Protect Cash Flow By Reviewing Expenses And Plan Design

Managing cash flow is an ongoing priority for any business. Protecting an organization’s cash flow in times of economic distress is paramount. To retain liquidity in the short term, many organizations are examining their retirement plans for flexibility in cash outflows.
 
Adjusting or temporarily putting a hold on employer contributions to retirement plans stands out as a prominent option for some, but other less obvious tools can help plan sponsors operate more efficiently during a crisis as well.
 
Before making any changes, employers need to consider both the short-term and long-term consequences of these actions. While such decisions can provide some immediate cash flow relief, they can also increase long-term costs or negatively impact an organization’s employee morale and competitive positioning.
 

Eliminating or Suspending the Employer Match

Eliminating or suspending the employer match, while a potentially effective tool employers can use to shore up cash, may not be an option, depending on how the plan document is written. Plans that include an annual safe harbor 401(k) contribution may include restrictions relating to the suspension or elimination of these contributions. Plan documents must be thoroughly reviewed before reaching a decision.
 
Even if eliminating or suspending the employer match is an option, employers should approach these decisions with care as they may negatively affect an organization’s ability to attract new employees. This potential backlash may be the reason many employers are hesitating to suspend contributions, even as we anticipate a continued quarantine. A recent survey by the Plan Sponsor Council of America (PSCA) showed that only 16 percent of benefit plans expect to suspend contributions.
 

Eliminating Inactive Participants to Reduce Administrative Costs

Another option could be to reduce the number of participants in a plan to achieve a lower administrative cost in upcoming quarters. Employers can achieve this by removing inactive participants from the plan. The Internal Revenue Service (IRS) allows plan sponsors to cash out inactive participants with $1,000 or less in their accounts, and plan sponsors don’t need permission from the individual to do this. In addition, plan sponsors can roll accounts with balances of $5,000 or less into Individual Retirement Accounts (IRAs).
 
Participants with more than $5,000 in their accounts can’t be forced out of the plan, but plan sponsors are permitted to contact such participants and inquire if they would like to be cashed out. As always, it’s important for plan sponsors to refer to their plan documents before seeking to reduce the number of inactive participants or issue distributions.
 

Review “Lost Money” in the Plan

Several other tools exist that may help plan sponsors operate more efficiently:

  • Forfeitures: Partially vested employees who terminate employment are the most common source of forfeitures. Plan sponsors most commonly use forfeitures to offset employer contributions, but they can also be used to pay for certain permitted plan expenses.
  • ERISA Spending Accounts: ERISA spending accounts present an opportunity to reduce the total costs charged to the plan. If there isn’t a spending account already, plan sponsors should communicate with service providers to determine whether there may be an opportunity to negotiate one.
  • Evaluate Fees: Plan sponsors have a fiduciary obligation to monitor fees to ensure they are reasonable. Plans should examine their investment, administrative, and consulting fees to determine if saving cash may be possible. Now may be a good time to reach out to service providers to ask for fee reductions. Plan sponsors can also consider shifting some administrative costs, such as audit expenses, from the company to the plan and using forfeitures or ERISA spending accounts for these costs.
  • Changing Eligibility and Matching Provisions: Changing eligibility requirements and / or matching provisions can also help to conserve cash. For example, plan sponsors could require employees to work for at least one year before becoming eligible for a retirement plan.

Insight: Evaluate Cash Conservation Tools Thoughtfully
 
When examining the potential tools at your disposal for conserving cash, it’s important that employers don’t make these decisions in a vacuum. While certain actions can be taken to improve cash flow now, they could lead to greater expenses in the long term—and changes to retirement savings plans may ultimately weaken an organization’s ability to recruit and retain talent.  
Your representative is available to help evaluate your plan and look for opportunities to create valuable flexibility while still being mindful of the long-term impacts of these changes.

7 Actionable Steps to Reducing Cyber Vulnerabilities

Cybersecurity breaches are in the news daily, and as forensic investigation and incident response practitioners, we have seen several common themes among victim companies. Attackers often pass over larger companies with robust cybersecurity measures and instead prey upon small to mid-sized businesses that are softer targets with weaker security postures. These seven steps to reducing your cyberattack surfaces will help to strengthen your defenses.

  1. Raise Cybersecurity Awareness and Hold Employees Accountable

    The weakest link in any cybersecurity program is the human workforce operating within it. Phishing attacks–in which users are tricked or deceived into opening an unsafe email attachment or visiting a fraudulent website–are among the strongest weapons in an attacker’s arsenal because they work against people, not software. Institute a regular cybersecurity awareness program that includes not only instruction but also random testing throughout the year. Repeated failures of such random testing should be considered a notable area for improvement for employee progression. If your company lacks the resources or abilities to perform such training, several outsourced providers have these training and awareness platforms at the ready.
  2. Use Strong Passwords and Password Managers

    An attack known as “credential stuffing” is extremely effective at helping attackers gain access to multiple systems at once by taking valid username and password combinations (called “credentials”) stolen from one computer system or website and trying them against others such as corporate logins, online banking, and more. As people often reuse passwords across platforms to make remembering passwords easier, this also leaves systems—including the computers and accounts they use for work—vulnerable to compromise.

    To combat credential stuffing, an organization’s best defense today is the combination of strong passwords (long passwords with a mix of capital letters, lower case letters, numbers, and symbols) and password managers—secure programs designed to generate strong passwords and store them for easy recall, to make using unique strong passwords on every account and website easy. This also assists with “corporate memory” of shared or administrative passwords, as particular entries can be made accessible to a certain group of users. Password managers such as 1Password, LastPass, and Dashlane also have web browser extensions that make it extremely easy to have a different strong password for each website visited. They often also have the capability to provide for personal and professional password vaults to ensure that users have a common experience to improve the likelihood that they will adhere to using a password manager and not using only “password123.”
  3. Patch and Update Regularly

    Software developers—including those who write operating systems, office platforms, and even security software—are human, and bugs or vulnerabilities can exist in even the most secure computing platforms. As these issues are discovered, software manufacturers will fix and release new versions of these products. It’s critical that you have a regular cadence for updating the operating systems, applications, and security tools that your company depends upon. When responding to incidents, it’s not uncommon for responders to find that several systems “critical” to an organization are running on long-outdated and unsupported versions of Windows or Linux servers. Outdated and unsupported operating systems often have several vulnerabilities and wide-open attack surfaces which serve as open doors for attackers.

    Needless to say, always make sure your organization’s antivirus (you do have an organization-wide antivirus in place already, yes?) is regularly updated to receive the freshest definitions and algorithms, but remember, antivirus only helps with malware-based attacks.
  4. Tighten Existing Controls

    In nearly every operating system, network, file system, and application, user accounts have varying degrees of permissions to accomplish tasks or access data. Administrators tend to have the most and standard users tend to have the least. Ensure that each user account, including system accounts used for handling automated tasks, has the amount of authority and permissions necessary to complete the job at hand—but no more. For example, while a company’s CEO might drive the policy and agenda for the entire organization, he or she doesn’t necessarily need access to detailed engineering plans or code repositories; they won’t use that data as a course of normal business, but it expands their attack surface tremendously and increases the potential for a catastrophic breach should their credentials be compromised by clicking on a nefarious link in an email message.
  5. Use Two-Factor Authentication Whenever Possible

    Operating systems, application platforms (such as Microsoft’s Office 365), and many websites provide enhanced security and authentication through “two-factor authentication.” Two-factor authentication often combines something you know (such as a password) with something you have (such as a one-time randomized key) to authorize credentials. At a minimum, two-factor authentication should be a requirement for any Office 365 Administrator account, and it’s no less recommended for standard user accounts as well.

    Two-factor authentication is often accomplished through a program that runs on one’s mobile phone, providing “one time passcodes” that rotate every thirty seconds with a unique number that will provide an additional verification of your user credentials. Common two-factor authentication programs include Google Authenticator, Authy, and Microsoft Authenticator, and many password manager programs can also generate authentication passcodes.
  6. Have an Incident Response Plan, Even Minimally

    Due to the growth in cyberattacks and cybercrime, organizations are beginning to understand that it isn’t about if they’ll face a data breach, but when. As a result, the difference between catastrophic organizational damage and cyber resiliency can be the manner and speed in which an organization responds to a breach when it happens, along with the programs, procedures, and processes in place beforehand to best position the organization for recovery.

    While a full incident response plan with trained, dedicated staff at the ready is great, this is definitely an area where perfect shouldn’t be the enemy of good. Critical days or even weeks can be lost after a breach while a company looks for an incident response contractor, negotiates contracts (at panic pricing), and waits for the contractor to begin their response in an unfamiliar network belonging to an unfamiliar company. The time to contract with an incident response and/or managed security services firm is when you don’t have an active incident, because you can set fair pricing and reasonable retainers, and the contractor will have time to learn what’s “normal” in your company and network before a crisis happens. Even if your plan is to “call our account rep at our incident response contractor,” that can be enough to stop a security incident from becoming a security breach.
  7. Encrypt Data at Rest and In Transit

    Most desktop and server operating systems can encrypt the contents of their hard drives right out of the box. From a single user’s laptop to the information stored in your corporate-wide databases, encryption should be the standard, not the exception. Before a computing device is provided to an employee, activate the on-board disk encryption to reduce exposure to loss or theft, and ensure that your cloud computing platforms, corporate databases, and email servers are also covered by their encryption capabilities. Emergency decryption keys can be stored within the safety of your password manager for cases when an employee leaves suddenly, but not providing encryption on that employee’s laptop can be a disaster if it’s lost or stolen in an airport café.

    Speaking of travel, when employees are on the road, they should connect to the Internet through a Virtual Private Network (VPN), preferably one provided by and running through the corporate network to maintain control and assure data security. Open Wi-Fi access points may be a boon to travelers, but they’re also a goldmine for data thieves who may listen in on unencrypted connections. In a pinch, commercial VPN services are also available on an individual basis, and computing enthusiasts can set up their own using open-source platforms such as AlgoVPN for the price of a cup of coffee.
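
The rotating “one time passcodes” described in step 5 are commonly generated with the TOTP algorithm (RFC 6238). The following is an added example, not part of the original article, showing how a passcode is derived from a shared secret and the clock, and how a server can tolerate small clock drift while refusing a reused code. The secret is the published RFC test key, and the `TotpVerifier` class, its `window` parameter and the 6-digit SHA-1 settings are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # passcodes rotate every thirty seconds

# Constructed sample: the RFC 6238 test key, base32-encoded the way
# authenticator apps receive it during enrollment. Never reuse it.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
KEY = base64.b32decode(SECRET_B32)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of last byte picks a 4-byte slice
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the epoch."""
    return hotp(key, unix_time // STEP_SECONDS, digits)


class TotpVerifier:
    """Hypothetical server-side check for one account (illustrative name)."""

    def __init__(self, key: bytes, window: int = 1, digits: int = 6):
        self.key = key
        self.window = window      # accepted drift, in 30-second steps
        self.digits = digits
        self.last_counter = -1    # highest time step already accepted

    def verify(self, submitted: str, unix_time: int) -> bool:
        current = unix_time // STEP_SECONDS
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue  # step already used (or negative): blocks replay
            expected = hotp(self.key, counter, self.digits)
            # Constant-time comparison avoids leaking matching digits.
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(KEY)
    code = totp(KEY, 59)
    print("passcode at t=59:", code)
    print("first use accepted:", verifier.verify(code, 59))
    print("same code replayed:", verifier.verify(code, 60))
```

The drift window is a trade-off: each extra step accepted on either side lengthens the time a stolen passcode remains usable.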

In summary, while there is no one end-all, be-all to cybersecurity, there are a number of simple, practical steps that organizations can take to dramatically improve their cybersecurity posture. Many of these options are free or come with the software you’ve already purchased. Others, while they do charge a fee, cost significantly less than the amounts associated with a data breach in loss of customer confidence, loss of intellectual property, incident response costs, fines, penalties, legal fees, and more. Cybersecurity should be another risk that needs to be quantified, monitored, and managed by your C-suite and Board, and policies must be drafted and enforced accordingly.

Middle Market Businesses Need a Plan Amid COVID-19 Crisis

The highly contagious novel coronavirus has endangered countless lives and forced millions of people into self-isolation at home. This public health crisis has also shuttered non-essential businesses and upended economic activity across the country and around the world. These unprecedented challenges have negatively altered the daily patterns of families, communities and businesses alike.

Businesses in most industries must take the steps necessary to ride out this disruption, as the expected scope and duration of the COVID-19 pandemic remains unclear. Businesses suddenly face sinking revenues, which will likely lead to significant cash flow challenges. There are concrete steps that organizations can take to assess their needs, formulate a realistic cashflow forecast for the coming months and take the necessary steps to stem business losses and sustain operations.
 

Symptoms of Distress

Many middle market companies will face significant headwinds due to COVID-19. Key signs of distress to look for include:

Tight Liquidity

  • Business deemed non-essential and forced to close or limit business offerings
  • Insufficient cash on hand
  • Inability to obtain new financing for the business
  • Held checks and increasing payables
  • Slower turning inventory
  • Inability to pay debts as they come due
  • Inability to continue investing in the business


Fully Drawn on Credit Facilities

  • Covenant violations lower borrowing base availability
  • Reliance on “amendments” and/or forbearance agreements to remain compliant with loan documents
  • Deteriorating relationship with lenders


Declining Profitability

  • Business deemed non-essential and forced to close or limit business offerings
  • Significant decreases in revenue, cash flow, and EBITDA
  • Industry challenges magnified by COVID-19 impact and regulations (e.g., retail, restaurants, hospitality, leisure, nonprofits, oil and gas, et al.)


Debt in Excess of Book Value of Assets

  • Current and long-term debt exceeds value of assets (excluding goodwill or other intangibles)
  • Significant near-term debt maturities


Other Signs of Distress

  • Loss of key customers and vendors
  • Layoffs, product line reductions, etc.
  • Service lapses
  • Wide disparity in performance by location

An Action Plan for Companies Experiencing Distress

All organizations should be proactive in assessing their current financial health, and they need to develop an understanding of their future capital requirements to help ensure business continuity throughout these challenging times. There are three crucial steps to take now that provide the framework required to make informed decisions that create a meaningful action plan.

1. Take stock of the immediate impacts
First, examine where the business stands today.

What initial impact has COVID-19 had on business revenue so far? What interruptions to the supply chain and workforce have hindered the ability to generate revenue? Is the business able to negotiate to defer the payment of rent during the crisis? Has the business needed to make emergency expenditures to continue operations? Are there any credit facilities, SBA loans or other government funds available to draw from?

Government Relief for Qualifying Businesses under the CARES Act
Businesses can evaluate the options available to them through the Small Business Administration relief measures and government borrowing programs for economic stabilization in the wake of COVID-19. For example, the congressional stimulus package includes a Small Business Interruption Loan program designed to help businesses that satisfy industry-specific qualifications make ends meet on essential business continuity costs, such as payroll, rent, mortgage and utilities payments. Employers are incentivized to retain staff, with more 7(a) loan forgiveness available to those who do not reduce headcount.

2. Project the near-term cash flow needed to sustain through the downturn
Some businesses felt a sudden impact from COVID-19. Restaurants, bars and retailers were forced to shutter their doors in compliance with social distancing. Others may feel the impact over time as they run low on inventory or see customers tighten purse strings due to rising unemployment and economic turmoil.

Businesses should put together a realistic and detailed cash flow forecast for the next three to six months to get a full picture of what liquidity needs are likely going to be during this period. This will give leadership the necessary perspective on where to cut costs in the short term to try to minimize losses. Consider: What is the expected trajectory of COVID-19 within the business footprint? Does the business anticipate continued revenue reductions due to reduced demand or an inability to manufacture products, procure inventory or render services? How will the business respond if members of the workforce get sick?

3. Evaluate your options to ensure business continuity
Companies negatively impacted by COVID-19 need to take action to mitigate risk in this difficult climate. Those options may include:

  • Pivoting the business model to ensure revenue generation during this time (e.g., restaurants offering new delivery and take-out services, or retail stores moving to direct-to-consumer e-commerce models)
  • Reducing outflows by delaying rent payments, deferring state and federal taxes, and reducing headcount or furloughing workers
  • Reallocating resources to produce personal protective equipment
  • Applying for loans made available through the CARES Act stimulus package
  • Reaching out to lenders to tap into revolving credit, ask for leniency or additional loans
  • Seeking applicable refunds (i.e., tax refunds, or refunds on prepaid workers comp policies)

Once your business has assessed its current state and projected cash flow needs, you can proactively engage with current lenders to seek some level of covenant relief, support and, in some cases, additional liquidity. With the Treasury Department providing support to financial institutions, lenders may be willing to work with existing customers to help them through these pivotal months.

Business leaders should also be prepared to offer what they can do to help the situation, such as bringing in money from ownership, offering additional collateral or implementing a plan to reduce expenses and conserve value.

With the recent expansion of social distancing and other guidelines from the Centers for Disease Control and Prevention that impact the business landscape throughout the U.S., it is never too soon to develop an action plan to mitigate risks and continued losses.