CFO Consulting Partners LLC Cyber Security White Paper, March 2015
Cyber Security: A fundamental component of Enterprise Risk Management (ERM)
Cyberattacks have hit virtually every industry, but the two industries most affected by incursions, breaches and data theft are financial services and health care. Financial services and the medical world are inextricably connected to the internet, and therefore to hackers, cyber criminals and even nation states intent on gaining access to financial and medical records.
Banks are a particular focus of cyber criminals. In a recent speech, OCC head Thomas Curry said, “The financial-services industry is one of the more attractive targets of cyberattacks, and unfortunately the threat is growing.” One growing area of concern is the potential for criminals to target smaller banks. In late 2014, New York State banking regulator Benjamin Lawsky asked the institutions he supervises to understand the increasing complexity and interconnectedness of the financial system, the importance of strong controls, and the need to carefully monitor the ways in which they connect to third parties.
Banks routinely use advanced statistical models and behavior analytics programs that can spot possible fraud and, to some extent, have a cultural data-governance advantage over other industries. Analysts at the Gartner research group estimate that the health care industry is generally about ten years behind the financial services sector in protecting consumer information.
In the health care world, major cyber breaches go back to 2010, when the WellPoint medical records breach set two records: the number of members’ records exposed in a security breach, and the size of the settlement paid to the Federal Government. The WellPoint breach is estimated to have cost $143 million, covering legal recovery actions, new security control investments, and extended credit monitoring and protection services for victims. During an investigation of WellPoint’s information systems, the US Department of Health and Human Services (HHS) found that the Indianapolis-based insurer had not implemented the administrative, technical and physical safeguards for data required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
More recently, the dangers of health care cyberattacks were highlighted early in 2015 when Anthem, the nation’s second-largest health insurer, said hackers had broken into a database holding information on eighty million people. The stolen data was a particularly valuable trove because it included Social Security numbers, which, unlike payment card numbers, cannot simply be reissued after a breach.
Basic components of a cyber controls framework within ERM (Risk Management):
• Governance: Companies in all industries need to establish a cybersecurity governance framework as a central component of the ERM infrastructure. Regular reporting to the Board of Directors helps assure active participation by the Board, senior management and IT management. The visibility of the cybersecurity infrastructure and processes is an important driver of adequate resourcing, which is essential for companies to stay ahead of the many bad actors in the cyberattack world.
• Cyber Risk Assessment: Through risk assessments, companies understand the specific risks to their organizational infrastructure and operations. The risk assessment process identifies and documents vulnerabilities, highlights internal and external threats, and ultimately prioritizes the risks and the related responses. The related controls should be organized and implemented as preventive, detective and corrective.
• Technical Controls: The selection of specific controls by any company depends on the company’s individual risk profile. Many companies use a “defense-in-depth” strategy, layering multiple independent security controls throughout their technology systems so that the failure or bypass of any single control does not by itself expose the data it protects. One way of looking at this approach is to view the components of a company’s technical infrastructure as residing in partially redundant layers.
• Vendor management: At every touch point, vendors can introduce cyber threats (e.g., malware) into a company’s systems and databases. While a company can rarely penetration test a vendor’s systems directly, its threat assessment must thoroughly evaluate each third-party connection and data exchange for cyber risks.
• Incident Response Planning: An incident response plan is a framework for managing a cybersecurity event and limiting the damage. A company’s incident response plan should establish a dedicated Cyber Security Incident Response Team, address all the plausible attack vectors, and take the legitimate concerns of third parties into account.
• Staff Training: Without adequate staff training and awareness, the rest of a company’s cybersecurity program can easily be compromised. Companies must define cybersecurity training needs and requirements. Staff need to understand the vectors and techniques that bad actors use to penetrate systems and databases.
• Cyber Insurance: While almost unknown five years ago, cyber risk insurance is now carried by many companies. Coverage is offered by most major insurance underwriters; premiums vary widely, because underwriting relies heavily on the quality and strength of a company’s cyber control infrastructure. Note: The cyber control framework items above are extracted from FINRA’s 2014 “Report on Cybersecurity Practices”.
The above is extracted from a White Paper by Tom Van Lenten, Director, CFO Consulting Partners.
Would You Give Your Accounting Department an A?
Dear Mr. CFO, would you give your accounting department an A?
If you can answer YES to 9 out of 10 items, then you may have an “A” accounting department. The following questions are addressed to the CFO, but can generally be answered by the CEO and many other senior executives.
1. Do you provide answers to requests in two hours?
2. Are you able to close the books in a maximum of 7 days?
3. Do you have written comprehensive policies and procedures for main processes, and are they followed?
4. Do all members of the senior management team have a solid understanding of the key business drivers?
5. Would your CEO and other senior executives consider you to be their partner?
6. Do you have a budget and report monthly variances against it?
7. Are you generally able to complete your tasks and goals on time?
8. Do you have a mentor?
9. Do you report bad news within 2 hours?
10. Are your receivables collected in less than 45 days from the last day of work completion (not from when you send out the invoice)?
CFO Consulting Partners unlocks the full potential of accounting and finance functions in small and midsized public and private companies.
If you would like a confidential, no obligation meeting with one of our partners, please email Allan Tepper at atepper@cfoconsultingpartners or call him at 646-650-2028 X701.
Fin Tech Case Study
CFO Consulting Partners was engaged by a start-up Fin Tech Company to assist in setting up their entire financial infrastructure, including establishing and documenting GAAP and regulatory policies, establishing and documenting internal controls and procedures, and constructing the regulatory reporting process. CFO CP also assisted in the preparation of US GAAP financial statements for a Review and eventual audit by the company’s external audit firm. The Company is a pioneer in its industry and needed the Review report to be included in its application for regulatory approval.
CFO CP assisted in developing the workpapers and supporting documentation for the Review and eventual audit. In particular, CFO CP reviewed the trial balance, general ledger from date of inception to the Review period and all the underlying accounting records for propriety and accuracy/completeness. CFO CP ensured that the information requested by the audit firm was prepared in advance and reviewed by management, that it was accurate, and that it had a well-documented audit trail. CFO CP also prepared the relevant schedules and analyses for some account balances. Since the client is a start-up, CFO CP prepared the financial statements from date of inception to the relevant period end, including detailed footnotes. CFO CP worked closely with the auditors throughout the duration of fieldwork and assisted in resolving Review issues with the auditors.
The auditors completed the Review process and issued their Review report within five business days, and the materials required for regulatory approval were filed on time. As a result of CFO CP’s involvement, the books and records have clear review trails and the Company has a chart of accounts that is specifically designed for its business. Also, all the significant accounting policies and internal controls are well documented. CFO CP was commended by the Company’s CFO, senior management and the CPA firm for exceptional work.
From time to time, we read about accounting errors in public companies. Often these result in restatements and may even result in a shareholder lawsuit. Common contributing factors include:
- Weak internal controls
- Deficiencies in its management reporting practices
- A lack of a solid understanding of the industry by its board and audit committee
- An over-reliance on excel worksheets and/or a corporate culture that lives for “quarter to quarter” earnings.
Prepare Now for Revenue Recognition Implementation
In May 2014, the Financial Accounting Standards Board (FASB) issued Accounting Standards Update (ASU) 2014-09, Revenue from Contracts with Customers (Topic 606). The Update takes effect essentially in 2017 and establishes a comprehensive revenue recognition standard for almost all industries. Prior to the promulgation of this standard, companies in certain industries, such as software and real estate, followed industry-specific revenue recognition guidance.
Revenue is an important number to users of financial statements in assessing an entity’s financial performance and position. However, previous revenue recognition requirements in US Generally Accepted Accounting Principles (GAAP) differed from those of International Financial Reporting Standards (IFRS). Hence the FASB is making these amendments to the Accounting Standards Codification (ASC), and the International Accounting Standards Board (IASB) is issuing IFRS 15, Revenue from Contracts with Customers.
The issuance of these documents completes the joint effort by the FASB and the IASB to remove inconsistencies and weaknesses in revenue requirements, provide more useful information to users of financial statements through improved disclosure requirements, and generally improve financial reporting by creating common revenue recognition guidance for US GAAP and IFRS.
Summary of the New Rules
Under the new rules companies will follow a five-step approach to apply the standard:
Step 1: Identify the contract(s) with the customer. A contract is an agreement between parties that creates enforceable rights and obligations. It can be written, oral, or implied by an entity’s customary business practice. Generally, any agreement that creates enforceable rights and obligations will meet the definition of a contract.
Step 2: Identify the separate performance obligations in the contract. A performance obligation is a promise to transfer a distinct good or service (or a series of distinct goods or services that are substantially the same and have the same pattern of transfer) to a customer. The promise can be explicit, implicit, or implied by an entity’s customary business practice. The objective of identifying distinct performance obligations is to describe the transfer of goods or services to the customer.
Step 3: Determine the transaction price. The transaction price is the amount of consideration that the company expects to be entitled to in exchange for transferring promised goods or services to a customer, excluding amounts collected on behalf of a third party. Determining the transaction price will be more complex if the contract involves variable consideration, a significant financing component, or noncash consideration.
Step 4: Allocate the transaction price to separate performance obligations. The transaction price is allocated to the separate performance obligations in a contract based on the relative standalone selling prices of the goods or services in the contract. The allocation is made at contract inception and not adjusted to reflect subsequent changes in the standalone selling prices of those goods or services. The best source of standalone selling price is the observable price of a good or service when the entity sells that good or service separately.
Step 5: Recognize revenue when (or as) each performance obligation is satisfied. Recognizing revenue is the culmination of the new model. A company will recognize revenue when (or as) a good or service is transferred to the customer and the customer obtains control of that good or service. Control of an asset refers to a company’s ability to direct the use of and obtain substantially all of the remaining benefits (that is, the potential cash inflows or savings in outflows) from the asset. Directing use of an asset refers to a customer’s right to deploy that asset, to allow another entity to deploy that asset in its activities, or to restrict another entity from deploying that asset.
- For a public entity, the amendments are effective for annual reporting periods beginning after December 15, 2016, including interim periods within that reporting period. Early application is not permitted.
- For all other entities (non-public entities), the amendments are effective for annual reporting periods beginning after December 15, 2017, and interim periods within annual periods beginning after December 15, 2018. Early application is permitted under certain circumstances.
- An entity should apply these amendments using one of the following two methods:
- Retrospectively to each prior reporting period presented
- Retrospectively with the cumulative effect of initially applying this standard recognized at the date of initial application.
Even though implementation seems far away, it is highly recommended that companies begin to prepare now.
The new standard will likely affect the measurement, recognition and disclosure of revenue, which is often the most important financial performance indicator. Since an entity’s objective is to generate revenue, it is not surprising that changes to the accounting for revenue could affect multiple business functions. To prepare for implementation companies should:
- adjust or add controls to address the increased judgments and estimates in revenue amounts, including documentation and testing of those new controls;
- update policies and procedures to conform to the new standard; and
- consider optimizing all revenue-related internal controls.
It Pays to Do It Right the First Time
By Art Finnel, Head of Life Sciences Practice
Prior to joining CFO Consulting Partners, I held a CFO position with a company that was planning to go public and hired a new accounting firm for the audit. The company had planned for this possibility five years before my arrival. Everything seemed in order. I was going to have great fun, so I thought.
Shortly after joining, we began to prepare for the next audit. During my review, I found that a series of shortcuts had been taken in certain critical accounts during the year. This turned out to be totally unsatisfactory in satisfying a proper audit and preparing for a set of filings with the SEC.
Further, the documentation supporting the entries on the company’s books was very thin and in certain cases non-existent, which then required exhaustive research of the issues and relevant accounting rules. In many instances, an entire redo of the calculations and a determination of the proper entries had to be made. Besides the significant investment of my time and energy to correct the deficiencies, it cost the company dearly to comply with the auditing standards of the new accounting firm.
My takeaway from this experience is pretty simple. Do it right the first time around! Don’t shortcut. Make sure you and your accountants understand the accounting rules. If there is ambiguity, then find the right expertise to provide the necessary advice and support. And finally, Document! Document! Document! By following these simple rules, you should feel confident that your company can present its accounts properly and handle any questions or due diligence that might be undertaken in the future.
Is Your Company Getting Ready for an Exit?
By Allan Tepper, Co-Founder and Managing Director
Since the Great Recession, 2014 may be the best year yet for an exit. This is true for sales of companies as well as IPOs. For private equity transactions, average hold periods are at an all-time high of nearly six years. These companies must be sold at some point. See the BB&T Capital Markets video for macro developments over the past decade.
For IPOs, 2013 proved to be one of the best years for the IPO market since the tech boom of the early 2000s, and PWC reports that 2013 was the most active IPO environment since 2007. See PWC’s article, “Being Prepared in a Hot IPO Market”, for references and additional information.
In preparing for your exit, we suggest the gathering of both historical and projected numbers. Historical data should include all your key numbers and should present a clear picture of your business. Your forecast data should be driven by the key drivers of your business, and all forecast numbers should be supported by sound assumptions.
Unfortunately, some of the information required in producing historical and forecasted numbers may not be available in your accounting system. We recommend that companies would be wise to develop processes to capture those “non-accounting system numbers” on an ongoing and consistent basis.
Waltham, MA – Eleven independent finance and accounting consulting firms from across the country have aligned to launch a membership-based group called the Finance and Accounting Consultants Alliance (FINACA). Sharing best practices and insights enables the members to provide exceptional client service as well as deliver expert finance and accounting resources across the United States.
Jim Bourdon, CEO and Founder of Accounting Management Solutions (AMS) in Waltham, MA, spearheaded the efforts to establish FINACA. “This collaboration will provide incredible opportunities to share operational ideas, technical knowledge and resources so that we can each better serve our clients,” said Jim.
FINACA consists of 11 member firms with more than 700 professionals throughout the country who specialize in accounting, finance and internal audit services. In addition to AMS in the Greater Boston area, other founding members of the alliance (along with each metropolitan area served) include:
Compromise for Lease Accounting Overhaul Rejected by the Leasing Industry, Accountants and Analysts
Since 2006, the U.S. Financial Accounting Standards Board and the IASB have been working on a lease accounting overhaul. This effort has been spurred by investor complaints that huge off-balance sheet leases can blur a company’s true financial obligations. On May 16, 2013, the FASB and IASB issued their joint Exposure Draft (“ED”) on lease accounting. Comment letters were due to the FASB/IASB in September 2013. The May 2013 ED would have brought virtually all leases with a tenor of one year or more onto the balance sheets of both lessors and lessees. The SEC estimated that the accounting proposed by this ED would add an average of $1 billion in new assets to the balance sheets of S&P 500 companies.
Reacting to prior criticism about the income and expense recognition patterns in the 2010 ED, the May 2013 ED proposed a complex framework of dual lease classification. Leases would be classified as either Type A or Type B. Under a Type A lease, the amortization would look similar to that of a financed asset, whereas Type B leases, which were created in response to complaints that not all leases are like asset financings, would allow expense recognition on a straight-line basis.
The Boards received 638 comment letters on the May 2013 ED. Based on the mostly critical feedback in these comment letters, the Boards decided to begin re-deliberations of all significant issues in the first quarter of 2014. The more significant themes from the comment letters are summarized below:
- There are serious concerns about the complexity of the proposal as it relates to numerous issues, including lease classification and subsequent measurement.
- The majority of constituents do not support changing the existing lessor accounting model, expressing a position that the existing lessor model is not fundamentally flawed. Those constituents do not think that consistency between the lessee and lessor accounting models is necessary.
- Many respondents support the concept that lessees should recognize lease assets and liabilities on their balance sheets. However, there are mixed views regarding the income statement and cash flow statement proposals. Some support a single lessee accounting model; others support a dual lessee accounting model.
On January 23, 2014 the FASB and the IASB began their re-deliberations of the proposals included in the May 2013 Leases Exposure Draft. The objective of the meeting was to have an in-depth discussion of the following:
- Lessor accounting model
- Accounting for “Type A” leases by lessors
- Lessee accounting model
- Lessee small-ticket leases
The Boards did not make any decisions at this meeting.
Implications of the Volcker Rule
Five government agencies (the Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Securities & Exchange Commission, and Commodity Futures Trading Commission) concluded their three-year collaboration by approving the final Volcker Rule on December 10, 2013. It ushered in a ban on proprietary trading for banking entities. The rule is effective April 1, 2014, with a conformance timeline running through July 21, 2015, unless extended.
The ban on proprietary trading will affect the banking entity’s relationship with hedge funds, private equity, and covered funds, in many instances terminating the relationship. A myriad of exemptions apply for all prohibited actions – proprietary trading, hedging, covered funds, etc. The affected firms will have to look closely at the exemptions in order to completely understand the proper actions to take.
The Volcker Rule restrictions on covered funds may impact community banks that invest in Collateralized Debt Obligations (CDOs), Collateralized Mortgage Obligations (CMOs) and/or Collateralized Loan Obligations (CLOs). Trust preferred CDOs issued prior to May 19, 2010 are exempt from the Rule. Aside from that exception, banks which have invested in CDO, CMO and CLO securities will be required to identify their specific hedging risks and monitor the effectiveness of those hedges consistent with their policies.
The final Rule exempts Community and Regional banks with less than $10 billion in total consolidated assets from trading restrictions and compliance requirements with respect to trading in U.S. Treasuries, GSE Agencies, Municipals, and FDIC obligations. Even with an exemption or exclusion in every aspect of the Volcker Rule, all banking entities would be wise to review their portfolios, risk policies and procedures and draft a compliance program.
Private Equity Case Study
A private equity firm desired to sell one of its portfolio companies. The company, with sales of $75 million, was a leader in the fashion industry. The incumbent Chief Financial Officer and Controller left at the start of the sale process.
The company could not hire another full-time Chief Financial Officer and Controller as it was actively engaged in the sale process. It needed two people for the short term who could work with its PE owner, the investment banker, the potential buyers, lenders and other stakeholders, and at the same time continue to produce required financial information and liaise with its auditors.
The PE firm reached out to CFO Consulting Partners (CFOCP) to provide an Interim CFO who could handle both the CFO and controllership responsibilities, and who could provide financial management leadership to the company during the sale process. One of CFOCP’s members was retained by the company.
During the initial phase of the engagement, the Interim CFO took total charge of the Finance Area. The Interim CFO’s direct areas of responsibility included Accounting & Finance, Information Technology, Human Resources and Legal. He was instrumental in accelerating the closing process by up to two weeks, and he enhanced the HR area by outsourcing a portion of the function. In addition, he was able to recover certain funds by investigating nuances of certain long term contracts and participated in direct negotiations of certain contracts and leases.
During the potential buyers’ due diligence processes, the Interim CFO fielded and directed all due diligence responses. He also played an active role in the Management Presentations. This posed a tremendous challenge, as the sale process had not been disclosed throughout the Company.
CFOCP, which specializes in providing senior-level financial management services, provided such an experienced CFO from its team. CFOCP supported the Company with various accounting and M&A services. The CFOCP member became an integral member of the management team. The needs of all stakeholders were met, and the sale was successfully completed. Subsequent to the sale, the buyer group retained the CFOCP member to assist with accounting integration, purchase price accounting and a subsequent refinancing. In addition, the CFOCP member provided valuable institutional knowledge to the buyer group.
Basel III Affects Community Banks
The final Basel III rules for US banks were issued by the bank regulators in July 2013. These rules require all banks to maintain higher capital levels, and generally add complexity to the US regulatory capital framework. All banks will need to strategically manage to the higher capital levels.
Implementation of the new rules for community and most other banks and bank holding companies begins January 1, 2015. Implementation for “Advanced Approaches” banking organizations, which include all banks and bank holding companies with $250 billion or more in consolidated assets or $10 billion or more of on-balance sheet foreign exposure, begins January 1, 2014. For all banks, there are detailed phase-in requirements in the implementation framework that need to be considered in planning and analyzing Basel III implementation.
The Final Basel III rules a) significantly increase required minimum capital ratios, b) introduce a new common equity ratio, c) create the concept of “capital buffers,” d) narrow what is permitted as capital and e) change the risk based assets calculation. The new common equity ratio is called “Common Equity Tier 1” or “CET1”. The minimum “CET1” ratio for Non-Advanced Approaches banking institutions, which include Community Banks, increases from 4.5% at January 1, 2015 to 7.0% at January 1, 2019. This calculation includes a “capital conservation buffer” which is added to the minimum ratio of CET1 to risk weighted assets of 4.5%, and is phased in from 0.0% in 2015 to 2.5% in 2019, resulting in an effective CET1 to risk weighted asset ratio of at least 7.0% in 2019.
CET1 is defined by reference to 13 criteria, but is essentially common equity with limitations on distributions. Tier 1 Capital is defined by 14 criteria, with the most common qualifying Tier 1 instrument being noncumulative perpetual preferred stock. Tier 2 Capital is defined by reference to 11 criteria, with the principal criteria being subordination to depositors and general creditors, original maturity of at least 5 years, and no credit-sensitive features. There are special rules and some phase outs for Trust Preferred Securities.
Computations for the capital ratio denominator (risk-weighted assets) are equally complex, with special rules for residential mortgages, commercial real estate, corporate exposures, and securitizations.