Cybersecurity risk strategies for cost‑conscious nonprofits

Benchmarking doesn’t need to be time and resource consuming. Read on for four simple steps you can take to improve efficiency and maximize resources.

Stop us if you’ve heard this one before (from your Board of Trustees or Finance Committee): “I wish there was a way we could benchmark ourselves against our competitors.”

Have you ever wrestled with how to benchmark? Or struggled to identify what the Board wants to measure? Organizations can fall short on implementing effective methods to benchmark accurately. The good news? With a planned approach, you can overcome traditional obstacles and create tools to increase efficiency, improve operations and reporting, and maintain and monitor a comfortable risk level. All of this can help create a competitive advantage — and it  isn’t as hard as you might think.

Even with a structured process, remember that benchmarking data has pitfalls, including:

• Peer data can be difficult to find. Some industries are better than others at tracking this information. Some collect too much data that isn’t relevant, making it hard to find the data that is.
   
• The data can be dated. By the time you close your books for the year and data is available, you’re at least six months into the next fiscal year. Knowing this, you can still build year-over-year trending models that you can measure consistently.
   
• The underlying data may be tainted. As much as we’d like to rely on financial data from other organization and industry surveys, there’s no guarantee that all participants have applied accounting principles consistently, or calculated inputs (e.g., full-time equivalents) in the same way, making comparisons inaccurate.

Despite these pitfalls, benchmarking is a useful tool for your organization. Benchmarking lets you take stock of your current financial condition and risk profile, identify areas for improvement and find a realistic and measurable plan to strengthen your organization.

Here are four steps to take to start a successful benchmarking program and overcome these pitfalls:

1. Benchmark against yourself. Use year-over-year and month-to-month data to identify trends, inconsistencies and unexplained changes. Once you have the information, you can see where you want to direct improvement efforts.
2. Look to industry/peer data. We’d love to tell you that all financial statements and survey inputs are created equally, but we can’t. By understanding the source of your information, and the potential strengths and weaknesses in the data (e.g., too few peers, different size organizations and markets, etc.), you will better know how to use it. Understanding the data source allows you to weigh metrics that are more susceptible to inconsistencies.

3. Identify what is important to your organization and focus on it. Remove data points that have little relevance for your organization. Trying to address too many measures is one of the primary reasons benchmarking fails. Identify key metrics you will target, and watch them over time. Remember, keeping it simple allows you to put resources where you need them most.

4. Use the data as a tool to guide decisions. Identify aspects of the organization that lie beyond your risk tolerance and then define specific steps for improvement.

Once you take these steps, you can add other measurement strategies, including stress testing, monthly reporting, and use in budgeting and forecasting. By taking the time to create and use an effective methodology, this competitive advantage can be yours. Want to learn more? Check out our resources for not-for-profit organizations here.

Read this if you are interested in building a thriving workforce.

As businesses across the country continue to struggle to find and keep employees, it is time to build a workplace that sends a clear message to employees: “We care about you as a person. Your well-being matters.” 

Many leaders will send communications that emphasize the importance of people and the value of well-being. Despite this messaging, many organizations are missing opportunities to make well-being a natural part of the employee experience. The resulting disconnect between messaging and reality can result in frustration, disengagement, and cynicism. We’ve compiled a list of some of the most common workplace factors that can disrupt an organization’s intentions to build a strong well-being culture. 

Are you missing the mark with employee well-being? 

The chart below illustrates common ways that employers may be missing the mark on providing a supportive environment to employees. As you’ll see, they can be both large things like compensation and benefits, but they can also be small, potentially easy-to-fix things such as providing healthy snacks in the office instead of junk food. Look at this chart holistically for ways you may be able to change some negative influences into positive ones.

Overcoming the challenges to your well-being goals takes time. And while it is natural for organizations to think of employee well-being as the responsibility of human resources and leadership, in reality, well-being is a product of every part of the employee experience. In other words, it’s part of everyone’s job.

Well-being program considerations

Understanding the pain points for employees is an essential element of any successful well-being program, even if those pain points exist outside the domain of traditional well-being and wellness programs. Here are some things to consider:

• Find out what matters to your employees, as every organization is different. Use surveys, interviews, and focus groups to understand priorities and do something substantive with what you learn.
• Make a plan to address operational challenges. Put simply, outdated technology and inefficient business processes stress employees out.
• Assess your well-being approach to identify strengths, gaps, and opportunities for improvement.
• Develop, document, and implement a well-being plan that aligns with your organizational culture and goals. 
• In the midst of planning a big system implementation of organizational change? Consider ways to integrate well-being as part of high-stress initiatives. 

How mature is your organization’s well-being program?

Understanding the maturity level of your organization’s well-being program can help you benchmark, assess progress, and gain leadership support by showing a clear path to improvement. This maturity model can help you assess where you are now and how to incrementally improve.

Have questions or need ideas about your specific situation? Contact our well-being consulting team. We’re here to help.

Read this if your CFO has recently departed, or if you're looking for a replacement.

With the post-Covid labor shortage, “the Great Resignation,” an aging workforce, and ongoing staffing concerns, almost every industry is facing challenges in hiring talented staff. To address these challenges, many organizations are hiring temporary or interim help—even for C-suite positions such as Chief Financial Officers (CFOs).

You may be thinking, “The CFO is a key business partner in advising and collaborating with the CEO and developing a long-term strategy for the organization; why would I hire a contractor to fill this most-important role?” Hiring an interim CFO may be a good option to consider in certain circumstances. Here are three situations where temporary help might be the best solution for your organization.

Your organization has grown

If your company has grown since you created your finance department, or your controller isn’t ready or suited for a promotion, bringing on an interim CFO can be a natural next step in your company’s evolution, without having to make a long-term commitment. It can allow you to take the time and fully understand what you need from the role — and what kind of person is the best fit for your company’s future.

BerryDunn's Kathy Parker, leader of the Boston-based Outsourced Accounting group, has worked with many companies to help them through periods of transition. "As companies grow, many need team members at various skill levels, which requires more money to pay for multiple full-time roles," she shared. "Obtaining interim CFO services allows a company to access different skill levels while paying a fraction of the cost. As the company grows, they can always scale its resources; the beauty of this model is the flexibility."

If your company is looking for greater financial skill or advice to expand into a new market, or turn around an underperforming division, you may want to bring on an outsourced CFO with a specific set of objectives and timeline in mind. You can bring someone on board to develop growth strategies, make course corrections, bring in new financing, and update operational processes, without necessarily needing to keep those skills in the organization once they finish their assignment. Your company benefits from this very specific skill set without the expense of having a talented but expensive resource on your permanent payroll.

Your CFO has resigned

The best-laid succession plans often go astray. If that’s the case when your CFO departs, your organization may need to outsource the CFO function to fill the gap. When your company loses the leader of company-wide financial functions, you may need to find someone who can come in with those skills and get right to work. While they may need guidance and support on specifics to your company, they should be able to adapt quickly and keep financial operations running smoothly. Articulating short-term goals and setting deadlines for naming a new CFO can help lay the foundation for a successful engagement.

You don’t have the budget for a full-time CFO

If your company is the right size to have a part-time CFO, outsourcing CFO functions can be less expensive than bringing on a full-time in-house CFO. Depending on your operational and financial rhythms, you may need the CFO role full-time in parts of the year, and not in others. Initially, an interim CFO can bring a new perspective from a professional who is coming in with fresh eyes and experience outside of your company.

After the immediate need or initial crisis passes, you can review your options. Once the temporary CFO’s agreement expires, you can bring someone new in depending on your needs, or keep the contract CFO in place by extending their assignment.

Considerations for hiring an interim CFO

Making the decision between hiring someone full-time or bringing in temporary contract help can be difficult. Although it oversimplifies the decision a bit, a good rule of thumb is: the more strategic the role will be, the more important it is that you have a long-term person in the job. CFOs can have a wide range of duties, including, but not limited to:

• Financial risk management, including planning and record-keeping
• Management of compliance and regulatory requirements
• Creating and monitoring reliable control systems
• Debt and equity financing
• Financial reporting to the Board of Directors

If the focus is primarily overseeing the financial functions of the organization and/or developing a skilled finance department, you can rely — at least initially — on a CFO for hire.

Regardless of what you choose to do, your decision will have an impact on the financial health of your organization — from avoiding finance department dissatisfaction or turnover to capitalizing on new market opportunities. Getting outside advice or a more objective view may be an important part of making the right choice for your company.

BerryDunn can help whether you need extra assistance in your office during peak times or interim leadership support during periods of transition. We offer the expertise of a fully staffed accounting department for short-term assignments or long-term engagements―so you can focus on your business. Meet our interim assistance experts.

Read this if you work in finance or accounting or rely on financial reporting information.

Does your financial close process provide the information you need to make educated business decisions? 

Timely reporting of financial results is key to stakeholder decision making. As a result of market and regulatory obligations, companies and organizations are confronted with increasingly strict guidelines for the delivery of timely, accurate reports. Enormous amounts of information on transactions must be processed in a limited timeframe. This requires a great deal of effort on the part of your accounting and finance teams. 

The typical financial close process can be broken down into the following segments:

While this workflow seems straightforward enough, the financial close is not a single flat process, but the combination of many interrelated and often codependent processes—each with its own stages. The closing and reporting process is complex, and involves many different data suppliers and dependencies. Think your billing department, accounts payable, cash receipt, procurement, and more. All of these areas are likely to have data inputs that go into your financial close.
 

It often ends up looking like this when you consider each task:

 
To make the situation more challenging, as companies and organizations grow, the closing process can become more onerous and take longer to complete. Tasks in the financial close process are often added to an existing process—a process that may be more reactionary and based in historical practice, and may not have been well thought-out or planned for the current environment. Adding these tasks and increasing data inputs and outputs adds additional pressure to an incredibly important, but often forgotten task: analysis.

The majority of finance departments spend the bulk of their time on the financial close itself. Unfortunately, this can lead to delays, uncovering mistakes well after the fact, and reports lagging behind current business operations. The later the analysis is performed and the reports are distributed, the less useful they become for decision making. 

Financial close optimization

The good news? There is a strategy to optimize your financial close process, called financial close optimization, or fast closing. Fast closing is the periodic and structured closing and reporting process, in which all knowledge about the financial facts is collected and distributed to stakeholders more quickly.

There is an emerging trend for more frequent financial reporting, which allows companies and organizations to be more nimble and responsive to financial results, especially when facing an unprecedented crisis like the COVID-19 pandemic. Optimizing the financial close process allows for quicker reporting of business results to give stakeholders a more timely financial picture.

We understand the scarcity of human and financial resources continues to prove challenging to financial teams. Creating a culture of continuous improvement is a challenging task for almost any finance team—but given the benefits of a fast closing and the increased costs of a longer close, is this something that can be ignored any longer?

Look out for our next article on tips and strategies to optimize your financial close, which can lead to:

• Freeing up resources to provide finance teams more time for a deeper analysis of operating performance and other strategic objectives
• Providing more accurate and timely reporting
• Improving the organization’s audit readiness 
• Lessening the need for traditional routine tasks 
• Increasing focus on clients, patients, and customers by spending more time looking ahead to possible opportunities. 

If you have any questions on how to improve your financial close, please contact us. We’re here to help.

Read this if you are responsible for cybersecurity at your organization. 

During the financial audit process auditors are required to develop and confirm their understanding of Information Technology (IT) and cybersecurity practices as it relates to financial reporting to better understand risks and because of auditors’ heavy reliance on data pulled from accounting information systems. As auditors, we have seen a significant increase in the amount of impactful incidents affecting not-for-profit organizations and our IT security experts often share valuable advisory comments in annual audit communications with our clients. With recent incidents and a very rapidly changing business environment, here are the three most important from the last six months that impact all not-for-profits. 

Board oversight of cybersecurity 

Cybersecurity gaps within an organization’s systems may lead to risk exposure and have material impacts on all aspects of operations. Responsibility for cybersecurity controls and for establishing a culture of awareness and security should come from the Board and senior leadership. Board members and senior leaders should stay apprised of cybersecurity efforts on a regular basis and incidents should be summarized and reported on a quarterly basis. 

The Board should also consider adding a member who is a professional with IT and cybersecurity experience to help manage and understand the specific risks to the organization and help drive and support cybersecurity efforts.

Ransomware threats and preventive controls

The use of ransomware as a profitable attack on organizations by hackers continues to rapidly increase. Within the last year there have been multiple high-profile incidents that illustrate the impact of a successful attack. These impacts fall into two main areas. One impact may be financial, as millions of dollars are paid to the bad actors as ransom in hopes of being able to regain control of systems. The second impact is operational, resulting in a loss of control of systems and data during the event. Potentially, an unsuccessful data restoration could result in the total loss of information and data maintained on your networks. 

Though no organization may be able to prevent a ransomware attack from occurring entirely, there are basic cybersecurity controls that help reduce the likelihood and impact of an attack. Preventive controls may include: 

• Security awareness training on phishing emails and overall IT security practices for all organization users
• Multi-factor authentication 
• Access controls that prevent users from installing unapproved software onto organization-owned workstations and networks
• Anti-malware software installed on devices that connect to organization systems 
• Use of Zero Trust data management tools for backups
• Disabling macros in emails (prevents back-end processes from automatically running) 

In addition to including these preventive controls to your cybersecurity program, your organization should assess current corrective controls already in place to react to a ransomware event if one is detected or reported. Corrective controls may include:

• Disaster recovery plans/business continuity plans 
• Incident response plans
• Backup controls and restoration tests 

As the risk of ransomware continues to increase and the types of attacks continue to increase in sophistication, your organization should consider regular assessments of IT controls and cybersecurity practices on a regular basis. Such assessments may be performed in conjunction with annual financial statement audits as an expanded scope and/or as a separate annual IT assessment. 

COVID-19 IT considerations 

The global COVID-19 pandemic significantly impacted nearly every aspect of modern life, including the way we work. As personnel were sent home and literally became a remote workforce overnight, changes to IT systems and controls rapidly adjusted to accommodate this new way of business. 

Where controls and procedures were adjusted, if not suspended, your organization should review those changes and determine if controls should revert back to the pre-pandemic process—or be formally changed and documented as policy. 

Guidance from the American Institute of Certified Public Accountants (AICPA) dictates that a gap in controls associated with the pandemic is not a legitimate reason for not completing a control and that any changes must be documented and properly managed.  

Well over a year into the pandemic, the concept of a hybrid workforce has emerged as the predominant way employees and businesses want to work. Your organization should review current policies and procedures that may pre-date the pandemic to ensure that the updates both document and consider the current business environment. 

Additionally, with personnel working remotely or in a hybrid model, or a combination of both, you should assess practices for managing remote access and a hybrid workforce and, where needed, implement industry best-practice tools and procedures to accommodate a remote workforce while maintaining security controls. If you have questions regarding you cybersecurity procedures or want to learn more, please contact our team. We’re here to help. 
 

More and more emphasis is being put on cybersecurity by companies of all sizes. Whether it’s the news headlines of notable IT incidents, greater emphasis on the value of data, or the monetization of certain types of attacks, an increasing amount of energy and money is going towards security. Security has the attention of leadership and the board and it is not going away. One of the biggest risks to and vulnerabilities of any organization’s security continues to be its people. Innovative approaches and new technology can reduce risk but they still don’t prevent the damage that can be inflicted by an employee simply opening an attachment or following a link. This is more likely to happen than you may think.

Technology also doesn’t prepare a management team for how to handle the IT response, communication effort, and workforce management required during and after an event. Technology doesn’t lessen the operational impact that your organization will feel when, not if, you experience an event.

So let’s examine the human and operational side of cybersecurity. Below are three factors you should address to reduce risk and prepare your organization for an event:

1. People: Create and maintain a vigilant workforce
   Ask yourself, “How prepared is our workforce when it comes to security threats and protecting our data? How likely would it be for one of our team members to click on a link or open an attachment that appear to be from our CFO? Would our team members look closely enough at the email address and notice that the organization name is different by one letter?”
    

   According to the 2016 Verizon Data Breach Report, 30% of phishing messages were opened by the target across all campaigns and 12% went on to click on the attachment or link.

   Phishing email attacks directed at your company through your team range from very obvious to extremely believable. Some attempts are sent widely and are looking for just one person to click, while others are extremely targeted and deliberate. In either case, it is vital that each employee takes enough time to realize that the email request is unusual. Perhaps there are strange typos in the request or it is odd the CFO is emailing while on vacation. That moment your employees take to pause and decide whether to click on the link/attachment could mean the difference between experiencing an event or not.
   
   So how do you create and cultivate this type of thought process in your workforce? Lots of education and awareness efforts. This goes beyond just an annual in-service training on HIPAA. It may include education sessions, emails with tips and tricks, posters describing the risk, and also exercises to test your workforce against phishing and security exploits. It also takes leadership embracing security as a strategic imperative and leading the organization to take it seriously. Once you have these efforts in place, you can create culture change to build and maintain an environment where an employee is not embarrassed to check with the CFO’s office to see if they really did send an email from Bora Bora.

2. Plan: Implement a disaster recovery and incident response plan 
   Through the years, disaster recovery plans have been the usual response. Mostly, the emphasis has been on recovering data after a non-security IT event, often discussed in context of a fire, power loss, or hardware failure. Increasingly, cyber-attacks are creeping into the forefront of planning efforts. The challenge with cyber-events is that they are murkier to understand – and harder for leadership – to assist with.
   
   It’s easier to understand the concept of a fire destroying your server room and the plan entailing acquiring new equipment, recovering data from backup, restoring operations, having good downtime procedures, and communicating the restoration efforts along the way. What is much more challenging is if the event begins with a suspicion by employees, customers, or vendors who believe their data has been stolen without any conclusive information that your company is the originating point of the data loss. How do you take action if you know very little about the situation? What do you communicate if you are not sure what to say? It is this level of uncertainty that makes it so difficult. Do you have a plan in place for how to respond to an incident? Here are some questions to consider:
    
   1. How will we communicate internally with our staff about the incident?
   2. How will we communicate with our clients? Our patients? Our community?
   3. When should we call our insurance company? Our attorney?
   4. Is reception prepared to describe what is going on if someone visits our office?
   5. Do we have the technical expertise to diagnose the issue?
   6. Do we have set protocols in place for when to bring our systems off-line and are our downtime procedures ready to use?
   7. When the press gets wind of the situation, who will communicate with them and what will we share?
   8. If our telephone system and network is taken offline, how we will we communicate with our leadership team and workforce?

By starting to ask these questions, you can ascertain how ready you may, or may not be, for a cyber-attack when it comes.

3. Practice: Prepare your team with table top exercises  
   Given the complexity and diversity of the threats people are encountering today, no single written plan can account for all of the possible combinations of cyber-attacks. A plan can give guidance, set communication protocols, and structure your approach to your response. But by conducting exercises against hypothetical situations, you can test your plan, identify weaknesses in the plan, and also provide your leadership team with insight and experience – before it counts.
   
   A table top exercise entails one team member (perhaps from IT or from an outside firm) coming up with a hypothetical situation and a series of facts and clues about the situation that are given to your leadership team over time. Your team then implements the existing plans to respond to the incident and make decisions. There are no right or wrong answers in this scenario. Rather, the goal is to practice the decision-making and response process to determine where improvements are needed.
   
   Maybe you run an exercise and realize that you have not communicated to your staff that no mention of the event should be shared by employees on social media. Maybe the exercise makes you realize that the network administrator who is on vacation at the time is the only one who knows how to log onto the firewall. You might identify specific gaps that are lacking in your cybersecurity coverage. There is much to learn that can help you prepare for the real thing.

As you know, there are many different threats and risks facing organizations. Some are from inside an organization while others come from outside. Simply throwing additional technology at the problem will not sufficiently address the risks. While your people continue to be one of the biggest threats, they can also be one of your biggest assets, in both preventing issues from occurring and then responding quickly and appropriately when they do. Remember focus on your People, Your Plan, and Your Practice.

In light of the recent cyberattacks in higher education across the US, more and more institutions are finding themselves no longer immune to these activities. Security by obscurity is no longer an effective approach—all  institutions are potential targets. Colleges and universities must take action to ensure processes and documentation are in place to prepare for and respond appropriately to a potential cybersecurity incident.

What are some examples of incidents that managers need to prepare for?

Examples range from external breaches and insider threats to instances of malfeasance or incompetence. Different types of incidents lead to the same types of results—yet you can’t have a broad view of incidents. Managers should work with their teams to create incident response plans that reflect the threats associated with higher education institutions. A handful of general incident response plans isn’t going to cut it.

Managers need to work with their teams to develop a specific incident response plan for each specific type of incident. Why? Well, think of it this way: Your response to a careless employee should be different from your response to a malicious employee, for a whole host of legal reasons. Incident response is not a cookie-cutter process. In fact, it is quite the opposite. This is one of the reasons I highly suggest security teams include staff members outside of IT. When you’re responding to incidents, you want people who can look at a problem or situation from an external perspective, not just a technical or operational perspective within IT. These team members can help answer questions such as, what does the world see when they look at our institution? What institutional information might be valuable to, or targeted by, malicious actors? You’ll get some valuable fresh perspectives.

How short or long should the typical incident response plan be?

I often see good incident response plans no more than three or four pages in length. However, it is important that incident response plans are task oriented, so that it is clear who does what next. And when people follow an incident response plan, they should physically or digitally check off each activity, then record each activity.

What system or software do you recommend for recording incidents and responses?

There are all types of help desk software you can use, including free and open source software. I recommend using help desk software with workflow capabilities, so your team can assign and track tasks.

Any other tips for developing incident response plans?

First, managers should work with, and solicit feedback from across the academic and administrative areas within the institution when developing incident response plans. If you create these documents in a vacuum, they will be useless.

Second, managers and their teams should take their time and develop the most “solid” incident response plans possible. Don’t rush the process. The effectiveness of your incident response plans will be critical in assessing your institution’s ability to survive a breach. Because of this, you should be measuring your response plans through periodic testing, like conducting tabletop exercises.

Third, keep your students and external stakeholders in mind when developing these plans. You want to make sure external communications are consistent, accurate, and within the legal requirements for your institution. The last thing you want is students and stakeholders receiving conflicting messages about the incident. 

Are there any decent incident response plans in the public domain that managers and their teams can adapt for their own purposes?

Yes. My default reference is the National Institute of Standards and Technology (NIST). NIST has many special publications that describe the incident response process, how to develop a solid plan, and how to test your plan.

Should institutions have dedicated incident response teams?

Definitely. Institutions should identify and staff teams using internal resources. Some institutions may want to consider hiring a reputable third party to act as an incident response team. The key with hiring a third party? Don’t wait until an incident occurs! If you wait, you’re going to panic, and make panic-based decisions. Be proactive and hire a third party on retainer.

That said, institutions should consider hiring a third party on an annual basis to review incident response plans and processes. Why? Because every institution can grow complacent, and complacency kills. A third party can help gauge the strengths and weaknesses of your internal incident response teams, and provide suggestions for general or specific training. A third party can also educate your institution about the latest and greatest cyber threats.

Should managers empower their teams to conduct internal “hackathons” in order to test incident response?

Sure! It’s good practice, and it can be a lot of fun for team members. There are a few caveats. First, don’t call it a hackathon. The word can elicit negative or concerned reactions. Call it “active testing” or “continuous improvement exercises.” These activities allow team members to think creatively, and are opportunities for them to boost their cybersecurity knowledge. Second, be prepared for pushback. Some managers worry if team members gain more cybersecurity skills, then they’ll eventually leave the institution for another, higher-paying job. I think you should be committed to the growth of your team members―it’ll only make your institution more secure.

What are some best practices managers should follow when reporting incidents to their leadership?

Keep the update quick, brief, and to the point. Leave all the technical jargon out, and keep everything in an institutional context. This way leadership can grasp the ramifications of the event and understand what matters. Be prepared to outline how you’re responding and what actions leadership can take to support the incident response team and protect the institution. In the last chapter, I mentioned what I call the General Colin Powell method of reporting, and I suggest using that method when informing leadership. Tell them what you know, what you don’t know, what you think, and what you recommend. Have answers, or at least a plan.

How much institution-wide communication should there be about incidents?

That’s a great question, but a tough one to answer. Transparency is good, but it can also unintentionally lead to further incidents. Do you really want to let your whole institution know about an exploitable weakness? Also, employees can spread information about incidents on social media, which can actually lead to the spread of misinformation. If you are in doubt about whether or not to inform the entire institution about an incident, refer to your Legal Department. In general, institution-wide communication should be direct: We’ve had an incident; these are the facts; this is what you are allowed to say on social media; and this is what you’re not allowed to say on social media.

Another great but tough question: When do you tell the public about an incident? For this type of communication, you’re going to need buy-in from various sources: senior leadership, Legal, HR, and your PR team or external PR partners. You have to make sure the public messaging is consistent. Otherwise, citizens and the media will try to poke holes in your official story. And that can lead to even more issues.

What are the key takeaways for higher education leaders?

Here are key takeaways to help higher education leaders prepare for and respond appropriately to cybersecurity incidents:

1. Understand your institution’s current cybersecurity environment. 
   Questions to consider: Do you have Chief Information Security Officer (CISO) and/or a dedicated cybersecurity team at your institution? Have you conducted the appropriate audits and assessments to understand your institution’s vulnerabilities and risks?
2. Ensure you are prepared for cybersecurity incidents. 
   Questions to consider: Do you have a cybersecurity plan with the appropriate response, communication, and recovery plans/processes? Are you practicing your plan by walking through tabletop exercises? Do you have incident response teams?

Higher education continues to face growing threats of cybersecurity attacks – and it’s no longer a matter of if, but when. Leaders can help mitigate the risk to their institutions by proactively planning with incident response plans, communication plans, and table-top exercises. If you need help creating an incident response plan or wish to speak to us regarding preparing for cybersecurity threats, please reach out to us.
 

Best Practices for Educating Your Financial Institution’s Board of Directors on Cybersecurity

According to Cybersecurity Ventures, cybercrime will account for $6 trillion annually by 2021—that’s more than the global trade of all major illegal drugs combined. Data breaches and other information security events adversely impact organizations through significant losses in revenue, erosion of customer trust, substantial remediation costs, increased insurance premiums, and more.

The financial services industry has always led the way with internal controls, vendor management, and now with cybersecurity for one simple reason—you are in the business of money and it is critical to protect it.

That said, cybersecurity controls require more than just a strong IT department—an effective cybersecurity program, much like ethical behavior, depends on culture. Since your organization’s leadership plays a key role in driving your cybersecurity culture, boards of directors and senior management need a solid understanding of cybersecurity risks and impacts.

According to a 2018 Technology Survey of bank directors by Bank Director, 79% say they need to enhance their level of technology expertise. Many board members come from non-technology backgrounds and careers, and though they are able to support their institution’s mission and drive growth, they may not be able to provide direction in the areas of information technology and security. They may also not recognize what attractive targets they make for phishing and other cybercrimes due to their high level of access to valuable information, their ability to send and receive data from financial institution personnel, and their potential exemption from certain employee policies.

Keeping board members up-to-date on the evolving landscape of cybersecurity risks can present a serious challenge due to board members’ time constraints. To help, here are some best practices you can follow to make educating your institution’s board and senior management a relatively simple and sustainable process.

Leverage Existing Cybersecurity Training Resources

In most cases, you already provide and require cybersecurity training for employees, typically through internal IT experts, third-party vendors, or self-paced courses available online. Board members should complete the same training at least annually.

Require Board Members to Comply with Information Security Policies

Despite their high-risk profile, board members are often exempted from policies applicable to employees, including password requirements and other critical information security policies. Given the sensitive information and levels of access board members have, it is imperative that they fully comply with all information security policies.

Facilitate Regular Review of Information Security Audits and Assessments

Information security audits and assessments provide valuable insights into areas for improvement. Keep your board members aware of any findings, recommendations, or potential risks noted in recent audits and assessments. Provide a regular status report to the board of ongoing efforts and progress to resolve or mitigate findings and risks. Use these regular communications as an opportunity to provide cybersecurity education to the board, and don’t hesitate to speak up about any specific areas and emerging risks you may be concerned about.

Regular Cybersecurity Updates and Discussions

Keep the board and senior management updated on cybersecurity threats, incidents, and any changes to the bank’s cybersecurity program. Provide this information on a quarterly basis and include the cause of and any remediation for such events, as well as any trends in incidents. Regular updates to the board and senior management provide guidance for budgets, goals, and overall strategic direction. With more awareness of security incidents and events, trends in occurrences, and potential risks, the board and senior management are more likely to support greater investments in the bank’s security efforts.

Annual Board Approval of Information Security Plans and Policies

The board should review and approve all information security policies and relevant procedures on an annual basis, as these board-approved policies will establish the financial institution’s directive for effective internal control and cybersecurity programs. Important examples include Information Security and Acceptable Use Policies, Cybersecurity Policy, Incident Response Plan, Business Continuity Plan, and Disaster Recovery Plan.

Knowing your current position and having a plan are key. Through continuous assessment of your board’s fluency with cybersecurity and establishing a process of ongoing education that’s both effective and manageable, your financial institution can improve its culture of cybersecurity awareness—helping reduce the likelihood of future security incidents and events that could adversely impact your board, your financial institution’s employees, and your customers.

Did you know that there was more than a 40% increase (from $4.3 billion to $6.0 billion) in civil penalties assessed by the IRS regarding employment tax, for the 2016 fiscal year?

A recent report from the Treasury Inspector General for Tax Administration calls for more cases to involve criminal investigation by the Department of Justice. This is significant because the requirements needed to prove a civil violation under Sec. 6672 are nearly identical to the requirements of a criminal violation under Sec. 7202, and a criminal violation can result, among other penalties, in imprisonment for up to five years.

The issue of employment taxes encompasses all businesses, even tax-exempt entities. For fiscal year 2016, employment tax issues were involved in over 26% of audits of exempt organizations. One main reason why employment tax is a major issue? Its role in funding our government: employment taxes make up $2.3 trillion dollars (70%) of the $3.3 trillion dollars collected by the IRS for fiscal year 2016.

And noncompliance is a major issue, with roughly $45.6 billion of unemployment taxes, interest and penalties still owed to the IRS as of December 2015. This trend of increasing noncompliance, combined with the vital role employment taxes has in funding our government helps explain why the IRS has increased focus and enforcement in this area.

Should your independent contractor truly be an employee? Did you properly report fringe benefits as taxable income to the individuals who received them? Knowing the answers to these questions can help you stay in compliance with the law. If you have any questions about your employment tax situation, or how we can help you ensure compliance on this and other tax issues, please contact your BerryDunn tax advisor.