The Journal Spring 2015 Issue
Protecting Your Organization from Cyberthreats
A cybersecurity attack entails an unauthorized user accessing information systems and removing, copying or manipulating any stored data. Hacking groups that obtain this information may elect to leverage it for personal financial gain or even just to prove to themselves or others that a device or software can be infiltrated.
John Bolton, former U.S. ambassador to the United Nations, was the keynote speaker at the annual luncheon of the Morris County Chamber of Commerce to talk about cybersecurity. While he noted that many cyberattacks have been thwarted or contained, he believes that most people aren’t highly concerned about preventative measures against hackers. “It’s important in understanding the risks we face in cybersecurity. For a lot of people, it’s hard to imagine the Internet as a threat like war…but its potential consequences are enormous.”
But what if your organization doesn’t have an army of information technology (IT) professionals, lawyers and accountants to combat, defend and assess the damage done by cyber criminals? If you’re unsure of how you would handle a data breach, you might want to ask a few key questions about your organization:
WHAT IS THE NATURE OF THE DATA STORED IN MY ORGANIZATION’S INFORMATION SYSTEMS?
This should be fairly straight-forward, especially if you are retaining customer information. Sensitive customer data such as addresses, phone numbers and credit card numbers are valuable to hackers. Keeping organizational information such as legal documentation, medical history and financial data confidential is also important.
DO THE BENEFITS OF MY CYBERSECURITY PROTECTION OUTWEIGH MY COSTS?
For any business process, an organization should implement a process if the benefits, explicit or implicit, outweigh the costs. A simple solution to combat the threat of cybersecurity attacks is to require unique, strong user names and passwords.
ARE MY INFORMATION SYSTEMS CONSISTENTLY BEING MONITORED AND EVALUATED?
If your organization is going to invest the time, energy and funding towards protecting your information, you should outline the controls in place to monitor security threats and periodically review the plan with all phases of management, especially IT.
IS MY SOFTWARE OR HARDWARE SUSCEPTIBLE TO INCREASED HACKER ACTIVITY?
Devices and software that are older are typically targeted by cyber criminals. Many publicly-traded retail companies use older models of payment devices. These so-called “legacy machines” may have bugs in their networking code that can be easier to penetrate. Hackers may also have access to a script that can retrieve data quickly and stealthily. Remember —we live in the information age.
Being proactive and taking the proper steps necessary to safeguard your organization against cyberthreats can save your business time, money and lots of headaches.
| TIMELINE | |
|---|---|
 |
DECEMBER 2013 Target’s security and payment system was infiltrated by malware designed to retrieve the credit card information of every shopper through the holiday season. The breach affected over 100 million customers and cost Target over $248 million through Q3 2014. Don’t worry—insurance picked up $90 million of that. |
 |
MAY 2014 eBay discovered that two employee log-in credentials were stolen. Although the hackers stole encrypted passwords, eBay urged its 148 million users to reset their passwords because other information such as addresses and birthdays were stored as plain text by eBay and subsequently retrieved by unauthorized users. eBay’s subsidiary, PayPal, was unaffected by the breach; its data is kept separately. |
 |
SEPTEMBER 2014 Cyber criminals stole credit card information of nearly 56 million customers from Home Depot’s credit card terminals. Per Home Depot’s fourth quarter results, the home improvement retailer is unable to estimate the cost or range of costs related to the breach. Dozens of lawsuits have been filed alleging it failed to comply with security standards adequate enough to protect consumers’ personal information. Proceedings are expected to begin May 2015. |
 |
NOVEMBER 2014 Sony Pictures’ hack was probably the most prolific in recent memory due to the tangent between Hollywood and the political landscape involving North Korea. Although employee social security numbers and medical history were stolen, which resulted in lawsuits filed against Sony Pictures, a lot of the damage was done from the emails sent from Sony employees. The topics included some choice words about Angelina Jolie, U.S. President Barack Obama and Jennifer Lawrence. Some have estimated that Sony Pictures will spend $100 million to get back to square one. Sony Pictures has already earmarked $15 million towards repairing the damage of the cyberattack. |
 |
Solomon Feraidoon, CPA 732-828-1614 [email protected]  |
Managing B2B Risks: How a SOC 2 Report Can Help Secure Customer Information
[author-style]Anthony J. Chapman, III, CPA, CITP, Partner[/author-style]
In fact, many companies will not even contract with a service provider if it does not have third-party verification of its controls involved in the security and confidentiality of customer data.
If your company provides B2B services that involve the collecting, processing, storage, organization, maintenance, transmission or disposal of customer information, you can meet your customers’ vendor management requirements through a service organization controls (SOC 2) report. A SOC 2 report is the result of specialized audit procedures performed on your IT and related business process controls, addressing your customers’ information. This audit can be performed on one or more of the following principles, based on applicability:
| SECURITY |
|---|
| The system is protected against unauthorized access; |
| CONFIDENTIALITY |
| Information designated as confidential is protected as committed or agreed; |
| PROCESSING INTEGRITY |
| All system processing is complete, accurate, timely and authorized; |
| AVAILABILITY |
| The system is available for operation and use as committed or agreed; and |
| PRIVACY |
| Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in your privacy notice and with criteria consistent with Generally Accepted Privacy Principles. |
The appropriate principle or principles to select depend on the nature of the services being provided, the nature of the underlying data and the contract agreement service level requirements. Each principle has its own set of criteria that needs to be addressed with specific controls. For organizations that have not had a SOC 2 audit previously, a readiness assessment consulting engagement is strongly recommended. The goal of the SOC 2 readiness assessment is to assist your company in the documentation of relevant existing processes, underlying information technology control activities and in performing gap analysis.
The SOC 2 readiness assessment is performed by an accountant and identifies existing IT and business process controls based on a detailed review of your system and controls for all in-scope activities. Once identified, these controls are mapped to the relevant criteria for each principle to be evaluated. A gap analysis is then performed to identify control weaknesses and assist management in the design and implementation of new “rightsized” control activities that will be effective in remediating identified control weaknesses.
At the conclusion of the consulting engagement, all control gaps related to the applicable criteria will then be remediated, and the SOC 2 audit period can commence. The resulting SOC 2 audit report will provide your clients and potential clients with assurances that your company has utilized current best practices to protect the security, confidentiality, processing integrity, availability and privacy of their data. With a SOC 2 report you will not only address your customers’ vendor management concerns, but you will give your company a competitive advantage in the marketplace, demonstrating to potential customers that you have proactively addressed cybersecurity and related risks inherent in securing your customers’ information.
SELECTING THE RIGHT EXPERTS
Helping organizations prepare for and undergo a SOC 2 audit on security, confidentiality, process integrity, availability and privacy requires unique skills and experience. WS+B’s dedicated SOC Services Group can assist you in this highly specialized area. For more information on the benefits of SOC audits, please contact Tony Chapman, CPA, CITP, SOC Specialist, at 609.520.1188.
 |
Anthony J. Chapman III, CPA, Partner 609-520-1188 [email protected] View Experiences |
Separating Commonly-Owned Property From Operations (Again)
[author-style]Alfred Erdmann, CPA, MS, Partner[/author-style]
About ten years ago, thanks to the Enron debacle, the Financial Accounting Standards Board (FASB) issued a statement requiring operating companies in the above scenario to include the separate real estate entity in its consolidated financial statements. This was not quite the intended purpose of the pronouncement, but it was an unfortunate by-product. This proved problematic for many operating businesses, particularly those that had other operating debt, as various ratios were put in jeopardy (debt-to-equity and working capital, for example). Companies either had to obtain waivers or have their covenants rewritten to contend with this presentation.
Fast forward to 2014 —the FASB has provided relief to nonpublic companies in this situation. In an update issued in 2014, the FASB now permits qualifying entities to NOT consolidate the separate real estate entity simply because of the existence of the guaranty. To qualify for non-consolidation treatment, the entities must meet four criteria, as follows:
- The lessee and lessor must be under common control;
- There must be a lease arrangement between the lessee and the lessor;
- Substantially all activities between the lessee and the lessor are related to leasing activities (including supporting leasing activities) between those two entities; and
- The amount guaranteed does not exceed the value of the asset leased at the time the guaranty was made.
It is pretty clear that the situation described above meets the criteria. The two entities are obviously under common control, and there would certainly be a lease between the entities. In this specific situation, it is also clear that there are no other activities between the two entities, as the lessor merely holds the building and has no other operations. But, what about the last criterion? When the operating entity is the sole tenant, the answer is easy since the lender would not lend in excess of the property value. However, there may be a situation where the operating entity only occupies a portion of the property, and the rest of the property is leased to unrelated entities. For example, the operating entity leases 30% of the property, while guarantying the entire mortgage, presumably 70%-80% of the property value. On the surface, it would seem that the situation would not qualify. Thankfully, the FASB update addressed this exact scenario. The lessee need not occupy the entire space, but only some space within the property subject to the mortgage.
This pronouncement is effective for annual periods beginning with calendar year 2015. However, early application is permitted. If you are interested in reporting operations separate from the property, as we could prior to ten years ago, the opportunity has returned.
 |
Alfred Erdmann, CPA, MS, Partner 212-751-9100 [email protected] View Experiences |
NYC Commercial Rent Tax
[author-style]Thomas A. Girone, CPA[/author-style]
The CRT rate is 6% of the base rent. The base rent includes: standard rental payments, the value of any services provided by the landlord, payments required to be made by the tenant on behalf of the landlord for real estate taxes, water and sewer charges, insurance, or any other expenses normally payable by a landlord with the exception of improvements or repairs and maintenance.
The base rent is reduced by 35% to determine the taxable rent amount. For example, if the annual base rent is $500,000 then the taxable rent is $325,000. The $325,000 is then taxed at a flat 6%, which in this example, would result in a tax liability of $19,500.
There are exceptions to the CRT that are outlined in the instructions to the Form CR-A and noted below:
- Your annualized base rent is less than $250,000 before applying the 35% rent reduction and the NYC Commercial Revitalization Program special reduction. However, you are required to file a tax return if your annual gross rent paid is more than $200,000.
- You are renting premises for 14 days or less during the tax year.
- You are a tenant who uses at least 75% of the floor space to rent to others for residential purposes. This does not include operators of hotels.
- You are renting property for certain theatrical productions. The exemption will be for the first 52 weeks after the production begins.
- You are a governmental body or a nonprofit religious, charitable or educational organization. Other types of nonprofit organizations will be exempt as long as the property is not used for commercial purposes and they receive a written tax exemption from finance.
- You are located in the “World Trade Center Area.”
- You occupy a property that is located in the Commercial Revitalization Program abatement zone and is being used for retail sales purposes.
The CRT returns are due on or before June 20 covering the prior year, from June to May 31. Quarterly filings and payments are also required. If you have not filed and paid the CRT, the city of New York is running a voluntary disclosure program that, if accepted into the program, would significantly reduce or eliminate the assessment of penalties. The penalties can include: 10% for the underpayment of tax, 25% for failing to file, 5% for negligence and a penalty equal to 50% of any interest due.
For additional information on the New York City Commercial Rent Tax, please contact a member of our State and Local Tax Services Group.
 |
Thomas Girone, CPA 732-842-3113 [email protected]  |
WS+B Merges with Boston CPA Firm
“We have been seeking the right strategic partner to expand our geographic reach to the Greater Boston area, and we found the perfect match with Walsh, Jastrem & Browne in terms of expertise, location and culture,” states Bill Hagaman, CEO and managing partner of WS+B. “They are equally excited to now have direct access to the metro New York-New Jersey-Philadelphia marketplace, as well as an expanded suite of services we can offer to their clients.” Both firms are thrilled with the endless possibilities this merger creates.
With WJB on board, WS+B will add 15 professionals to its roster, including three partners: Thomas F. Walsh, CPA, who has been serving as WJB’s managing partner for 15 years; James D. Browne, CPA; and Stephen R. Yardumian, CPA. WJB has a solid reputation in its marketplace, with expertise in financial services, private investment partnerships, employee benefit plans, nonprofit organizations, individuals and estates. Their office is located at 155 Seaport Boulevard, Boston, MA, and will remain at that location under the WithumSmith+Brown name.
