
IRS guidance: Retroactively claiming the 2020 ERC

03.09.21

Read this if you are an employer looking for more information on the Employee Retention Credit (ERC).

As we previously wrote, the Consolidated Appropriations Act, 2021 expanded, retroactively to March 12th, 2020, the Employee Retention Credit (ERC) to include those otherwise eligible employers who also received Paycheck Protection Program (PPP) loans. For those employers, wages qualifying for the ERC include wages that were not paid for with proceeds from a forgiven PPP loan. 

IRS guidance released

Recently, the Internal Revenue Service (IRS) released guidance under Notice 2021-20 (the Notice) clarifying how eligible employers who also received a PPP loan during 2020 can retroactively claim the ERC. The Notice also formalizes and expands on prior IRS responses to FAQs and addresses changes made since the enactment of the Act; it contains 71 FAQs. The IRS has stated it will address calendar quarters in 2021 in later guidance.

Under the 2020 ERC rules, an eligible employer may receive a refundable credit equal to 50% of qualified wages and healthcare expenses (up to $10,000 of wages/health care expenses per employee in 2020) paid by a business or not-for-profit organization that experienced a full or partial suspension of their operations or a significant decline in gross receipts. For employers that received a PPP loan, Q&A 49 of the Notice outlines the IRS’ position on the interaction with the ERC for 2020. 

An eligible employer can elect which wages are used to calculate the ERC and which wages are used for PPP loan forgiveness. The Notice provides for a deemed election for any qualified wages included in the amount reported as payroll costs on the PPP Loan Forgiveness Application, unless the included payroll costs exceed the amount needed for full forgiveness when considering only the entries on the application. The text of Q&A 49 appears to treat the minimum amount of payroll costs required for PPP loan forgiveness (i.e., 60%) as being the deemed election as long as there are other eligible non-payroll expenses reported on the application to account for the other 40% of loan forgiveness expenses.

Payroll costs reported on the PPP Loan Forgiveness Application: Examples

The examples make it clear the payroll costs reported on the PPP Loan Forgiveness Application and needed for loan forgiveness are generally excluded from the ERC calculations. The qualified wages included on the PPP Loan Forgiveness Application that may be included in the ERC calculations are partially impacted by the documented non-payroll expenses included in the PPP Loan Forgiveness Application. Following are a few examples from the Notice. Each example outlines the interaction between payroll costs reported on the PPP Loan Forgiveness Application and the qualified wages for the ERC.

Example #1: An employer received a PPP loan of $100,000 and has both payroll and non-payroll costs that far exceed the borrowed amount. The employer only reports payroll costs of $100,000 on the PPP Loan Forgiveness application to simplify the forgiveness process. The employer cannot use any of the $100,000 of payroll costs to claim the ERC. This is notwithstanding the fact that 100% forgiveness may have been achieved by reporting only $60,000 of payroll costs and the remaining $40,000 from non-payroll costs.   

Example #2: An employer received a PPP loan of $200,000. The employer submitted a PPP Loan Forgiveness Application and reported $250,000 of qualified wages as payroll costs in support of forgiveness of the entire PPP loan. The employer is deemed to have made an election not to take into account $200,000 of the qualified wages for purposes of the ERC, which was the amount of qualified wages included in the payroll costs reported on the PPP Loan Forgiveness Application up to (but not exceeding) the minimum amount of payroll costs. The employer is not treated as making a deemed election with respect to $50,000 of the qualified wages ($250,000 reported on the PPP Loan Forgiveness Application, minus the $200,000 PPP loan amount forgiven), and it may treat that amount as qualified wages for purposes of the ERC.

Example #3: An employer received a PPP loan of $200,000. The employer is an eligible employer and paid $200,000 of qualified wages that would qualify for the employee retention credit during the second and third quarters of 2020. The employer also paid other eligible expenses of $70,000. The employer submitted a PPP Loan Forgiveness Application and reported the $200,000 of qualified wages as payroll costs, as well as the $70,000 of other eligible expenses, in support of forgiveness of the entire PPP loan. In this case, the employer is deemed to have made an election not to take into account $130,000 of qualified wages for purposes of the ERC, which was the amount of qualified wages included in the payroll costs reported on the PPP Loan Forgiveness Application up to (but not exceeding) the minimum amount of payroll costs, together with the $70,000 of other eligible expenses reported on the PPP Loan Forgiveness Application, sufficient to support the amount of the PPP loan that was forgiven. As a result, $70,000 of the qualified wages reported as payroll costs may be treated as qualified wages for purposes of the ERC.

Key takeaway:

For purposes of PPP loan forgiveness, an employer must generally submit payroll expenses equal to at least 60% of the loan amount to maximize loan forgiveness and to maximize the available wages for the ERC. If an employer does not report non-payroll costs (or limits the amount it reports) on the PPP Loan Forgiveness Application, that choice will have a direct impact on the wages available for the ERC.

An employer must also consider the payroll costs reported on the PPP Loan Forgiveness Application and the payroll costs necessary to maximize the ERC. For example, if an employer does not qualify for the ERC until the third quarter of 2020, it should consider limiting the amount of wages reported on the PPP Loan Forgiveness Application that are attributable to the third quarter in order to maximize the wages available for the ERC.

How to claim the Employee Retention Credit

An eligible employer that received a PPP loan and did not claim the ERC may file a Form 941-X, Adjusted Employer’s Quarterly Federal Tax Return for the relevant calendar quarters in which the employer paid qualified wages, but only for qualified wages for which no deemed election was made. 

Form 941-X may also be used by eligible employers who did not receive a PPP loan for 2020, but subsequently decide to claim any ERC to which they are entitled for 2020. 

The deadline for filing Form 941-X is generally within three years of the date Form 941 was filed or two years from the date you paid the tax reported on Form 941, whichever is later.

For more information

If you have more questions, or have a specific question about your situation, please call us. We’re here to help.


Are you spending enough time on your paid time off plan?
Many questions arise regarding paid time off (PTO) plans and the constructive receipt of income, which can cause payroll complications for employers and phantom income inclusion for employees. To avoid penalties for not withholding income and payroll taxes, and to keep employees from being taxed on cash they have not received, certain steps need to be followed if an employer wants to properly allow employees to cash out PTO.

What the IRS is looking for.
The Internal Revenue Service (IRS) has issued a number of Private Letter Rulings (PLRs) that examine earned time cash-out programs. While such rulings don’t serve as precedent, it appears the IRS has come up with the following factors that it deems important in order to avoid constructive receipt in a PTO cash-out situation:

  1. Employees must make a written election before the end of December in the year prior to the year they will be earning and receiving the accrued earned time to be cashed-out.  This is an election to receive a cash payout of the earned time to be accrued in the following year.
  2. The election must be irrevocable.
  3. The payout can only happen once the employee has actually earned and accrued the earned time in the following year. Payouts are generally once or twice per year, but may happen more frequently.

The IRS appears to generally require that the earned time being paid out be substantially less than the accrued earned time owed to the employee. This is to ensure that the earned time program remains a bona fide sick or vacation pay plan and not a plan of deferred compensation. This particular requirement can get tricky and may be different in each employer’s case.

Why does it matter?
The danger of failing to follow IRS guidelines regarding earned time cash-outs is that the IRS could claim that the employees offered a choice to cash-out are in constructive receipt of their accrued earned time balances regardless of their choice. This would result in immediate taxation of all accrued amounts to the employees, even if they hadn’t received the cash. The employer would also be subject to penalties for not properly withholding federal and state taxes.

It is important to review your PTO plan to be sure there are no issues regarding constructive receipt and to make sure your payroll systems are correctly reporting income.

The IRS issued proposed regulations under Code Section 457 in June of 2016 regarding, in part, non-qualified deferred compensation plans of not-for-profit (NFP) organizations. Those regulations contain guidance regarding the cash-out of sick and vacation time and the possibility that certain cash-out provisions may create a plan of deferred compensation and not a bona fide sick leave or vacation leave plan. As noted above, such a determination would be disastrous as all amounts accrued would become immediately taxable. NFP organizations and their advisors should keep a close eye on the proposed Section 457 regulations to see how they develop in final form. Once the regulations are finalized, NFP organizations may need to make changes to their cash-out provisions.

Please note that the above information is general in nature and is not meant to provide guidance on any particular case. If you have any questions about your PTO plan, please contact Bill Enck.

Article
Paid time off plans: IRS guidelines and why they matter

When it comes to offering non-qualified deferred compensation to executives of not-for-profit organizations, there aren’t many options. Your organization must follow the rules and related guidance outlined in Internal Revenue Code Sections 457 and 409A. There are two types of non-qualified deferred compensation plans: eligible (457(b) plans) and ineligible (457(f) plans).

  • 457(b) plans operate very similarly to 403(b) or 401(k) plans and have an annual benefit limit.
  • 457(f) plans have no annual benefit limit but the participants must include the benefits in taxable income when the substantial risk of forfeiture lapses.

Changes are on the table
And that's largely a good thing. The proposed regulations provide guidance in several key areas used to determine whether a substantial risk of forfeiture exists or not. For the most part, the proposed guidance is welcome news and provides an employer with more flexibility than originally expected.

Earlier this year, the IRS issued proposed regulations which describe just what constitutes a substantial risk of forfeiture under an ineligible 457(f) plan and what types of benefits are not considered to be ineligible 457(f) plans. Because of the tax implications to the executive, this is important for your organization to understand and communicate.

What the proposed regulations cover:

  1. Non-compete agreements
  2. Rolling risks of forfeiture (e.g., rolling vesting schedules)
  3. Determining the present value of accrued benefits
  4. Plans that are not considered 457(f) plans, including bona fide severance pay plans

In each of these areas, the proposed regulations provide employers with specific rules to follow in order to design and operate a plan, whether it's an existing plan or one adopted before or after the rules are finalized. Current plans will not have grandfathered status. 

What you need to do
For existing deferred compensation arrangements or employment contracts that provide for severance pay for deferred compensation arrangements, you must:

  • Take inventory of the types of benefits you provide (e.g., severance pay, 457(b), 457(f) plans)
  • Review plan provisions and determine the changes you need to make in order for them to be in compliance with the guidelines. 
  • Make the appropriate changes to the plan or employment contract provisions before the final regulations are effective.
  • The final regulations generally will not be effective until 90 days after they've been published. You may rely on them in the interim.

If you have questions or concerns
We've helped many not-for-profit organizations design and develop executive compensation packages, including deferred compensation plans. Our Benefits Compensation experts are well versed in the rules that apply to deferred compensation and severance pay plans and can help guide you through the process to:

  1. Create a plan that meets the needs of your executive and your organization
  2. Determine if any changes must be made to the benefits you’re currently offering

Contact Bill Enck if you have questions or need help.

Article
Do you sponsor a 457(f) plan? If so, keep reading!

Read this if your CFO has recently departed, or if you're looking for a replacement.

With the post-Covid labor shortage, “the Great Resignation,” an aging workforce, and ongoing staffing concerns, almost every industry is facing challenges in hiring talented staff. To address these challenges, many organizations are hiring temporary or interim help—even for C-suite positions such as Chief Financial Officers (CFOs).

You may be thinking, “The CFO is a key business partner in advising and collaborating with the CEO and developing a long-term strategy for the organization; why would I hire a contractor to fill this most-important role?” Hiring an interim CFO may be a good option to consider in certain circumstances. Here are three situations where temporary help might be the best solution for your organization.

Your organization has grown

If your company has grown since you created your finance department, or your controller isn’t ready or suited for a promotion, bringing on an interim CFO can be a natural next step in your company’s evolution, without having to make a long-term commitment. It can allow you to take the time and fully understand what you need from the role — and what kind of person is the best fit for your company’s future.

BerryDunn's Kathy Parker, leader of the Boston-based Outsourced Accounting group, has worked with many companies to help them through periods of transition. "As companies grow, many need team members at various skill levels, which requires more money to pay for multiple full-time roles," she shared. "Obtaining interim CFO services allows a company to access different skill levels while paying a fraction of the cost. As the company grows, they can always scale its resources; the beauty of this model is the flexibility."

If your company is looking for greater financial skill or advice to expand into a new market, or turn around an underperforming division, you may want to bring on an outsourced CFO with a specific set of objectives and timeline in mind. You can bring someone on board to develop growth strategies, make course corrections, bring in new financing, and update operational processes, without necessarily needing to keep those skills in the organization once they finish their assignment. Your company benefits from this very specific skill set without the expense of having a talented but expensive resource on your permanent payroll.

Your CFO has resigned

The best-laid succession plans often go astray. If that’s the case when your CFO departs, your organization may need to outsource the CFO function to fill the gap. When your company loses the leader of company-wide financial functions, you may need to find someone who can come in with those skills and get right to work. While they may need guidance and support on specifics to your company, they should be able to adapt quickly and keep financial operations running smoothly. Articulating short-term goals and setting deadlines for naming a new CFO can help lay the foundation for a successful engagement.

You don’t have the budget for a full-time CFO

If your company is the right size to have a part-time CFO, outsourcing CFO functions can be less expensive than bringing on a full-time in-house CFO. Depending on your operational and financial rhythms, you may need the CFO role full-time in parts of the year, and not in others. Initially, an interim CFO can bring a new perspective from a professional who is coming in with fresh eyes and experience outside of your company.

After the immediate need or initial crisis passes, you can review your options. Once the temporary CFO’s agreement expires, you can bring someone new in depending on your needs, or keep the contract CFO in place by extending their assignment.

Considerations for hiring an interim CFO

Making the decision between hiring someone full-time or bringing in temporary contract help can be difficult. Although it oversimplifies the decision a bit, a good rule of thumb is: the more strategic the role will be, the more important it is that you have a long-term person in the job. CFOs can have a wide range of duties, including, but not limited to:

  • Financial risk management, including planning and record-keeping
  • Management of compliance and regulatory requirements
  • Creating and monitoring reliable control systems
  • Debt and equity financing
  • Financial reporting to the Board of Directors

If the focus is primarily overseeing the financial functions of the organization and/or developing a skilled finance department, you can rely — at least initially — on a CFO for hire.

Regardless of what you choose to do, your decision will have an impact on the financial health of your organization — from avoiding finance department dissatisfaction or turnover to capitalizing on new market opportunities. Getting outside advice or a more objective view may be an important part of making the right choice for your company.

BerryDunn can help whether you need extra assistance in your office during peak times or interim leadership support during periods of transition. We offer the expertise of a fully staffed accounting department for short-term assignments or long-term engagements―so you can focus on your business. Meet our interim assistance experts.

Article
Three reasons to consider hiring an interim CFO

This is our second of five articles addressing the many aspects of business valuation. In the first article, we presented an overview of the three stages of the value acceleration process (Discover, Prepare, and Decide). In this article we are going to look more closely at the Discover stage of the process.

In the Discover stage, business owners take inventory of their personal, financial, and business goals, noting ways to increase alignment and reduce risk. The objective of the Discover stage is to gather data and assemble information into a prioritized action plan, using the following general framework.

Every client we have talked to so far has plans and priorities outside of their business. Accordingly, the first topic in the Discover stage is to explore your personal plans and how they may affect business goals and operations. What do you want to do next in your personal life? How will you get it done?

Another area to explore is your personal financial plan, and how this interacts with your personal goals and business plans. What do you currently have? How much do you need to fund your other goals?

The third leg of the value acceleration “three-legged stool” is business goals. How much can the business contribute to your other goals? How much do you need from your business? What are the strengths and weaknesses of your business? How do these compare to other businesses? How can business value be enhanced? A business valuation can help you to answer these questions.

A business valuation can clarify the standing of your business regarding the qualities buyers find attractive. Relevant business attractiveness factors include the following:

  • Market factors, such as barriers to entry, competitive advantages, market leadership, economic prosperity, and market growth
  • Forecast factors, such as potential profit and revenue growth, revenue stream predictability, and whether or not revenue comes from recurring sources
  • Business factors, such as years of operation, management strength, customer loyalty, branding, customer database, intellectual property/technology, staff contracts, location, business owner reliance, marketing systems, and business systems

Your company’s performance in these areas may lead to a gap between what your business is worth and what it could be worth. Armed with the information from this assessment, you can prepare a plan to address this “value gap” and look toward your plans for the future.

If you are interested in learning more about value acceleration, please contact the business valuation services team. We would be happy to meet with you, answer any questions you may have, and provide you with information on upcoming value acceleration presentations.

Next up in our value acceleration series is all about what we call the four C's of the value acceleration process. 

Article
The discover stage: Value acceleration series part two (of five)

This is the first article in our five-article series that reviews the art and science of business valuation. The series is based on an in-person program we offer from time to time.  

Did you know that just 12 months after selling, three out of four business owners surveyed “profoundly regretted” their decision? Situations like these highlight the importance of the value acceleration process, which focuses on increasing value and aligning business, personal, and financial goals. Through this process, business owners will be better prepared for business transitions, and therefore be significantly more satisfied with their decisions.

Here is a high-level overview of the value acceleration process. This process has three stages, diagrammed here:

The Discover stage is also called the “triggering event.” This is where business owners take inventory of their situation, focusing on risk reduction and alignment of their business, personal, and financial goals. The information gleaned in this stage is then compiled into a prioritized action plan utilized in future stages.

In the Prepare stage, business owners follow through on business improvement and personal/financial planning action items formed in the Discover stage. Examples of action items include the following:

  • Addressing weaknesses identified in the Discover stage, in the business, or in personal financial planning
  • Protecting value through planning documents and making sure appropriate insurance is in place
  • Analyzing and prioritizing projects to improve the value of the business, as identified in the Discover stage
  • Developing strategies to increase liquidity and retirement savings

The last stage in the process is the Decide stage. At this point, business owners choose between continuing to drive additional value into the business or to sell it.

Through the value acceleration process, we help business owners build value into their businesses and liquidity into their lives.

If you are interested in learning more about value acceleration, please contact the business valuation services team. We would be happy to meet with you, answer any questions you may have, and provide you with information on upcoming value acceleration presentations.

Read more! In our next installment of the value acceleration blog series, we cover the Discover stage.

Article
The process: Value acceleration series part one (of five)

Read this if your company is considering outsourced information technology services.

For management, it’s the perennial question: Keep things in-house or outsource? Most companies or organizations have outsourcing opportunities, from revenue cycle to payment processing to IT security. When deciding whether to outsource, you weigh the trade-offs and benefits by considering variables such as cost, internal expertise, cross coverage, and organizational risk.

In IT services, outsourcing may win out as technology becomes more complex. Maintaining expertise and depth for all the IT components in an environment can be resource-intensive.

Outsourced solutions allow IT teams to shift some of their focus from maintaining infrastructure to getting more value out of existing systems, increasing data analytics, and better linking technology to business objectives. The same can be applied to revenue cycle outsourcing, shifting the focus from getting clean bills out and cash coming in, to looking at the financial health of the organization, analyzing service lines, patient experience, or advancing projects.  

Once you’ve decided, there’s another question you need to ask
Lost sometimes in the discussion of whether to use outsourced services is how. Even after you’ve done your due diligence and chosen a great vendor, you need to stay involved. It can be easy to think, “Vendor XYZ is monitoring our servers or our days in AR, so we should be all set. I can stop worrying at night about our system reliability or our cash flow.” Not true.

You may be outsourcing a component of your technology environment or collections, but you are not outsourcing the accountability for it—from an internal administrative standpoint or (in many cases) from a legal standpoint.

Beware of a false state of confidence
No matter how clear the expectations and rules of engagement with your vendor at the onset of a partnership, circumstances can change—regulatory updates, technology advancements, and old-fashioned vendor neglect. In hiring the vendor, you are accountable for oversight of the partnership. Be actively engaged in the ongoing execution of the services. Also, periodically revisit the contract, make sure the vendor is following all terms, and confirm (with an outside audit, when appropriate) that you are getting the services you need.

Take, for example, server monitoring, which applies to every organization or company, large or small, with data on a server. When a managed service vendor wants to contract with you to provide monitoring services, the vendor’s salesperson will likely assure you that you need not worry about the stability of your server infrastructure, that the monitoring will catch issues before they occur, and that any issues that do arise will be resolved before the end user is impacted. Ideally, this is true, but you need to confirm.

Here’s how to stay involved with your vendor
Ask lots of questions. There’s never a question too small. Here are samples of how precisely you should drill down:

  • What metrics will be monitored, specifically?
  • Why do the metrics being monitored matter to our own business objectives?
  • What thresholds must be met to notify us or produce an alert?
  • What does exceeding a threshold mean to our business?
  • Who on our team will be notified if an alert is warranted?
  • What corrective action will be taken?

Ask uncomfortable questions
Being willing to ask challenging questions of your vendors, even when you are not an expert, is critical. You may feel uncomfortable but asking vendors to explain something to you in terms you understand is very reasonable. They’re the experts; you’re not expected to already understand every detail or you wouldn’t have needed to hire them. It’s their job to explain it to you. Without asking these questions, you may end up with a fairly generic solution that does produce a service or monitor something, but not necessarily all the things you need.

Ask obvious questions
You don’t want anything to slip by simply because you or the vendor took it for granted. It is common to assume that more is being done by a vendor than actually is. By asking even obvious questions, you can avoid this trap. All too often we conduct an IT assessment and are told that a vendor is providing a service, only to discover that the tasks are not happening as expected.

You are accountable for your whole team—in-house and outsourced members
An outsourced solution is an extension of your team. Taking an active and engaged role in an outsourcing partnership remains consistent with your management responsibilities. At the end of the day, management is responsible for achieving business objectives and mission. Regularly check in to make sure that the vendor stays focused on that same mission.

Article
Oxymoron of the month: Outsourced accountability

More and more emphasis is being put on cybersecurity by companies of all sizes. Whether it’s the news headlines of notable IT incidents, greater emphasis on the value of data, or the monetization of certain types of attacks, an increasing amount of energy and money is going towards security. Security has the attention of leadership and the board and it is not going away. One of the biggest risks to and vulnerabilities of any organization’s security continues to be its people. Innovative approaches and new technology can reduce risk but they still don’t prevent the damage that can be inflicted by an employee simply opening an attachment or following a link. This is more likely to happen than you may think.

Technology also doesn’t prepare a management team for how to handle the IT response, communication effort, and workforce management required during and after an event. Technology doesn’t lessen the operational impact that your organization will feel when, not if, you experience an event.

So let’s examine the human and operational side of cybersecurity. Below are three factors you should address to reduce risk and prepare your organization for an event:

  1. People: Create and maintain a vigilant workforce
    Ask yourself, “How prepared is our workforce when it comes to security threats and protecting our data? How likely would it be for one of our team members to click on a link or open an attachment that appears to be from our CFO? Would our team members look closely enough at the email address and notice that the organization name is different by one letter?”
     

    According to the 2016 Verizon Data Breach Report, 30% of phishing messages were opened by the target across all campaigns and 12% went on to click on the attachment or link.

    Phishing email attacks directed at your company through your team range from very obvious to extremely believable. Some attempts are sent widely and are looking for just one person to click, while others are extremely targeted and deliberate. In either case, it is vital that each employee takes enough time to realize that the email request is unusual. Perhaps there are strange typos in the request or it is odd the CFO is emailing while on vacation. That moment your employees take to pause and decide whether to click on the link/attachment could mean the difference between experiencing an event or not.

    So how do you create and cultivate this type of thought process in your workforce? Lots of education and awareness efforts. This goes beyond just an annual in-service training on HIPAA. It may include education sessions, emails with tips and tricks, posters describing the risk, and also exercises to test your workforce against phishing and security exploits. It also takes leadership embracing security as a strategic imperative and leading the organization to take it seriously. Once you have these efforts in place, you can create culture change to build and maintain an environment where an employee is not embarrassed to check with the CFO’s office to see if they really did send an email from Bora Bora.
  2. Plan: Implement a disaster recovery and incident response plan
    Through the years, disaster recovery plans have been the usual response. Mostly, the emphasis has been on recovering data after a non-security IT event, often discussed in the context of a fire, power loss, or hardware failure. Increasingly, cyber-attacks are creeping into the forefront of planning efforts. The challenge with cyber-events is that they are murkier to understand and harder for leadership to assist with.

    It’s easier to understand the concept of a fire destroying your server room and the plan entailing acquiring new equipment, recovering data from backup, restoring operations, having good downtime procedures, and communicating the restoration efforts along the way. What is much more challenging is if the event begins with a suspicion by employees, customers, or vendors who believe their data has been stolen without any conclusive information that your company is the originating point of the data loss. How do you take action if you know very little about the situation? What do you communicate if you are not sure what to say? It is this level of uncertainty that makes it so difficult. Do you have a plan in place for how to respond to an incident? Here are some questions to consider:
     
    1. How will we communicate internally with our staff about the incident?
    2. How will we communicate with our clients? Our patients? Our community?
    3. When should we call our insurance company? Our attorney?
    4. Is reception prepared to describe what is going on if someone visits our office?
    5. Do we have the technical expertise to diagnose the issue?
    6. Do we have set protocols in place for when to bring our systems off-line and are our downtime procedures ready to use?
    7. When the press gets wind of the situation, who will communicate with them and what will we share?
    8. If our telephone system and network are taken offline, how will we communicate with our leadership team and workforce?

By starting to ask these questions, you can ascertain how ready you may, or may not, be for a cyber-attack when it comes.

  3. Practice: Prepare your team with table top exercises
    Given the complexity and diversity of the threats people are encountering today, no single written plan can account for all of the possible combinations of cyber-attacks. A plan can give guidance, set communication protocols, and structure your approach to your response. But by conducting exercises against hypothetical situations, you can test your plan, identify weaknesses in the plan, and also provide your leadership team with insight and experience – before it counts.

    A table top exercise entails one team member (perhaps from IT or from an outside firm) coming up with a hypothetical situation and a series of facts and clues about the situation that are given to your leadership team over time. Your team then implements the existing plans to respond to the incident and make decisions. There are no right or wrong answers in this scenario. Rather, the goal is to practice the decision-making and response process to determine where improvements are needed.

    Maybe you run an exercise and realize that you have not communicated to your staff that no mention of the event should be shared by employees on social media. Maybe the exercise makes you realize that the network administrator who is on vacation at the time is the only one who knows how to log onto the firewall. You might identify specific gaps in your cybersecurity coverage. There is much to learn that can help you prepare for the real thing.

As you know, there are many different threats and risks facing organizations. Some are from inside an organization while others come from outside. Simply throwing additional technology at the problem will not sufficiently address the risks. While your people continue to be one of the biggest threats, they can also be one of your biggest assets, in both preventing issues from occurring and then responding quickly and appropriately when they do. Remember: focus on your People, your Plan, and your Practice.
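
The sender check described under People (an organization name that differs by one letter, or a message that only appears to come from the CFO) can also be run automatically on inbound mail to back up employee vigilance. The Python code below is an added example, not part of the original article; the domain `example-corp.com`, the executive name, and the sample headers are constructed assumptions.

```python
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"   # assumption: your organization's mail domain
EXECUTIVES = {"pat morgan"}       # assumption: display names worth protecting (e.g. the CFO)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def check_sender(from_header: str) -> str:
    """Classify a From header so that near-miss senders can be tagged for the reader."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable"
    domain = addr.rpartition("@")[2].lower()
    if domain == ORG_DOMAIN:
        return "internal"
    # One inserted, dropped or swapped character: the "different by one letter" case.
    if edit_distance(domain, ORG_DOMAIN) == 1:
        return "lookalike-domain"
    # An executive's name on an outside address: the "appears to be from our CFO" case.
    if " ".join(name.lower().split()) in EXECUTIVES:
        return "display-name-spoof"
    return "external"

# Constructed sample headers, not real traffic.
SAMPLES = [
    "Pat Morgan <pat.morgan@example-corp.com>",
    "Pat Morgan <pat.morgan@examp1e-corp.com>",
    "Pat Morgan <cfo.office@mailbox.example>",
    "Vendor Billing <billing@supplier.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{check_sender(header):20} {header}")
```

A result of `lookalike-domain` or `display-name-spoof` is a reason to add a warning banner or hold the message for review; it complements, rather than replaces, the employee's pause before clicking.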

Article
The three P's of improving your company's cybersecurity soft skills