communication, you’re going to need buy-in from various sources: senior leadership, Legal, HR, and your PR team or external PR partners. You have to make sure the public messaging is consistent. Otherwise, citizens and the media will try to poke holes in your official story. And that can lead to even more issues.

What are the key takeaways for higher education leaders?

Here are key takeaways to help higher education leaders prepare for and respond appropriately to cybersecurity incidents:

  1. Understand your institution’s current cybersecurity environment. 
    Questions to consider: Do you have Chief Information Security Officer (CISO) and/or a dedicated cybersecurity team at your institution? Have you conducted the appropriate audits and assessments to understand your institution’s vulnerabilities and risks?
  2. Ensure you are prepared for cybersecurity incidents. 
    Questions to consider: Do you have a cybersecurity plan with the appropriate response, communication, and recovery plans/processes? Are you practicing your plan by walking through tabletop exercises? Do you have incident response teams?

Higher education continues to face growing threats of cybersecurity attacks – and it’s no longer a matter of if, but when. Leaders can help mitigate the risk to their institutions by proactively planning with incident response plans, communication plans, and table-top exercises. If you need help creating an incident response plan or wish to speak to us regarding preparing for cybersecurity threats, please reach out to us.
 

Related Industries

Related Professionals

Principals

BerryDunn experts and consultants

Read this if you are a CIO, CFO, Provost, or President at a higher education institution.

In my conversations with CIO friends over the past weeks, it is obvious that the COVID-19 pandemic has forced a lot of change for institutions. Information technology is the underlying foundation for supporting much of this change, and as such, IT leaders face a variety of new demands now and into the future. Here are important considerations going forward.

Swift impact to IT and rapid response

The COVID-19 pandemic has had a significant impact on higher education. At the onset of this pandemic, institutions found themselves quickly pivoting to work from home (WFH), moving to remote campus operations, remote instruction within a few weeks, and in some cases, a few days. Most CIOs I spoke with indicated that they were prepared, to some extent, thanks to Cloud services and online class offerings already in place—it was mostly a matter of scaling the services across the entire campus and being prepared for returning students and faculty on the heels of an extended spring break.

Services that were not in place required creative and rapid deployment to meet the new demand. For example, one CIO mentioned the capability to have staff accept calls from home. The need for softphones to accommodate student service and helpdesk calls at staff homes required rapid purchase, deployment, and training.

Most institutions have laptop loan programs in place but not scaled to the size needed during this pandemic. Students who choose to attend college on campus are now forced to attend school from home and may not have the technology they need. The need for laptop loans increased significantly. Some institutions purchased and shipped laptops directly to students’ homes. 

CIO insights about people

CIOs shared seeing positive outcomes with their staff. Almost all of the CIOs I spoke with mentioned how the pandemic has spawned creativity and problem solving across their organizations. In some cases, past staffing challenges were put on hold as managers and staff have stepped up and engaged constructively. Some other positive changes shared by CIOs:

  • Communication has improved—a more intentional exchange, a greater sense of urgency, and problem solving have created opportunities for staff to get engaged during video calls.
  • Teams focusing on high priority initiatives and fewer projects have yielded successful results. 
  • People feel a stronger connection with each other because they are uniting behind a common purpose.

Perhaps this has reduced the noise that most staff seem to hear daily about competing priorities and incoming requests that seem to never end.

Key considerations and a framework for IT leaders 

It is too early to fully understand the impact on IT during this phase of the pandemic. However, we are beginning to see budgetary concerns that will impact all institutions in some way. As campuses work to get their budgets settled, cuts could affect most departments—IT included. In light of the increased demand for technology, cuts could be less than anticipated to help ensure critical services and support are uninterrupted. Other future impacts to IT will likely include:

  • Support for a longer term WFH model and hybrid options
  • Opportunities for greater efficiencies and possible collaborative agreements between institutions to reduce costs
  • Increased budgets for online services, licenses, and technologies
  • Need for remote helpdesk support, library services, and staffing
  • Increased training needs for collaborative and instructional software
  • Increased need for change management to help support and engage staff in the new ways of providing services and support
  • Re-evaluation of organizational structure and roles to right-size and refocus positions in a more virtual environment
  • Security and risk management implications with remote workers
    • Accessibility to systems and classes 

IT leaders should examine these potential changes over the next three to nine months using a phased approach. The diagram below describes two phases of impact and areas of focus for consideration. 

Higher Education IT Leadership Phases

As IT leaders continue to support their institutions through these phases, focusing on meeting the needs of faculty, staff, and students will be key in the success of their institutions. Over time, as IT leaders move from surviving to thriving, they will have opportunities to be strategic and create new ways of supporting teaching and learning. While it remains to be seen what the future holds, change is here. 

How prepared are you to support your institution? 

If we can help you navigate through these phases, have perspective to share, or any questions, please contact us. We’re here to help.

Article
COVID-19: Key considerations for IT leaders in Higher Ed

Editor’s note: If you are a higher education CFO, CIO, CTO or other C-suite leader, this blog is for you.

The Gramm-Leach-Bliley Act (GLBA) has been in the news recently as the Federal Trade Commission (FTC) has agreed to extend a deadline for public comment regarding proposed changes to the Safeguards Rule. Here’s what you need to know.

GLBA, also known as the Financial Modernization Act, is a 1999 federal law providing rules to financial institutions for protecting consumer information. Colleges and universities fall under this act because they conduct financial activities (e.g., administration of financial aid, loans, and other financial services).

Under the Safeguards Rule financial Institutions must develop, implement, and maintain a comprehensive information security program that consists of safeguards to handle customer information.

Proposed changes

The FTC is proposing five modifications to the Safeguards Rule. The new act will:

  • Provide more detailed guidance to impacted institutions regarding how to develop and implement specific aspects of an overall information security program.
  • Improve the accountability of an institution’s information security programs.
  • Exempt small business from certain requirements.
  • Expand the definition of “financial institutions” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities.
  • Propose to include the definition of “financial institutions” and related examples in the rule itself rather than cross-reference them from a related FTC rule (Privacy of Consumer Financial Information Rule).

Potential impacts for your institution

The Federal Register, Volume 84, Number 65, published the notice of proposed changes that once approved by the FTC would add more prescriptive rules that could have significant impact on your institution. For example, these rules would require institutions to:

  1. Expand existing security programs with additional resources.
  2. Produce additional documentation.
  3. Create and implement additional policies and procedures.
  4. Offer various forms of training and education for security personnel.

The proposed rules could require institutions to increase their commitment in time and staffing, and may create hardships for institutions with limited or challenging resources.

Prepare now

While these changes are not final and the FTC is requesting public comment, here are some things you can do to prepare for these potential changes:

  • Evaluate whether your institution is compliant to the current Safeguards Rule.
  • Identify gaps between current status and proposed changes.
  • Perform a risk assessment.
  • Ensure there is an employee designated to lead the information security program.
  • Monitor the FTC site for final Safeguard Rules updates.

In the meantime, reach out to us if you would like to discuss the impact GLBA will have on your institution or if you would like assistance with any of the recommendations above. You can view a comprehensive list of potential changes here.

Source: Federal Trade Commission. Safeguards Rule. Federal Register, Vol. 84, No. 65. FTC.gov. April 4, 2019. https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/safeguards-rule

Article
Higher ed: GLBA is the new four-letter word, but it's not as bad as you think

Focus on the people: How higher ed institutions can successfully make an ERP system change

The enterprise resource planning (ERP) system is the heart of an institution’s business, maintaining all aspects of day-to-day operations, from student registration to staff payroll. Many institutions have used the same ERP systems for decades and face challenges to meet the changing demands of staff and students. As new ERP vendors enter the marketplace with new features and functionality, institutions are considering a change. Some things to consider:

  1. Don’t just focus on the technology and make change management an afterthought. Transitioning to a new ERP system takes considerable effort, and has the potential to go horribly wrong if sponsorship, good planning, and communication channels are not in place. The new technology is the easy part of a transition—the primary challenge is often rooted in people’s natural resistance to change.  
  2. Overcoming resistance to change requires a thoughtful and intentional approach that focuses on change at the individual level. Understanding this helps leadership focus their attention and energy to best raise awareness and desire for the change.
  3. One effective tool that provides a good framework for successful change is the Prosci ADKAR® model. This framework has five distinct phases that align with ERP change:

These phases provide an approach for developing activities for change management, preparing leadership to lead and sponsor change and supporting employees through the implementation of the change.

The three essential steps to leveraging this framework:

  1. Perform a baseline assessment to establish an understanding of how ready the organization is for an ERP change
  2. Provide sponsorship, training, and communication to drive employee adoption
  3. Prepare and support activities to implement, celebrate, and sustain participation throughout the ERP transition

Following this approach with a change management framework such as the Prosci ADKAR® model can help an organization prepare, guide, and adopt ERP change more easily and successfully. 

If you’re considering a change, but need to prepare your institution for a healthy ERP transition using change management, chart yourself on this ADKAR framework—what is your organization’s change readiness? Do you have appropriate buy-in? What problems will you face?

You now know that this framework can help your changes stick, and have an idea of where you might face resistance. We’re certified Prosci ADKAR® practitioners and have experience guiding Higher Ed leaders like you through these steps. Get in touch—we’re happy to help and have the experience and training to back it up. Please contact the team with any questions you may have.

1Prosci ADKAR®from http://www.prosci.com

Article
Perspectives of an Ex-CIO

Cloud services are becoming more and more omnipresent, and rapidly changing how companies and organizations conduct their day-to-day business.

Many higher education institutions currently utilize cloud services for learning management systems (LMS) and student email systems. Yet there are some common misunderstandings and assumptions about cloud services, especially among higher education administrative leaders who may lack IT knowledge. The following information will provide these leaders with a better understanding of cloud services and how to develop a cloud services strategy.

What are cloud services?

Cloud services are internet-based technology services provided and/or hosted by offsite vendors. Cloud services can include a variety of applications, resources, and services, and are designed to be easily scalable, cost effective, and fully managed by the cloud services vendor.

What are the different types?

Cloud services are generally categorized by what they provide. Today, there are four primary types of cloud services:

Cloud Service Types 

Cloud services can be further categorized by how they are provided:

  1. Private cloud services are dedicated to only one client. Security and control is the biggest value for using a private cloud service.
  2. Public cloud services are shared across multiple clients. Cost effectiveness is the best value of public cloud services because resources are shared among a large number of clients.
  3. Hybrid cloud services are combinations of on-premise software and cloud services. The value of hybrid cloud services is the ability to adopt new cloud services (private or public) slowly while maintaining on-premise services that continue to provide value.

How do cloud services benefit higher education institutions?

Higher education administrative leaders should understand that cloud services provide multiple benefits.
Some examples:

Cloud-Services-for-Higher-Education


What possible problems do cloud services present to higher education institutions?

At the dawn of the cloud era, many of the problems were technical or operational in nature. As cloud services have become more sophisticated, the problems have become more security and business related. Today, higher education institutions have to tackle challenges such as cybersecurity/disaster recovery, data ownership, data governance, data compliance, and integration complexities.

While these problems and questions may be daunting, they can be overcome with strong leadership and best-practice policies, processes, and controls.

How can higher education administrative leaders develop a cloud services strategy?

You should work closely with IT leadership to complete this five-step planning checklist to develop a cloud services strategy: 

1. 

Identify new services to be added or consolidated; build a business case and identify the return on investment (ROI) for moving to the cloud, in order to answer:

• 

What cloud services does your institution already have?

• 

What cloud services does your institution already have?

• 

What services should you consider replacing with cloud services, and why?

• 

How are data decisions being made?

2. 

Identify design, technical, network, and security requirements (e.g., private or public; are there cloud services already in place that can be expanded upon, such as a private cloud service), in order to answer:

• 

Is your IT staff ready to migrate, manage, and support cloud services?

• 

Do your business processes align with using cloud services?

• 

Do cloud service-provided policies align with your institution’s security policies?

• 

Do you have the in-house expertise to integrate cloud services with existing on-premise services?

3. 

Decide where data will be stored; data governance (e.g., on-premise, off-premise data center, cloud), in order to answer:

• 

Who owns the data in the institution’s cloud, and where?

• 

Who is accountable for data decisions?

4. 

Integrate with current infrastructure; ensure cloud strategy easily allows scalability for expansion and additional services, in order to answer:

• 

What integration points will you have between on-premise and cloud applications or services, and can the institution easily implement, manage, and support them?

5. 

Identify business requirements — budget, timing, practices, policies, and controls required for cloud services and compliance, in order to answer:

• 

Will your business model need to change in order to support a different cost model for cloud services (i.e., less capital for equipment purchases every three to five years versus a steady monthly/yearly operating cost model for cloud services)?

• 

Does your institution understand the current state and federal compliance and privacy regulations as they relate to data?

• 

Do you have a contingency plan if its primary cloud services provider goes out of business?

• 

Do your contracts align with institutional, state, and federal guidelines?

Need assistance?

BerryDunn’s higher education team focuses on advising colleges and universities in improving services, reducing costs, and adding value. Our team is well qualified to assist in understanding the cloud “skyscape.” If your institution seeks to maximize the value of cloud services or develop a cloud services strategy, please contact me.

Article
Cloud services 101: An almanac for higher education leaders

Read this if you are at a not-for-profit organization.

There is no question the investment landscape is forever changing. Even before COVID-19 placed a vice grip on all aspects of society, many not-for-profit organizations were looking for ways to maximize the value of their current investment holdings. One such way of accomplishing this is through the use of alternative investments, defined for our purposes as investments outside of standard assets such as traditional stocks and bonds. Alternative investments have become increasingly specialized and are often seen in the form of foreign corporations or partnerships (often times domiciled in locales such as the Cayman Islands where tax laws are more favorable to investors) and are much more commonplace than ever before.

While promises of higher rates of return are received warmly by not-for-profit organizations, alternative investments often carry with them the potential for additional compliance costs in the form of tax filing obligations and substantial penalties should those filings be overlooked.

This article will highlight some of those potential foreign filings, as well as highlight potential consequences they carry and what you need to know in order to avoid the pitfalls. 

Potential foreign filings related to investment activities

Not-for profit organizations should be aware of the potential filings/disclosures required in regards to their ownership of investments located outside of the United States. The federal government uses a variety of forms to track transfers of property, ownership, and account balances related to foreign activity/investments. A list of some of the potential foreign filings are detailed below (not an all-inclusive list):

Form 926 – Return by a US Transferor of Property to a Foreign Corporation

This form is generally required when a US investor transfers more than $100,000 in a 12-month period, or any other contribution when the investor owns 10% or more of a foreign corporation. The requirement to file this form can be via a direct investment in the foreign corporation, or indirectly through another entity (such as a partnership interest). The penalty for failure to file is equal to 10 percent of the transfer amount, up to $100,000 per missed filing.

Form 8865 – Return of US Persons with Respect to Certain Foreign Partnerships

Similar to Form 926, this filing arises when a US person (which includes not-for-profit organizations) transfers $100,000 or more in a given year, or if they own 10% or more of the foreign partnership. There are different levels of disclosure required for different categories of filers. Filings are also triggered by both direct and indirect investments. The penalty for failure to file varies by category type, ranging from $10,000 to up to $100,000 per missed filing.

FinCEN Form 114 – Report of Foreign Bank and Financial Accounts

Commonly referred to as the FBAR, this form tracks assets that US taxpayers hold in offshore accounts, whether they be foreign bank accounts, brokerage accounts, or mutual funds. This form is required when the aggregate value of all foreign financial accounts exceeds $10,000 at any time during the calendar year. Further, any individual or entity that owns more than 50 percent of the account directly or indirectly must file the form. Lastly, individuals who have signature authority over accounts held by the organization are also required to file the FinCEN Form 114 with their individual income tax return. The penalty for failure to file can vary, but can be as high as 50 percent of the account’s value.

Please note: there is a specific definition of the term “foreign financial account” which excludes certain items from the definition. Organizations are encouraged to consult their tax advisors for more information.

Form 5471 – Information Return of US Persons with Respect to Certain Foreign Corporations

Form 5471 is required to be filed when ownership is at least 10% in a foreign corporation. There are different disclosures required for different categories of ownership. Organizations required to file Form 5471 are typically operating internationally and have ownership of a foreign corporation which triggers the filing, but this form would also apply to investments in foreign corporations if ownership is at least 10%. The penalty for failure to file is typically $10,000 per missed filing.

Recommendations to avoid the pitfalls of alternative investments

In order to avoid missed filing requirements, exempt organizations should ask their investment advisors if any investment will involve organizations outside of the United States. If the answer is “yes,” then your organization needs to understand any additional filing requirements up front in order to take into consideration any additional compliance costs related to foreign filings. You should review and share all relevant investment documentation and subsequent information (e.g., prospectus and any other offering materials) with your finance/accounting department, as well as your tax advisors—prior to investment.

We also recommend you engage in open and frequent communication with your investment managers and advisors (both within and outside the organization). Those who manage the entity’s investments should also stay in close contact with fund managers who can help communicate when assets are invested in a way that might trigger a foreign filing obligation.

As investment practices and strategies become increasingly complex, organizations need to stay vigilant and aware in this forever changing landscape. We’re here to help. If you have any questions or concerns about current investment holdings and potential foreign filings, please do not hesitate to reach out to a member of our not-for-profit tax team.

Article
Alternative investments: Potential pitfalls not-for-profit organizations need to know

Read this if you are an employee benefit plan fiduciary.

Fiduciary risk management

This is the final article in a series to help employee benefit plan fiduciaries better understand their responsibilities and manage the risks of non-compliance with ERISA requirements. You can find the full series here.

If, as part of your involvement with an employee benefit plan, you have decision-making ability; you advise those with decision-making ability; or someone tasks you with decision-making related to the plan, you are more likely than not, a fiduciary. As discussed in the first article of the series, this status comes with responsibilities and, therefore, risks and consequences.

The general approach to handling risk is a cycle of identifying, assessing, controlling, and reviewing controls over risks. Based on the assessment of a given risk, there are four ways to manage it: you can avoid, reduce, transfer, or accept the risk. 

Identifying and assessing fiduciary risk1 

The risks facing a plan fiduciary include, but are not limited to, the following:

Removal of fiduciary

In appropriate cases, a fiduciary may be removed and permanently prohibited from acting as a fiduciary or from providing services to ERISA plans.

Civil penalties

Among other penalties, the DOL may assess a civil penalty equal to 20% of the amounts recovered for the plan through litigation or settlement.

Criminal prosecution

Upon a conviction for a willful violation of ERISA’s reporting and disclosure requirements, a fiduciary may be subject to fines and/or imprisonment for not more than ten years. There is also a provision in ERISA that applies to any person, not just ERISA fiduciaries, that makes coercive interference with ERISA rights a criminal offense punishable by fines and/or imprisonment for up to ten years. In addition, outside of ERISA, there are a number of criminal statutes that apply to any person, not just ERISA fiduciaries, including criminal statutes for embezzling from an ERISA plan, making false statements in ERISA documents, and taking illegal kickbacks in connection with an ERISA plan.

Participant lawsuits

Additionally, plan participants may file a lawsuit against the fiduciary for breach of their fiduciary duty. Over the past few years, this has become more common and has generally been related to the fiduciary’s failure to adequately negotiate and monitor plan fees. 

Co-fiduciary liability

ERISA's unique co-fiduciary liability provisions make each fiduciary responsible for the actions of the other plan fiduciaries but only under certain circumstances. As a general rule, fiduciaries aren’t responsible for the breach of another fiduciary unless:

  • They participate knowingly in, or knowingly undertake to conceal, an act or omission of such other fiduciary, knowing such act or omission is a breach;
  • Their failure to be prudent in the administration of their own fiduciary responsibilities enables the other fiduciary to commit a breach; or
  • They have knowledge of a breach by such other fiduciary and don’t make reasonable efforts under the circumstances to remedy the breach.

Controlling fiduciary risk

There are several ways to effectively manage fiduciary risk. When used together, they give you solid controls to greatly reduce your level of risk.

Plan documentation

A fiduciary and/or plan sponsor should reduce their exposure to the risks identified above and their first line of defense is through plan documentation (discussed in depth here). Broadly speaking, the organizers and fiduciaries of the plan should ensure that policies and procedures are laid out to ensure proper oversight and internal controls are in place to prevent any voluntary or involuntary noncompliance with ERISA and the DOL.

Oversight

Fiduciaries should meet formally on a regular basis to review the plan’s offerings, service providers, fees, and other issues that may affect the plan. A single individual who is the sole fiduciary for a plan may not have the knowledge or bandwidth to appropriately fulfill the responsibilities of the plan. Additionally, having an auditor come in and audit the plan can help identify some of the risks identified above, although an audit of the plan does not reduce your responsibility to monitor and review the plan’s activity on an ongoing basis.

Third Party Administrators (TPA) & recordkeepers

Fiduciaries may also be able to mitigate some of the risks identified above through use of a TPA and/or recordkeeper. While TPAs and recordkeepers are not generally considered fiduciaries or co-fiduciaries, TPAs have varying service offerings, including recordkeeping, that are powerful tools to plan administrators to review and operate the plan. For example, depending on the plan sponsor’s existing payroll and HR structure, inclusive of TPAs and recordkeepers, fiduciaries may be able to automate the transfer of contributions to ensure timeliness of deposits. The plan may also be able to add another layer of internal controls by incorporating the TPA’s or recordkeeper’s internal controls into the plan’s control environment assuming the fiduciary has gained an understanding and comfort around the controls present at the TPA and/or recordkeeper.

Professional investment advisors and co-fiduciaries

Employee benefit plans must meet certain requirements with regard to their investment offerings. For instance, the plan must allow participants to invest in a diversified portfolio. The plan may try to transfer some of these risks and employ the help of a professional investment advisor to help ensure the plan’s investment offerings meet such criteria. This could involve hiring either an ERISA 3(21) fiduciary or an ERISA 3(38) fiduciary. The former serves as an advisor and a co-fiduciary, but does not have any authority by themselves, while the latter is an investment manager and therefore authorized to select investments for the plan. Doing so may help demonstrate to regulators that a fiduciary has fulfilled their duty in this regard. Alternatively, a plan may hire a 3(16) Fiduciary. 3(16) Fiduciaries are individuals or organizations that are charged with running plans as the plan administrator. A company may be able to shift most of their fiduciary risk to such a fiduciary. 

In any case, the plan fiduciary must continue to monitor a 3(16), 3(21) or 3(38) advisor to make sure it is still prudent to use that advisor.

Bonding and fiduciary liability insurance

Bonding is required for most EB plans and does not protect the fiduciary from any risk. It does however protect the plan from fraud or dishonesty. On the other hand, fiduciary liability insurance can protect the fiduciary in the case of breach of fiduciary duty. This type of insurance is not required but is another option to transfer fiduciary risk.

As mentioned in our second article, much like owning a car, regular preventative maintenance can help you avoid the need for costly repairs. Plan fiduciaries should periodically refresh their understanding of ERISA requirements and re-evaluate their current and future business activities on an ongoing basis. Doing so will help mitigate any risks associated with non-compliance with the DOL and IRS and keep the plan running smoothly. 

Need help navigating the fiduciary road? Reach out to the BerryDunn employee benefit consulting team today.

1From Fidelity’s Plan Sponsor Webstation: Consequences of breach of fiduciary duties 

Article
Fiduciary risk: Five ways to control and reduce it

Read this if you are an employer that gives employee gifts.

The holiday season is officially in full swing! Unlike Ebenezer Scrooge, many employers are looking for ways to recognize the dedication and hard work of their employees. This gratitude often comes in the form of a holiday gift of some fashion. While this generosity is well-intended, gifts to employees can be fraught with potential tax consequences organizations should be aware of. This article will attempt to demystify the rules surrounding employee gifts to ensure organizations and their employees have a joyous holiday season.

Holiday gifts: Taxable or not?

So, are holiday gifts to employees taxable? The answer, as is so often the case with tax questions, is it depends. The IRS is very clear that cash and cash equivalents (specifically including gift cards) are always included as taxable income when they are provided by the employer, regardless of amount, with no exceptions. This means that if you plan to give your employees cash or a gift card this year, the value must be included in the employees’ wages and is subject to all payroll taxes. Bah humbug indeed!

Nontaxable gift options

There are however, a few ways to make nontaxable gifts to employees. In each instance the gift must be noncash (nor convertible to cash). IRS Publication 15 offers a variety of examples of de minimis (minimal) benefits, defined as any property or service you provide to an employee that has a minimal value, making the accounting for it unreasonable and administratively impracticable. Examples include holiday or birthday gifts with a low market value (a card and flowers, fruit baskets, a box of chocolates, etc.), or occasional tickets for theater or sporting events, among others. Again, cash and cash equivalents never qualify. The key is that the gift must be occasional or unusual in its frequency and must not be a form of disguised compensation. While de minimis benefits can be a gray area, the IRS has generally deemed items with a value exceeding $100 as too large to qualify as de minimis.

Holiday gifts can also be nontaxable if they are in the form of a gift coupon, if given for a specific item (with no redeemable cash value). A common example would be issuing a coupon to your employee for a free ham or turkey redeemable at the local grocery store. Nontaxable employee gifts can also come in the form of achievement awards, either for length of service or for safety achievements. The proverbial gold watch upon retirement is a classic example of such a gift. Here too, the award must always be tangible personal property—never cash or a cash equivalent. There are additional rules and value thresholds on any such gift. Please contact a member of your tax team to discuss these specific details further.

Whether employers are considering supplying gift cards, turkeys, or something in between, we hope all find this guidance helpful and still in the giving spirit! Coincidentally, at the end of A Christmas Carol, Ebenezer himself gives Bob Cratchit a turkey on Christmas day. Of course Mr. Scrooge would be aware of the potential tax consequences! We wish you all a very happy and healthy holiday season!

Not-for-profit resources

If you are a not-for-profit organization receiving charitable gifts, read Donor Acknowledgements: We have to file what?

Article
What employers need to know before making gifts to employees

Read this if you are responsible for cybersecurity at your organization. 

During the financial audit process auditors are required to develop and confirm their understanding of Information Technology (IT) and cybersecurity practices as it relates to financial reporting to better understand risks and because of auditors’ heavy reliance on data pulled from accounting information systems. As auditors, we have seen a significant increase in the amount of impactful incidents affecting not-for-profit organizations and our IT security experts often share valuable advisory comments in annual audit communications with our clients. With recent incidents and a very rapidly changing business environment, here are the three most important from the last six months that impact all not-for-profits. 

Board oversight of cybersecurity 

Cybersecurity gaps within an organization’s systems may lead to risk exposure and have material impacts on all aspects of operations. Responsibility for cybersecurity controls and for establishing a culture of awareness and security should come from the Board and senior leadership. Board members and senior leaders should stay apprised of cybersecurity efforts on a regular basis and incidents should be summarized and reported on a quarterly basis. 

The Board should also consider adding a member who is a professional with IT and cybersecurity experience to help manage and understand the specific risks to the organization and help drive and support cybersecurity efforts.

Ransomware threats and preventive controls

The use of ransomware as a profitable attack on organizations by hackers continues to rapidly increase. Within the last year there have been multiple high-profile incidents that illustrate the impact of a successful attack. These impacts fall into two main areas. One impact may be financial, as millions of dollars are paid to the bad actors as ransom in hopes of being able to regain control of systems. The second impact is operational, resulting in a loss of control of systems and data during the event. Potentially, an unsuccessful data restoration could result in the total loss of information and data maintained on your networks. 

Though no organization may be able to prevent a ransomware attack from occurring entirely, there are basic cybersecurity controls that help reduce the likelihood and impact of an attack. Preventive controls may include: 

  • Security awareness training on phishing emails and overall IT security practices for all organization users
  • Multi-factor authentication 
  • Access controls that prevent users from installing unapproved software onto organization-owned workstations and networks
  • Anti-malware software installed on devices that connect to organization systems 
  • Use of Zero Trust data management tools for backups
  • Disabling macros in emails (prevents back-end processes from automatically running) 

In addition to including these preventive controls to your cybersecurity program, your organization should assess current corrective controls already in place to react to a ransomware event if one is detected or reported. Corrective controls may include:

  • Disaster recovery plans/business continuity plans 
  • Incident response plans
  • Backup controls and restoration tests 

As the risk of ransomware continues to increase and the types of attacks continue to increase in sophistication, your organization should consider regular assessments of IT controls and cybersecurity practices on a regular basis. Such assessments may be performed in conjunction with annual financial statement audits as an expanded scope and/or as a separate annual IT assessment. 

COVID-19 IT considerations 

The global COVID-19 pandemic significantly impacted nearly every aspect of modern life, including the way we work. As personnel were sent home and literally became a remote workforce overnight, changes to IT systems and controls rapidly adjusted to accommodate this new way of business. 

Where controls and procedures were adjusted, if not suspended, your organization should review those changes and determine if controls should revert back to the pre-pandemic process—or be formally changed and documented as policy. 

Guidance from the American Institute of Certified Public Accountants (AICPA) dictates that a gap in controls associated with the pandemic is not a legitimate reason for not completing a control and that any changes must be documented and properly managed.  

Well over a year into the pandemic, the concept of a hybrid workforce has emerged as the predominant way employees and businesses want to work. Your organization should review current policies and procedures that may pre-date the pandemic to ensure that the updates both document and consider the current business environment. 

Additionally, with personnel working remotely or in a hybrid model, or a combination of both, you should assess practices for managing remote access and a hybrid workforce and, where needed, implement industry best-practice tools and procedures to accommodate a remote workforce while maintaining security controls. If you have questions regarding you cybersecurity procedures or want to learn more, please contact our team. We’re here to help. 
 

Article
Cybersecurity update for organizations: Considerations for boards and senior management

Read this if you are a Chief Financial Officer, Chief Compliance Officer, FINOP, or charged with governance of a broker-dealer.

The results of the Public Company Accounting Oversight Board’s (PCAOB) 2020 inspections are included in its 2020 Annual Report on the Interim Inspection Program Related to Audits of Brokers and Dealers. There were 65 audit firms inspected in 2020 by the PCAOB and, although deficiencies declined 11% from 2019, 51 firms still had deficiencies. This high level of deficiencies, as well as the nature of the deficiencies, provides insight into audit quality for broker-dealer stakeholders. Those charged with governance should be having conversations with their auditor to see how they are addressing these commonly found deficiencies and asking if the PCAOB identified any deficiencies in the auditor’s most recent examination. 

If there were deficiencies identified, what actions have been taken to eliminate these deficiencies going forward? Although the annual report on the Interim Inspection Program acts as an auditor report card, the results may have implications for the broker-dealer, as gaps in audit quality may mean internal control weaknesses or misstatements go undetected.

Attestation Standard (AT) No. 1 examination engagements test compliance with the financial responsibility rules and the internal controls surrounding compliance with the financial responsibility rules. The PCAOB examined 21 of these engagements and found 14 of them to have deficiencies. The PCAOB continued to find high deficiency rates in testing internal control over compliance (ICOC). They specifically found that many audit firms did not obtain sufficient, appropriate evidence about the operating effectiveness of controls important to the auditor’s conclusions regarding the effectiveness of ICOC. This insufficiency was widespread in all four areas of the financial responsibility rules: the Reserve Requirement rule, possession or control requirements of the Customer Protection Rule, Account Statement Rule, and the Quarterly Security Counts Rule.

The PCAOB also identified a firm that included a statement in its examination report that referred to an assertion by the broker-dealer that its ICOC was effective as of its fiscal year-end; however, the broker-dealer did not include that required assertion in its compliance report.

AT No. 2 review engagements test compliance with the broker-dealer’s exemption provisions. The PCAOB examined 83 AT No. 2 engagements and found 19 of them to have deficiencies. The most significant deficiencies were that audit firms:

  • Did not make required inquiries, including inquiries about controls in place to maintain compliance with the exemption provisions, and those involving the nature, frequency, and results of related monitoring activities.
  • Similar to AT No. 1 engagements, included a statement in their review reports that referred to an assertion by the broker-dealer that it met the identified exemption provisions throughout the most recent fiscal year without exception; however, the broker-dealers did not include that required assertion in their exemption reports.

The majority of the deficiencies found were in the audits of the financial statements. The PCAOB did not examine every aspect of the financial statement audit, but focused on key areas. These areas were: revenue, evaluating audit results, identifying and assessing risks of material misstatement, related party relationships and transactions, receivables and payables, consideration of an entity’s ability to continue as a going concern, consideration of materiality in planning and performing an audit, leases, and fair value measurements. Of these areas, revenue and evaluating audit results had the most deficiencies, with 45 and 27 deficiencies, or 47% and 26% of engagements examined, respectively.

Auditing standards indicate there is a rebuttable presumption that improper revenue recognition is a fraud risk. In the PCAOB’s examinations, most audit firms either identified a fraud risk related to revenue or did not rebut the presumption of revenue recognition as a fraud risk. These firms should have addressed the risk of material misstatement through appropriate substantive procedures that included tests of details. The PCAOB noted there were instances of firms that did not perform any procedures for one or more significant revenue accounts, or did not perform procedures to address the assessed risks of material misstatement for one or more relevant assertions for revenue. The PCAOB also identified deficiencies related to revenue in audit firms’ sampling methodologies and substantive analytical procedures. Other deficiencies of note, that were not revenue related, included:

  • Incomplete qualitative and quantitative disclosure information, specifically in regards to revenue from contracts with customers and leases.
  • Missing required elements from the auditor’s report.
  • Missing auditor communications:
    • Not inquiring of the audit committee (or equivalent body) about whether it was aware of matters relevant to the audit.
    • Not communicating the audit strategy and results of the audit to the audit committee (or equivalent body).
  • Engagement quality reviews were not performed for some audit and attestation engagements.
  • Audit firms assisted in the preparation of broker-dealer financial statements and supplemental information.

Although there have been improvements in the amounts of deficiencies found in the PCAOB’s examinations, the 2020 annual report shows that there is still work to be done by audit firms. Just like auditors should be inquiring of broker-dealer clients about the results of their most recent FINRA examination, broker-dealers should be inquiring of auditors about the results of their most recent PCAOB examination. Doing so will help broker-dealers identify where their auditor may reside on the audit quality spectrum. If you have any questions, please don’t hesitate to reach out to our broker-dealer services team.

Article
2020 Annual Report on the Interim Inspection Program Related to Audits of Brokers and Dealers