
Five IT risks everyone should be aware of

09.11.19

A version of this article was previously published on the Massachusetts Nonprofit Network

Editor’s note: while this blog is not technical in nature, you should read it if you are involved in IT security, auditing, or the management of organizations that participate in strategic planning and business activities where compliance and controls must be considered.

As we find ourselves in a fast-moving, strong business growth environment, there is no better time to consider the controls needed to enhance your IT security as you implement new, high-demand technology and software to allow your organization to thrive and grow. Here are five risks you need to take care of if you want to build or maintain strong IT security.

1. Third-party risk management―It’s still your fault

We rely daily on our business partners and vendors to make the work we do happen. With a focus on IT, third-party vendors are a potential weak link in the information security chain and may expose your organization to risk. However, though a data breach may be the fault of a third party, you are still responsible for it. Data breaches and exposure of customer information may occur, leaving you to give customers and clients answers and explanations you may not have.

Though software as a service (SaaS) providers, along with other IT third-party services, have been around for well over a decade now, we still neglect our businesses by not considering and addressing third-party risk. These third-party providers likely store, maintain, and access company data, which could potentially contain personally identifiable information (names, social security numbers, dates of birth, addresses), financial information (credit cards or banking information), and healthcare information of your customers. 

While many of the third-party providers have comprehensive security programs in place to protect that sensitive information, a study in 2017 found that 30% of data breaches were caused by employee error or while under the control of third-party vendors.[1] This study reemphasizes that when data leaves your control, it is at risk of exposure.

In many cases, procurement and contracting policies already place language in contracts that establishes IT security requirements for third parties; however, those requirements are often not enforced, and awareness of what the contract says is limited: the evidence is collected, put in a file, and never reviewed. What can you do about it?

Improved vendor management

It is paramount that all organizations (no matter their size) have a comprehensive vendor management program in place that goes beyond contracting requirements to defend against third-party risk. Such a program includes:

  1. An inventory of all third parties used, with their criticality and risk ranking. Criticality should be assigned using a “critical, high, medium or low” scoring matrix.
  2. At time of onboarding or RFP, a standardized approach for evaluating whether potential vendors have sufficient IT security controls in place. This may be done through an IT questionnaire, review of a System and Organization Controls (SOC) report or other audits/certifications, and/or policy review. Additional research may be conducted that focuses on management and the company’s financial stability.
  3. As a result of the steps in #2, a vendor risk assessment using a high, medium and low scoring approach. Higher-risk vendors should have specific concerns addressed in contracts and are subject to more in-depth annual due diligence procedures.
  4. Annual reporting to senior management and/or the board on the vendors used by the organization, the services they perform, their risk, and the ways the organization monitors them.

2. Regulation and privacy laws―They are coming 

2018 saw the implementation of the European Union’s General Data Privacy Regulation (GDPR), the first major data privacy law imposed on any organization that possesses, handles, or has access to the personal information of EU citizens. Enforcement has started, and the Information Commissioner’s Office has begun fining some of the world’s most famous companies, including substantial fines to Marriott International and British Airways of $125 million and $183 million Euros, respectively.[2] Gone are the days when regulations lacked the teeth to force companies into compliance.

Following other major data breaches in which the private information of hundreds of millions of consumers was lost or obtained (e.g., Experian), more regulation is coming. Although there is little expectation of an American federal requirement for data protection, individual states and other regulating organizations are introducing requirements. Each new regulation seeks to protect consumer privacy, but the specifics and enforcement of each differ.

Expected to be most impactful in 2019 is the California Consumer Privacy Act,  which applies to organizations that handle, collect, or process consumer information and do business in the state of California (you do not have to be located in CA to be under the umbrella of enforcement).

In 2018, Maine passed the toughest law on telecommunications providers for selling consumer information. Massachusetts’ long-standing privacy and data breach laws were amended with stronger requirements in January of 2019. Additional privacy and breach laws are in discussion or on the table for many states including Colorado, Delaware, Ohio, Oregon, Vermont, and Washington, amongst others.

Preparation and awareness are key

All organizations, no matter their line of business, must be aware of and understand current laws and proposed legislation. New laws are expected to address not only the protection of customer data but also employee information. All organizations should monitor proposed legislation and be aware of the potential enforceable requirements. The good news is that there are a lot of resources out there and, in most cases, legislative requirements allow for grace periods that give organizations time to develop a complete understanding of proposed laws and implement the needed controls.

3. Data management―Time to cut through the clutter 

We all work with people who have thousands of emails in their inbox (in some cases, dating back several years). Those users’ biggest fears may start to come to fruition―that their “organizational” approach of not deleting anything may come to an end with a simple email and data retention policy put in place by their employer. 

The amount of data we generate in a day is massive. Forbes estimates that we generate 2.5 quintillion bytes of data each day and that 90% of all the world’s data was generated in the last two years alone.[3] While data is a gold mine for analytics and market research, it is also an increasing liability and security risk.

Inc. Magazine says that 73% of the data we have available to us is not used.[4] Within that data could be personally identifiable information (such as social security numbers, names, addresses, etc.); financial information (bank accounts, credit cards, etc.); and/or confidential business data. That data is valuable to hackers and corporate spies, and in many cases the organizations holding the data do not know it exists or where it is stored.

In addition to the security risk that all this data poses, it may also expose an organization to liability in the event of a lawsuit or investigation. Emails and other communications are a favorite target of subpoenas and investigations and should be deleted within 90 days (including deleted items folders).

Take an inventory before you act

Organizations should first complete a full data inventory and understand what types of data they maintain and handle, and where and how they store that data. Next, organizations can develop a data retention policy that meets their needs. Utilizing backup storage media may be a solution that helps reduce the need to store and maintain a large amount of data on internal systems. 

4. Doing the basics right―The simple things work 

Across industries and regardless of organization size, the most common problem we see is the absence of basic controls for IT security. Every organization, no matter their size, should work to ensure they have controls in place. Some must-haves:

  • Established IT security policies
  • Routine, monitored patch management practices (for all servers and workstations)
  • Change management controls (for both software and hardware changes)
  • Anti-virus/malware on all servers and workstations
  • Specific IT security risk assessments 
  • User access reviews
  • System logging and monitoring 
  • Employee security training

Go back to the basics 

We often see organizations that focus on new and emerging technologies but have not taken the time to put basic security controls in place. Simple deterrents help thwart hackers. I often tell my clients that a locked car scares away most ill-willed people, but a thief can still smash the window.

Smaller organizations can consider using third-party security providers if they are not able to implement basic IT security measures themselves. In our experience, small organizations are being held to the same data security and privacy expectations by their customers as larger competitors, and they need to be able to provide assurance that controls are in place.

5. Employee retention and training 

Unemployment rates are at an all-time low, and the demand for IT security experts at an all-time high. In fact, Monster.com reported that in 2019 the unemployment rate for IT security professionals is 0%.[5]

Organizations should be highly focused on employee retention and training to keep current employees up to speed on technology and security trends. One study found that only 15% of IT security professionals were not looking to switch jobs within one year.[6]

Surprisingly, money is not the top factor for turnover―68% of respondents prioritized working for a company that takes their opinions seriously.[6]

For years we have told our clients they need to create and foster a culture of security from the top down, and that IT security must be considered more than just an overhead cost. It needs to align with overall business strategy and goals. Organizations need to create designated roles and responsibilities for security that provide your security personnel with a sense of direction―and the ability to truly protect the organization, their people, and the data. 

Training and support go a long way

Offering training to security personnel allows them to stay abreast of current topics, but it also shows those employees you value their knowledge and the work they do. You need to train technology workers to be aware of new threats, and on techniques to best defend and protect from such risks. 

Reducing turnover rate of IT personnel is critical to IT security success. Continuously having to retrain and onboard employees is both costly and time-consuming. High turnover impacts your culture and also hampers your ability to grow and expand a security program. 

Making the effort to empower and train all employees is a powerful way to demonstrate your appreciation and support of the employees within your organization—and keep your data more secure.  

Our IT security consultants can help

Ensuring that you have a stable and established IT security program in place by considering the above risks will help your organization adapt to technology changes and create not just an IT security program but a culture of security-minded employees.

Our team of IT security and control experts can help your organization create and implement the controls needed to address emerging IT risks. For more information, contact the team.

Sources:
[1] https://iapp.org/news/a/surprising-stats-on-third-party-vendor-risk-and-breach-likelihood/  
[2] https://resources.infosecinstitute.com/first-big-gdpr-fines/
[3] https://www.forbes.com/sites/bernardmarr/2018/05/21/how-much-data-do-we-create-every-day-the-mind-blowing-stats-everyone-should-read/#458b58860ba9
[4] https://www.inc.com/jeff-barrett/misusing-data-could-be-costing-your-business-heres-how.html
[5] https://www.monster.com/career-advice/article/tech-cybersecurity-zero-percent-unemployment-1016
[6] https://www.securitymagazine.com/articles/88833-what-will-improve-cyber-talent-retention


Is your organization a service provider that hosts or supports sensitive customer data (e.g., personal health information (PHI) or personally identifiable information (PII))? If so, you need to be aware of a recent decision by the American Institute of Certified Public Accountants that may affect how your organization manages its systems and data.

In April, the AICPA’s Assurance Executive Committee decided to replace the five Trust Service Principles (TSPs) with Trust Services Criteria (TSC), requiring service organizations to completely rework their internal controls, and present SOC 2 findings in a revised format. This switch may sound frustrating or intimidating, but we can help you understand the difference between the principles and the criteria.

The SOC 2 Today
Service providers design and implement internal controls to protect customer data and comply with certain regulations. Typically, a service provider hires an independent auditor to conduct an annual Service Organization Control (SOC) 2 examination to help ensure that controls work as intended. Among other things, the resulting SOC 2 report assures stakeholders (customers and business partners) the organization is reducing data risk and exposure.

Currently, SOC 2 reports focus on five Trust Services Principles (TSP):

  • Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that can compromise the availability, integrity, confidentiality, and privacy of information or systems — and affect the entity's ability to meet its objectives.

  • Availability: Information and systems are available for operation and use to meet the entity's objectives.

  • Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives.

  • Confidentiality: Information designated as confidential is protected to meet the entity's objectives.

  • Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives.

New SOC 2 Format
The TSC directly relate to the 17 principles found in the Committee of Sponsoring Organizations (COSO) 2013 Framework for evaluating internal controls, and include additional criteria related to COSO Principle 12. The new TSC are:

  • Control Environment: Emphasis on ethical values, board oversight, authority and responsibilities, workforce competence, and accountability.
  • Risk Assessment: Emphasis on the risk assessment process, how to identify and analyze risks, fraud-related risks, and how changes in risk impact internal controls.
  • Control Activities: Emphasis on how you develop controls to mitigate risk, how you develop technology controls, and how you deploy controls across an organization through the use of policies and procedures.
  • Information and Communication: Emphasis on how you communicate information within the organization and to external parties.
  • Monitoring: Emphasis on how you evaluate internal controls and how you communicate and address any control deficiencies.

The AICPA has provided nearly 300 Points of Focus (POF), supporting controls that organizations should consider when addressing the TSC. The POF offer guidance and considerations for controls that address the specifics of the TSC, but they are not required.

Points of Focus
Organizations now have some work to do to meet the guidelines. The good news: there’s still plenty of time to make necessary changes. You can use the current TSP format before December 15, 2018. Any SOC 2 report presented after December 15, 2018, must incorporate the new TSC format. The AICPA has provided a mapping spreadsheet to help service organizations move from TSP to the TSC format.

Contact Chris Ellingwood to learn more about how we can help you gain control of your SOC 2 reporting efforts. 
 

Article
The SOC 2 update — how will it affect you?

As the technology we use for work and at home becomes increasingly intertwined, security issues that affect one also affect the other and we must address security risks at both levels.

This year’s top security risks are the first in our series that are relevant both to us as consumers of technology and to us as business owners and security administrators. Our homes and offices connect to devices, referred to as the Internet of Things (IoT), that make our lives and jobs easier and more efficient, but securing those devices from outside access is becoming paramount to IT security.

Many of this year’s risks focus on deception. Through deception, hackers can get information and access to systems, which can harm our wallets and our businesses.

In our 2017 Top 10 IT Security Risks e-book we share with you how to understand these emerging risks, the consequences and impacts these risks may have on your business, and approaches to help mitigate the risks and their impact. Some of the key ways to address these risks are:           

  1. Do your homework — change your default passwords (the one that came with your wireless router, for instance), and also make sure that your Amazon Alexa, Google Home, or other smart devices have complex passwords. In addition, turning off devices when they are not in use, or when you are gone, helps secure your home.
  2. If you work from home, or have employees who do, set up and use secure connections with dual authentication methods to help protect your networks. Remote employees should be required to use the same security measures as on-site employees.
  3. Protect your smartphone at work and at play—smartphones have become one of our most important possessions, and we use the same device for both work and personal applications, yet we don’t protect them as well as we should. Password protection is step one. Consider installing antivirus software on corporate smartphones and using container apps for corporate emails and documents. These apps allow users to securely connect to a company’s server and reduce the possible exposure of data.
  4. Train, inform, repeat. Create a vigilant workforce—through continuous and consistent training and information sharing, you can reduce the occurrence of phishing, hacking and other attacks against your systems.
  5. Conduct IT security risk assessments annually to help you identify gaps, fix them, and prepare for any incidents that may occur.
  6. Monitor and protect your reputation through tools that identify news about your company and help you understand the sources of the information.

Our 2017 Top 10 IT Security Risks e-book takes a deeper look at the IoT and other risk issues that pose a threat this year, and at what you can do to minimize your own and your organization’s IT security risks.

Article
The 2017 top IT security risks: Everything is connected

During my lunch in sunny Florida while traveling for business, enjoying a nice reprieve from another cold Maine winter, I checked my social media account. I noticed several postings about people having nothing to do at work because their company’s systems were down, the result of a major outage at one of three Amazon Web Services (AWS) data centers and web hosting operations. Company sites were down either directly or indirectly through a software as a service (SaaS) provider hosted at the AWS data center.

The crash lasted for four hours and affected hundreds of thousands of sites, including Airbnb, Expedia, Netflix, Quora, Slack, and others. The impact of such crashes can be devastating to organizations that rely on their website for revenue, such as online retailers, and to users of SaaS providers that rely on a hosted system to conduct day-to-day business.

We advise our clients who consider hosting services in the cloud to weigh the option seriously and understand potential challenges in doing so. Here are some steps you can take to prevent future outages and loss of valuable uptime:

  1. Know the risks and weigh them against the benefits. Ask questions about the system you are thinking of having hosted. Is the system critical to business? Without the system, do you lose revenue and productivity? Is the company providing the SaaS service hosting its own systems, or is it hosted at a data center like AWS? Does the SaaS provider have failover sites at other, separate data centers that are geographically distant from one another?
  2. Have a backup plan. If your business conducts e-commerce or needs a SaaS service to function, consider hosting your web servers and other data at two different providers. Though costly, this greatly reduces the impact of downtime.
  3. Consider hosting yourself. In some cases, we advise against relying on a third-party hosted data center. We do this when the criticality of the function is so high that having your own full-time dedicated support personnel, with multiple internet service providers available, allows you to address outages in-house and reduce the risk of outages.
  4. Have a service level agreement. A service level agreement with the hosting third party establishes expectations for uptime and downtime. In many instances where uptime is critical, you may consider incorporating liquidated damage clauses (fines and penalties) for downtime. Often, when revenue is involved, the hosting party will take deeper measures to ensure uptime.

These types of outages are rare but significant, and while most organizations should not be scrambling to host their own systems and cancel all hosted agreements, it’s a good idea to take a hard look at your cyber security and IT risk management plan. Then, like me, when the clouds clear and you are in warm and sunny Florida, you can take a long lunch and enjoy the day.

Article
When the skies clear: Web-hosting outage hits Amazon data centers

Read this if you are a not-for-profit organization. 

Due to the impacts of COVID-19, on June 3, 2020, FASB issued an Accounting Standards Update (ASU) that granted a one-year effective date delay for NFPs to adopt the new revenue recognition standards (Topic 606). The ASU permitted NFPs that had not yet applied the revenue recognition standard to do so for annual reporting periods beginning after December 15, 2019. Many NFPs chose to take advantage of this delay.

However, the clock is ticking on FASB’s revenue recognition changes, as most NFPs will have to adopt the revenue recognition changes shortly. With that in mind, let’s revisit Topic 606 and what it could mean for your organization.

The overarching goal of the changes to revenue recognition is to converge disparate standards across industries, all while making the information more useful to users. The core principle of the standard is that “the organization should recognize revenue to depict the transfer of goods or service in an amount that reflects the payment for which the organization expects to be entitled for those goods and services.” 

A five-step process and a simplified approach 

To achieve that core principle, your organization will need to apply a five-step model to some of your revenue streams:

  1. Identify the contract(s) with a customer
  2. Identify the separate performance obligations
  3. Determine the transaction price
  4. Allocate the transaction price to the separate performance obligations
  5. Recognize revenue when or as a performance obligation is satisfied

While the process can be broken down into five simple steps, the task of reviewing revenue streams and specific contracts can be quite daunting in implementation.

Additional disclosures needed

Whether your organization is currently implementing, or soon will, you will want to make sure you understand the extensive disclosures required under the standards. Annual disclosures include the following:

  • Qualitative information about how economic factors affect the nature, amount, timing, and uncertainty of revenue and cash flow
  • Opening and closing balances of contract assets, contract liabilities, and receivables from contracts with customers
  • Descriptions of performance obligations

We are here to help

We recognize the difficult task ahead for our clients in analyzing their multiple contract vehicles and revenue streams while implementing the new standards. To help our clients through the process, we are offering revenue standard workshops. The workshop can be tailored to your needs, with an in-depth meeting to review the standard, consider your significant revenue streams, and walk through the five-step process. We will leave you with an easy-to-use template for analyzing future revenue streams, along with recommendations for your current revenue recognition system and process.

Don’t wait until the financial year has come to a close to review the processes and systems you have in place; we are available now to work with you to prepare for the new standard. Contact Chris Mouradian or Sarah Belliveau to find out how you can join the list of organizations getting ahead of the new standard.

Article
Financial Accounting Standards Board (FASB) revenue recognition changes: What it means for NFPs

Read this if your company uses QuickBooks Online.

QuickBooks Online offers numerous ways to help you track your sales, expenses, and profitability. If you’re using QuickBooks Online Plus or Advanced, you can create and assign Classes to transactions to differentiate between, for example, store departments or product lines. Some of the site’s reports are designed specifically for these tools, like sales by class and profit and loss by class. 
 
You can assign categories to products and services to gain insight into your sales and inventory. There’s a different set of categories that you’ll use when you record bills and expenses. These are important for reporting and tax purposes. You can also add a location field to sales transactions so you can track sales by stores, sales regions, or counties, for example.

What are tags and how do you use them?

Tags are fairly new to QuickBooks Online. They are customizable labels you can assign to transactions (invoices, expenses, and bills). They’re more flexible than the tools we’ve already mentioned—they allow you to track your money any way you want. They don’t affect your books, and they’re not included in the customization criteria for reports. But there are two reports specifically designed for them: profit and loss by tag group and transaction list by tag group.

Creating your own tags

Before you create a tag, you need to create a group. Groups consist of related tags that share a common theme. For example, say you do some event planning. You might have a group titled events. Individual events might read, for example, Grayson Wedding, Spring Art Show, and Hillman Conference.

To get started, click the gear icon in the upper right. Under lists, click tags to get to the tool’s home page. (You can also click on the transactions link in the toolbar, then click the tags tab.) Click new, then tag group. A vertical panel slides out from the right. Enter a name in the group name field. Click the down arrow to select a color, then click save. 

Enter your tags one by one in the fields labeled tag name. Click add after each one until your list is complete. Click the edit button to make any changes. When you’re finished, click done. The main tags page will open again, and you’ll see your new group under tags and tag groups. Repeat to add as many as you’d like, up to 300 tags.

Making the most of the tags in QuickBooks Online

 

You can add tags to any transaction that contains a field for them

Let’s look at how you’d use tags in an expense. Click the expenses link in the toolbar, then new transaction | expense in the upper right. Click the down arrow in the payee field in the upper left and select + add new. Enter Billy’s Bridal in the name field. Leave the type as vendor and click save. Back on the expense screen, select the payment account, payment date, and payment method for the expense (reference number is optional).

Directly below those fields, you’ll see the tags field. Click manage tags if you need to add or edit one; the right vertical pane you saw before will slide out. Otherwise, click in the field below tags. Your list of tags will drop down. Select Grayson Wedding to move it into the field. You can assign as many tags as you’d like to transactions, but you can only select one tag from each group. Finish the expense and save it. 

Go back to the tags home page, and you’ll see that there’s a link to one transaction in the events row. At the end of each row is the action column, where you can run a report, add a tag, and enter or delete a group. Your expense total appears in the money out (by tag) box above it. 

Tags are a great addition to the tools QuickBooks Online provides to help you track incoming and outgoing funds. If you’re not familiar with the others mentioned at the beginning of this column and want to learn how to explore them, let us know. We're here to help.

Article
Tag, you're it: Making the most out of QuickBooks Online tags

Read this if you are an employer with a defined contribution plan.

This article is the fourth in a series to help employee benefit plan fiduciaries better understand their responsibilities and manage the risks of non-compliance with Employee Retirement Income Security Act (ERISA) requirements. You can read the previous articles here.

One of the most common errors we identify during an audit of defined contribution plans is that the definition of compensation outlined in the adoption agreement or plan document is not consistently or accurately applied by the plan sponsor. This can be a serious problem, as operational failures will require correction, and those errors can become costly for plan sponsors.

Calculation challenges and other common errors

It is important that plan sponsors understand the options selected for the calculation of employee elective deferrals and employer non-elective and matching contributions into the plan. While calculating compensation sounds straightforward, it is often complicated by the fact that your adoption agreement or plan document may use different definitions of compensation for different purposes.

For example, the definition of compensation used to calculate deferrals could differ from the definition used for nondiscrimination testing and allocation purposes. Therefore, determining the correct amount of compensation requires a strong understanding of both your entity’s payroll structure and adoption agreement or plan document. Plan sponsors should work with both in-house personnel and plan administrators to ensure definitions of compensation are appropriately applied, and that any changes are quickly communicated to all involved.  

During an audit, we commonly identify pay types excluded from the definition of compensation in the adoption agreement or plan document that are incorrectly included in the compensation used in the calculation of employee deferrals and employer contributions. Taxable group term life insurance is a common example of compensation that is improperly included in the definition of compensation. Alternatively, we also identify codes for certain types of pay excluded from the calculation of employee deferrals and employer contributions that should be included based on the applicable definition of compensation. For example, retro pay, bonus payments, and manual checks are often incorrectly excluded in the definition of compensation.

Corrective actions

If errors are identified, we recommend that corrective actions including contributions, reallocation, or distributions are made in accordance with the Department of Labor regulations in a timely fashion.

If appropriate, the plan sponsor should consider amending the plan to align with the definition of plan compensation currently used in practice. We also recommend plan sponsors perform annual reviews of plan operations to ensure compliance and avoid the costs that can accompany non-compliance.

If you have questions about your specific situation, please contact our Employee Benefits consulting team. We’re here to help.

Article
Plan compensation and contributions: Common errors and solutions to fix them

Read this if you are an employer with employees on COBRA. There are tax credits available to you. 

The American Rescue Plan Act of 2021 (ARP) creates a requirement that employers treat the total payment for Consolidated Omnibus Budget Reconciliation Act (COBRA) continuation coverage due from certain eligible individuals as being “paid in full” for April 1 through September 30, 2021 (Subsidy Period). The eligible individuals with COBRA coverage will not receive the subsidy directly from the government; rather, they will have a premium holiday during which time the employer pays 100% of the applicable COBRA premium. The employer will be reimbursed in full through refundable payroll tax credits.

The ARP provisions do not apply to all COBRA-eligible individuals; eligibility is limited to employees who lost health care benefits due to an involuntary termination or reduction in hours. While the loss of coverage event can be linked to COVID-19, it is not required to be. A loss of coverage event could have occurred as far back as November 1, 2019, since the law requires an employer to offer a continuation of COBRA coverage for 18 months after an involuntary termination (18 months from November 1, 2019 is April 30, 2021). Eligible individuals who opted not to pay for COBRA coverage will be given another opportunity to elect the free coverage.

Employers and COBRA administrators should prepare to distribute new COBRA election and subsidy notices and to make operational changes soon after further guidance is released. Eligible individuals not already on COBRA will need to act quickly after receiving the notice to elect subsidized COBRA coverage. Failing to timely elect COBRA coverage could result in forfeiting this valuable benefit.

It is expected many people will rush to take advantage of this opportunity, which can provide up to six months of health insurance at no cost. However, employers should keep in mind that the subsidy is available only for certain limited situations.

Which employers are eligible for the new subsidy?

Employers subject to federal COBRA provisions or to a state program that provides comparable group health care continuation coverage are not allowed to charge eligible individuals for COBRA coverage during the Subsidy Period. The subsidy applies to workers in every industry, most tax-exempt employers (except churches, which are exempt from COBRA), and union, governmental, and Indian tribal government workers. The federal COBRA provisions generally apply to all private-sector group health plans maintained by employers that had at least 20 employees on more than 50% of their typical business days in the previous calendar year. Both full- and part-time employees are counted to determine whether a plan is subject to federal COBRA coverage. Many states have “mini-COBRA” laws that apply to employers with fewer than 20 employees. The subsidy is mandatory for all employer-sponsored group health plans (i.e., all employers must offer the subsidy, regardless of whether the plan is fully insured, partially insured, or self-insured).

During the Subsidy Period, generally, the federal government will reimburse COBRA costs to employers by allowing credits against employers' Medicare (not Social Security or income) taxes (but for union plans, the plan would receive the subsidy and for insured, state “mini-COBRA” plans, the insurer would receive the subsidy). Guidance is needed to clarify how the flow of funds for the subsidy would work. The full cost of COBRA continuation coverage (including up to a 2% administrative fee) at any coverage level (e.g., single, “single-plus-one”, or family coverage) for employees and former employees and their spouses and dependents is eligible for the subsidy via the payroll tax credit. The subsidy applies to health, prescription drug, dental and vision plans, but does not apply to health flexible spending accounts (FSAs), health savings accounts (HSAs), or long-term care plans (further guidance is needed to clarify the scope of the subsidy).  

Because most individuals who elect COBRA group health care continuation coverage usually pay 100% of those premiums (and in many cases must also pay up to a 2% administrative fee), the new subsidy via the employment tax credit keeps the free COBRA coverage at zero net cost to the employer. While the employment tax credit is taxable income, it will be offset by the employer’s deductible payment of the health care premiums.

Impact on eligible individuals

An eligible individual with an existing or new COBRA election will be provided tax-free health care coverage (both the premium and any administrative charge) at no charge for their remaining COBRA period that overlaps with the Subsidy Period.   

The free COBRA provided during the Subsidy Period would be “affordable” coverage under the Affordable Care Act (ACA). But it is not clear how this “affordable” coverage affects an individual who has purchased coverage on the exchange before they had an offer of affordable coverage.

A recipient of the free health care coverage must notify the employer or plan administrator when they become eligible for Medicare or another group health plan—other than coverage under an excepted benefit, an FSA or a qualified small employer health reimbursement arrangement (QSEHRA). Individuals who fail to promptly give this notice could be subject to a $250 fine and other penalties.

Who is eligible?

Generally, individuals are eligible for free COBRA coverage if (1) they are involuntarily terminated or have a reduction in hours that qualifies them for federal or state COBRA coverage and (2) the Subsidy Period overlaps with their COBRA coverage period.

The new COBRA premium assistance is not available to the following individuals:

  • Employees who are terminated for gross misconduct.
  • Employees who voluntarily terminated their employment or who retired.
  • Individuals who are eligible for COBRA due to other reasons, like divorce, death, or loss of dependency status.
  • Individuals who are eligible for other group health care coverage (such as from a new employer) or Medicare.
  • Individuals who are beyond their normal COBRA coverage period connected to the original qualifying event (i.e., the employee’s involuntary termination or reduction in hours that caused a loss of group health plan coverage).
  • Domestic partners who are not federal income tax dependents of the employee.

What’s the coverage?

Generally, the COBRA coverage will be the same as the coverage elected just prior to the involuntary termination or reduction in hours. However, employers can (but are not required to) allow individuals who are eligible for premium assistance to change their coverage provided it does not result in an increased premium cost. Further guidance is needed regarding the scope of who can change to a lower cost health plan as a result of the new law.

Eligible individuals who lost health care coverage after October 31, 2019 but do not have COBRA coverage on April 1, 2021 due to nonelection or lapse of payment will have a new, 60-day opportunity to elect COBRA coverage. If timely elected, the COBRA covered period will begin on the date of the individual’s qualifying event, but it appears that no payment is due for months prior to April 2021 and no claims can be filed prior to April 1, 2021. For the months remaining in the COBRA period that coincide with April 1 through September 30, 2021, the employee makes no payment but will have claims paid in accordance with the plan’s provisions. To have continued coverage after September 30, 2021, the employee must make the payments required under the plan. If the individual finds this unaffordable, they can simply drop the coverage.

What notices are needed?

The federal government is expected to issue model required notices addressing the existence of the subsidy, the availability of the 60-day election period and advance notice of when the Subsidy Period will be ending. In the meantime, employers should prepare for the following new notice requirements.

  • Group health plans must modify their COBRA election notices for individuals who become eligible for federal or state COBRA during the Subsidy Period to notify them of the premium assistance (and, if applicable, the option to enroll in a lower priced plan).
  • By May 31, 2021, individuals who previously rejected (or terminated) COBRA coverage and to whom a new election period must be offered, must be notified of their new election period and the availability of the premium assistance. This essentially creates a special COBRA enrollment period for such individuals.
  • Between August 17 and September 15, 2021, group health plans must provide a notice to individuals receiving the premium assistance stating that the subsidy will expire on September 30, 2021, and that they may be eligible for COBRA coverage without the subsidy. But if the subsidy would end earlier for any individual, the plan must provide a notice that the subsidy is expiring no earlier than 45 days and no later than 15 days before the subsidy expiration date.

It is not clear how these required notices must be delivered (sending paper mail to former employees may be needed).

How does the subsidy work?

Individuals who are eligible for COBRA premium assistance do not receive a payment from the federal government, group health plan, employer, or insurer. Rather, their COBRA costs are waived during the Subsidy Period.

Employers that sponsor a fully insured plan would continue paying the full premium to the insurer for the assistance eligible participants. Employers that sponsor a self-insured plan would pay the claims incurred by the assistance eligible participants. In both cases, the employer would receive no payment from the eligible individual during the Subsidy Period but would instead recover its COBRA costs (102% of the COBRA premium) for the assistance-eligible individuals by claiming a refundable federal tax credit against the employer’s Medicare taxes.

The COBRA subsidy is prospective only and cannot begin before April 1, 2021.

Although the law does not require employers to pay for any COBRA coverage, some employers pay for some or all of COBRA coverage (for example, as part of a severance package). Such employers can cease those contributions during the Subsidy Period and the federal government will provide the subsidy for 6 months. And although the subsidy is tax-free to employees, employers who take the COBRA premium tax credit must increase their gross income by the amount of such credit for the taxable year which includes the last day of any calendar quarter with respect to which such credit is allowed.
 
Also, under a “no double dipping” rule, employers cannot take the COBRA premium tax credit for any amount which is taken into account as qualified wages for the employee retention credit (ERC) under the Coronavirus Aid, Relief, and Economic Security Act (CARES) and Consolidated Appropriations Act, 2021 (CAA), or as qualified health plan expenses for the Families First Coronavirus Response Act (FFCRA), as amended by CAA and ARP. Likewise, amounts attributable to the COBRA premium tax credit would not be eligible payroll costs under the Paycheck Protection Program (PPP).

Guidance from the Internal Revenue Service (IRS) is needed to clarify how exactly employers would claim the tax credit, but it appears that employers would claim the credit on their quarterly IRS Form 941 or in advance on IRS Form 7200 if the actual or estimated amount of the credit exceeds the employer's Medicare taxes for any calendar quarter. Further guidance is also needed regarding the mechanics of the subsidy for employers that have insured state COBRA coverage, since under Section 9501(b) of the ARP the tax credits reimbursements would go to the insurer, not the employer.

Other considerations

For past COVID-19 relief tax credits, such as the ERC and FFCRA, IRS guidance allowed employers to dip into withheld income and Social Security taxes as a source of claiming those refundable tax credits. But the IRS has not yet authorized such actions for the ARP COBRA subsidy tax credit. Social Security taxes may not be available as a source for the new COBRA tax credits, since the ARP was enacted under budget reconciliation rules which prohibit any changes to Social Security.

Employers are not allowed to voluntarily expand the group of people who are eligible for the special COBRA premium subsidy, because the federal government is paying the full COBRA premium for the designated class of assistance-eligible individuals.

We expect the IRS to issue FAQs on the new COBRA Medicare tax credits, similar to the FAQs that the IRS issued on the ERC and FFCRA payroll tax credits.

This new COBRA subsidy may be economically more valuable than using qualified health care expenses for the ERC, because ERC nets 70% on the dollar whereas the COBRA subsidy is 102% (premium plus administrative charge).

What should employers do now?

Employers should immediately identify all employees who lost group health plan coverage after October 31, 2019 due to an involuntary termination or reduction in hours, without regard to their COBRA elections, because such event would have entitled the individual to 18 months of COBRA coverage (i.e., through April 30, 2021). Guidance is needed on whether notices must be given to individuals in this group that declined COBRA due to eligibility in another employer’s plan or Medicare. Employers will need to notify individuals who have an unexpired COBRA period that premium assistance is available, and they have a right to reconsider their original COBRA election.  

Employers will also need to review and perhaps modify any existing, automatic processes that might otherwise terminate COBRA coverage when premiums are not received during the Subsidy Period.

Year-end reporting on health benefits should also be reviewed to ensure these increased COBRA participants receive the appropriate Form 1095-B or C for 2021.

Employers should develop a procedure to identify COBRA recipients who are eligible for the premium assistance and those who do not qualify (for example, employers will need to distinguish a voluntary quit from an involuntary termination of employment and whether the employee was fired for gross misconduct). For premium-assistance eligible individuals, employers must refund within 60 days any premiums paid during the Subsidy Period. Not all COBRA participants will qualify for the subsidy, so the plan administrator will still need to handle some premium payments from non-eligible individuals.

Vendor outreach

Many employers use outside service providers for their COBRA administration, so employers should reach out to their vendors as soon as possible to coordinate their response to the ARP changes to current COBRA rules, especially the special election period for certain assistance-eligible individuals.

Keep in mind that, separate from the ARP COBRA subsidy, many employees (and their family members) may currently have extended COBRA election rights due to COVID-19 deadline extensions. For example, ERISA Disaster Relief Notice 2021-1 issued on February 26, 2021, announced an individualized one-year deadline extension for COBRA elections, which begins on the date the clock for the particular deadline would have started running (i.e., the one-year extension is applied on a rolling basis to each deadline for each affected individual). But individuals electing retroactive COBRA coverage under those extended deadlines will generally have to pay the full COBRA premiums for such periods. Guidance is needed on how the deadline extension coordinates with the new COBRA subsidy.

Employers may recall that in February 2009, under the American Recovery and Reinvestment Act of 2009 (ARRA), the federal government subsidized 65% of COBRA premiums for certain individuals who were terminated or laid off between September 1, 2008 and March 31, 2010 due to the financial crisis linked to the bursting of the home mortgage lending bubble. The ARRA subsidy was extended through May 31, 2010, so perhaps with Democrats currently controlling both Congress and the White House, the ARP COBRA subsidy may be extended beyond September 30, 2021. Also, the ARRA may be a model for how the flow of funds will work for the ARP premium tax credits for insured state COBRA coverage.

If you have specific questions about your situation, please contact our Employee Benefits consulting team. We’re here to help. 

Article
"Free" COBRA for some employees: Employers may benefit, too

Read this if you are an employer with basic knowledge of benefit plans and want to learn more. 

This article is the third in a series to help employee benefit plan fiduciaries better understand their responsibilities and manage the risks of non-compliance with Employee Retirement Income Security Act (ERISA) requirements. Our first article covers the background of ERISA, while our second article covers the definitions and rules of parties-in-interest and prohibited transactions.

Form 5500 is an informational return filed annually with the US Department of Labor (DOL). The purpose of Form 5500 is to report information concerning the operation, funding, assets, and investments of pension and other employee benefit plans to the Internal Revenue Service (IRS) and DOL. All pension benefit plans covered by the Employee Retirement Income Security Act (ERISA), and, generally, health and welfare plans covering 100 or more participants are subject to filing Form 5500. Any retirement plan covering fewer than 100 participants at the beginning of the plan year may be able to file Form 5500-SF, Short Form Annual Return/Report of Small Employee Benefit Plan. Read on for important filing requirements, as noncompliance can result in substantial penalties assessed by both the DOL and IRS. 

Who has to file, and which Form 5500 is required?

Pension plans

The most common types of pension benefit plan filers include:

  • Retirement plans qualified under Internal Revenue Code (IRC) § 401(a)
  • Tax sheltered annuity plans under IRC § 403(b)(1) and 403(b)(7)
  • SIMPLE 401(k) Plan under IRC § 401(k)(11)
  • Direct Filing Entity (DFE)

Which Form 5500 you should file depends on the type of plan. Small plans covering fewer than 100 participants as of the beginning of the plan year will normally file a Form 5500-SF. Conversely, large plans, mainly those covering 100 or more participants as of the beginning of the plan year, will generally file Form 5500. 

Participants include all current employees eligible for the plan, former employees still covered, and deceased employees who have one or more beneficiaries eligible for or receiving benefits under the plan.

Welfare plans

Generally, all welfare benefit plans covered by ERISA are required to file a Form 5500. Common types of welfare benefit plans include but are not limited to medical, dental, life insurance, severance pay, disability, and scholarship funds.

Similar to pension plans, the required Form 5500 to be filed typically depends on whether the plan is a small plan with fewer than 100 participants at the beginning of the plan year, or a large plan with 100 or more participants at the beginning of the plan year. However, certain welfare benefit plans are not required to file an annual Form 5500, including, but not limited to:

  • Plans with fewer than 100 participants at the beginning of the plan year and that are unfunded, fully insured, or a combination of the two
  • Governmental plans 
  • Employee benefit plans maintained only to comply with workers’ compensation, unemployment compensation, or disability insurance laws

Participants for welfare benefit plans include current employees covered by the plan, former employees still covered, and deceased employees who have one or more beneficiaries receiving or entitled to receive benefits under the plan (e.g., COBRA). 

Required financial schedules for Form 5500

Small plans that do not file Form 5500-SF require the following schedules to be filed along with the Form 5500:

  • Schedule A—Insurance information
  • Schedule D—DFE/Participating plan information
  • Schedule I—Financial information for a small plan

Large plans require the following schedules in addition to small plan schedules:

  • Plan Audit (Accountant’s Opinion)
  • Schedule C—Service provider information
  • Schedule G—Financial transaction schedules
  • Schedule H—Financial information (instead of Schedule I)

Welfare plans with 100 or more participants that are unfunded, fully insured or a combination of the two are not required to attach Schedule H or an Accountant’s Opinion. Also, pension plans will attach Schedule SB or MB reporting actuarial information, if required, along with Schedule R reporting retirement plan information.

When to File

Form 5500 must be filed electronically by the last day of the seventh calendar month after the end of the plan year. However, a two-and-one-half-month extension of time to file can be requested. Penalties may be assessed by both the IRS and the DOL for failure to file an annual Form 5500-series return. For 2020, the IRS penalty for late filing is $250 per day, up to a maximum of $150,000 (this IRS penalty applies only to retirement plans), and the DOL penalty can run up to $2,233 per day, with no maximum. Therefore, it is very important to track participant counts and ensure compliance with filing deadlines.

If you have questions about your specific situation, please contact our employee benefit consulting team. We’re here to help.

Article
Form 5500: An overview