Tapping your internal capacity for better results: Cybersecurity playbook for management #3

01.31.18

It may be hard to believe some seasons, but every professional sports team currently has the necessary resources — talent, plays, and equipment — to win. The challenge is to identify and leverage them for maximum benefit. And every organization has the necessary resources to improve its cybersecurity. Chapter 3 in BerryDunn’s Cybersecurity Playbook for Management looks at how managers can best identify and leverage these resources, known collectively as internal capacity.

The previous two chapters focused on using maturity models to improve an organization’s cybersecurity. The next two are about capacity. What is the difference, and connection, between maturity and capacity, and why is it important? 
RG: Maturity refers to the “as is” state of an organization’s cybersecurity program compared to its desired “to be” state. Capacity refers to the resources an organization can use to reach the “to be” state. There are two categories of capacity: external and internal. External capacity refers to outside resources — people, processes, and tools — you can hire or purchase to improve maturity. (We’ll discuss external capacity more in our next installment.) Internal capacity refers to in-house people, processes, and tools you can leverage to improve maturity. 

Managers often have an unclear picture of how to use resources to improve cybersecurity. This is mainly because of the many demands found in today's business environments. I recommend managers conduct internal capacity planning. In other words, they need to assess the internal capacity needed to increase cybersecurity maturity. Internal capacity planning can answer three important questions:

1. What are the capabilities of our people?
2. What processes do we need to improve?
3. What tools do we have that can help improve processes and strengthen staff capability?

What does the internal capacity planning process look like?
RG: Internal capacity planning is pretty easy to conduct, but there’s no standard model. It’s not a noun, like a formal report. It’s a verb — an act of reflection. It’s a subjective assessment of your team members’ abilities and their capacity to perform a set of required tasks to mature the cybersecurity program. These are not easy questions to ask, and the answers can be equally difficult to obtain. This is why you should be honest in your assessment and urge your people to be honest with themselves as well. Without this candor, your organization will spin its wheels reaching its desired “to be” state.

Let’s start with the “people” part of internal capacity. How can managers assess staff?

RG: It’s all about communication. Talk to your staff, listen to them, and get a sense of who has the ability and desire for improving cybersecurity maturity in certain subject areas or domains, like Risk Management or Event and Incident Response. If you work at a small organization, start by talking to your IT manager or director. This person may not have a lot of cybersecurity experience, but he or she will have a lot of operational risk experience. IT managers and directors tend to gravitate toward security because it’s a part of their overall responsibilities. It also ensures they have a voice in the maturing process.

In the end, you need to match staff expertise and skillsets to the maturity subject areas or domains you want to improve. While an effective manager already has a sense of staff expertise and skillsets, you can add a SWOT analysis to clarify staff strengths, weaknesses, opportunities, and threats.

The good news: In my experience, most organizations have staff who will take to new maturity tasks pretty quickly, so you don’t need to hire a bunch of new people.

What’s the best way to assess processes?
RG: Again, it’s all about communication. Talk to the people currently performing the processes, listen to them, and confirm they are giving you honest feedback. You can have all the talent in the world, and all the tools in the world — but if your processes are terrible, your talent and tools won’t connect. I’ve seen organizations with millions of dollars’ worth of tools without the right people to use the tools, and vice versa. In both situations, processes suffer. They are the connective tissue between people and tools. And keep in mind, even if your current ones are good, most tend to grow stale. Once you assess, you probably need to develop some new processes or improve the ones in place.

How should managers and staff develop new processes?
RG: Developing new ones can be difficult; we’re talking change, right? As a manager, you have to make sure the staff tasked with developing them are savvy enough to make sure the processes improve your organization’s maturity. Just developing a new one, with little or no connection to maturity, is a waste of time and money. Just because measuring maturity is iterative, doesn’t mean your approach to maturing cybersecurity has to be. You need to take a holistic approach across a wide range of cybersecurity domains or subject areas. Avoid any quick, one-and-done processes. New ones should be functional, repeatable, and sustainable; if not, you’ll overburden your team. And remember, it takes time to develop new ones. If you have an IT staff that’s already struggling to keep up with their operational responsibilities, and you ask them to develop a new process, you’re going to get a lot of pushback. You and the IT staff may need to get creative — or look toward outside resources, which we’ll discuss in chapter 4.

What’s the best way to assess tools?
RG: Many organizations buy many tools but rarely maximize their potential. And on occasion, organizations buy tools but never install them. The best way to assess tools is to select staff to first measure the organization’s inventory of tools, and then analyze them to see how they can help improve maturity for a certain domain or subject area. Ask questions: Are we really getting the maximum outputs those tools offer? Are they being used as intended?

I’ll give you an example. There’s a company called SolarWinds that creates excellent IT management tools. I have found many organizations use SolarWinds tools in very specific, but narrow, ways. If your organization has SolarWinds tools, I suggest reaching out to your IT staff to see if the organization is leveraging the tools to the greatest extent possible. SolarWinds can do so much that many organizations rarely leverage all its valuable features.

What are some pitfalls to avoid when conducting internal capacity planning?
RG: Don’t assign maturity tasks to people who have been with the organization for a really long time and are very set in their ways, because they may be reluctant to change. As improving maturity is a disruptive process, you want to assign tasks to staff eager to implement change. If you are delegating the supervision of the maturity project, don’t delegate it to a technology-oriented person. Instead, use a business-oriented person. This person doesn’t need to know a lot about cybersecurity — but they need to know, from a business perspective, why you need to implement the changes. Otherwise, your changes will be more technical in nature than strategic. Finally, don’t delegate the project to someone who is already fully engaged on other projects. You want to make sure this person has time to supervise the project.

Is there ever a danger of receiving incorrect information about resource capacity?
RG: Yes, but you’ll know really quickly if a certain resource doesn’t help improve your maturity. It will be obvious, especially when you run the maturity model again. Additionally, there is a danger of staff advocating for the purchase of expensive tools your organization may not really need to manage the maturity process. Managers should insist that staff strongly and clearly make the case for such tools, illustrating how they will close specific maturity gaps.

When purchasing tools, a good rule of thumb is: are you going to get three times the return on investment? Will it decrease cost or time by three times, or quantifiably reduce risk by three times? This ties in to the larger idea that cybersecurity is ultimately a function of business, not a function of IT. It also conveniently ties in with external capacity, the topic for chapter four.

Read our next cybersecurity playbook article, External capacity: Cybersecurity playbook for management #4, here.

Cybersecurity is the responsibility of all employees and managers: it takes a team

When a breach occurs, people tend to focus on what goes wrong at the technical level and often fail to see that cybersecurity begins at the strategic level. 

BerryDunn’s cybersecurity playbook outlines the activities managers need to take to properly oversee cybersecurity. Read the full series:

  1. Maturity modeling
  2. Selecting and implementing a maturity model
  3. Tapping your internal capacity for better results
  4. External capacity
  5. Discovery
  6. The workflow
  7. Incident response
  8. Incident recovery

Read this if you are a financial institution with income tax credit investments.

Financial institutions and other businesses that participate in tax credit investments designed to incentivize projects that produce social, economic, or environmental benefits could benefit from proposed rules that simplify the accounting treatment of such investments and result in a clearer picture of how these investments impact their bottom lines.

FASB proposal

On August 22, 2022, the Financial Accounting Standards Board (FASB), issued a proposal that would broaden the application of the accounting method currently available to account for investments in low-income housing tax credit (LIHTC) programs to other equity investments used to generate income tax credits. The proposal, titled “Investments – Equity Method and Joint Ventures (Topic 323): Accounting for Investments in Tax Credit Structures Using the Proportional Amortization Method”, would expand the eligibility of the proportional amortization method of accounting beyond LIHTC programs to other tax credit structures that meet certain eligibility criteria.  

FASB introduced the option to apply the proportional amortization method to account for investments made primarily for the purpose of receiving income tax credits and other income tax benefits in ASU 2014-01. However, the guidance limited the proportional amortization method to investments in LIHTC structures.

The proportional amortization method is a simplified approach for accounting for LIHTC investments in which the initial cost of the investment is amortized in proportion to the income tax credits and other benefits received (allocable share of depreciation deductions). The cost basis amortization and income tax credits received are presented net on the investor’s income statement as a component of income tax expense (benefit). Under existing guidance, investments in non-LIHTC projects are accounted for using either the equity method or cost method, depending on certain factors. 

The proposal aims to address the concerns that the equity and cost methods do not offer a fair representation of the economic characteristics for investments for which returns are primarily related to federal income tax credits. Supporters of the proposal argue that the accounting method applied should not be determined by the legislative program under which the tax credits are authorized, but instead by the economic intent under which the investment was made. The hope is the FASB proposal will create a heightened sense of uniformity in accounting for investments in income tax credit structures. 

Additional provisions

Other provisions within the proposal would require a reporting entity to “make an accounting policy election to apply the proportional amortization method on a tax-credit-program-by-tax-credit-program basis” and disclose the nature of its tax equity investments and the impact on its financial position and results of operations. 

The significance of this proposal is amplified by the uptick in tax credit programs in recent years, including the New Markets Tax Credit (NMTC), Historic Rehabilitation Tax Credit (HTC), and Renewable Energy Tax Credit (RETC). While the FASB has yet to declare an effective date for the implementation of the proposal, comment letters from stakeholders were due October 6, 2022. 

For more information

To discuss the impact this new accounting pronouncement may have on your financial institution, please contact the BerryDunn Financial Services team. We’re here to help.

FASB proposes changes to accounting for income tax credits

On November 8, 2022, Massachusetts voters approved a constitutional amendment to alter the state’s flat 5% income tax to add a 4% surtax on annual income exceeding $1 million. The so-called “millionaires tax,” also referred to as the “Fair Share Amendment,” is effective for tax years beginning on or after Jan. 1, 2023. The annual income level subject to the surtax would be adjusted yearly to reflect increases in the cost of living.

This measure is expected to bring in revenue of between $1.2 and $2 billion annually. The proceeds from the increased tax collections will support state budgets in the areas of education, roads, bridges, and public transportation. The measure passed with 52% voter support and is the sixth attempt to change the state’s flat income tax rate since 1962. This amendment is expected to affect about 0.6% of the state’s population, or about 20,000 taxpayers.

If you expect your income to exceed $1 million in 2023 and have questions regarding the recent legislation, please contact a member of our state and local tax team.

Massachusetts voters pass "Millionaires tax"

Read this if you are responsible for cybersecurity or are a member of a board of directors.

The board’s role in the oversight of organizational risk is increasingly complicated by cybersecurity concerns. Cybersecurity risk is pervasive and will affect companies in a variety of ways. The responsibility for detailed cyber risk oversight within the board should be well documented and communicated, and may often touch various committees across the board, including but not limited to risk, audit, and compliance. With the increasing complexity surrounding cybersecurity, it is also important for the board to evaluate existing experience and skills, identify gaps, and address those gaps through succession planning or leveraging advisors.

Additionally, all directors need to maintain continual knowledge about evolving cyber issues and management’s plans for allocating resources with respect to the preparedness in responding to cyber risks. Such knowledge helps boards assess the priority-driven and investment decisions put forth by management needed in critical areas.

Here are some critical questions that boards and management should be considering with respect to mitigating cyber security risk for their organizations. They may be useful as a starting point for boards to use in their discussions and as a guide when looking at their oversight of management’s plans for addressing potential cyber risks.

General

  • What is the threat profile and risk tolerance of our organization based on our business model and the type of data our organization holds?
  • Is the cyber risk management plan documented, including the identification, protection, and disposal of data?
  • Has the cyber risk management plan been tested?
  • Does our organization’s cybersecurity strategy align with our threat profile and risk tolerance?
  • Is our cybersecurity risk viewed as an enterprise-wide issue and incorporated into our overall risk identification, management, and mitigation process?
  • What percentage of our IT budget is dedicated to cybersecurity?
  • Does that allocation conform to industry standards?
  • Is it adequate based on our threat profile?
  • What are stakeholder demands and priorities for cybersecurity? Data privacy? Data governance? What interactions has the company or board had with shareholders regarding cybersecurity?
  • What is the interaction model between senior management and the board for communications regarding cybersecurity?
  • Has the regulatory focus on the board’s cybersecurity responsibility been increasing? If so, what is driving that focus?

Board cybersecurity oversight

  • How is oversight of cybersecurity structured (committee vs. full board) and why? Is this structure well documented in the appropriate governance charters?
  • Is cybersecurity an area considered and reported as a director competency? If so, have skill/experience gaps been identified together with plans to resolve those gaps?
  • Is there a cybersecurity expert on the board?

Overall cybersecurity strategy

  • Does the board play an active part in determining an organization’s cybersecurity strategy?
  • What are the key elements of a good cybersecurity strategy?
  • Is the organization’s cybersecurity preparedness receiving the appropriate level of time and attention from management and the board (or appropriate board committee)?
  • How do management and the board (or appropriate board committee) make this process part of the organization’s enterprise-wide governance framework?
  • How do management and the board (or appropriate board committee) support improvements to the organization’s process for conducting a cybersecurity assessment?

Risk assessment: risk profile

  • What are the potential cyber threats to the organization?
  • Who is responsible for management oversight of cyber risk?
  • Has a formal cyber assessment been performed? Does it need to be updated?
  • Do management and the board understand the organization’s vulnerabilities and how it may be targeted for cyber-attacks?
  • What do the results of the cybersecurity assessment mean to the organization as it looks at its overall risk profile?
  • Is management regularly updating the organization’s inherent risk profile to reflect changes in activities, services, and products?

Risk assessment: cyber maturity oversight

  • Who is accountable for assessing, managing, and monitoring the risks posed by changes to the business strategy or technology and are those individuals empowered to carry out those responsibilities?
  • Is there someone dedicated full-time to our cybersecurity mission and function, such as a Chief Information Security Officer (CISO)?
  • Is our cybersecurity function properly aligned within the organization? (Aligning the CISO under the CIO may not always be the best model as it may present a conflict. Many organizations align this function under the risk, compliance, audit, or legal functions, while others with a direct or “dotted line” reporting to the CEO.)
  • Do the inherent risk profile and cybersecurity maturity levels meet risk management expectations from management, the board, and shareholders? If there is misalignment, what are the proposed plans to bring them into alignment?

Cybersecurity controls

  • Do the organization’s policies and procedures demonstrate management’s commitment to sustaining appropriate cybersecurity maturity levels?
  • What is the ongoing practice for gathering, monitoring, analyzing, and reporting risks?
  • How effective are the organization’s risk management activities and controls identified in the assessment?
  • Are there more efficient or effective means for achieving or improving the organization’s risk management and control objectives?
  • Are there controls in place to ensure adequate, accurate and timely reporting of cybersecurity related content?
  • How does the company remain apprised of laws and regulations and ensure compliance?
  • What cloud services does our organization use and how risky are they?
  • How are we protecting sensitive data?

Threat intelligence and collaboration

  • What is the process for gathering and validating inherent risk profile and cybersecurity maturity information?
  • Does our organization share threat intelligence with law enforcement?
  • What third parties does the organization rely on to support critical activities and does the organization regularly audit their level of access?
  • What is the process to oversee third parties and understand their inherent risks and cybersecurity maturity?

Cybersecurity metrics

  • Have we defined appropriate cybersecurity metrics, the format, and who should be reporting to the board?
  • How regularly should a board obtain IT metric information?
  • Is the information meaningful in a way that prompts a reaction and provides a clear understanding of the level of risk the organization is willing to accept, transfer, or mitigate?
  • How is the board actively monitoring progress or lack of progress and holding management accountable?

Cyber incident management and resilience

  • How does management validate the type and volume of cyber-attacks?
  • Does the organization have a comprehensive cyber incident response and recovery plan? Does it involve all key stakeholders—both internal and external? Does it include a business disaster recovery communication process?
  • How does an incident response and recovery plan fit into the overall cybersecurity strategy?
  • Is the board’s response role clearly defined?
  • Is the cyber incident response reviewed and rehearsed at least annually? Do rehearsals include cyber incident exercises?
  • Is there a culture of cyber awareness and reporting at all levels of the company?
  • Is the company adequately insured and is coverage reviewed at least annually?

Cybersecurity education

  • How does the board remain current on cybersecurity developments in the market and the regulatory environment?
  • Currently, how does the board evaluate directors' knowledge of the current cyber environment and cybersecurity issues impacting their organizations?
  • Do boards currently have the skill sets necessary to adequately oversee cybersecurity? How is the board identifying and evaluating the necessary director skills and experience in this area?
  • Are directors provided with educational opportunities in this area?
  • Is regular cybersecurity education provided to the entire organization?

Cybersecurity disclosure

  • Has oversight of cybersecurity reporting been defined for management and the board?
  • Are the company’s policies and procedures for identifying and managing cybersecurity risk, management’s role in implementing them, and the board’s cybersecurity expertise and oversight of cybersecurity risk included in the financial statement and proxy disclosures?
  • Does the company have a mechanism for timely reporting of material cybersecurity incidents?
  • Have updates about previously reported material cybersecurity threats and incidents been included in the financial statements?

If you have any questions about cybersecurity programs, communicating with your board about cybersecurity, or have a specific question about your company or organization, please contact our IT security experts. We're here to help. 

Board oversight of cybersecurity: Questions to ask

Read this if you think your organization may have to prepare an HRSA audit.

Many healthcare providers who have never undergone an audit before may be required by the Health Resources and Services Administration (HRSA) to do so this year because they received Provider Relief Funding (PRF). We’re helping you prepare by answering some common questions about the PRF audit:

Will my organization have to complete a PRF audit?

Federal single audit requirements apply to organizations that expend more than $750,000 of federal funding in one year, regardless of whether those federally sourced funds came directly from the federal government or were passed through a state or local government. Separately, healthcare providers who received $10,000 or more from the PRF during a given period must report to HRSA on how the funds were used.

For many providers, this is the first time they’ve received over $750,000 in federal funding. As a result, these providers will need to complete the single audit for the first time.

Other providers, especially physician practices, may not meet the single audit expense threshold, but that doesn’t mean they’re free from audit obligations. While they may not have to complete a single audit, if they received funding from the PRF, they may need to complete an HRSA-required audit—and the data requests for these audits are, in some cases, more involved than those for the single audit.

What will the HRSA’s PRF audit look like?

The audit will address the data used by the providers to report on their usage of PRF money. That means they will need to provide support for lost revenue and expenses that justify the use of the funds that they received.

The HRSA is going to drill down on the revenue numbers, specifically looking at the general ledger (GL) and other select revenue tests. On the expenses side, they’re going to look at the GL, invoice dates, payments and more.

To complete this audit, HRSA will require a significant amount of supporting documentation. Ideally, most of these documents should already have been copied and set aside as support in anticipation of financial reporting requirements. Below is a partial list of items that could be requested during the audit:

  • General Ledger details
  • Listing of expenses reimbursed with PRF payments grouped into specified categories
  • Listing of patient care revenue by payer
  • Listing of other sources of assistance
  • Listing of expenses reimbursed with the other assistance received
  • Detailed inventory listing of IT supplies
  • Budget attestation from CEO or CFO and board minutes showing ratification of the budget before March 27, 2020
  • Documentation of lost revenue methodologies
  • Audited financial statements
  • CMS cost reports for Medicare and Medicaid
  • Other supporting documentation

If certain documentation isn’t available, providers will need to request copies from their vendors. Missing documentation may make it difficult to justify the use of funds, in which case, providers may have to repay a portion or all of their provider relief funding.

It’s possible that certain expenses were not allowable under PRF. However, that doesn’t necessarily mean providers will have to repay their funds. Providers may have other lost revenue or expenses that would be allowed under PRF—but only if they have the documentation to prove it. That’s why it’s crucial that providers have all relevant documentation for expenses and lost revenue over the periods they received provider relief funding.

What challenges should I anticipate when it comes to completing the audit?

According to the 2022 BDO Healthcare CFO Outlook Survey, 35% of respondents identified CARES Act/PRF reporting as a regulatory concern.

Much of this concern likely stems from a lack of resources as well as audit inexperience. Many providers who will have to complete an HRSA audit don’t have the necessary resources to dedicate to navigating the process. In addition, they may not know the type, scope, or time frame of documentation they need to pull. They may also struggle to locate certain documentation, especially documentation that’s more than two years old.

Finding the right people to sift through the information to ensure its accuracy can be extremely difficult, especially if the documents are not filed electronically. This problem is even greater right now, given the professional services labor shortage that makes it difficult to hire the right people for the job if they aren’t already employed at your organization.

What should my next steps be?

To get ready for a potential HRSA audit, there are at least three immediate steps you should take:

  1. Select a responsible point person. One person should be responsible for coordinating the process to ensure that nothing falls through the cracks or is overlooked.
  2. Keep your PRF filing reports on hand. Pull any related supporting documentation and collate it into one place if it isn’t already.
  3. Identify what support is needed by doing a gap analysis. Determine where you need additional support or expertise and seek to close these gaps before the notification of any audit process.

Insufficient documentation may result in the recapture of provider relief funding by the HRSA. Fortunately, a lack of documentation is preventable with the right support and resources in place.

HRSA audit preparation: All you need to know

Thanks to a little-known law, eligible Massachusetts taxpayers will receive a tax credit in the form of a refund this fall—just in time for holiday shopping. Chapter 62F of the Massachusetts General Laws, a voter-passed initiative from 1986, states that if state tax revenue collections exceed a cap tied to wage and salary growth, the surplus must be returned to the taxpayers. This tax credit was only triggered once before – 35 years ago.

According to the Mass.gov website, in Fiscal Year 2022, state tax revenues exceeded the cap by $2.941 billion—the sum of which will be returned to taxpayers by check or direct deposit in the coming months.

Governor Baker stated that a preliminary estimate of the refunds will be approximately 13% of the taxpayer’s personal income tax liability in 2021, though they will update that estimate in late October, once all 2021 tax returns have been filed.

More details on the tax refund:

  • Taxpayers, both resident and non-resident, who have filed a 2021 state tax return on or before September 15, 2023, are eligible for the refund.
  • Issuance of refunds is expected to begin in November 2022.
  • Individual refunds may be reduced by refund intercepts, such as unpaid child support or unpaid tax liability.
  • Massachusetts taxpayers can use this online refund estimator to calculate their estimated refund using information from their 2021 tax returns.

If you have questions, please contact a member of our state and local tax team.

Chapter 62F law to give Massachusetts taxpayers a bonus refund

Read this if you are responsible for cybersecurity at your organization.

Cybersecurity threats aren’t just increasing in number—they’re also becoming more dangerous and expensive. Cyberattacks affect organizations around the globe, but the most expensive attacks occur in the US, where the average cost of a data breach is $9.44 million, according to IBM’s 2022 Cost of a Data Breach Report. The same report shows that the cost of a breach is $10.10 million in the healthcare industry, $5.97 million in the financial industry, $5.01 million in the pharmaceuticals industry, and $4.97 million in the technology industry.

Cyber threat actors are a serious danger to your company, and your customers, stakeholders, and shareholders know this. They expect you to be prepared to defend against and manage cybersecurity threats. How can you demonstrate your cybersecurity controls are up to par? By obtaining a SOC for cybersecurity report.

What is a SOC for cybersecurity report?

It provides an independent assessment of an organization’s cybersecurity risk management program. Specifically, it determines how effectively the organization’s internal controls monitor, prevent, and address cybersecurity threats.

What’s included in a SOC for cybersecurity report?

The report is made up of three key components:

  1. Management’s description of their cybersecurity risk management program, aligned with a control framework (more on that below) and 19 description criteria laid out by the AICPA.
  2. Management’s assertion that controls are effective to achieve cybersecurity objectives.
  3. The CPA practitioner’s opinion on both management’s description and management’s assertion.

Why should you consider a SOC for cybersecurity report?

A SOC for cybersecurity report offers several important benefits for your organization, which include:

  • Align with evolving regulatory requirements. The cybersecurity regulatory environment is constantly evolving. In particular, the SEC’s cybersecurity guidelines are becoming stricter over time. A SOC for cybersecurity report can demonstrate you’re aligned with these guidelines. If you’re a public company or are considering going public in the future, you need to be prepared to meet not just the SEC’s guidelines of today, but their evolved guidelines in the future.
  • Keep your board of directors informed. Your board is responsible for ensuring the business is effectively addressing and mitigating risks—and that includes cyber risk. A SOC for cybersecurity report offers your board a clear and practical illustration of your organization’s cybersecurity risk management controls.
  • Attract and retain more customers. It’s becoming increasingly common for companies to require that their vendors have a SOC for cybersecurity report. Even for companies that don’t require such a report, it’s important to know their vendors are keeping their data safe. Having this report differentiates you from vendors who have not prepared one.
  • Improve your cybersecurity posture. A SOC for cybersecurity report can identify current gaps in your cybersecurity risk management program. Once you’ve addressed these gaps, you can show your customers, stakeholders, and shareholders that you’re continuously improving and evolving your cybersecurity risk management approach.

How do I prepare for my SOC for cybersecurity assessment?

There are several steps you should take to prepare for your assessment.

  1. Choose your control framework. You have several options, including the NIST Cybersecurity Framework, ISO 27002, and the Secure Controls Framework (SCF). There are multiple online resources to help you choose the framework that’s right for your organization.
  2. Determine who your key internal stakeholders are for your cybersecurity risk management program. You’ll need to select a point person to be responsible for ensuring the independent services auditor has all the documentation they need to complete their assessment and act as liaison across internal and external stakeholders.
  3. Collect all cybersecurity-related documentation in one location. Make sure you have an organizational system that makes sense to your point person so it’s easy for them to pull the appropriate materials to give to the independent services auditor.
  4. Conduct a readiness assessment. You can work with an independent services auditor to conduct such an assessment, which will identify gaps you can address before the attestation is performed.
  5. Select an independent services auditor to perform the attestation. SOC for cybersecurity services are provided by independent CPAs approved by the AICPA. Ideally, you’ll want to select a firm that is experienced in your industry, has a diverse and robust team of cybersecurity professionals, and is accessible when and where you need them.

As always, if you have questions about your specific situation or would like more information about SOC for cybersecurity services, please contact our IT security experts. We’re here to help.

Article
Yes, you need a SOC for cybersecurity report—here's why

Read this if you are a community bank.

The Federal Deposit Insurance Corporation (FDIC) recently issued its second quarter 2022 Quarterly Banking Profile. The report provides financial information based on call reports filed by 4,771 FDIC-insured commercial banks and savings institutions. The report also contains a section specific to community bank performance. In second quarter 2022, this section included the financial information of 4,333 FDIC-insured community banks. BerryDunn’s key takeaways from the report are as follows:

Community banks see quarterly growth in net income despite year-over-year decline.

Community bank quarterly net income increased to $7.6 billion in second quarter 2022, despite being down $523.0 million from one year ago. Higher noninterest expense, lower noninterest income, and higher provision expense offset growth in net interest income. Nearly three-quarters of community banks reported higher net income than one quarter ago. More than two-thirds of community banks reported an increase in net interest income from the year-ago quarter.


Loan and lease balances continue to show widespread growth in second quarter 2022.

Community banks saw an $82.3 billion increase in loan and lease balances from first quarter 2022. All major loan categories except commercial & industrial (C&I) and agricultural production grew year over year, and 69.9% of community banks reported annual loan growth. Total loan and lease balances increased $125.4 billion, or 7.7%, from one year ago. Excluding Paycheck Protection Program loans, annual total loan growth would have been 14.0% and annual C&I growth would have been 21.9%.

Community bank net interest margin (NIM) increased to 3.33% due to strong interest income growth.

Community bank NIM increased eight basis points from the year-ago quarter and 22 basis points from first quarter 2022. Net interest income growth exceeded the pace of average earning asset growth. The average yield on earning assets rose 25 basis points while the average cost of funding earning assets rose three basis points from the previous quarter. The quarterly increase in NIM was the largest reported since second quarter 1985. However, NIM remains below the pre-pandemic average of 3.63%. 

Slightly more than half of community banks reported quarter-over-quarter reductions in noncurrent loan balances.

The allowance for credit losses (ACL) as a percentage of total loans and leases decreased six basis points from the year-ago quarter to 1.25%. The coverage ratio for community banks is 46.4 percentage points above the coverage ratio for noncommunity banks. The coverage ratio increased 54.1 percentage points from the year-ago quarter to 245.4%, a record high since Quarterly Banking Profile data collection began in first quarter 1984.

It has been a time of momentous change for the banking industry; this has been the case since the pandemic and continues to hold true. At the time of writing this summary, the Federal Open Market Committee (FOMC) had already raised the target federal funds rate by 225 basis points in 2022, with further increases anticipated throughout the remainder of 2022. Although rising rates have been the largest contributor to strengthening net interest margins, the impact these rate increases will have on the long-term economy remains to be seen.

Inflation also continues to run rampant, with rate increases thus far seeming to be ineffective in slowing it. The continued inflation has many wondering whether rate increases are the answer at all, and whether other, unalterable forces may be at play. If this is the case, the FOMC’s target rate increases could have the effect of worsening an economic slowdown. Furthermore, although loan growth remained relatively strong in quarter two, deposit growth waned: community banks saw only a 0.4% increase in deposits from a quarter ago. This has put some institutions in a liquidity crunch, forcing them to rely more heavily on wholesale funding to fund loan growth. However, making funding decisions has proven difficult, given the economic uncertainty and potential further target rate increases.

Community banks will have to continue to remain vigilant and remain a resource to their customers. Banks’ customers are facing many of the same challenges that banks are facing—interest rate uncertainty, rising costs, staffing shortages, etc. Therefore, as we’ve previously mentioned, it continues to be important for banks to maintain open dialogue with customers. As always, please don’t hesitate to reach out to BerryDunn’s Financial Services team if you have any questions. You can also visit our Ask the Advisor page to submit your questions.

Article
FDIC Issues its Second Quarter 2022 Quarterly Banking Profile

Read this if you are a chief executive officer, chief operations officer, or chief retail officer at a financial institution.

There’s been much buzz around the recent announcement by the Biden administration that up to $20,000 in federal student loans will be cancelled for low- to middle-income families. And, rightfully so, as the debt cancellation is anticipated to be eligible for up to 43 million Americans with roughly 20 million borrowers expected to have their remaining student loan debt eliminated entirely.1 Although the relief does not apply to private loans, financial institutions should see this as an opportunity to enhance the customer experience. 

Trusted advisors 

Financial institutions are often seen as trusted advisors by their customers and may be a go-to resource for customers when making financial decisions. Debt cancellation of up to $20,000 can have a major financial impact on households, especially provided relief is only eligible to borrowers with household income below $250,000 ($125,000 for individuals).2 And, with roughly 20 million borrowers expected to have their remaining student loan debt eliminated, this may free up significant monthly cash flow for those borrowers. Even though student loan repayments have been on hold for the past couple of years for many borrowers, the cancellation of this debt may free up deposits those borrowers had set aside in anticipation of the recommencement of loan payments. Now that this remaining debt is expected to be forgiven, how might they use this debt forgiveness to better their financial health? Community banks and credit unions are in the driver’s seat to assist customers in making this decision.

Data analytics

With the onset of data analytics—the understanding of how transaction, financial, and other information may be used to understand customer needs—many financial institutions are well-positioned to recommend services tailored to each customer. Although making sense of this data and putting it into something actionable can be challenging, the rewards can be tremendous. For instance, analyzing spending habits or cash flow trends can equip an institution with the insights needed to assist a customer when asked how best to deploy this excess wealth. Do they have any loans with your institution they should pay off or pay down? Given the current interest rate environment, this may also prove to be beneficial for the institution, as it could then re-deploy these funds at a higher interest rate. 

Knowing your customer

A simpler approach than using data analytics to provide actionable insights is simply knowing your customer. This is something community financial institutions excel at, and it is one of their biggest value propositions. When working on financial institution audits, we often ask about specific customers as part of our audit procedures. I am always awed by our clients’ ability to tell one of their customers’ stories on a whim. Bankers have well-developed relationships with their customers. Customers are neighbors, restaurant servers, bartenders, firefighters; the list goes on. These are people bankers see out in their communities; your children may even go to the same school. The point I am trying to make is that these relationships are much deeper than any relationship data analytics can provide. What major life events are your customers anticipating? A wedding? A child? A vacation? Needing a new car? These are all items that data analytics may not be able to tell you, but personal relationships with your customer, and general knowledge about your community, will. How can you, as their trusted advisor, provide them opportunities to save for these major life events? I don’t want to discount the importance of data analytics, but I also want to stress the importance of these personal relationships. Combined, they create a powerful tool for community bankers.

Knowing your customer—an example

As an example, you may know your customer is planning for a wedding and that they took some wedding wish-list items off their list because they couldn't afford them. Does the proposed debt cancellation allow your customer to now afford, or save for, some of these items? You may not know the answer based on previous conversations with the customer, but a quick phone call and discussion will provide you with one. And even if the answer is “No, this does not change my wedding budget,” it at least shows the customer that you were looking out for them and being proactive.

Knowing your customer combined with data analytics—an example

Taking this example a step further, what if you had data analytics that displayed your customer’s spending habits? Is there a way to query payment transactions that would allow you to identify which customers have federal student loans? This information, paired with what you already know about the customer, allows you to provide targeted, actionable insights. Knowing their monthly cash flow, what loans they have outstanding (based on cash outflows), and their deposit balances, you can be more strategic in your outreach, not only in whom you reach out to but in how you structure that outreach. For instance, could a customer benefit from using those forgiven student loan payments to pay down other debt carried at higher interest rates? Or, going back to the earlier example, if you know when the customer’s wedding is and their monthly net cash flow, is there a deposit product you could sign them up for that would let them work toward affording some of the wedding wish-list items they previously had to drop?

Saving for retirement

Another aspect to consider is saving for retirement. Although borrowers are eligible for loan forgiveness of up to $20,000, most will likely only be eligible for $10,000 in forgiveness, as the $20,000 is only for Pell Grant recipients.2 To some customers, $10,000 may not seem like a lot. But, when considering the time value of money, a customer’s perception may change. Using an example from a recent Accounting Today article1, a 40-year-old man is expected to live to 81.5 years old. Therefore, assuming an annual return of 6% over 40 years, $10,000 can turn into more than $110,000 over four decades. Those who live to 90 can turn $10,000 into more than $200,000. Institutions with wealth management divisions may find colleagues who have great suggestions on how best to approach these conversations. Even if the customer has short-term spending needs/desires, as many do, steering these forgiven student loan payments towards retirement may be the most prudent decision. But sometimes a customer needs to see the potential impact plotted out and hear it from an outside, trusted source.

Customers with loan repayments restarting

To this point, the discussion has been on those customers that will benefit from loan forgiveness. But what about those that will not benefit as well as those that will only partially benefit (i.e., the entirety of their loan balance will not be forgiven)? Loan repayments are set to recommence in January 2023. Many borrowers haven’t had to make loan payments for over two years and some newer college graduates have never had to make a loan payment. These loan payments could come as a shock to those who have never made such a payment, as well as to those who previously had, if their spending habits have changed due to loan forbearance. There are two different perspectives to consider for these customers: credit risk and, sticking with the theme of the article, the customer experience.

Credit risk

The end of the loan forbearance period could have a significant impact on certain customers’ financial situations. For some, it could be the make-or-break point on being able to make their loan payments on other loans, possibly some of which are with your institution. Does the recommencement of these student loan payments change your customer’s risk profile? Do they now require closer monitoring?

Customer experience

Closely linked to credit risk, financial institutions should also see the recommencement of student loan payments as an opportunity to enhance the customer experience. Financial institutions should be proactive in reaching out to customers they know will be impacted to see if they feel prepared. This may be a difficult conversation to have, but it is one your customers will likely appreciate. If they aren’t prepared, are there steps the institution can take to assist the customer? Deposit products may again be worth mentioning to customers. Or, for those severely impacted, does the institution need to consider workout agreements with such customers? This provides a prime opportunity to work with your institution’s collections and credit risk departments. Keeping them in the loop (and vice versa) will help provide a seamless customer experience.

Institutions should also consider whether this presents a larger marketing opportunity to attract new business. Although marketing decisions are generally based on potential return on investment (ROI), the ROI in this case may not quite be there, given the relatively small amounts involved. However, is this an opportunity for your institution to highlight its financial advisory services?

In closing

For something that seems so simple on the surface, there is a lot to consider once you start diving in. Financial institutions have a big role to play and should see this as an opportunity to increase what are hopefully already strong relationships with customers. For those customers anticipating debt cancellation, financial institutions should essentially ask themselves: how can customers utilize their debt cancellation in a way that makes the most sense for them given their current financial situation and anticipated life events? For those that aren’t anticipating debt cancellation, financial institutions have an opportunity to be proactive. This proactivity will not only benefit the institution but will also show the institution is prepared and cares about assisting their customers and helping them transition back into student loan payments as smoothly as possible. 

This is a lot to unravel, especially in such a short time. As always, your BerryDunn Financial Services team is here to assist. Also, please feel free to reach out via our Ask the Advisor feature.

1. How student loan relief can turbocharge retirement savings | Accounting Today
2. The Biden-Harris Administration's Student Debt Relief Plan Explained (studentaid.gov)

Article
Student loans: Forgiveness, the end of forbearance, and where financial institutions fit into all of this