Five IT risks everyone should be aware of

09.11.19

A version of this article was previously published on the Massachusetts Nonprofit Network

Editor’s note: while this blog is not technical in nature, you should read it if you are involved in IT security, auditing, or management of organizations that participate in strategic planning and business activities where compliance and controls must be considered.

As we find ourselves in a fast-moving, strong business growth environment, there is no better time to consider the controls needed to enhance your IT security as you implement new, high-demand technology and software to allow your organization to thrive and grow. Here are five risks you need to take care of if you want to build or maintain strong IT security.

1. Third-party risk management―It’s still your fault

We rely daily on our business partners and vendors to make the work we do happen. With a focus on IT, third-party vendors are a potential weak link in the information security chain and may expose your organization to risk. Though a data breach may be the fault of a third party, you are still responsible for it: customer data may be exposed, and you will be the one customers and clients expect answers from, even when the facts are in someone else’s hands. 

Though software as a service (SaaS) providers, along with other IT third-party services, have been around for well over a decade now, we still neglect our businesses by not considering and addressing third-party risk. These third-party providers likely store, maintain, and access company data, which could potentially contain personally identifiable information (names, social security numbers, dates of birth, addresses), financial information (credit cards or banking information), and healthcare information of your customers. 

While many of the third-party providers have comprehensive security programs in place to protect that sensitive information, a study in 2017 found that 30% of data breaches were caused by employee error or while under the control of third-party vendors.1  This study reemphasizes that when data leaves your control, it is at risk of exposure. 

In many cases, procurement and contracting policies already put language in contracts that establishes IT security requirements for third parties. However, those requirements are rarely enforced, and awareness of what the contract actually says is low: the signed contract is collected, put in a file, and never reviewed again. What can you do about it?

Improved vendor management

It is paramount that all organizations (no matter their size) have a comprehensive vendor management program that goes beyond contracting requirements to defend against third-party risk. Such a program includes:

  1. An inventory of all third-parties used and their criticality and risk ranking. Criticality should be assigned using a “critical, high, medium or low” scoring matrix. 
  2. At time of onboarding or RFP, develop a standardized approach for evaluating if potential vendors have sufficient IT security controls in place. This may be done through an IT questionnaire, review of a Systems and Organization Controls (SOC report) or other audit/certifications, and/or policy review. Additional research may be conducted that focuses on management and the company’s financial stability. 
  3. As a result of the steps in #2, develop a vendor risk assessment using a high, medium and low scoring approach. Higher risk vendors should have specific concerns addressed in contracts and are subject to more in depth annual due diligence procedures. 
  4. Reporting to senior management and/or the board annually on the vendors used by the organization, the services they perform, their risk, and ways the organization monitors the vendors. 

2. Regulation and privacy laws―They are coming 

2018 saw the implementation of the European Union’s General Data Protection Regulation (GDPR), the first major data privacy law imposed on any organization that possesses, handles, or has access to the personal data of individuals in the EU. Enforcement has started: the UK’s Information Commissioner’s Office has announced its intention to fine some of the world’s most famous companies, including proposed fines of roughly £99 million (about $125 million) for Marriott International and £183 million for British Airways.2  Gone are the days when regulations lacked the teeth to force companies into compliance. 
</gml_replace>
<gr_replace lines="38" cat="clarify" orig="With thanks">
Following other major data breaches in which the private information of well over a hundred million consumers was lost or stolen (e.g., the 2017 Equifax breach, which exposed the personal information of roughly 147 million people), more regulation is coming. Although there is little expectation of an American federal requirement for data protection, individual states and other regulating organizations are introducing requirements. Each new regulation seeks to protect consumer privacy, but the specifics and enforcement of each differ. 

With thanks to other major data breaches where hundreds of millions’ consumers private information was lost or obtained (e.g., Experian), more regulation is coming. Although there is little expectation of an American federal requirement for data protection, individual states and other regulating organizations are introducing requirements. Each new regulation seeks to protect consumer privacy but the specifics and enforcement of each differ. 

Expected to be most impactful is the California Consumer Privacy Act (CCPA), signed in 2018 and effective January 1, 2020. It applies to for-profit businesses that collect or process California residents’ personal information, do business in the state, and meet its revenue or data-volume thresholds (you do not have to be located in California to be under the umbrella of enforcement).

In 2019, Maine passed one of the country’s toughest laws restricting the sale of customer information by broadband internet service providers. Massachusetts’ long-standing privacy and data breach laws were amended with stronger requirements in January 2019. Additional privacy and breach laws are in discussion or on the table in many states, including Colorado, Delaware, Ohio, Oregon, Vermont, and Washington, amongst others.      

Preparation and awareness are key

All organizations, no matter their line of business, must be aware of and understand current laws and proposed legislation. New laws are expected to address not only the protection of customer data, but also employee information. All organizations should monitor proposed legislation and be aware of the potential enforceable requirements. The good news is that there are a lot of resources out there and, in most cases, new laws allow a grace period before enforcement so that organizations can develop a complete understanding of the requirements and implement the needed controls. 

3. Data management―Time to cut through the clutter 

We all work with people who have thousands of emails in their inbox (in some cases, dating back several years). Those users’ biggest fears may start to come to fruition―that their “organizational” approach of not deleting anything may come to an end with a simple email and data retention policy put in place by their employer. 

The amount of data we generate in a day is massive. Forbes estimates that we generate 2.5 quintillion bytes of data each day and that 90% of all the world’s data was generated in the last two years alone.3 While data is a gold mine for analytics and market research, it is also an increasing liability and security risk. 

Inc. Magazine says that 73% of the data available to us is never used.4 Within that data could be personally identifiable information (such as social security numbers, names, addresses, etc.); financial information (bank accounts, credit cards, etc.); and/or confidential business data. That data is valuable to hackers and corporate spies, and in many cases its very existence and location are unknown to the organizations that hold it. 

In addition to the security risk that all this data poses, it may also expose an organization to liability in the event of a lawsuit or investigation. Emails and other communications are a favorite target of subpoenas and investigations; a common retention rule is to delete them within 90 days (including the contents of deleted items folders), unless a legal hold or a regulatory retention requirement applies to them. 

Take an inventory before you act

Organizations should first complete a full data inventory to understand what types of data they maintain and handle, and where and how they store that data. Next, organizations can develop a data retention policy that meets their needs. Moving data that must be kept, but is rarely accessed, to archival or backup storage media can reduce the volume of data kept on internal production systems. 

4. Doing the basics right―The simple things work 

Across industries and regardless of organization size, the most common problem we see is the absence of basic controls for IT security. Every organization, no matter their size, should work to ensure they have controls in place. Some must-haves:

  • Established IT security policies
  • Routine, monitored patch management practices (for all servers and workstations)
  • Change management controls (for both software and hardware changes)
  • Anti-virus/anti-malware software on all servers and workstations
  • Specific IT security risk assessments 
  • User access reviews
  • System logging and monitoring 
  • Employee security training

Go back to the basics 

We often see organizations that focus on new and emerging technologies but have not taken the time to put basic security controls in place. Simple deterrents help thwart attackers. I often tell my clients that a locked car scares away most ill-willed people, but a determined thief can still smash the window.  

Smaller organizations can consider using third-party security providers, if they are not able to implement basic IT security measures. From our experience, small organizations are being held to the same data security and privacy expectations by their customers as larger competitors and need to be able to provide assurance that controls are in place.  

5. Employee retention and training 

Unemployment rates are at an all-time low, and the demand for IT security experts at an all-time high. In fact, Monster.com reported that in 2019 the unemployment rate for IT security professionals is 0%.5 

Organizations should be highly focused on employee retention and training to keep current employees up-to-speed on technology and security trends. One study found that only 15% of IT security professionals were not looking to switch jobs within one year.6  

Surprisingly, money is not the top factor for turnover―68% of respondents prioritized working for a company that takes their opinions seriously.6 

For years we have told our clients they need to create and foster a culture of security from the top down, and that IT security must be considered more than just an overhead cost. It needs to align with overall business strategy and goals. Organizations need to create designated roles and responsibilities for security that provide your security personnel with a sense of direction―and the ability to truly protect the organization, their people, and the data. 

Training and support goes a long way

Offering training to security personnel allows them to stay abreast of current topics, but it also shows those employees you value their knowledge and the work they do. You need to train technology workers to be aware of new threats, and on techniques to best defend and protect from such risks. 

Reducing turnover rate of IT personnel is critical to IT security success. Continuously having to retrain and onboard employees is both costly and time-consuming. High turnover impacts your culture and also hampers your ability to grow and expand a security program. 

Making the effort to empower and train all employees is a powerful way to demonstrate your appreciation and support of the employees within your organization—and keep your data more secure.  

Our IT security consultants can help

Ensuring that you have a stable and established IT security program in place by considering the above risks will help your organization adapt to technology changes and create more than just an IT security program, but a culture of security minded employees. 

Our team of IT security and control experts can help your organization create and implement controls needed to consider emerging IT risks. For more information, contact the team
 

Sources:
[1] https://iapp.org/news/a/surprising-stats-on-third-party-vendor-risk-and-breach-likelihood/  
[2] https://resources.infosecinstitute.com/first-big-gdpr-fines/
[3] https://www.forbes.com/sites/bernardmarr/2018/05/21/how-much-data-do-we-create-every-day-the-mind-blowing-stats-everyone-should-read/#458b58860ba9
[4] https://www.inc.com/jeff-barrett/misusing-data-could-be-costing-your-business-heres-how.html
[5] https://www.monster.com/career-advice/article/tech-cybersecurity-zero-percent-unemployment-1016
[6] https://www.securitymagazine.com/articles/88833-what-will-improve-cyber-talent-retention

Is your organization a service provider that hosts or supports sensitive customer data (e.g., personal health information (PHI) or personally identifiable information (PII))? If so, you need to be aware of a recent decision by the American Institute of Certified Public Accountants (AICPA) that may affect how your organization manages its systems and data.

In April 2017, the AICPA’s Assurance Services Executive Committee issued the 2017 Trust Services Criteria (TSC) to replace the five Trust Services Principles (TSPs), requiring service organizations to remap their internal controls to the restructured criteria and present SOC 2 findings in a revised format. This switch may sound frustrating or intimidating, but we can help you understand the difference between the principles and the criteria.

The SOC 2 Today
Service providers design and implement internal controls to protect customer data and comply with certain regulations. Typically, a service provider hires an independent auditor to conduct an annual Service Organization Control (SOC) 2 examination to help ensure that controls work as intended. Among other things, the resulting SOC 2 report assures stakeholders (customers and business partners) the organization is reducing data risk and exposure.

Currently, SOC 2 reports focus on five Trust Services Principles (TSP):

  • Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that can compromise the availability, integrity, confidentiality, and privacy of information or systems — and affect the entity's ability to meet its objectives.

  • Availability: Information and systems are available for operation and use to meet the entity's objectives.

  • Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives.

  • Confidentiality: Information designated as confidential is protected to meet the entity's objectives.

  • Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives.

New SOC 2 Format
The TSC directly relate to the 17 principles found in the Committee of Sponsoring Organizations (COSO)’s 2013 Framework for evaluating internal controls, and include additional criteria related to COSO Principle 12. The five trust services categories (security, availability, processing integrity, confidentiality, and privacy) remain; what changes is that the criteria under them are now organized around COSO’s five components of internal control, which form the common criteria (CC1 through CC5):

  • Control Environment: Emphasis on ethical values, board oversight, authority and responsibilities, workforce competence, and accountability.
  • Risk Assessment: Emphasis on the risk assessment process, how to identify and analyze risks, fraud-related risks, and how changes in risk impact internal controls.
  • Control Activities: Emphasis on how you develop controls to mitigate risk, how you develop technology controls, and how you deploy controls across an organization through the use of policies and procedures.
  • Information and Communication: Emphasis on how you communicate internally and with external parties.
  • Monitoring: Emphasis on how you evaluate internal controls and how you communicate and address any control deficiencies.

These are supplemented by CC6 through CC9 (logical and physical access controls, system operations, change management, and risk mitigation), which expand on COSO Principle 12 and carry most of the technical security controls a SOC 2 examination tests.

The AICPA has provided nearly 300 Points of Focus (POF), supporting controls that organizations should consider when addressing the TSC. The POF offer guidance and considerations for controls that address the specifics of the TSC, but they are not required.

Transition timing
Organizations now have some work to do to meet the guidelines. The good news: there’s still plenty of time to make necessary changes. You can use the current TSP format before December 15, 2018. Any SOC 2 report presented after December 15, 2018, must incorporate the new TSC format. The AICPA has provided a mapping spreadsheet to help service organizations move from TSP to the TSC format.

Contact Chris Ellingwood to learn more about how we can help you gain control of your SOC 2 reporting efforts. 
 

Article
The SOC 2 update — how will it affect you?

As the technology we use for work and at home becomes increasingly intertwined, security issues that affect one also affect the other and we must address security risks at both levels.

This year’s top security risks are the first in our series that are relevant both to us as consumers of technology and to us as business owners and security administrators. Our homes and offices connect to devices, referred to as the Internet of Things (IoT), that make our lives and jobs easier and more efficient, but securing those devices from outside access is becoming paramount to IT security.

Many of this year’s risks focus on deception. Through deception, hackers can get information and access to systems, which can harm our wallets and our businesses.

In our 2017 Top 10 IT Security Risks e-book we share with you how to understand these emerging risks, the consequences and impacts these risks may have on your business, and approaches to help mitigate the risks and their impact. Some of the key ways to address these risks are:           

  1. Do your homework — change your default passwords (the one that came with your wireless router, for instance), and also make sure that your Amazon Alexa, Google Home, or other smart devices have complex passwords. In addition, turning off devices when they are not in use, or when you are gone, helps secure your home.
  2. If you work from home, or have employees who do, set up and use secure connections with two-factor authentication to help protect your networks. Remote employees should be required to use the same security measures as on-site employees.
  3. Protect your smartphone at work and at play—smartphones have become one of our most important possessions, and we use the same device for both work and personal applications, yet we don’t protect them as well as we should. Password protection is step one. Consider installing antivirus software on corporate smartphones and using container apps for corporate email and documents. These apps allow users to securely connect to a company’s server and reduce the possible exposure of data.
  4. Train, inform, repeat. Create a vigilant workforce—through continuous and consistent training and information sharing, you can reduce the occurrence of phishing, hacking, and other attacks against your systems.
  5. Conduct IT security risk assessments annually to help you identify gaps, fix them, and prepare for any incidents that may occur.
  6. Monitor and protect your reputation through tools that identify news about your company and help you understand the sources of the information.

Our 2017 Top 10 IT Security Risks takes a deeper look at the IoT and other risk issues that pose a threat this year, and what you can do to minimize your own and your organization’s IT security risks.

Article
The 2017 top IT security risks: Everything is connected

During my lunch in sunny Florida while traveling for business, enjoying a nice reprieve from another cold Maine winter, I checked my social media account. I noticed several postings about people having nothing to do at work because their company’s systems were down, the result of a major outage at one of Amazon Web Services’ (AWS) data center and web hosting operations. Company sites were down either directly or indirectly through a software as a service (SaaS) provider hosted at the affected AWS data center.

The outage lasted for four hours and affected hundreds of thousands of sites, including Airbnb, Expedia, Netflix, Quora, Slack, and others. The impact of such outages can be devastating to organizations that rely on their website for revenue, such as online retailers, and to users of SaaS providers that rely on a hosted system to conduct day-to-day business.

We advise our clients who consider hosting services in the cloud to weigh the option seriously and understand potential challenges in doing so. Here are some steps you can take to prevent future outages and loss of valuable uptime:

  1. Know the risks and weigh them against the benefits. Ask questions about the system you are thinking of having hosted. Is the system critical to the business? Without the system, do you lose revenue and productivity? Is the company providing the SaaS service hosting its own systems, or is it hosted at a data center such as AWS? Does the SaaS provider have failover sites at other, separate data centers that are geographically distant from one another?
  2. Have a backup plan. If your business conducts e-commerce or needs SaaS service to function, consider hosting your web servers and other data at two different providers. Though costly, the downtime impact is highly reduced.
  3. Consider hosting yourself. In some cases, we advise against relying on a third-party hosted data center. We do this when the criticality of the function is so high that having your own full-time dedicated support personnel, with multiple internet service providers available, allows you to address outages in-house and reduce the risk of outages.
  4. Have a service level agreement. Having a service level agreement with the hosted third party establishes expectations for uptime and downtime. In many instances where uptime is critical, you may consider incorporating liquidated damage clauses (fines and penalties) for downtime. Often when revenue is involved, the hosted party will take deeper measures to ensure uptime.

These types of outages are rare, but significant and while most organizations should not be scrambling to host their own systems and cancel all hosted agreements, it’s a good idea to take a hard look at your cyber security and IT risk management plan. Then, like me, when the clouds clear and you are in warm and sunny Florida, you can take a long lunch and enjoy the day.

Article
When the skies clear: Web-hosting outage hits Amazon data centers

Read this if you have a responsibility for victim notification.

Is your state complying with state and federal victim notification system statutes? How do you know if you are (or aren’t)? The federal government passed the Victims’ Rights and Restitution Act in 1990. This act requires all federal law enforcement officers and employees to make their best efforts to accord victims of crime with the right to be notified of offender status changes (i.e., movement from incarceration to the community). All states have similar statutes; many are more prescriptive and specific to each state.

You may be thinking “we have implemented a victim notification system, we’re all set.” To be sure, it’s best practice to ask yourself these questions:

  • Does my state use multiple victim notification systems, possibly one for the Department of Corrections, and others in use for jails, courts, or by the prosecutor’s office?
  • Do victims understand how to register and use the system(s)?
  • If you have multiple systems in use across your state, do victims know they must register in each (assuming that the offender is nomadic)?
  • Are the systems interfacing with the victim notification system to provide real-time updates regarding offender status changes and movements, or is the data reliant on human entry alone?
  • Is there redundancy in your victim notification approach? Are you relying solely on the victim notification system for statutory compliance, or are there other measures in place?
  • Have you defined the term “victim” in your state? How do you distinguish “known victims” from “interested parties”? Are these two groups treated equally in your victim notification systems and processes?

As we have explored these questions with various corrections clients, we’ve found that states address them in unique ways. In many cases, initial information regarding victims is captured on a pad of paper; in some, that information is never transposed into electronic form. Smaller, rural jails are more inclined to manually reach out to victims in their tight-knit communities, while jails in larger jurisdictions may not have the capacity to do so, and rely much more heavily on automation to comply with victim notification requirements. 

Many states use multiple victim notification systems (jails may use one system, while prisons use another), without integrating them to share data about offender movements and victim registrations. This results in a gap of service to victims likely unaware of the ramifications of having multiple, disparate victim notification systems. Many mature victim notification systems have the ability to interface with systems such as offender management systems (typically managed by the state’s department of corrections), jail management systems (typically managed by each county sheriff’s office), prosecution systems, and others. 

These system integrations are critical to reducing redundancy and increasing the timeliness with which both offender and victim data is entered into the victim notification system and used to trigger the notifications themselves.

So how can you assess your processes? The first step is to determine if your state has a problem with, or compliance gap between current practices and victim notification statutes. Here are some steps you can take to assess your situation:

  1. Review the victim notification statutes in your state
  2. Inventory the victim notification systems in use across your state, including any interfaces that may exist with the systems described earlier
  3. Talk to victim advocates to learn more about how they use the systems to augment their efforts
  4. Connect with representatives within your state department of corrections, sheriff’s offices, prosecutors, courts, probation, and other groups that may be providing some level of victim advocacy and learn more about their concerns

If this is all overwhelming, try and take it one step at a time. You can also engage a professional consulting firm that can help you organize and systematically assess the problem, then collaborate with you to develop a plan to close the gaps. 

If you have questions about your specific situation, please contact our Justice & Public Safety team. We're here to help. To learn more about other choices in victim notification procedures and systems, stay tuned for our second article in this series, where we explore options for acquiring and implementing a statewide victim notification system.

Article
Risky business: Multiple jurisdictional Victim Notification Systems

Read this if you administer a 401(k) plan.

On December 20, 2019, the Setting Every Community up for Retirement Enhancement (SECURE) Act was signed into law. The SECURE Act makes several changes to 401(k) plan requirements. Among those changes is a change to the permissible minimum service requirements.  
 
Many 401(k) retirement plan sponsors have elected to set up minimum service requirements for their plan. Such requirements help eliminate administrative burden of offering participation to part-time employees who may then participate in the plan for a short period of time and then keep their balance within the plan. Although plan sponsors do have the ability to process force-out distributions for smaller account balances, a minimum service requirement, such as one year of service, can help eliminate this situation altogether.  

Long-term part-time employees now eligible

The SECURE Act will now require that long-term part-time employees be offered participation in 401(k) plans if they are over the age of 21. The idea behind the requirement is that 401(k) plans are responsible for an increasingly larger amount of employees’ retirement income. Therefore, it is essential that part-time employees, some of which may not have a full-time job, have the ability to save for retirement.  
 
Long-term is defined as any employee who works three consecutive years with 500 or more hours worked each year. This new secondary service requirement becomes effective January 1, 2021. Previous employment will not count towards the three-year requirement. Therefore, the earliest a long-term part-time employee may become eligible to participate in a plan under the secondary service requirement is January 1, 2024.  

403(b) plans not affected 

Please note this provision is only applicable for 401(k) plans and does not impact 403(b) plans, which are subject to universal availability. Furthermore, although long-term part-time employees will be allowed to make elective deferrals into 401(k) plans, management may choose whether to provide non-elective or matching contributions to such participants. These participants also may be excluded from nondiscrimination and top-heavy requirements.  
 
This requirement will create unique tracking challenges as plans will need to track hours worked for recurring part-time employees over multiple years. For instance, seasonal employees who elect to work multiple seasons may inadvertently become eligible. We recommend plans work with their record keepers and/or third-party administrators to implement a tracking system to ensure participation is offered to those who meet this new secondary service requirement. If a feasible tracking solution does not exist, or plans do not want to deal with the burden of tracking such information, plans may also consider amending their minimum service requirements by reducing the hours of service requirement from 1,000 hours to 500 hours or less. However, this may allow more employees to participate than under the three-year, 500-hour requirement and may increase the employer contributions each year. 

If you have questions regarding your particular situation, please contact our Employee Benefit Audits team. We’re here to help.

Article
New permissible minimum service requirements for 401(k) plans

Read this if you are a business owner or an advisor to business owners.

With continued uncertainty in the business environment stemming from the COVID-19 pandemic, now may be a good time to utilize trust, gift, and estate strategies in the transfer of privately held business interests. 

As discussed in our May 26, 2020 article 2020 estate strategies in times of uncertainty for privately held business owners, there may be opportunity to free up considerable portions of lifetime gift and estate tax exemption amounts. This is possible due to suppressed values of privately held businesses and the uncertainty surrounding the impact of the 2020 presidential election on tax rates and future exemption and exclusion thresholds.

An element to consider is the ability to transfer non-controlling interests in a business. These interests are potentially subject to discounts for lack of control and lack of marketability. The discounts may further reduce the overall value transferred through a given strategy, potentially offloading a larger percentage of ownership in a business while retaining large portions of the gift and estate lifetime exemption. Part I of this series focused on the discount for lack of control. In Part II, let’s focus on the discount for lack of marketability.

Discount for lack of marketability

In the context of a hypothetical willing buyer and willing seller, the buyer may place a greater value on an ownership interest of an investment that is “marketable.” Marketable investments can be bought and sold easily and offer the ability to extract liquidity compared to an interest where transferability and marketability are limited. 

Simply put, buyers would rather own investments they can sell easily, and will pay less for an investment that lacks this ability. Non-controlling interests in private businesses lack marketability—few people are interested in investing in a business where control rests in someone else’s hands. Discounts for lack of control commonly reduce the value of the transferred interest by 5% to 15%, while discounts for lack of marketability can reduce it by 25% to 35%.

Market-based evidence of proxies for discounts for lack of marketability can be found within the following resources, studies, and methods (including, but not limited to):

  • Various restricted stock studies
  • The Quantitative Marketability Discount Model (QMDM) developed by Z. Christopher Mercer
  • Various pre-initial public offering studies
  • Option pricing models
  • Other discounted cash flow models

In addition to these resources, to fully assess the degree of discount applicable to a subject interest, consider company-specific factors when estimating the discount for lack of marketability. The degree of marketability is dependent upon a wide range of factors, such as the payment of dividends, the existence of a pool of prospective buyers, the size of the interest, any restrictions on transfer, and other factors. 

To establish a comprehensive view on the applicable degree of discount, here are more things to consider. In his ruling in Mandelbaum v. Commissioner¹, Judge David Laro outlined the primary company-specific factors affecting the discount for lack of marketability, including:

  1. Restrictions on transferability and withdrawal
  2. Financial statement analysis
  3. Dividend policy
  4. The size and nature of the interest
  5. Management decisions
  6. Amount of control in the transferred shares

Conclusion

Business owners are knowledgeable about the facts and circumstances surrounding a business interest. They take a close look at what they are buying before they make an offer. Like most people, they prefer investments they can readily convert into cash, and are therefore generally not willing to pay the pro-rata value for a minority interest in a business when the interest lacks marketability. To assess an appropriate discount for lack of marketability, consider resources such as those referred to above, then ensure the selected discounts are appropriate based on the factors specific to the company and interest being valued. 

Our mission at BerryDunn remains constant in helping each client create, grow, and protect value. If you have questions about your unique situation, or would like more information, please contact the business valuation consulting team.

Part III of this series will focus on the application of DLOC and DLOM to a subject interest.

¹Mandelbaum v. Commissioner, T.C. Memo 1995-255 (June 13, 1995).

Article
Discounts for lack of control and marketability in business valuations (Part II)

Read this if you are a business owner or an advisor to business owners.

With continued uncertainty in the business environment stemming from the COVID-19 pandemic, now may be a good time to utilize trust, gift, and estate strategies in the transfer of privately held business interests. 

As discussed in our May 26, 2020 blog post 2020 estate strategies in times of uncertainty for privately held business owners, there may be opportunity to free up considerable portions of lifetime gift and estate tax exemption amounts through transfers due to suppressed values of privately held businesses, and the uncertainty surrounding the impact of the 2020 presidential election on tax rates and future exemption and exclusion thresholds. 

An element to consider when building on this opportunity is the ability to transfer non-controlling interests in a business. These interests are potentially subject to discounts for lack of control and lack of marketability. This may further reduce the overall value transferred through a given strategy, potentially offloading a larger percentage of ownership in a business while retaining large portions of the gift and estate lifetime exemption. Let’s focus on the discount for lack of control (DLOC).

Discount for lack of control

In the context of a hypothetical willing buyer and willing seller, the buyer may place a greater value on an ownership interest with the ability to make changes at their discretion, compared to an alternative ownership interest lacking control. Simply put, buyers like to be in control, and they will pay less for the investment if the interest lacks these characteristics. 

When valuing non-controlling business interests, an inherent discount from full value is recognized to reflect the fact that the subject interest does not hold a controlling position. As a result of this discount, the value of a non-controlling interest in a company will differ from the pro-rata value per share of the entire company. DLOCs alone commonly reduce the value of the transferred interest by 5% to 15%.

All else being equal, a non-controlling ownership position is less desirable (valuable) than a controlling position. This is because of the majority owner’s right to control any or all of the following activities: managing the assets or selecting agents for this purpose, controlling major business decisions, asset allocation choices, setting salary levels, admitting new investors, acquiring assets, selling the company, and declaring/paying distributions.
 
Market-based evidence of proxies for DLOCs can be found within the following subscription-based databases (including, but not limited to): 

  • Control premium studies published in the Mergerstat® Review series by FactSet Mergerstat/Business Valuation Resources
  • Closed-end fund data
  • The Partnership Profiles, Inc. Minority Interest Database and Executive Summary Report on Re-Sale Discounts for applicable entity types

In addition to these resources, to fully assess the degree of discount applicable to a subject interest, consider company-specific factors when estimating the DLOC. The degree of control for a subject interest may be impacted by relevant state statutes and the governing documents of the subject company. These factors are analyzed in conjunction with the current operational and financial policies established and implemented in practice by management to establish a comprehensive view on the applicable degree of discount.

Conclusion

Hypothetical business owners are knowledgeable about the facts and circumstances surrounding a business interest. They take a close look at what they are buying before they make an offer. Like most people, they like to be in charge, and are therefore generally not willing to pay the pro-rata value for a minority interest in a business when the interest lacks control. To assess an appropriate discount for lack of control, consider resources such as those referred to above, then ensure the selected discounts are appropriate based on the factors specific to the company and interest being valued. 

Our mission at BerryDunn remains constant in helping each client create, grow, and protect value. If you have questions about your unique situation, or would like more information, please contact the business valuation consulting team.

Article
Discounts for lack of control and marketability in business valuations

Read this if you use, manage, or procure public safety and corrections technology.

Recently we discussed the benefits of developing a strong, succinct Request for Proposal (RFP) that attracts Offender Management Systems (OMS) vendors through a competitive solicitation. Conversely, we explored the advantages and disadvantages of leading a non-competitive solicitation. Industry standards and best practices serve as the common thread between competitive and non-competitive solicitations for standard implementations. So, how does an agency prepare to navigate the nuances and avoid the “gotchas” of a non-standard implementation in the corrections realm?

Functional areas in the corrections industry exist in an ever-evolving state. The ongoing functional area refinements serve to overcome potential gaps between standardizing organizations (e.g., CTA, APPA) and your agency’s operations. For example, CTA does not distinguish incidents from disciplines as distinct functional areas. While merging workflows for incidents and disciplines may align with one agency’s practice, your agency may not always correlate the two functions (e.g., disciplinary action might not always result from an incident). Moreover, your agency may not have a need for every functional area, such as community corrections, depending on the scale of your operation.

Your agency should view the industry standards as a guide rather than the source of truth. This helps you avoid a parochial approach driven solely by standards and instead follow a more pragmatic plan built from your unique operations and best practices. CTA and APPA specifications alone will not result in a comprehensive solicitation. For that reason, agencies can strengthen an OMS modernization initiative by extending solicitation requirements to include jurisdictional specifications drawn from interviews with end-users and policy research. 

Upcoming OMS webinar

On Thursday, November 5, our consulting team will host a webinar on navigating a solicitation for a new OMS. During the webinar, our team will revisit the benefits of involving an independent third party in your solicitation, review industry standards, and discuss:

  1. Crafting requirements that address common OMS functions, as well as jurisdiction-specific functions (i.e., those that address the unique statutes of the state). Crafting requirements helps your agency to ensure a replacement system addresses core business functions, provides a modern technical infrastructure, and complies with local, state, and federal regulations.
  2. Thriving with a collaborative approach when acquiring and implementing an OMS, helping to ensure all stakeholders not only participate in the project but also buy into the critical success factors.

If you have questions about your specific situation with OMS implementations, or would like to receive more information about the webinar, please contact one of our public safety consultants.
 

Article
Managing non-standard Offender Management System (OMS) implementations