Summing It Up https://blog.freedmaxick.com/summing-it-up Up-to-date information and guidance on accounting, tax, audit and financial issues - Freed Maxick CPAs - Buffalo Rochester Syracuse NY en-us Wed, 07 Dec 2022 15:00:00 GMT 2022-12-07T15:00:00Z en-us To Coin an Oprah Phrase… “You get ERTC and You Get ERTC and Everybody Gets ERTC!!!!” https://blog.freedmaxick.com/summing-it-up/to-coin-an-oprah-phrase-you-get-ertc-and-you-get-ertc-and-everybody-gets-ertc <h3><span style="font-size: 18px;">Not so Fast… Fraudulent ERTC Claims are in the IRS’ Crosshairs</span></h3> <p>The <a href="https://blog.freedmaxick.com/summing-it-up/employee-retention-credit-2021-update">Employee Retention Tax Credit (ERTC)</a> has provided federal tax credits to employers for periods during COVID-19 in which they may have suffered from government shutdowns at the entity level, supply chain issues, or a significant and detrimental revenue decline.</p> <p>If you have applied for and received an employee retention tax credit, particularly if you depended on a payroll company or so-called “tax credit consulting firm” to help you apply for the credit (for a percentage of the credit secured), you may have exposed yourself to being charged with fraud by the IRS, and to the consequences of dealing with that charge.</p> <p>Are you in the IRS’ crosshairs?</p> <h3 style="font-size: 18px; line-height: 1.5;">ERTC Fraud and Scams: Can You Really Claim a Supply Chain Interruption for ERTC Purposes?</h3> <p>Initially, companies taking advantage of 
<a href="https://blog.freedmaxick.com/summing-it-up/topic/paycheck-protection-program">Paycheck Protection Program (PPP) loans</a> were ineligible to also claim ERTC. Revised legislation reversed this and granted businesses the right to claim ERTC for any periods in which PPP dollars were not used to cover payroll.</p> <p>As with any government guidance that changes and morphs over its life, the “updates” gave many tax credit companies and affiliated payroll processing companies room to full-court press businesses by telling them that they absolutely qualify for credits <span style="font-weight: bold;"><em><span style="text-decoration: underline;">even in many instances where they may not.</span></em></span> The IRS is keenly aware of this potential abuse and of the fraud that is running rampant as more and more claims are submitted by these companies on behalf of businesses that do not fully understand what the qualifications are or whether they meet them.</p> <p>I am the first one to advocate for, and assist my clients in, accessing all government assistance to which they are entitled. I also work closely with them to review the qualifications for these credits so that we arrive at a conclusion that supports a valid claim.</p> <p>But many tax credit companies and payroll affiliates are contacting businesses directly and claiming that under the “partial suspension and supply chain interruption” section of the ERTC, they may qualify for the credit. Frankly, this is a gray area that has now opened the floodgates for suspicious and unqualified claims. For many businesses, this just isn’t the case: even though the supply chain shutdown parameters are being touted as a slam dunk, they have clearly defined criteria.</p> <p>Unfortunately, quite a few businesses are relying on the supply chain loophole to claim a credit even if they did not experience a government shutdown, fully funded their payroll during the shutdown with PPP dollars, or did not have an overall revenue decline.</p> <p>If an actual supply chain disruption occurred, your business would need to be able to show that your supplier was shut down by government order, that it could not obtain the required product through any other supplier, and that the disruption caused a revenue decline in “more than a nominal segment of the business operations.”</p> <p>The IRS notice on this defines a “more than nominal” segment as more than 10% of total business gross receipts or 10% of the payroll allocation of total employee hours.</p> <p>This is the area where the largest amount of potential abuse and fraud is being detected. The tax credit companies, while clearly stating they “cannot offer tax advice,” are calling and emailing businesses urging them to get on the bandwagon for this free ride, without taking any responsibility for protecting them from future audits or the reversal of fraudulent and unsupportable claims.</p> <h3 style="font-size: 18px; line-height: 1.5;">And Then, There’s the Other Low-Hanging Fruit... Aggregation Rules and Family Wages Related to ERTC Claims</h3> <p>Another area the IRS is likely to target for fraud is the aggregation rules and family wage exclusion that apply to claiming ERTC. It appears that many tax credit consultants may be ill-advising clients and subsequently processing ineligible claims for taxpayers in violation of these exclusions.</p> <p>The aggregation guideline delineates that businesses with common ownership must be considered in aggregate when assessing qualification for a valid ERTC claim. 
Family or related individual wages specifically excluded from eligible wages for ERTC include relatives of majority entity owners: children or descendants of a child; brothers; sisters; stepbrothers or stepsisters; step-parents; nieces; nephews; aunts; uncles; sons- or daughters-in-law; fathers- or mothers-in-law; and brothers- or sisters-in-law.</p> <p>In many cases, my clients have reached out to me after receiving a phone call from tax credit consultants or payroll companies soliciting businesses to process an ERTC claim on their behalf. My clients tell me they are not even being asked whether they have family or relative wages, or any other commonly owned businesses. I have had to reach out directly to these “consultants” who have filed erroneous claims that included ineligible family-paid wages … even when and where my client specifically told them upfront to respect the ineligibility rules.</p> <p>Here's a “real kicker”: one consulting firm tried to bill my client for the claim and the required amendment to the claim! It is clear to me that these tax credit agencies are not aware of the full set of guidelines, or are just not “in the business” of making sure taxpayers are aware of these considerations, or, more likely, are only concerned with getting their fees for processing as many claims as possible.</p> <h3 style="font-size: 18px;">I Am Fiercely Protective of My Clients, So …</h3> <p>I realize I am fiercely protective of my clients and want to ensure that anything I advise them on is something they can rest assured I will support and prevail on if the IRS were to audit and look at it closely. I have had quite a few meetings with clients enchanted by hearing about the huge ERTC credit dollars that could be theirs “with minimal risk, minimal effort, and no out-of-pocket dollars.”</p> <p>The process of educating them on Employee Retention Tax Credit qualifications can be disappointing when they are being hounded by soliciting processing companies telling them they can easily build a case for making the claims. I advise my clients to pull all the specific data and make sure they have all the appropriate documentation ready to support any claims submitted under scrutiny.</p> <p>The filing and submission of these claims does not include the reasoning or basis the business is using to substantiate the claim, so the IRS is blindly issuing refunds. But I promise you, they are laying the groundwork to begin auditing claims where they have information that business revenues in fact increased during the claim periods and large ERTC dollars have been issued.</p> <p><a href="https://www.tigta.gov/">In an August 2022 report by the Treasury Inspector General for Tax Administration</a>, it was estimated that over $2 trillion of potentially fraudulent claims had been identified and an additional $124 million of ineligible government entity claims cited. These figures hit hard in our struggling economy and leave me wondering whether everyone is aware that in the end, we, the taxpayers, are paying for these fraudulent claims.</p> <h3 style="font-size: 18px;">If You Think You Have Submitted a “Suspicious” ERTC Claim</h3> <p>In the event you have been convinced to file claims that may not be supportable, there are looming consequences that could be more severe than just paying the dollars back. At a minimum, interest and penalties will be assessed on any audited claims that result in a determination of fraud. Civil and criminal penalties could also be imposed depending on the facts, circumstances and dollar amounts involved.</p> <p>There is speculation that the IRS may implement a voluntary disclosure program in response to the onslaught of taxpayers who have filed claims that may not qualify under the ERTC regulations. If this program is adopted, I advise any taxpayer who has made claims they are unsure about to review the qualifications in detail and participate in the program if they feel their claims were unsupported.</p> <p>I never want to see taxpayers of integrity coerced into making bad decisions to submit claims when they have not been expertly educated on the qualification criteria. I strongly urge every taxpayer to consult with their trusted tax professional if they are considering making ERTC claims, especially when being courted by an outside agency to do so.</p> <p>I am happy to consult with anyone who has questions about the validity of their submitted or potential ERTC claims. 
If you would like a review of your ERTC claim to make sure you are qualified and in compliance with the program, please <a href="https://blog.freedmaxick.com/contact">contact me</a> via email at <a href="mailto:jennifer.bean@freedmaxick.com">jennifer.bean@freedmaxick.com</a>.</p> Tax Wed, 07 Dec 2022 15:00:00 GMT https://blog.freedmaxick.com/summing-it-up/to-coin-an-oprah-phrase-you-get-ertc-and-you-get-ertc-and-everybody-gets-ertc 2022-12-07T15:00:00Z Jenny Bean, CPA New York State Tax Update: IRS Provides Tax Relief | Freed Maxick https://blog.freedmaxick.com/summing-it-up/new-york-state-tax-update-irs-provides-tax-relief-for-recent-western-new-york-snowstorm 
<p>On December 2, 2022, <a href="https://www.irs.gov/newsroom/irs-announces-tax-relief-for-severe-winter-storm-and-snowstorm-in-new-york">the IRS issued NY-2022-08</a>, which provides relief for victims of a severe winter storm that began on 11/18/2022. This relief provides an extension of time to file returns and pay any taxes that were or are due during the relief period, for individuals who reside or have a business in Cattaraugus, Chautauqua, Erie, Genesee, Jefferson, Lewis, Niagara, Oneida, Oswego, St. Lawrence, and Wyoming counties. The relief period generally includes all returns normally due on or after 11/18/22 and before 3/15/2023, including:</p> <ul> <li>Quarterly estimated income tax payments</li> <li>Quarterly payroll and excise tax returns</li> <li>Individual and business returns with original or extended due dates within the relief period</li> </ul> <p>Additionally, penalties on payroll and excise tax deposits due on or after 11/18/22 and before 12/5/2022 will be abated if the deposits are made by 12/5/2022 (check with your payroll provider).</p> <p>This is a fluid situation; as we receive additional guidance, we will communicate it to you. As of this date, NYS has not announced conformity with this notice.</p> <p>If you have any questions or would like additional information, <a href="https://blog.freedmaxick.com/contact">please contact</a> a member of our <a href="https://www.freedmaxick.com/services/tax/">tax team</a> at <a href="mailto:info@freedmaxick.com">info@freedmaxick.com</a> or call 716-847-2651.</p> Tax Tue, 06 Dec 2022 18:00:00 GMT https://blog.freedmaxick.com/summing-it-up/new-york-state-tax-update-irs-provides-tax-relief-for-recent-western-new-york-snowstorm 2022-12-06T18:00:00Z Freed Maxick Tax Team Accurate Numbers | Outsourced Accounting Solutions | MAXIS® by Freed Maxick https://blog.freedmaxick.com/summing-it-up/count-on-accuracy-for-more-than-just-accounting-services <h3 style="font-size: 20px;">Precision with numbers makes life better</h3> <p>As our seasons change from pumpkin to peppermint, we thought we’d share something fun! We often take numbers, other than basic math, for granted. But did you ever stop to think just how <a href="https://blog.freedmaxick.com/summing-it-up/better-decisions-make-for-stronger-organizations">important accurate numbers really are</a>, such as measurements and temperatures? In the spirit of the holiday season, let’s look at three examples of how and why exact numbers are important for the best outcome.</p> <h3 style="font-size: 18px;">Coffee &amp; Co.</h3> <p>Believe it or not, the recipe for a perfect cup of coffee is an actual science. It requires water at an ideal temperature to <a href="https://www.coffeebean.com/blog/our-coffee/water-and-coffee-understanding-how-temperature-affects-your-cup">extract the flavor</a> from the beans. According to the <a href="https://www.ncausa.org">National Coffee Association</a>, that temperature is between 195°F and 205°F. Any higher (the boiling point of water is 212°F) and you risk over-extraction and a bitter cup of coffee.</p> <p>One <a href="https://www.sciencedirect.com/science/article/abs/pii/S0305417907002550?via=ihub">study found that hot drinks</a> are most frequently served at 160°F to 185°F. Fortunately, they quickly cool to a burn-free, comfortable 136–140°F, which is what the study concluded was an optimal drinking temperature. When it comes to other drinks, hot apple cider is best served at a simmer (~180°F), and <a href="https://blog.thermoworks.com/beverages/hot-chocolate-best-serving-temperature/">hot chocolate</a> between 160°F and 185°F so as not to disturb the integrity of the ingredients. Regardless of the drink, heat loss will occur between preparation and consumption. The late <a href="https://www.townandcountrymag.com/society/tradition/a40691553/queen-elizabeth-tea-preferences-royal-chef-quote/">Queen Elizabeth</a> is said to have required that her tea be made with “absolute boiling water” and steeped for five minutes, which presumably cooled her “<a href="https://www.merriam-webster.com/dictionary/cuppa">cuppa</a>”.</p> <p>So how do you know if you’re drinking your coffee right? 
The good news, in this case, is that the best judge is your tastebuds.</p> <h3 style="font-size: 18px;">Baking</h3> <p>How is it that you can have a chocolate chip cookie that’s cakey, chewy, OR crunchy? It’s because baking is a science that depends on chemical reactions to produce a specific result. And those reactions occur as the result of precise measurements of the ingredients in the recipe. The way in which the <a href="https://en.wikipedia.org/wiki/Cake">ingredients</a> (such as liquids, leaveners, fats) interact with each other and, more often than not, with temperatures (room temp, freeze, bake), techniques (cream, melt, fold), and conditions (humidity, elevation) is what attains the perfect outcome. See what happens when you modify <a href="https://www.verybestbaking.com/toll-house/baking-101/cookie-tips/">NESTLÉ® TOLL HOUSE® Chocolate Chip Cookies</a> dough and find your perfect cookie.</p> <h3><span style="font-size: 18px;">Cocktails</span></h3> <p>Did you ever wonder why James Bond insisted his martini be “shaken, not stirred”? Like baking, crafting cocktails requires the perfect chemistry. Using ingredients such as hibiscus syrup, rosemary, and liquid smoke, and assigning a <a href="http://www.cocktailsandbars.com/how-to-name-a-cocktail/">hip name</a>, modern-day mixologists are making cocktails artsy and hip. But in addition to unique, complementary flavors, balancing proportions is the science that makes a cocktail drink-worthy. Measuring each shot, dash, or splash can influence the resulting libation and subsequent experience, as can the temperature (properly chilled) and presentation (glass). Try a unique <a href="https://www.liquor.com/slideshows/new-years-eve-cocktail-parties/">creation</a> of <a href="https://www.dictionary.com/e/how-to-name-a-cocktail/">your own</a>! (Please drink responsibly.) Even <a href="https://www.bonappetit.com/gallery/best-mocktail-recipes">mocktails</a> are all the rage! As for <a href="https://www.newsweek.com/james-bond-vodka-gin-vesper-martini-recipes-1634576">007</a>, only he knows.</p> <p><span style="font-weight: bold;">Are your numbers working for you? Learn how MAXIS delivers <a href="https://www.maxisbyfm.com/p/1">outsourced accounting solutions</a> that help you attain the best outcome.</span> <a href="https://blog.freedmaxick.com/maxis-talk-to-an-expert">Contact Alexis Becker for a complimentary consultation</a> at <a href="mailto:alexis.becker@freedmaxick.com">alexis.becker@freedmaxick.com</a>.</p> MAXIS® Wed, 30 Nov 2022 15:00:00 GMT 
https://blog.freedmaxick.com/summing-it-up/count-on-accuracy-for-more-than-just-accounting-services 2022-11-30T15:00:00Z Alexis S. Becker Cyber Attacks on Small Businesses | MAXIS® by Freed Maxick https://blog.freedmaxick.com/summing-it-up/cyber-attacks-on-small-business-equal-big-money-for-cybercriminals <h3 style="font-size: 20px;">Cyberattacks are expensive business</h3> <p>Small and medium-size businesses (SMBs) continue to <a href="https://blog.freedmaxick.com/summing-it-up/how-vulnerable-is-your-business-to-a-cyberattack">face a growing threat from cyberattacks</a>. With few resources and a lack of appropriate security, SMBs are left more vulnerable and become easy targets for hackers. By some estimates, small businesses are <a href="https://www.forbes.com/sites/edwardsegal/2022/03/30/cyber-criminals/?sh=477bcb7952ae">three times more likely</a> to be targeted by criminals than larger companies.</p> <p>As threats become more sophisticated and the consequences more dire, an investment in establishing a resilient cybersecurity environment far outweighs recovery expenses. <a href="https://blog.freedmaxick.com/summing-it-up/topic/maxis">MAXIS® by Freed Maxick</a> helps SMB owners and leaders prevent costly data breaches and protect their digital ecosystems.</p> <h3 style="font-size: 18px;">What’s at Risk: Small Business Cyber Attack Statistics</h3> <p>In the <a href="https://netdiligence.com/cyber-claims-study-2022-report/" style="font-style: italic;">2022 NetDiligence<sup>®</sup> Cyber Claims Study</a>, which analyzed 7,500 cyber claims for incidents occurring during the five-year period 2017–2021, the average cost of a ransomware incident, including business interruption and recovery costs, is $623K for SMBs. The report states that in this period, 98% of cyber insurance claims came from SMBs. And the Small Business Administration (SBA) reports that “<a href="https://www.sba.gov/event/5453">small businesses</a> are the target of 43% of all data breaches.” The SBA also reports that “60% of small businesses go out of business within 6 months after a significant cyber attack.”</p> <h3 style="margin-top: 1pt; margin-right: 0in; margin-bottom: 1pt; padding-left: 0in; font-size: 18px;">Partners in Crime: Cyber Attack Prevention</h3> <p>Theoretically, cyber responsibility is everyone’s job. But without protocols, employees and third-party partners (i.e. 
vendors, suppliers) are catalysts for easy entry and present significant liabilities.</p> <ul> <li>Human error is the number one point of entry. In its <a href="https://www.verizon.com/business/resources/reports/dbir/">2022 Data Breach Investigations Report (DBIR)</a>, Verizon shows that 82%, or eight in 10, data breaches involved human-related vulnerabilities.</li> <li>Whether enabling unsecured WiFi or downloading a game, employees (or their kids) can unknowingly provide an opportunity for access to a corporate network through <a href="https://www.cisa.gov/uscert/sites/default/files/publications/cyber_threats_to_mobile_phones.pdf">mobile phones</a>.</li> <li>More complex attacks happen when a third party’s technology (i.e. payroll, banking, ordering) provides digital access. Accenture reports that <a href="https://www.accenture.com/us-en/insights/security/invest-cyber-resilience">supply chain breaches</a> increased from 44% in 2020 to 61% in 2021.</li> <li>In 2021, <a href="https://www.fbi.gov/how-we-can-help-you/safety-resources/scams-and-safety/common-scams-and-crimes/business-email-compromise">business email compromise</a> (BEC), the exploitation of (employee, vendor, customer) email, was “one of the most widely reported cyber security issues,” according to the FBI. The agency calls BEC “… one of the most financially damaging online crimes.”</li> </ul> <p>Once criminals locate vulnerabilities, most need only 5 hours or less to break into an organization.</p> <h3 style="margin-top: 1pt; margin-right: 0in; margin-bottom: 1pt; padding-left: 0in; font-size: 18px;">Teams, Tools, and Tech: Cybersecurity Planning</h3> <p>As the cost of timely recovery and the threat of demise present real challenges, the case for vigilance in planning and preparing becomes stronger.</p> <p>The <a href="https://blog.freedmaxick.com/summing-it-up/topic/maxis">MAXIS</a> <a href="https://www.maxisbyfm.com/">outsourced accounting team</a> develops processes and execution with controls and protocols in mind, which in turn enhances security for clients (especially those clients on NetSuite with additional Oracle cloud security protocols). Custom plans mitigate risk, safeguard assets, and ensure continuity of operations. We work alongside the <a href="https://www.freedmaxick.com/services/consulting/technology/information-systems-it-security-and-controls-consulting/">Freed Maxick Cybersecurity</a> team to assess, implement, and monitor secure systems and processes for effective prevention and the protection of individuals and businesses.</p> <p>As the NetDiligence report states: “Organizations with a robust and tested cyber resiliency plan will potentially mitigate the risk of longer interruptions and high recovery costs, reducing the overall impact to the business. 
The idea is not only to recover, but to recover expeditiously – which can only be accomplished with a proper cyber resiliency and crisis management plan.”</p> <p>As we continue to become dependent on technology for connectivity, productivity, and profitability, it is imperative that SMBs strengthen their security and build cyber resilience.</p> <p><span style="font-weight: bold;">Proactive cybersecurity planning and preparation can help protect organizations from small business cyberattacks, business interruption, and costly recovery.</span> To learn more about how MAXIS can help, <a href="https://blog.freedmaxick.com/maxis-talk-to-an-expert">contact Alexis Becker for a complimentary consultation</a> at <a href="mailto:alexis.becker@freedmaxick.com">alexis.becker@freedmaxick.com</a>. 
Or reach out to Dave Hansen to talk about risk management at <a href="mailto:david.hansen@FreedMaxick.com">david.hansen@FreedMaxick.com</a>.</p> <p><a class="cta_button" href="https://blog.freedmaxick.com/cs/ci/?pg=d53cb46d-653d-4d35-9751-aa1f2979b1ef&amp;pid=108075&amp;ecid=&amp;hseid=&amp;hsic="><img class="hs-cta-img " style="border-width: 0px; /*hs-extra-styles*/; " alt="New call-to-action" src="https://no-cache.hubspot.com/cta/default/108075/d53cb46d-653d-4d35-9751-aa1f2979b1ef.png"></a></p> <img src="https://track.hubspot.com/__ptq.gif?a=108075&amp;k=14&amp;r=https%3A%2F%2Fblog.freedmaxick.com%2Fsumming-it-up%2Fcyber-attacks-on-small-business-equal-big-money-for-cybercriminals&amp;bu=https%253A%252F%252Fblog.freedmaxick.com%252Fsumming-it-up&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Cybersecurity MAXIS® Accounting & Advisory Wed, 16 Nov 2022 15:00:00 GMT https://blog.freedmaxick.com/summing-it-up/cyber-attacks-on-small-business-equal-big-money-for-cybercriminals 2022-11-16T15:00:00Z David Hansen, CPA, CISSP, QSA, CISA What is the OpenSSL Punycode Vulnerability? | Freed Maxick https://blog.freedmaxick.com/summing-it-up/what-is-the-openssl-punycode-vulnerability <div class="hs-featured-image-wrapper"> <a href="https://blog.freedmaxick.com/summing-it-up/what-is-the-openssl-punycode-vulnerability" title="" class="hs-featured-image-link"> <img src="https://blog.freedmaxick.com/hubfs/openssl-vulnerability.jpg" alt="What is the OpenSSL Punycode Vulnerability? 
| Freed Maxick" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p>On November 1, 2022, the OpenSSL project released version 3.0.7 to fix two buffer overflow vulnerabilities in OpenSSL 3.0, tracked as CVE-2022-3602 and CVE-2022-3786. Both sit in the punycode decoder that the X.509 certificate verification code uses when checking name constraints, so a crafted certificate can overflow a stack buffer once chain verification reaches that check: CVE-2022-3602 lets an attacker write four controlled bytes past the end of the buffer, and CVE-2022-3786 lets an attacker overflow it with an arbitrary number of ‘.’ characters. The realistic outcome on most platforms is a crash (denial of service); remote code execution has not been ruled out, but no working exploit was known when the fix shipped.</p> <p><img src="https://blog.freedmaxick.com/hs-fs/hubfs/openssl-vulnerability.jpg?width=652&amp;height=326&amp;name=openssl-vulnerability.jpg" alt="openssl-vulnerability" width="652" height="326" style="height: auto; max-width: 100%; width: 652px;"></p> <h3 style="font-size: 18px;">What is the Risk of the OpenSSL Punycode Vulnerability?</h3> <p>The vulnerability was pre-announced as critical but downgraded to high when the details were released, because triggering it depends on conditions that are uncommon in practice:</p> <ul> <li>The overflow is reached while verifying a certificate chain. A TLS server is exposed only if it requests client certificates, which most servers do not do; a TLS client is exposed whenever it connects to a server that presents a malicious certificate.</li> <li>The malicious certificate has to get far enough through verification to reach the name constraint check: either a CA must have signed it, or the application must keep going after failing to build a path to a trusted issuer.</li> <li>Many platforms ship stack overflow protections (such as stack canaries) that turn the overflow into a crash rather than code execution.</li> </ul> <h3 style="font-size: 18px;">What technology is affected by the OpenSSL Punycode Vulnerability?</h3> <p>OpenSSL is embedded in products and platforms from many major vendors and projects, including Canonical, Red Hat, VMware, Node.js and AWS. 
Vendors are now investigating whether their products ship an affected version and issuing patches where needed. The good news is that only one of the two OpenSSL branches in production use is affected: versions 3.0.0 through 3.0.6 are vulnerable, while the 1.1.1 series, which is still the more common one in production, does not contain the affected code.</p> <h3 style="font-size: 18px;">How do I identify if the OpenSSL Punycode Vulnerability is on my network?</h3> <p>Given the high risk rating, <a href="https://www.freedmaxick.com/services/consulting/technology/information-systems-it-security-and-controls-consulting/">Freed Maxick’s cybersecurity team</a> recommends that any affected instance found on a system be remediated within 30 days. For systems and networks you control, run a vulnerability scan (or an inventory query) focused on whether OpenSSL is present and which version is installed, remembering that applications and containers often bundle their own copy of the library in addition to the distribution package. For systems not under your direct control, check the listing maintained by the National Cyber Security Centre of the Netherlands (NCSC-NL) to see whether a product you use is affected or still under investigation. Once the vendor releases a fix, apply it as soon as possible.</p> <p>Freed Maxick’s cybersecurity team can help you identify and prioritize this vulnerability alongside others through a comprehensive network vulnerability assessment and penetration test. 
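</p> <p>As an added example, not part of the original post or of OpenSSL’s own tooling, the POSIX shell script below does the version check described above. It classifies an OpenSSL version string as <em>affected</em> (3.0.0 through 3.0.6), <em>not-affected</em> (3.0.7 or later, or any 1.1.1 or 1.0.2 build) or <em>unknown</em>, and when run with <code>--report</code> it collects what the current host has from the <code>openssl</code> binary, <code>ldconfig</code> and the distribution package. The package names (<code>libssl3</code>, <code>libssl1.1</code>, <code>openssl-libs</code>) and the tools it probes are assumptions about a typical Debian- or RPM-based Linux host; the version strings it is exercised with are constructed samples.</p>

```shell
#!/bin/sh
# Added example (not from the original post): classify OpenSSL version strings
# against CVE-2022-3602 / CVE-2022-3786 and report what this host is running.
# Affected: OpenSSL 3.0.0 through 3.0.6 (fixed in 3.0.7).
# Not affected: 3.0.7 and later, and the 1.1.1 / 1.0.2 series, which predate
# the punycode decoder entirely.

# Print the first x.y.z token in a string such as "3.0.5" or
# "OpenSSL 3.0.2 15 Mar 2022"; print nothing if there is none.
openssl_version_of() {
  printf '%s\n' "$1" | tr ' ' '\n' | grep -E '^[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Print one of: affected, not-affected, unknown. Always exits 0 so it is safe
# to call from scripts running under "set -e".
openssl_version_status() {
  ver=$(openssl_version_of "$1")
  if [ -z "$ver" ]; then
    echo unknown
    return 0
  fi
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  rest=${rest#*.}
  patch=$(printf '%s' "$rest" | sed 's/[^0-9].*//')   # "1q" -> "1", "2-0ubuntu1.6" -> "2"
  if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]; then
    echo affected
  else
    echo not-affected
  fi
}

# Inventory of this host: the CLI binary, the shared libraries the dynamic
# linker knows about, and the distro package. Package names are assumptions
# for Debian/Ubuntu (libssl3, libssl1.1) and RPM-based (openssl-libs) hosts.
report_host_openssl() {
  if command -v openssl >/dev/null 2>&1; then
    v=$(openssl version 2>/dev/null)
    echo "cli  $(openssl_version_status "$v")  $v"
  fi
  if command -v ldconfig >/dev/null 2>&1; then
    # soname .3 is the 3.0 series and .1.1 the 1.1.1 series; the patch level
    # is not in the soname, so the package version below is what decides
    ldconfig -p 2>/dev/null | grep -E 'libssl\.so\.[0-9]' | awk '{print $NF}' | sort -u |
      while read -r lib; do echo "lib  $lib"; done
  fi
  if command -v dpkg-query >/dev/null 2>&1; then
    for pkg in libssl3 libssl1.1; do
      v=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null) || v=""
      if [ -n "$v" ]; then echo "pkg  $(openssl_version_status "$v")  $pkg $v"; fi
    done
  elif command -v rpm >/dev/null 2>&1; then
    v=$(rpm -q --qf '%{VERSION}-%{RELEASE}' openssl-libs 2>/dev/null) || v=""
    if [ -n "$v" ]; then echo "pkg  $(openssl_version_status "$v")  openssl-libs $v"; fi
  fi
}

# Usage: sh check_openssl.sh --report     (inventory this host)
#        sh check_openssl.sh "3.0.5"      (classify one version string)
case "${1:-}" in
  "")        ;;                        # no argument: define functions only
  --report)  report_host_openssl ;;
  *)         echo "$1 -> $(openssl_version_status "$1")" ;;
esac
```

<p>Two caveats a practitioner should keep in mind. A distribution that backports the fix keeps the upstream version number (an Ubuntu 22.04 package reports 3.0.2 whether or not the security update is installed), so treat an <em>affected</em> verdict on a package version as a prompt to check the vendor advisory or the NCSC-NL listing, not as a final answer. And the script only sees what the linker and package manager know about; statically linked or vendored copies inside applications and containers need a file-level scan.</p> <p>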
<a href="https://blog.freedmaxick.com/contact">Please reach out</a> if you have any questions or are interested in discussing further.</p> <h3 style="font-size: 18px;">OpenSSL Punycode Vulnerability Resources:</h3> <p>OpenSSL Published Details: <a href="https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/">https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/</a></p> <p>NCSC-NL Listing: <a href="https://github.com/NCSC-NL/OpenSSL-2022">https://github.com/NCSC-NL/OpenSSL-2022</a></p> <p>CVE-2022-3602 National Vulnerability Database: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-3602">https://nvd.nist.gov/vuln/detail/CVE-2022-3602</a></p> <p>CVE-2022-3786 National Vulnerability Database: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-3786">https://nvd.nist.gov/vuln/detail/CVE-2022-3786</a></p> <p>&nbsp;</p> <img src="https://track.hubspot.com/__ptq.gif?a=108075&amp;k=14&amp;r=https%3A%2F%2Fblog.freedmaxick.com%2Fsumming-it-up%2Fwhat-is-the-openssl-punycode-vulnerability&amp;bu=https%253A%252F%252Fblog.freedmaxick.com%252Fsumming-it-up&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Cybersecurity Mon, 07 Nov 2022 18:00:00 GMT https://blog.freedmaxick.com/summing-it-up/what-is-the-openssl-punycode-vulnerability 2022-11-07T18:00:00Z Alex Bliss Outsourced Bookkeeping Technology by MAXIS | MAXIS® by Freed Maxick https://blog.freedmaxick.com/summing-it-up/outsourced-bookkeeping-technology-by-maxis <div class="hs-featured-image-wrapper"> <a href="https://blog.freedmaxick.com/summing-it-up/outsourced-bookkeeping-technology-by-maxis" title="" class="hs-featured-image-link"> <img src="https://blog.freedmaxick.com/hubfs/Bookkeeping-MAXIS.jpg" alt="Outsourced 
Bookkeeping Technology by MAXIS | MAXIS® by Freed Maxick" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <h3 style="font-size: 18px; line-height: 1.5;">How MAXIS Works to Improve Bookkeeping Performance</h3> <p>There are many wonderful reasons why you started a business. And many more why you work tirelessly to grow it. We understand that day-to-day accounting isn’t one of them. Which is why we created <a href="https://www.maxisbyfm.com/p/1">MAXIS® by Freed Maxick</a>.</p> <h3 style="font-size: 18px; line-height: 1.5;"><img src="https://blog.freedmaxick.com/hs-fs/hubfs/Bookkeeping-MAXIS.jpg?width=652&amp;height=326&amp;name=Bookkeeping-MAXIS.jpg" alt="Bookkeeping-MAXIS" width="652" height="326" style="height: auto; max-width: 100%; width: 652px;"></h3> <p>Business owners generally like to be in complete control of every aspect of their business. Yet their finance and accounting skill level and expertise varies. With MAXIS, you can improve your confidence as an owner and the financial performance of the company.</p> <p>With all of the other obligations you have as a business owner, bookkeeping can be a tedious task that drains your valuable time. In our experience, business owners tend to experience a lot of confusion understanding cash flow, receivables, and paperwork. 
<a href="https://www.maxisbyfm.com/p/1">MAXIS lightens your bookkeeping workload</a> and allows you to reclaim time spent where you need it.</p> <p>MAXIS creates a customized financial hub with which to automate repetitive, mundane tasks and create <a href="https://blog.freedmaxick.com/summing-it-up/how-to-make-strategic-business-decisions-that-propel-your-goals">advanced reporting that supports timely and confident decision making</a>. The outsourced bookkeeping technology is user-friendly and the professionals at MAXIS by Freed Maxick support your journey every step of the way.</p> <div class="hs-embed-wrapper" style="position: relative; overflow: hidden; width: 100%; height: auto; padding: 0px; max-width: 600px; min-width: 256px; display: block; margin: 25px auto;"> <div class="hs-embed-content-wrapper"> <div style="position: relative; overflow: hidden; max-width: 100%; padding-bottom: 56.25%; margin: 0px;"> <iframe width="560" height="315" src="https://www.youtube.com/embed/5OiIIiWbNz0" frameborder="0" allowfullscreen style="position: absolute; top: 0px; left: 0px; width: 100%; height: 100%; border: none;"></iframe> </div> </div> </div> <p>How does MAXIS simplify bookkeeping?</p> <ul> <li>Ensures appropriate entity structure</li> <li>Reduces accounting mistakes</li> <li>Produces P&amp;L statements</li> <li>Manages inventory (where applicable)</li> <li>Maintains accurate records</li> <li>Performs reconciliations</li> <li>Manages bill pay process</li> <li>Monitors AP</li> <li>Monitors budget to actual P&amp;L</li> <li>Projects accurate tax payments (where applicable)</li> <li>Saves you time!</li> </ul> <p><br>MAXIS is:</p> <ul> <li>Scalable - As you grow, MAXIS can add functions and tailor reports to meet the needs where <em>you</em> are</li> <li>Scenario enabled - Scope various scenarios to analyze potential outcomes before making an important decision</li> </ul> <p>Our hands-on, high-tech outsourced bookkeeping solution starts with a comprehensive process 
assessment where MAXIS professionals dive into your business and current accounting workflow to design an optimized process plan based on measurable goals. Then the expert team sets you up with powerful, cloud-based financial software that syncs all your accounts and becomes a central hub for your finances.</p> <p>With MAXIS, the days of accounting hanging over your head are over. <a href="https://blog.freedmaxick.com/maxis-talk-to-an-expert">Talk to a MAXIS practice leader</a> to learn more about our forward-thinking approach to simplifying your bookkeeping today.</p> <p><a class="cta_button" href="https://blog.freedmaxick.com/cs/ci/?pg=d53cb46d-653d-4d35-9751-aa1f2979b1ef&amp;pid=108075&amp;ecid=&amp;hseid=&amp;hsic="><img class="hs-cta-img " style="border-width: 0px; /*hs-extra-styles*/; " alt="New call-to-action" src="https://no-cache.hubspot.com/cta/default/108075/d53cb46d-653d-4d35-9751-aa1f2979b1ef.png"></a></p> <img src="https://track.hubspot.com/__ptq.gif?a=108075&amp;k=14&amp;r=https%3A%2F%2Fblog.freedmaxick.com%2Fsumming-it-up%2Foutsourced-bookkeeping-technology-by-maxis&amp;bu=https%253A%252F%252Fblog.freedmaxick.com%252Fsumming-it-up&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Technology MAXIS® Accounting & Advisory Wed, 02 Nov 2022 14:00:00 GMT https://blog.freedmaxick.com/summing-it-up/outsourced-bookkeeping-technology-by-maxis 2022-11-02T14:00:00Z Alexis S. 
Becker Getting Started with Leases https://blog.freedmaxick.com/summing-it-up/getting-started-with-leases <div class="hs-featured-image-wrapper"> <a href="https://blog.freedmaxick.com/summing-it-up/getting-started-with-leases" title="" class="hs-featured-image-link"> <img src="https://blog.freedmaxick.com/hubfs/lease-accounting-standards.jpg" alt="Getting Started with Leases" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p>By now, almost all of us have heard about the new accounting lease standards (ASC 842 / GASB 87 / IFRS 16), but are you ready for your year-end reporting? Join Freed Maxick for a one-hour workshop on leases, including a demonstration of our recommended software solution, LeaseCrunch.</p> <p><img src="https://blog.freedmaxick.com/hs-fs/hubfs/lease-accounting-standards.jpg?width=652&amp;height=326&amp;name=lease-accounting-standards.jpg" alt="lease-accounting-standards" width="652" height="326" style="height: auto; max-width: 100%; width: 652px;"></p> <p>Hosted by Chirico Rozsa and Joe Smidt from Freed Maxick’s Lease Committee and joined by Jess Vento, Senior Director of Accounting and Client Success at LeaseCrunch, the workshop on November 9th from 11:00 am – 12:00 pm EST will focus on questions like:</p> <ul> <li>What is a lease under the new guidance?</li> <li>What types of disclosures are required in my year-end reporting?</li> <li>What effect will this have on my debt compliance?</li> <li>Can I just use Excel to calculate my lease portfolio?</li> </ul> <h3 style="font-size: 18px;">What are the Lease Standards about?</h3> <p>Under legacy accounting standards, leases previously classified as “operating leases” were considered off-balance-sheet and recognized as period expenses on an organization’s income statement. The lease accounting standards require all leases with terms greater than 12 months to be recorded as assets and liabilities on the balance sheet. 
The purpose of these standards was to foster more transparency between investors and companies.&nbsp;</p> <p style="font-size: 16px;"><span style="color: #8dc63f;"><a href="https://www.surveymonkey.com/r/MVLNCYF" style="font-weight: bold; text-decoration: underline; color: #8dc63f;">CLICK HERE</a></span> to register for the CPE eligible virtual lease training.</p> <img src="https://track.hubspot.com/__ptq.gif?a=108075&amp;k=14&amp;r=https%3A%2F%2Fblog.freedmaxick.com%2Fsumming-it-up%2Fgetting-started-with-leases&amp;bu=https%253A%252F%252Fblog.freedmaxick.com%252Fsumming-it-up&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Lease Accounting Standards Wed, 02 Nov 2022 13:13:31 GMT https://blog.freedmaxick.com/summing-it-up/getting-started-with-leases 2022-11-02T13:13:31Z Joseph R. Smidt, CPA & Chirico J. 
Rozsa, CPA PCI DSS 4.0 Compliance Will Not Be as Onerous as You Might Think | Freed Maxick https://blog.freedmaxick.com/summing-it-up/pci-dss-4.0-compliance-will-not-be-as-onerous-or-costly-as-you-might-think <div class="hs-featured-image-wrapper"> <a href="https://blog.freedmaxick.com/summing-it-up/pci-dss-4.0-compliance-will-not-be-as-onerous-or-costly-as-you-might-think" title="" class="hs-featured-image-link"> <img src="https://blog.freedmaxick.com/hubfs/PCI-DSS-4.0.jpg" alt="PCI DSS 4.0 Compliance Will Not Be as Onerous as You Might Think | Freed Maxick" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <h3 style="font-size: 18px; line-height: 1.5;">If you’ve navigated PCI DSS 3.2.1, transitioning to 4.0 might be less effort than you thought</h3> <h3 style="font-size: 18px; line-height: 1.25;"><img src="https://blog.freedmaxick.com/hs-fs/hubfs/PCI-DSS-4.0.jpg?width=652&amp;name=PCI-DSS-4.0.jpg" alt="PCI-DSS-4.0" width="652" style="width: 652px;"></h3> <p>We’ve heard the rumblings for years now, and the time has finally come – it’s time to begin your organization’s transition from PCI DSS 3.2.1 to PCI DSS 4.0. After numerous discussions with clients and colleagues alike, I’ve heard a spectrum of concerns for what this transition to a new standard will encompass. How different will the experience be? Will I need to dedicate more resources to my audits? 
How much preparation should I be making to get ready for this?</p> <div style="overflow-x: auto; max-width: 100%; width: 42%; float: right; margin-left: 10px; margin-right: 0px;"> <table style="width: 100%; border-collapse: collapse; table-layout: fixed; border: 3px solid #ffffff; height: 314px;"> <tbody> <tr style="height: 311px;"> <td style="width: 100%; padding: 4px; height: 311px; vertical-align: middle; border: 1px solid #ffffff; background-color: #00447c;"> <h3 style="font-size: 18px; text-align: center;"><span style="text-decoration: underline;"><strong><span style="color: #ffffff; text-decoration: underline;">PCI DSS 4.0 Resources</span></strong></span></h3> <p style="text-align: center; line-height: 1.25;"><span style="color: #ffffff;"><a href="https://blog.freedmaxick.com/hubfs/pci-dss-4.0-changes-list-of-the-new-requirements.pdf" style="text-decoration: underline; color: #ffffff;"><strong>A list of the New Requirements of PCI-DSS 4.0</strong></a></span></p> <p style="text-align: center; line-height: 1.25;"><span style="color: #ffffff;"><strong><br><span style="color: #ffffff;"><a href="https://blog.freedmaxick.com/hubfs/pci-dss-4.0-changes-compliance-timeline-clarifications-FM.pdf" style="color: #ffffff; text-decoration: underline;">PCI 4.0 Compliance Timeline Updates</a>&nbsp;</span></strong></span></p> <p style="font-size: 14px; font-weight: normal; text-align: center;"><em><span style="color: #ffffff;"><br>Compliments of Freed Maxick's Cybersecurity Team</span></em></p> </td> </tr> </tbody> </table> </div> <p>These questions generally arose because the person I was talking to hadn’t yet fully researched the new standard. 
My key insight: the big unknowns – how costly and how difficult – do not need to be a major source of anxiety for those tasked with <a href="https://www.freedmaxick.com/services/consulting/technology/pci-data-security-payment-card-industry-security-standards/">PCI compliance</a>.</p> <p>I know that you’ll agree that the <a href="https://listings.pcisecuritystandards.org/documents/PCI-DSS-v4_0.pdf">PCI DSS 4.0</a> isn’t exactly a New York Times bestseller. With the utmost perseverance and diligence, I’ve read the standard in its entirety, absorbed supplemental information provided by the PCI Security Standards Council, and participated in the PCI North America Community meeting in Toronto this September.</p> <p>I can confidently give you my personal take on the transition, and it might be slightly controversial to some:</p> <p>It’s really not going to be that bad. If you’ve navigated 3.2.1 thus far, transitioning to 4.0 should not be a difficult move.</p> <h3 style="font-size: 18px; line-height: 1.5;">PCI DSS 3.2.1 vs 4.0: The Same Broad 12 PCI DSS Requirements Remain in Effect, but…</h3> <p>In many ways, the new standard remains materially consistent with the previous standard – the same 12 broad requirements are in play, the assessment process remains largely the same, and you’ll still issue an Attestation of Compliance (AOC) for your Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ). No new SAQs were introduced and no previously existing SAQs were removed.</p> <p>Many of the changes are on the reporting side or clarify ambiguities present in the previous standard. These changes are more relevant to your QSA than to you as the company subject to PCI.</p> <h3 style="text-align: justify; line-height: 1.25;"><span style="font-size: 18px;">How Many PCI DSS Requirements Are There?</span></h3> <p>Make no mistake, there are new requirements in PCI DSS 4.0 – a total of 64 of them. 
Of those, only 13 need to be met upfront for any PCI DSS 4.0 assessment, and of those 13, 10 deal directly with formally defining roles and responsibilities for requirements (something relatively easy in the grand scheme of PCI). The remaining 3 are also not a particularly difficult lift. The remaining 51 new requirements become effective March 31, 2025, leaving you with time to determine your approach and implement controls and processes where necessary.</p> <p>Don’t get me wrong, there’s still a good degree of effort required to bring your organization up to par with PCI DSS 4.0. There are nuanced wording changes that you’ll want to be familiar with and ensure the control you had in place to meet 3.2.1 will suffice for 4.0. There will be controls you’ll need to implement. My point is the effort is incremental to what you’ve already done to maintain compliance with 3.2.1, and the expectation isn’t that all this is done by this year. Not even by next year. It’s a manageable workload, and you have time.</p> <p>That being said, you’ll want to start now by gaining an understanding of the changes involved with 4.0. I strongly recommend bringing in a QSA as early as possible to appropriately interpret the changes and get the appropriate level of expertise on what you need to do to be compliant.&nbsp;&nbsp;</p> <p>I’ve listed key details below that should hopefully assuage some of the anxiety you may be feeling relative to PCI DSS 4.0.</p> <h3 style="font-size: 18px; line-height: 1.5;">Important PCI DSS 4.0 Dates: Be Prepared to Deal with a Reasonable Implementation Timeframe</h3> <p>Issued along with the new standard was an implementation guideline that outlines key dates, summarized below:</p> <ul> <li>Entities can continue to issue their assessments under the 3.2.1 standard until March 31, 2024, at which point the 3.2.1 standard will be retired. 
If your ROC or SAQ is filed in the last three quarters of the year, you’ll want to use 2023 as the formal transition year.</li> <li>Entities can elect to issue their assessment under the 4.0 standard immediately. If using a QSA, the QSA must have passed the PCI SSC’s formal 4.0 training in order to sign off on the assessment.</li> <li>Almost all of the future-dated sub-requirements in 4.0 are considered ‘best practices’ for any assessment issued until March 31, 2025, after which these sub-requirements become mandatory, and failure to adhere to them can result in a non-compliant assessment.</li> </ul> <h3 style="line-height: 1.25;"><span style="font-size: 18px;">PCI DSS 4.0 Summary of Changes: Three Broad Classes</span></h3> <p style="text-align: left;">There are three broad classes of changes implemented in PCI DSS 4.0:</p> <ul> <li><strong>Evolving Requirements</strong> – <em>“Changes to ensure that the standard is up to date with emerging threats and technologies, and changes in the payment industry. Examples include new or modified requirements or testing procedures, or the removal of a requirement.”<br><br></em>Technology has evolved rapidly since PCI DSS 3.0 was introduced in 2014. The new standard includes updates to testing procedures to better assess sub-requirements, and modifications of requirements to better reflect current operating environments. This includes the new sub-requirements referred to above.<br><br></li> <li><strong>Clarification or Process</strong> – <em>“Updates to wording, explanation, definition, additional guidance, and/or instruction to increase understanding or provide further information or guidance on a particular topic.”<br><br></em>Feedback from stakeholders throughout the assessment process was incorporated into the new 4.0 standard. Frequently asked questions from the previous standard have been included to assist stakeholders in the interpretation, implementation, and testing of the standard. 
To me, these clarifications are a positive, as they reduce the ambiguity in some of the 3.2.1 requirements.<br><br></li> <li><strong>Structure or Format</strong> – <em>“Reorganization of content, including combining, separating, and renumbering of requirements to align content.”<br><br></em>Content of certain sub-requirements was restructured to better align content in areas where it was more practical to do so. These changes mostly affect the completion and writing of the Report and don’t introduce new obligations for entities undergoing a PCI DSS assessment. Again, I interpret these changes to be a net positive to the process, ultimately reducing duplicative work and streamlining reporting.</li> </ul> <h3 style="font-size: 18px;">At Last, Clarification on PCI DSS 4.0 Timelines</h3> <p>One notable clarification is the specific timeframes used in the assessment. In 3.2.1, timeframes such as ‘quarterly’ were left undefined, leaving the actual frequency at which something was required open to interpretation.</p> <p>Timeframes for sub-requirements are now explicitly defined, vastly narrowing the window of time you’ll have to perform required processes. For example, what was defined simply as ‘quarterly’ in 3.2.1 is now specifically defined as “at least once every 90 to 92 days or the nth day of each third month.” Missing one of these windows can change your compliance status, so build the new intervals into your control calendar rather than relying on the old, looser reading.<br><br></p> <p><a class="cta_button" href="https://blog.freedmaxick.com/cs/ci/?pg=4dc61828-4e37-44f1-be93-0136a4d32fe9&amp;pid=108075&amp;ecid=&amp;hseid=&amp;hsic="><img class="hs-cta-img " style="border-width: 0px; /*hs-extra-styles*/; " alt="Download a summary of these updated PCI DSS 4.0 timeframes." 
src="https://no-cache.hubspot.com/cta/default/108075/4dc61828-4e37-44f1-be93-0136a4d32fe9.png"></a></p> <h3 style="font-size: 18px; line-height: 1.5;"><br>An Important Clerical Change Relative to PCI 4.0 Assessment Finding Requirements</h3> <p>There were two changes to the Assessment Findings (e.g. In Place, Not in Place, Not Applicable, etc.) that can be selected in the assessment of each individual sub-requirement:</p> <ul> <li>Previously, ‘In Place with a Compensating Control Worksheet’ was an available finding. You’ll still have to complete a compensating control worksheet (CCW) for any sub-requirement where one is necessary, but the sub-requirement is now simply marked ‘In Place’ in the assessment itself.</li> <li>“In Place with Remediation” has been added as a finding. This is considered a compliant finding, and is selected to identify sub-requirements that required remediation to achieve compliance during the assessment.</li> </ul> <p style="text-align: justify; padding-left: 0in;">Per the 4.0 standard, the “In Place with Remediation” finding applies when:</p> <p style="text-align: left;"><em>“The requirement was Not in Place at some point during the PCI DSS assessment period of the entity, but where the entity remediated the issue such that the requirement was In Place before completion of the assessment. In all cases of In Place with Remediation, the assessor must have assurance that the entity has identified and addressed the reason that the control failed, has implemented the control, and has implemented ongoing processes to prevent re-occurrence of the control failure.”</em></p> <p style="text-align: left;">This to me is a clerical change that only affects drafting of the ROC or SAQ. 
As it’s considered a ‘compliant’ finding, it may also give you and your QSA more flexibility in some of the black-and-white areas that existed within 3.2.1.</p> <h3 style="font-size: 18px; line-height: 1.5;">New Flexibility for the PCI DSS 4.0 Assessment Process: Defined or Customized Approach?</h3> <p style="text-align: left;">New to PCI DSS 4.0 is the bifurcation of approaches to compliance – the “Defined Approach” and the “Customized Approach.” The Defined Approach is the same approach utilized in 3.2.1. The Customized Approach is new, added to give the assessment process flexibility when technology advancements outpace updates to the standard. Per PCI DSS, the Customized Approach is:</p> <p style="text-align: left; padding-left: 40px;"><em>“Intended for entities that decide to meet a PCI DSS requirement’s stated Customized Approach Objective in a way that does not strictly follow the defined requirement. The customized approach allows an entity to take a strategic approach to meeting a requirement’s Customized Approach Objective, so it can determine and design the security controls needed to meet the objective in a manner unique for that organization.”</em></p> <p>The Customized Approach is intended for entities with more mature risk structures in place, and can only be utilized in ROCs completed by a QSA. 
The Security Standards Council made it clear at this year’s North America Community Meeting that this approach is for organizations with mature risk management processes in place, and that it will be a more complex examination than the traditional Defined Approach.</p> <p>I absolutely recommend inquiring with your QSA if you’re considering this approach.</p> <h3 style="font-size: 18px; line-height: 1.5;">My Recommendation for PCI DSS 4.0 Changes: Start Working on the 64 New Sub-requirements Now</h3> <p>As mentioned in my introduction, there are 64 new sub-requirements in 4.0 that were added to address the modern threat landscape. If your organization is subject to PCI DSS, you’ll want to implement these required processes over the next several years to ensure you’ll remain compliant. The vast majority of these will be best practices until March 31, 2025.<br><br></p> <p><a class="cta_button" href="https://blog.freedmaxick.com/cs/ci/?pg=4047ed92-560c-4bd7-833e-cc81530970c5&amp;pid=108075&amp;ecid=&amp;hseid=&amp;hsic="><img class="hs-cta-img " style="border-width: 0px; /*hs-extra-styles*/; " alt="Download a listing of these new sub-requirements." src="https://no-cache.hubspot.com/cta/default/108075/4047ed92-560c-4bd7-833e-cc81530970c5.png"></a></p> <h3 style="font-size: 18px; line-height: 1.5;"><br>PCI DSS 4.0 Compliance is Hard Work, but Not as Anxiety-Laden as You Might Think</h3> <p>My insights aren’t intended to lull anyone into a false sense of security – PCI DSS is hard work, there’s no doubt about it. PCI DSS is something to be taken very seriously. Your company’s specific circumstances may be very complicated, in which case these changes may require complex solutions.</p> <p>I did want to quell some of the hysteria I’m seeing from PCI consultants and hearing from companies about the changes. 
My take: if you look at them as a manageable group of incremental changes, they are not as scary as you may believe.</p> <p>There’s still plenty of runway until these changes in 4.0 become full compliance requirements. Starting the transition process now will be critical for a smooth transition over the next several years.</p> <p><a href="https://blog.freedmaxick.com/contact">Contact me</a> for a discussion of your situation, new requirements, and <a href="https://www.freedmaxick.com/services/consulting/technology/pci-data-security-payment-card-industry-security-standards/">approaches for meeting deadlines required by PCI 4.0</a>. You can reach me via email at <a href="mailto:Justin.Bonk@freedmaxick.com">Justin.Bonk@freedmaxick.com</a> or call me at 716.332.2680.</p> Cybersecurity Thu, 27 Oct 2022 19:45:00 GMT https://blog.freedmaxick.com/summing-it-up/pci-dss-4.0-compliance-will-not-be-as-onerous-or-costly-as-you-might-think 2022-10-27T19:45:00Z Justin Bonk, CISSP, PCI-QSA, CIA, CFE, CISA, CIPP/US Business Budget Planning | Business Budget Basics | MAXIS® by Freed Maxick https://blog.freedmaxick.com/summing-it-up/business-budget-planning-basics-every-business-owner-should-know <div class="hs-featured-image-wrapper"> <a href="https://blog.freedmaxick.com/summing-it-up/business-budget-planning-basics-every-business-owner-should-know" title="" class="hs-featured-image-link"> <img 
src="https://blog.freedmaxick.com/hubfs/business-budget.jpg" alt="Business Budget Planning | Business Budget Basics | MAXIS® by Freed Maxick" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p>By the fourth quarter, business owners are already eyeing the coming year, which is why the fall is the ideal time to begin the budgeting process. This season, however, has been made more complicated by alarming headlines highlighting: talent shortages, ‘imminent’ layoffs, inflationary impacts, an ‘impending’ recession, international wars, souring global economies, and a lingering, morphing pandemic. Many owners aren’t certain what to plan for let alone where to begin.</p> <p><img src="https://blog.freedmaxick.com/hs-fs/hubfs/business-budget.jpg?width=652&amp;name=business-budget.jpg" alt="business-budget" width="652" style="width: 652px;"></p> <p>While many organizations have a vision and a <a href="https://www.freedmaxick.com/services/consulting/financial/strategic-planning/">long-range strategic plan</a>, leaders struggle to hold themselves accountable to those goals in a tactical manner. Many struggle to keep up with their day-to-day accounting and bill-pay tasks, let alone finding the time to create and maintain an annual budget. 
And for those who are able to make the time, it’s often just an amalgamation of information that becomes difficult to maintain in a spreadsheet and/or is not formatted in a manner that makes it easy to track against actual performance.</p> <p>We can help.</p> <h3 style="font-size: 18px;"><strong>Annual Budget Planning: Beginning at the Beginning</strong></h3> <p>Developing your budget early affords you the time to engage in dynamic conversations with managers and senior leadership and to align expectations and financial goals. But first, let’s review the main types of budget every business owner should know:&nbsp;</p> <p style="padding-left: 40px;"><span style="font-weight: normal;">1.</span> <strong>Operating Budget </strong>usually consists of projected <a href="https://blog.freedmaxick.com/summing-it-up/startup-strategies-common-financial-statement-challenges-for-startups"><span>income statements and a series of supporting statements</span></a>, including items such as sales forecasts, cost of goods sold expenses, salaries, benefits, general and administrative costs.</p> <p style="padding-left: 40px;"><span style="font-weight: normal;">2.</span> <strong>Capital Budget</strong> portrays the organization’s planned and approved capital expenditures for periods from one to ten years and includes large asset purchases, renovations, <a href="https://www.freedmaxick.com/services/consulting/technology/strategic-information-technology-it/"><span>investments in IT systems or equipment</span></a>.</p> <p style="padding-left: 40px;"><span style="font-weight: normal;">3.</span> <strong style="background-color: transparent; font-size: 16px;">Cash Budget</strong><span style="background-color: transparent; font-size: 16px;"> brings the operating budget and cash budget together to take into account timing of cash disbursements and receipts from sales to help determine the prioritization and use of cash or need for additional funding.</span></p> <p>There are different methods to 
develop a budget for your business. Most businesses create a budget with last year’s numbers and add an incremental percentage increase. A zero-based budget, however, is an approach that starts fresh from scratch, or “zero,” at the beginning of each period.&nbsp;&nbsp;</p> <p>Most importantly, if you don’t plan to track actual results vs. budgets and keep the reporting up to date in a timely manner, reconsider even creating one. Having one and failing to manage it appropriately renders the budget worthless and is a waste of your valuable time.</p> <h3 style="font-size: 18px;"><strong>Business Budgeting Tools of the Trade</strong></h3> <p><a href="https://www.maxisbyfm.com/p/1">MAXIS<sup>®</sup> by Freed Maxick is a forward-focused, hands-on, high-tech outsourced bookkeeping solution</a> that supports organizations’ needs for comprehensive, user-friendly budgets. With powerful, cloud-based financial software that syncs all your accounts, <a href="https://www.maxisbyfm.com/p/2"><span>you can access real-time data and lightning-quick financial reporting</span></a> through a central hub for a real-time snapshot of your finances.&nbsp;</p> <p>Our experts work closely with you to create a budget and then help you to track actual results. MAXIS is user-friendly, <a href="https://blog.freedmaxick.com/summing-it-up/business-analytics-for-strategic-decisions-maxis-freed-maxick"><span>creates easy-to-read reports</span></a>, and <a href="https://blog.freedmaxick.com/summing-it-up/how-to-make-strategic-business-decisions-that-propel-your-goals"><span>enables you to make timely and confident business decisions</span></a>.</p> <p>Start-ups, small, and medium size companies all benefit from automated, real-time data and in-depth financial reporting to make smarter, faster decisions. It’s scalable to grow as you do. 
Importantly, MAXIS lightens your workload by assuming the repetitive, mundane tasks that absorb your valuable time, freeing you up to allocate it where it’s needed most.</p> <h3 style="font-size: 18px;"><strong>Budgets are Important Business</strong></h3> <p>Regardless of how you go about creating a budget, it is important to keep in mind these fundamental budget planning tips:</p> <p style="padding-left: 40px;">1. Be realistic, but not necessarily overly conservative or improbable.</p> <p style="padding-left: 40px;">2. Keep it simple. It’s meant to be an estimate and approximation.</p> <p style="padding-left: 40px;"><span style="background-color: transparent; font-size: 16px;">3. Be transparent with managers about the financial goals and targets for accountability and clear communication.</span></p> <p>There are <a href="https://online.hbs.edu/blog/post/importance-of-budgeting-in-business"><span>few tools as important as a budget</span></a>. As a business owner, budgeting is a tedious but necessary task, one that should be undertaken to <a href="https://hbr.org/1977/07/conflicting-roles-in-budgeting-for-operations"><span>"assure that resources are obtained and used efficiently and effectively in the accomplishment of the organization’s objectives</span></a>." (Harvard Business Review)</p> <p>Don’t even know how to begin planning a budget for your business? 
<a href="https://blog.freedmaxick.com/maxis-talk-to-an-expert"><span>Contact Alexis Becker</span></a> at <a href="mailto:alexis.becker@freedmaxick.com"><span>alexis.becker@freedmaxick.com</span></a> for a complimentary conversation about MAXIS’ approach to delivering what you need to make you a better leader.</p> MAXIS® Wed, 19 Oct 2022 14:00:00 GMT https://blog.freedmaxick.com/summing-it-up/business-budget-planning-basics-every-business-owner-should-know 2022-10-19T14:00:00Z Alexis S. 
Becker What to Expect with Cybersecurity Due Diligence | MAXIS® by Freed Maxick https://blog.freedmaxick.com/summing-it-up/why-cybersecurity-due-diligence-is-critical-when-selling-a-business <div class="hs-featured-image-wrapper"> <a href="https://blog.freedmaxick.com/summing-it-up/why-cybersecurity-due-diligence-is-critical-when-selling-a-business" title="" class="hs-featured-image-link"> <img src="https://blog.freedmaxick.com/hubfs/Cybersecurity-Selling-Business.jpg" alt="Cybersecurity Due Diligence" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <h3 style="font-size: 18px;">Is cybersecurity worth the investment?</h3> <p>So you’ve decided to sell your business. What’s next?&nbsp;</p> <h3 style="font-size: 18px;"><img src="https://blog.freedmaxick.com/hs-fs/hubfs/Cybersecurity-Selling-Business.jpg?width=652&amp;name=Cybersecurity-Selling-Business.jpg" alt="Cybersecurity-Selling-Business" width="652" style="width: 652px;"></h3> <p>First, the buyer will want assurance that the investment is likely to pay off, perhaps even yield a higher-than-expected return. So wanting evidence that your financial health, legal standing, and industry reputation are stellar is to be expected. As such, due diligence will be performed. Naturally, a contingent of consultants will be retained to assess the target and advise on the value of the acquisition.&nbsp;</p> <h3 style="font-size: 18px;"><strong>The Value of a Strong Bench in M&amp;A Transactions</strong></h3> <p>You, too, will need a team. 
In addition to assessing the worth of the organization, retained accountants will prove your financial performance is sound and a legal team will review contracts to make sure there are no strings to hold back a profitable transaction.</p> <p>Yet there is often an overlooked strategic partner whose participation may impact the value the acquirer places on your company and on the way it may structure the deal. A thorough analysis of technology by a team of cybersecurity experts can ease uncertainty about value and reputation.&nbsp;</p> <p>At Freed Maxick, we have a <a href="https://www.freedmaxick.com/services/consulting/technology/information-systems-it-security-and-controls-consulting/"><span>dedicated team of cybersecurity professionals</span></a> who provide detailed insights, meticulous analysis, unbiased perspective, and more effective solutions.&nbsp;Our professionals bring trustworthy skills, knowledge, and expertise to protect people, organizations, and reputations from potential theft, exploitation, and long-term damage.&nbsp;</p> <h3 style="font-size: 18px;"><strong>The Impact of a Cyberattack on Business Valuation and M&amp;A</strong></h3> <p>Nothing threatens a potential M&amp;A opportunity more than a cyberattack. 
A <a href="https://www.gartner.com/doc/reprints?id=1-29FBE5ZT&amp;ct=220317&amp;st=sb"><span>study by Gartner</span></a>, “<em>Predicts 2022: Cybersecurity Leaders Are Losing Control in a Distributed Ecosystem</em>,” found that 88% of respondents viewed “cybersecurity-related risk as a business risk, not just a technology risk.” <span style="background-color: #fcfcfc;">And while many think larger companies are more lucrative to criminals, small and medium-sized businesses (SMBs) are easier targets as they lack the appropriate security and are more apt to pay ransom quickly to avoid costly business disruption.&nbsp;</span></p> <p>An article on <a href="https://www.americanbar.org/groups/business_law/publications/blt/2017/09/04_trope/"><span>AmericanBar.org</span></a> affirms: “Omitting cybersecurity assessments in M&amp;A due diligence, conducting superficial evaluations, or limiting such due diligence to a company’s IT systems rather than treating cybersecurity as a risk category in its own right means ignoring the serious risks that cyber threats pose to all companies and to M&amp;A deals involving them.”&nbsp;</p> <h3 style="font-size: 18px;"><strong>Is Cybersecurity a Good Investment?</strong></h3> <p>“Most companies have yet to reach the <a href="https://www.mckinsey.com/business-functions/risk-and-resilience/our-insights/organizational-cyber-maturity-a-survey-of-industries"><span>advanced levels of cybersecurity management</span></a> demanded by today’s business environment,” so due diligence of every aspect of an organization’s technology is critical. Most of the investigation is very technical in nature, like conducting <a href="https://blog.freedmaxick.com/summing-it-up/vulnerability-assessment-vs-penetration-testing-whats-the-difference"><span>penetration testing</span></a>, and issues are more often than not uncovered.</p> <p>For example, we recently completed a deal with a client attempting to sell to a private equity firm (PE). 
As part of the due diligence process, the PE did a code review and discovered old, unsupported software libraries being used. Old libraries could cause vulnerabilities in the future, impact the ability to update other components of the software, limit the ability to scale software, and more.&nbsp;Needless to say, the seller needed to invest resources to upgrade the codebase before the acquisition closed. &nbsp;</p> <h3 style="font-size: 18px;"><strong>State of Readiness for an M&amp;A Transaction</strong></h3> <p>Preparation is key to a more seamless M&amp;A experience. Listed here are suggested cybersecurity due diligence questions to answer prior to the acquirer’s review of your company:</p> <p><strong>History</strong>: Have there been past data breaches? Are there known vulnerabilities?&nbsp;</p> <p><strong>Budget</strong>: How much is spent annually on IT, and what percentage is dedicated to security? <span style="background-color: #fcfcfc;">What is the maintenance budget?</span></p> <p><strong><span style="background-color: #fcfcfc;">Assets</span></strong><span style="background-color: #fcfcfc;">: Is intellectual property (IP) protected? Do you have cyber insurance to protect those assets?</span></p> <p><strong><span style="background-color: #fcfcfc;">Use</span></strong><span style="background-color: #fcfcfc;">: How secure are any Internet-facing web applications? Are those systems maintained, monitored, and assessed periodically? How are transactions conducted and if sensitive customer data is obtained, is it protected? Are industry regulations being adhered to?</span></p> <p><strong><span style="background-color: #fcfcfc;">Accountability</span></strong><span style="background-color: #fcfcfc;">: Is technology (updates, upgrades, etc.) reliant on one person? What does the IT organizational chart look like? Are there defined roles and responsibilities? 
What is the level of reliance on people and who is critical in their position — is there a single point of failure if they leave? What about IT oversight and governance throughout the organization?</span></p> <p><strong><span style="background-color: #fcfcfc;">Culture:</span></strong><span style="background-color: #fcfcfc;"> How reliant is the organization on technology? Are the employees tech-savvy and are they open to change? How accepting of new technology is the leadership? What kind of training is provided? How frequently? Is the company security-minded — are employees cognizant of security protocols (i.e. passwords)?</span></p> <p><strong><span style="background-color: #fcfcfc;">Security</span></strong><span style="background-color: #fcfcfc;">: How prevalent is privileged access, or does the company subscribe to the </span><a href="https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/least-privilege"><span>Principle of Least Privilege</span></a><span style="background-color: #fcfcfc;"> access? Is access role-based? Does employee access get immediately removed upon termination? Are logging and monitoring systems deployed across the network and critical applications? What measures are in place to reduce risks of compromise, like vulnerability scanning, network defenses and end-user education?</span></p> <p><strong>V</strong><strong><span style="background-color: #fcfcfc;">endors</span></strong><span style="background-color: #fcfcfc;">: Who are they and what are they responsible for (web hosting, software)? How critical are third-parties to run the company day-to-day? Is the relationship monitored? Is there a point person for issues or do they contact a help desk with multiple representatives? 
Has the contract been reviewed and are formal Service Level Agreements in place?</span></p> <p><strong><span style="background-color: #fcfcfc;">Equipment</span></strong><span style="background-color: #fcfcfc;">: Is there an inventory of physical, digital, data assets? What is the age of the equipment? How frequently is it serviced? What do you own, lease, subscribe to?</span></p> <p><strong><span style="background-color: #fcfcfc;">Data: </span></strong><span style="background-color: #fcfcfc;">What types of data are being maintained? Is anything sensitive? How is it protected? Are analytics used, dashboards available, and KPIs identified? How/how often is data backed up?&nbsp;</span></p> <p><strong><span style="background-color: #fcfcfc;">Applications</span></strong><span style="background-color: #fcfcfc;">: What software systems are currently being used? Are ERP and CRM systems critical to the organization? How are they supported? What communication platforms does the organization engage? For tools like email, what security is in place? Does the organization utilize the cloud?</span></p> <h3 style="font-size: 18px;"><strong>Maintaining Your Business Value</strong></h3> <p>A cyberattack can very quickly bring down the value of your company, compromise your reputation, and erode customer trust. And the cost to remediate could be damaging to business sustainability. Whether you are preparing your company for a sale now or plan to do so in the future, don’t overlook the fact that a sophisticated buyer will evaluate all of your technology and its related security. 
Remember that regardless of who is “in charge” of IT and security, accountability resides in the C-Suite.</p> <h3 style="font-size: 18px;"><strong>Taking Cybersecurity Preventative Action Prior to Selling a Business</strong></h3> <p>If you are considering selling your company and want to talk about the smartest way to safeguard your digital assets, contact David Hansen, Director of <a href="https://www.freedmaxick.com/services/consulting/risk/"><span>Risk Advisory Services</span></a>, for a complimentary consultation. He can be reached directly at 585-360-1481 or <a href="mailto:DHansen@FreedMaxick.com"><span>david.hansen@FreedMaxick.com</span></a>.</p> Cybersecurity MAXIS® Mon, 17 Oct 2022 14:00:00 GMT https://blog.freedmaxick.com/summing-it-up/why-cybersecurity-due-diligence-is-critical-when-selling-a-business 2022-10-17T14:00:00Z David Hansen, CPA, CISSP, QSA, CISA