A cybersecurity attack entails an unauthorized user accessing information systems and removing, copying or manipulating any stored data. Hacking groups that obtain this information may elect to leverage it for personal financial gain or even just to prove to themselves or others that a device or software can be infiltrated.
John Bolton, former U.S. ambassador to the United Nations, was the keynote speaker at the annual luncheon of the Morris County Chamber of Commerce to talk about cybersecurity. While he noted that many cyberattacks have been thwarted or contained, he believes that most people aren’t highly concerned about preventative measures against hackers. “It’s important in understanding the risks we face in cybersecurity. For a lot of people, it’s hard to imagine the Internet as a threat like war…but its potential consequences are enormous.”
But what if your organization doesn’t have an army of information technology (IT) professionals, lawyers and accountants to combat, defend and assess the damage done by cyber criminals? If you’re unsure of how you would handle a data breach, you might want to ask a few key questions about your organization:
This should be fairly straightforward, especially if you are retaining customer information. Sensitive customer data such as addresses, phone numbers and credit card numbers are valuable to hackers. Keeping organizational information such as legal documentation, medical history and financial data confidential is also important.
For any business process, an organization should implement a process if the benefits, explicit or implicit, outweigh the costs. A simple solution to combat the threat of cybersecurity attacks is to require unique, strong user names and passwords.
If your organization is going to invest the time, energy and funding towards protecting your information, you should outline the controls in place to monitor security threats and periodically review the plan with all phases of management, especially IT.
Older devices and software are typically targeted by cyber criminals. Many publicly traded retail companies use older models of payment devices. These so-called “legacy machines” may have bugs in their networking code that make them easier to penetrate. Hackers may also have access to a script that can retrieve data quickly and stealthily. Remember, we live in the information age.
Being proactive and taking the proper steps necessary to safeguard your organization against cyberthreats can save your business time, money and lots of headaches.
Target’s security and payment system was infiltrated by malware designed to retrieve the credit card information of every shopper through the holiday season. The breach affected over 100 million customers and cost Target over $248 million through Q3 2014. Don’t worry—insurance picked up $90 million of that.
eBay discovered that two employee log-in credentials were stolen. Although the hackers stole encrypted passwords, eBay urged its 148 million users to reset their passwords because other information such as addresses and birthdays were stored as plain text by eBay and subsequently retrieved by unauthorized users. eBay’s subsidiary, PayPal, was unaffected by the breach; its data is kept separately.
Cyber criminals stole credit card information of nearly 56 million customers from Home Depot’s credit card terminals. Per Home Depot’s fourth quarter results, the home improvement retailer is unable to estimate the cost or range of costs related to the breach. Dozens of lawsuits have been filed alleging it failed to comply with security standards adequate enough to protect consumers’ personal information. Proceedings are expected to begin May 2015.
Sony Pictures’ hack was probably the most prominent in recent memory because of the connection between Hollywood and the political landscape involving North Korea. Although employee social security numbers and medical history were stolen, which resulted in lawsuits filed against Sony Pictures, a lot of the damage was done by the emails sent from Sony employees. The topics included some choice words about Angelina Jolie, U.S. President Barack Obama and Jennifer Lawrence. Some have estimated that Sony Pictures will spend $100 million to get back to square one. Sony Pictures has already earmarked $15 million towards repairing the damage of the cyberattack.
Solomon Feraidoon, CPA
Anthony J. Chapman, III, CPA, CITP, Partner
In fact, many companies will not even contract with a service provider if it does not have third-party verification of its controls involved in the security and confidentiality of customer data.
If your company provides B2B services that involve the collecting, processing, storage, organization, maintenance, transmission or disposal of customer information, you can meet your customers’ vendor management requirements through a service organization controls (SOC 2) report. A SOC 2 report is the result of specialized audit procedures performed on your IT and related business process controls, addressing your customers’ information. This audit can be performed on one or more of the following principles, based on applicability:
The system is protected against unauthorized access;
Information designated as confidential is protected as committed or agreed;
All system processing is complete, accurate, timely and authorized;
The system is available for operation and use as committed or agreed; and
Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in your privacy notice and with criteria consistent with Generally Accepted Privacy Principles.
The appropriate principle or principles to select depend on the nature of the services being provided, the nature of the underlying data and the contract agreement service level requirements. Each principle has its own set of criteria that needs to be addressed with specific controls. For organizations that have not had a SOC 2 audit previously, a readiness assessment consulting engagement is strongly recommended. The goal of the SOC 2 readiness assessment is to assist your company in the documentation of relevant existing processes, underlying information technology control activities and in performing gap analysis.
The SOC 2 readiness assessment is performed by an accountant and identifies existing IT and business process controls based on a detailed review of your system and controls for all in-scope activities. Once identified, these controls are mapped to the relevant criteria for each principle to be evaluated. A gap analysis is then performed to identify control weaknesses and assist management in the design and implementation of new “rightsized” control activities that will be effective in remediating identified control weaknesses.
At the conclusion of the consulting engagement, all control gaps related to the applicable criteria will then be remediated, and the SOC 2 audit period can commence. The resulting SOC 2 audit report will provide your clients and potential clients with assurances that your company has utilized current best practices to protect the security, confidentiality, processing integrity, availability and privacy of their data. With a SOC 2 report you will not only address your customers’ vendor management concerns, but you will give your company a competitive advantage in the marketplace, demonstrating to potential customers that you have proactively addressed cybersecurity and related risks inherent in securing your customers’ information.
Helping organizations prepare for and undergo a SOC 2 audit on security, confidentiality, process integrity, availability and privacy requires unique skills and experience. WS+B’s dedicated SOC Services Group can assist you in this highly specialized area. For more information on the benefits of SOC audits, please contact Tony Chapman, CPA, CITP, SOC Specialist, at 609.520.1188.
Anthony J. Chapman III, CPA, Partner
Alfred Erdmann, CPA, MS, Partner
About ten years ago, thanks to the Enron debacle, the Financial Accounting Standards Board (FASB) issued a statement requiring operating companies in the above scenario to include the separate real estate entity in its consolidated financial statements. This was not quite the intended purpose of the pronouncement, but it was an unfortunate by-product. This proved problematic for many operating businesses, particularly those that had other operating debt, as various ratios were put in jeopardy (debt-to-equity and working capital, for example). Companies either had to obtain waivers or have their covenants rewritten to contend with this presentation.
Fast forward to 2014: the FASB has provided relief to nonpublic companies in this situation. In an update issued in 2014, the FASB now permits qualifying entities to NOT consolidate the separate real estate entity simply because of the existence of the guaranty. To qualify for non-consolidation treatment, the entities must meet four criteria, as follows:
It is pretty clear that the situation described above meets the criteria. The two entities are obviously under common control, and there would certainly be a lease between the entities. In this specific situation, it is also clear that there are no other activities between the two entities, as the lessor merely holds the building and has no other operations. But, what about the last criterion? When the operating entity is the sole tenant, the answer is easy since the lender would not lend in excess of the property value. However, there may be a situation where the operating entity only occupies a portion of the property, and the rest of the property is leased to unrelated entities. For example, the operating entity leases 30% of the property, while guarantying the entire mortgage, presumably 70%-80% of the property value. On the surface, it would seem that the situation would not qualify. Thankfully, the FASB update addressed this exact scenario. The lessee need not occupy the entire space, but only some space within the property subject to the mortgage.
This pronouncement is effective for annual periods beginning with calendar year 2015. However, early application is permitted. If you are interested in reporting operations separate from the property, as we could prior to ten years ago, the opportunity has returned.
Alfred Erdmann, CPA, MS, Partner
Thomas A. Girone, CPA
The CRT rate is 6% of the base rent. The base rent includes: standard rental payments, the value of any services provided by the landlord, payments required to be made by the tenant on behalf of the landlord for real estate taxes, water and sewer charges, insurance, or any other expenses normally payable by a landlord with the exception of improvements or repairs and maintenance.
The base rent is reduced by 35% to determine the taxable rent amount. For example, if the annual base rent is $500,000 then the taxable rent is $325,000. The $325,000 is then taxed at a flat 6%, which in this example, would result in a tax liability of $19,500.
There are exceptions to the CRT that are outlined in the instructions to the Form CR-A and noted below:
The CRT returns are due on or before June 20 covering the prior year, from June to May 31. Quarterly filings and payments are also required. If you have not filed and paid the CRT, the city of New York is running a voluntary disclosure program that, if accepted into the program, would significantly reduce or eliminate the assessment of penalties. The penalties can include: 10% for the underpayment of tax, 25% for failing to file, 5% for negligence and a penalty equal to 50% of any interest due.
For additional information on the New York City Commercial Rent Tax, please contact a member of our State and Local Tax Services Group.
Thomas Girone, CPA
“We have been seeking the right strategic partner to expand our geographic reach to the Greater Boston area, and we found the perfect match with Walsh, Jastrem & Browne in terms of expertise, location and culture,” states Bill Hagaman, CEO and managing partner of WS+B. “They are equally excited to now have direct access to the metro New York-New Jersey-Philadelphia marketplace, as well as an expanded suite of services we can offer to their clients.” Both firms are thrilled with the endless possibilities this merger creates.
With WJB on board, WS+B will add 15 professionals to its roster, including three partners: Thomas F. Walsh, CPA, who has been serving as WJB’s managing partner for 15 years; James D. Browne, CPA; and Stephen R. Yardumian, CPA. WJB has a solid reputation in its marketplace, with expertise in financial services, private investment partnerships, employee benefit plans, nonprofit organizations, individuals and estates. Their office is located at 155 Seaport Boulevard, Boston, MA, and will remain at that location under the WithumSmith+Brown name.