COVID-19 Cybersecurity Recommendations

Globally, industries have seen a sharp rise in cyber-attacks since the Chinese government disclosed the spread of the coronavirus, or COVID-19, within China and internationally. These include, in particular, spear-phishing and ransomware attacks on health-care systems, impersonation attacks combined with business email compromise (BEC) targeting financial systems, supply-chain attacks aimed at manufacturing operations redirected outside of China, and distributed denial of service (DDoS) attacks on the energy, hospitality, and travel industries.

With the spread of COVID-19, demand for information technology (IT) support services is increasing across nearly all industries, as employees, students, university faculty, and others worldwide are being asked or required to work or study remotely from their homes to reduce the spread of the virus. As a result, nation-state and criminal cyber-attack groups are taking maximum advantage of the situation to target cyber vulnerabilities in select industries, especially those most impacted by the current crisis.

Realizing that 40% or more of cyber vulnerabilities are directly linked to employee behavior, per Gartner’s latest studies, it is vital that organizations focus more on their employees through cybersecurity awareness, education, training, and the use of simulations, creating a stronger human firewall to protect their vital digital assets. After all, according to IBM Security’s latest findings, the average cost of a cyber data breach is now $8.2M.

Cybersecurity Top Five Recommendations

To reduce both the probability of a cyber-attack or significant data breach and mitigate the negative financial and reputational impacts, we offer the following cybersecurity recommendations, which are clearly applicable to all industries:

1) Create an organizational culture of cybersecurity – Ensure the C-Suite consistently promotes and supports all employees practicing effective cybersecurity policies, processes, and procedures via a comprehensive cybersecurity awareness, education, and training program including spear-phishing campaigns and cyber data breach table-top exercises.

2) Implement advanced cyber diagnostic assessments, on a regular basis, including:

  • Email Cyber-Attack Assessments
  • Network & Endpoint Cyber-Attack Assessments
  • Vulnerability Scanning Assessments
  • Penetration Testing
  • Spear-Phishing Campaigns

3) Establish a Rapid Cyber-Attack Incident Response Plan – Develop and periodically test a well-coordinated, enterprise-wide information system incident response plan to quickly identify, contain, eradicate, and recover from cyber-attacks.

4) Conduct 24 x 7 x 365 Monitoring, Detection, & Response (MDR) – It is essential to continually monitor, detect, and respond to all cyber incidents across the email system, network, software applications, and all information system endpoints, using advanced security information and event management (SIEM) software, data visualization tools, automation, and artificial intelligence (AI) capabilities.

5) Ensure information system resilience – Implement and periodically test an enterprise-wide business continuity plan (BCP) and disaster recovery plan (DRP).

Please contact your engagement professional or our front desk if you need more information on cybersecurity services.

How to Determine if an Employer has “Less Than 500 Employees” For COVID-19 Federal Paid Sick and Family Leave Mandates

The Families First Coronavirus Response Act (H.R. 6201) became law on March 18, 2020. Among other things, the Act requires employers with “fewer than 500 employees” to provide two new benefits: (1) federal emergency paid sick leave and (2) federal emergency paid family and medical leave (FMLA). As a result, employers need to know immediately how to determine if they have “fewer than 500 employees.”

Questions remain about how to calculate whether an employer has “fewer than 500 employees” and which measurement period or date should be used. These questions are particularly important, as many employers are currently making difficult decisions, which could lead to dramatic cuts to their employee headcount due to the COVID-19 pandemic.

Insight

Some employers may want their headcount to be fewer than 500 so that they can obtain assistance from the government to provide their employees with paid leave benefits. Those employers will benefit from a methodology that does not require employees of related companies or consolidated group members to be counted. Many small employers would like to assist their employees but cannot afford paid leave without federal assistance.

In contrast, other employers may prefer to avoid the mandatory paid leave requirements and would benefit from a more inclusive employee count.

Because these new mandates are grounded in two different federal laws, it seems that there are two different sets of rules for counting “fewer than 500 employees.” Specifically, as described below, one method must be used for federal emergency paid sick leave while another method must be used for the federal emergency paid FMLA leave.

Counting Employees for Federal Paid Sick Leave

No controlled group concept. The Fair Labor Standards Act (FLSA) definition of “employer” applies for federal emergency paid sick leave. FLSA does not seem to have a controlled group concept. Likewise, the new legislation simply says “employer” and does not include references to any sections of the Internal Revenue Code that would require all entities under common control be treated as if they were a single employer. Often (but not always), the Code requires related employers to be treated as if they were a single employer (for example, see Sections 1563 and 414(b), (c), (m), etc.). Also, the Code often (but not always) imposes ownership attribution rules (for example, under Sections 267(b) or 318). Congress certainly knew about the controlled group and ownership attribution concepts, which were used most recently in the SECURE Act and the Tax Cuts and Jobs Act, as well as many other laws. By not specifically including cross-references to any of those existing Code sections, it seems Congress did not intend for controlled group or ownership attribution concepts to apply when determining whether an employer has “fewer than 500 employees” for purposes of the new federal paid sick leave mandate. We have submitted this question to the IRS as needing priority guidance.

As of what date should the headcount be made? Since H.R. 6201 does not specify the date for the employee count and the FLSA applies to almost all employers all the time, guidance is needed to determine as of which date employers would be treated as having “fewer than 500 employees” for purposes of the new federal emergency sick leave benefit.

Counting Employees for Federal Paid FMLA Leave

Integrated employers. The FMLA definition of “employer” applies for federal emergency paid FMLA leave. That definition includes an “integrated employer” concept, which is similar to (but not the same as) the Code’s “controlled group” concept. Employers would apply the following four factors to determine if common law employers are required to be aggregated for FMLA purposes:

  • Common management
  • Interrelation between operations
  • Centralized control of labor relations and
  • Degree of common ownership/financial control

FMLA regulations say that no single factor is determinative. Rather, the entire relationship must be reviewed in its totality. In other words, do the two entities work “hand in glove” so to speak? Do they share the same leadership? Ownership? The more intertwined, the more likely they are “integrated employers” for purposes of the new federal paid FMLA mandate.

For purposes of determining employer coverage under the FMLA, the employees of all entities making up the integrated employer must be counted.

Insight

Employers who use professional employer organizations, or PEOs, need to take special care to determine how FMLA applies. FMLA includes a “joint employer” concept, so each employer may have a separate duty to provide the FMLA benefits. FMLA rules also include a “successor employer” concept.

There is no “one size fits all” answer, since there is no bright-line, numerical ownership percentage test (like tax professionals are used to analyzing). It seems that FMLA may treat entities as employers, even if they are disregarded entities for tax purposes (such as partnerships or limited liability companies taxed as partnerships).

Who counts as an employee?

Employees who must be counted include:

  • Any employee who works in the United States, or any territory or possession of the United States
  • Any employee whose name appears on payroll records, whether or not any compensation is received for the workweek
  • Any employee on paid or unpaid leave (including FMLA leave, leaves of absences, disciplinary suspension, etc.), as long as there is a reasonable expectation the employee will return to active employment
  • Employees of foreign firms operating in the United States
  • Part-time, temporary, seasonal, and full-time employees

Do not count:

  • Employees with whom the employment relationship has ended, such as employees who have been laid off
  • Unpaid volunteers who do not appear on the payroll and do not meet the definition of an employee
  • Employees of United States firms stationed at worksites outside the United States, its territories, or possessions
  • Employees of foreign firms working outside the United States

As of what date should the headcount be made? Generally, a private sector employer is subject to FMLA if it employs 50 or more employees for each working day during each of 20 or more calendar workweeks in the current or preceding calendar year. Although it is not clear, the same measurement period could be used to determine if an employer has “fewer than 500 employees” for purposes of the federal emergency paid FMLA leave. Guidance from the U.S. Department of Labor would be helpful in this regard, which hopefully would be more lenient, to take into account the rapid reduction in workforce that came without much warning for many employers, due to COVID-19.

Insight

Because the FMLA rules have been in existence for years, employers may want to ask their human resources department or employment legal counsel to determine how the employer has historically complied with these rules. Such past practice could be applied to interpreting the new federal FMLA mandate with respect to determining if the entities must be aggregated for the “fewer than 500 employees” rule.

Since enactment of the new law, in our discussions with clients, we are finding that the very low FMLA threshold of 50 employees often did not require much analysis of the “integrated employer” concept. For example, if there are 5 entities that have some of the characteristics of being “integrated,” with each of them having at least 50 employees, they never had to make the determination about being integrated because the answer would not change. Look for any entity that had fewer than 49 employees to see if it extended FMLA to its employees. Now that the threshold is 500, this could be the first time that the “integrated employer” concept becomes relevant.

Impact Risk and Response Guide To COVID-19

About This Guide

This guide aims to provide insights into the relevant impacts of COVID-19. It gives general risk response guidance for companies to consider when deploying business continuity planning (BCP) measures to combat the pandemic and, more importantly, to maintain the agility to overcome the difficulties faced.

We understand that a single set of procedures or responses might not fit all organizations or each company’s individual situation; however, in this guide we outline impact and risk response for high-level consideration.

Impact and Risk Response

In the face of the growing spread of COVID-19, many businesses are formulating action plans to mitigate the potential impact on business operations, while at the same time meeting the needs of their customers and other stakeholders.

It is too early to assess the ultimate consequences on U.S. businesses, as the situation is still evolving. We are seeing volatility in the stock markets, travel restrictions, cancellation of events, school closings, constant news coverage and social media obsession with COVID-19.

And while there’s still much uncertainty, prudent leaders should be well-prepared.

Impact on Health and Safety

COVID-19 is an infectious disease. The virus is thought to spread mainly from person to person through respiratory droplets when an infected person coughs or sneezes. It is also possible that a person may catch the coronavirus by touching something that has the virus on it and then touching their own mouth, nose or eyes. Gathering employees together at the workplace or at large corporate events may put them at risk of exposure to the virus. The nature of the virus makes it challenging for companies to strike a balance between maintaining productivity and efficiency and providing a safe working environment for their employees. Early adoption of adequate preventive measures and maintaining an effective communicable illness policy can help ensure a safe work environment for employees, customers and clients.

RISK RESPONSE
To protect employee and customer safety while minimizing adverse economic impacts on the business, companies should consider the following actions, among others:

  • Remind employees about the importance of maintaining personal hygiene and thoroughly washing hands and/or using hand sanitizer. Refer to guidance provided by the WHO, the CDC and local authorities.
  • Encourage employees to stay home at the first onset of any cold or flu-like symptoms.
  • Disseminate information on precautions to help stop the spread of the virus.
  • Continually update records of travel and monitor employees’ potential exposure to COVID-19.
  • Reconsider any non-essential travel plans, especially to events with large groups of people. Social distancing is encouraged at this time.
  • Review and evaluate remote work policies and capabilities.
  • Provide sufficient and accessible infection control supplies (e.g. hand sanitizer) and ensure cleaning services are properly cleaning and disinfecting frequently-touched objects and surfaces.
  • Coordinate with Human Resources to establish procedures for how to respond to any symptoms displayed by employees.

Impact on Governance

The organization’s management is responsible for identifying, assessing and responding to risks. These include emerging and atypical risks, as well as risks which are newly developing and difficult to fully assess but could affect the viability of an organization’s strategy.

The board of directors has a fiduciary duty to ensure the organization acts in the best interest of its stakeholders. Board members should oversee the organization’s ability to successfully identify and respond to emerging risks, as well as provide timely and transparent information to internal and external stakeholders.

RISK RESPONSE
During times of crisis, people look to their leaders for strength and stability. Leaders do not wish to be caught off guard, especially when a situation escalates and thrusts the organization into chaos. Management and the board must work together to ensure a strong culture and effective communication is maintained throughout the process. Consider the following steps:

  • Review the operational risk management capabilities, such as crisis management, business continuity, third-party risk and insurance. Verify that all key members of the team have been identified and fully understand their duties and are confident in their ability to carry out the responsibilities. If the operational risk management capabilities do not exist or are insufficient, consider involving risk management and internal audit professionals to assist in rapid development.
  • Encourage collaboration across the organization to develop a strategy for adjustments to business continuity plans that adapt to evolving conditions.
  • Center your focus on key business outcomes. This may require a different cadence, specific measurements for remote teams, and empathy during difficult situations. Focusing on your communications plan and your work culture will allow you to manage through distractions.
  • Establish clear responsibilities between the board, audit and risk committees, and management team. Assess whether management has adequate resources internally or externally to help in assessing and mitigating risk.
  • Ensure timely and relevant information is being received by the board.
  • Develop centralized, timely messaging from leaders disseminated to employees to instill confidence and calm, and counter fear and misinformation.
  • Require transparency in communications and set expectations for the frequency of communications.
  • Ensure there is a platform or communication channel (e.g. hotline or website) to timely communicate information about COVID-19 inside and outside the organization.

Impact on Financial Reporting

Operations for some organizations will be negatively impacted by the COVID-19 situation. Companies should consider the additional risks involved and the impact on the company. In some cases, the impact may necessitate adjustments to accurately reflect the financial situation of the organization.

On Feb. 19, 2020, the SEC and the Public Company Accounting Oversight Board (PCAOB) issued a joint statement regarding certain matters, including financial reporting considerations related to COVID-19. The statement was intended to remind issuers of the SEC’s policy to grant relief from filing deadlines in certain situations, including those affecting audit firm access to information and company personnel. They also emphasized the need for issuers to consider relevant financial statement disclosures related to the potential effects of COVID-19, including the impact of subsequent events on the organization.

RISK RESPONSE

  • Evaluate potential disclosure of subsequent events in the notes to the financial statements, as well as how the organization plans to respond to the events as they unfold, which can be material to an investment decision.
  • Due to COVID-19, the SEC has granted relief related to financial reporting and has established a protocol. Contact the SEC staff regarding guidance.
  • Reassess the reasonableness of allowance and/or reserve balances, as these may be impacted. For instance, the company could have large accounts receivable amounts from a certain customer who may have incurred severe impact on their business due to COVID-19, causing an inability to pay and thus necessitating an increase in the allowance for doubtful accounts.
  • Examine all actions taken by the organization in response to COVID-19. Consider the impact to the financial statement, and ensure appropriate entries are recorded in the general ledger to accurately capture the impact.
  • Assess deferred tax assets – the need for a valuation allowance (or the magnitude of an existing valuation allowance) may need to be re-evaluated.
  • Assess derivatives and hedging – forecasted purchases and sales and hedging of these activities may be impacted. These factors should be taken into consideration in the valuation of the contracts, and may cause problems from a hedge accounting standpoint as forecasted transactions are no longer probable of occurring. There may be legal questions on whether force majeure clauses are tripped.
  • Public companies should consider whether updates are needed to Risk Factors, MD&A (known trends and uncertainties, potential impacts to guidance, capital expenditures, collectability issues, any impacts to cash flows, etc.), and other parts of filings.

Impact on Economic Sustainability

As the number of COVID-19 cases continues to climb both in the U.S. and across the globe, businesses of all sizes and across all industries are feeling a significant impact.

Mass cancellations and travel restrictions are having a big impact on the airline industry. U.S. hospitality businesses have seen a sharp decline in their customer numbers. Supply chain disruption is pervasive and only getting more difficult to navigate.

Organizations may be faced with tough decisions to alter operations temporarily, modify business hours, or operate below capacity due to the impact on their workforce, customers or suppliers. We recommend you consider contingency planning and “what if” scenarios to establish back-up plans.

These issues may lead to falling revenue, reduced financial liquidity and going-concern doubts about key business partners, negatively impacting companies’ sustainability.

RISK RESPONSE
It is difficult to assess how long the novel coronavirus will cause significant disruption. In the meantime, cash is king: the critical element in any time of uncertainty is to ensure that the company’s liquidity position can be maintained and to buy time for the company to recover.

We recommend that company management establish a task force to monitor the level of impact on the business and periodically report to the board on the status of the key performance indicators for critical business units. Companies may also consider the following actions, among others:

  • Conduct a thorough risk assessment of business operations, taking a holistic approach across the globe rather than focusing on certain regions, to assess the level of possible interruption and formulate measures to mitigate potential impacts.
  • Perform financial scenario, sensitivity and ratio analysis, examining the overall threat to the organization should sales and/or production decrease at various percentage rates. Determine what actions may need to be taken at certain stages to reduce further losses.
  • Plan for voluntary/involuntary employee absenteeism and reduction in workforce, which will impact production and service levels. Consider alternative work arrangements such as relocation (working from home or other locations), reassignment of workflow (altering shifts), or reallocation of production.
  • Review the pace of expenditure in relation to the company’s expansion plans and existing development projects (if any) and slow down the cash burn rate.
  • Re-prioritize the allocation of resources to unaffected business lines.
  • Assess any impact relative to customer behaviors or sales over the past month(s) to determine if adjustments should be made to the level of staff needed or business hours.
  • Explore and identify business transformation opportunities and models to reduce over-reliance on existing business segments.
  • Identify measures for controlling budgets and increasing cost savings, such as assessing the possibility of outsourcing or reduction of non-critical business activities.
  • Explore opportunities for collaboration with new strategic business partners for new market development and to meet customers’ needs.
  • Identify alternative solutions if forced to suspend operations at the business premises.

Impact on Contract Compliance

Companies are experiencing an impact on sales, production and supply chain, among others, as a result of COVID-19-related issues from business interruptions. These impacts have a cascading effect on the ability to meet contractual obligations.

RISK RESPONSE
We recommend that companies consult their legal advisors and review their contracts to determine what, if any, contractual obligations may be impacted and the rights and remedies they have as a result of the delayed performance of contracts.

Companies should also take (and document) reasonable steps to mitigate the impact of COVID-19. If companies cannot fulfill their contractual obligations, they may need to quantify the amount of financial damage and the impact on their long-term business relationships.

Companies should review their existing insurance policies to find out whether any losses they incur relating to COVID-19 can be covered under existing terms or whether they need to adjust their coverage for additional protection.

Impact on Supply Chain

China is well known as the largest supplier of goods to the U.S.

In 2019, the U.S. imported more than $450 billion from the country. All industries—particularly healthcare, life sciences, retail, hospitality and travel—have already been highly impacted. Consider that 40% of U.S. apparel is sourced from China, 21% of microchips for PCs, servers and mobile phones come from China, and China exports around $35 billion in auto parts and accessories around the world. Governments around the world have begun to take measures that limit the movement of goods and people across borders. Restrictions imposed by the Chinese government, for example, have included quarantine mandates and factory shutdowns across the country. As China is the factory of the world, supply chains are deeply affected.

RISK RESPONSE
If management believes there is a risk of disruption to their supply chains, they should take the following steps, among others, to mitigate the potential consequences:

  • Understand how disruption propagates through the supply chain and establish at which point in the chain, and at what point in time, the disruption occurs.
  • Consider re-prioritizing the production line to respond to market impacts associated with the threat, increasing safety stock levels, and stockpiling essential supplies and resources.
  • Determine which vendors may be most severely impacted and if alternative vendors can provide a solution to meet business needs.
  • Pre-qualify alternative domestic or international suppliers and outsourced vendors in case primary suppliers can no longer provide support.
  • Assess if suppliers have documented plans for business unit continuity and information technology disaster recovery, including for critical business.
  • Formulate contingency measures, give first response and anticipate possible failures in the supply chain. For example, examine the capacity of other suppliers in other geographical areas, change the production mix and plan for new delivery methods to reach customers.
  • Take into consideration the absence of a large number of critical staff over an extended period.
  • Estimate the recovery time for the supplier’s “mission-critical” business processes.
  • Develop actions for business recovery. For example, find and approve new suppliers and alternative modes of transport, then identify which of those options are available, and sell products on that basis.

Impact on Technology

Many organizations will activate contingency and business continuity measures to allow employees to work from home to limit the spread of the virus. A significant number of remotely-connected employees, for an extended period, may put a strain on the company’s network.

Furthermore, as U.S. businesses and employees are determining the potential impacts of COVID-19 on their operations, some cybercriminals are exploiting the hysteria. There are reports of phishing emails masquerading as guidance about COVID-19, in which attackers disguise malware as email attachments purporting to contain information on protecting against its spread.

RISK RESPONSE

  • Assess whether security settings for remote connections and secured individual access mechanisms are in place and operating effectively.
  • Determine sufficiency of network capabilities if a large number of employees are expected to be working remotely for an extended period.
  • Enable staff to utilize equipment and tools to maximize their productivity while working remotely, such as video calling, cloud-based collaboration software, and online document authoring.
  • Consider moving appropriate applications and decision support systems to the cloud to enhance your ability to not only manage through difficult times, but also harness the innovation, compliance and security features provided by global public cloud vendors.
  • Adopt and/or verify enforcement of multi-factor authentication for employees who are logging into the company network.
  • Review communications and information technology infrastructures as needed to support employee telecommuting and remote customer access.
  • Enhance user awareness of cyber-attacks and provide frequent alerts to employees to enhance cyber vigilance.
  • Educate employees on red flags to look out for within phishing emails.
  • Practice consistency in communication methods and protocols to heighten an employee’s awareness of phishing attempts.
  • Monitor the use of unauthorized computers (especially for companies that have adopted a Bring Your Own Device policy) and their access to the network.
  • Review the data backup policy and the frequency