Article

Cybersecurity in finance and unclaimed property

May 16, 2024 · Authored by Jim WeigandMatthew Chenowth

Cybersecurity and why it matters

If your organization experiences a cyberattack, sensitive information can be accessed, changed or destroyed, money can be extorted or business processes can be interrupted. While sophisticated hacking is a valid threat to organizations, it is rarely the root cause of a data breach. Unfortunately, most data breaches and cybersecurity incidents are caused by a breakdown of basic cybersecurity processes and controls.

One area that has been receiving additional attention recently is the importance of cybersecurity as it relates to a company’s unclaimed property processes, including state record retention requirements, increased fraud and handling potentially sensitive personal data. The good news is that a company’s defenses can be strengthened by identifying potential weaknesses and implementing best practices solutions.

Cybersecurity concerns for finance

Companies face many challenges today, including increasing regulatory scrutiny and uneven market conditions. Unique among the challenges are the risks these companies face regarding data security. Some key areas of risk, along with potential solutions, are outlined below.

Vendor risk management

No matter how well-established your business relationships may be, large companies inevitably take on additional risks when working with an extensive supply chain of vendors. Adding to the inherent risks in managing multiple vendors are threat actors that realize that these vendors can often offer their easiest entry points into large targets. While there is no way to completely bullet-proof your company from bad actors, this risk can be significantly reduced by conducting thorough vendor risk assessments on any third-party vendors with which your company does business to ensure they satisfy all your company’s cybersecurity requirements.

Increased regulatory scrutiny

Recently, there have been significant changes in terms of privacy laws — at both the federal and state levels, putting additional pressure on companies to reconsider the importance of complying with regulatory requirements. In the past regulatory focus was on oil and gas and healthcare, but today companies across multiple industries are widely affected by cyber regulations. What’s the solution? Unlike the past, companies can no longer get away with having weak systems and controls. Today, in the face of increased regulatory scrutiny, companies across all sectors need to be prepared to have their controls tested and to prove their ability to meet regulations.

Data security on the cloud

Locally and nationally, we have already seen minor breaches by cloud providers. While cloud providers can promise to get your data back quickly in a straightforward manner, a major concern remains: what can happen to your data in the event of a major breach? While the cloud does provide data-security, remember that the protection it provides is merely baseline security for your systems and data. What should a company do? As a starting point, all organizations should test their incident response plan, business continuity plan and disaster recovery plan periodically to ensure they are prepared for a real-life incident. In addition, companies need their own enhanced security measures, including air-tight controls and well-documented policies, so that they are not depending solely on the cloud providers for cyber protections.

Increase in the number and creativity of cyberattacks

Cyberattacks are on the rise as threat actors continue to gain access to companies through the inadvertent actions of employees and vendors. The creativity of attacks has blossomed in recent years as well, and social engineering thought various media platforms continues to be a leading method to begin attacks. To address this issue, cybersecurity protections need to be implemented on both the personnel and organizational sides. Each person within an organization serves as a guardian for the organization’s data, and companies need to provide proper training to their employees to successfully combat the quantity and quality of attacks.

Impact of artificial intelligence (AI) on the cyber landscape

AI continues to become a pillar of more complicated attacks in areas such as spoofing, text messages, phone calls, video calls and deep fakes. AI is likely to continue in that capacity, and to get even more severe, in the future. Fortunately, AI generated attacks can often be combatted with AI, so companies that use it positively can also use it to remain safe and vigilant against attack. To do so, companies need to conduct regular risk assessments on their AI to ensure that it is giving them the best outputs with the lowest amount of risk. These AI risk assessments need to take place early in any implementation process, as any usage of AI opens the door to potential infiltration by a bad actor, putting the company and its technology at risk.

Unclaimed property – what is it?

Unclaimed property (UP) is generally any intangible (financial asset) property that is held, issued or owed in the ordinary course of business and has remained unclaimed by the apparent owner for a specified period. It’s important to remember that UP is not a tax, so nexus rules do not apply. As a result, a completely different set of rules applies regarding which state has jurisdiction over UP. Depending upon the circumstances, UP is reportable to either the state indicated by the owner’s last known address or, if the owner is unknown or the address is unknown, the state of incorporation of the company of the company holding the UP.

Although it’s not a tax, all 50 U.S. States, District of Columbia, Guam, Puerto Rico and U.S. Virgin Islands have annual UP reporting requirements. In addition, states will audit companies to ensure that they are compliant with the applicable UP laws. Typically, states will often delegate audit programs to third-party audit firms, some of which work on a contingency-fee basis.

Companies often ask how to identify UP their organizations. A good starting point is reviewing historical accounting records to identify items that remain unresolved, including bank statements and reconciliations, check registers, data from your company’s ERP system, accounts receivable aging reports, billing system, as well as general ledger system data.

While most companies are familiar with tax laws and the associated record retention requirements, UP record retention rules do NOT adhere to IRS record retention requirements. Generally, it is often suggested that companies retain the types of records mentioned above for 15 years or more, which is beyond the period for which most records are readily available. Why? The period scoped under a typical UP audit may include property generated back 10 years plus the state determined dormancy period, which means that a typical UP audit can extend upwards of 13 – 15 years.

Cybersecurity and unclaimed property

One of the main areas of cybersecurity risk related to unclaimed property is in the area of owner claims, where bad actors try to infiltrate your organization and/or fraudulently claim property by pretending to be the rightful owner. A company’s goal should be to return as much property to owners before reporting UP while preventing fraud. To do so, they need to adopt and implement policies and processes to ensure that any property identified as UP is returned to the appropriate party. While overly restrictive policies and evidence standards can undermine the rate of returning property to the rightful owner, companies still need to have strong procedures in place as bad actors will attempt fraud, phishing attempts and other efforts to illegally claim UP. Unfortunately, even if a company pays a false claim in good faith, it may still be liable to the owner or state for the property.

Another area where cybersecurity and UP intersect is in the need to maintain data security if your company is under an UP audit. Audit firms will request large volumes of data that may include personal identifiable information (PII) on the company’s customers, employees and vendors, which may include shareholder registries, tax returns and check registers. That’s why, as part of audit proceedings, a company should start the process by ensuring that a binding non-disclosure agreement (NDA) is in place before the transfer of any sensitive information.

Once the NDA is in place, companies should ensure that all data exchanges related to the audit are transferred securely via a secure or encrypted data room or web-portal – not by un-encrypted e-mail. In addition, to ensure personal data remains protected when moving from one party to another, it should remain encrypted throughout the transfer process. Regardless of the method used to transfer the data – online portal, email, FTP or other method – secure encryption is always essential. In addition to the transfer process, sensitive data should also be encrypted when it is stored in a database or on a device such as a hard drive as it protects the information when it is “at rest.” This ensures that even if a device is stollen or accessed improperly sensitive data is still protected.

Finally, management is also responsible for adopting proactive policies to ensure the company’s adherence to federal statues such as HIPAA, the Gramm–Leach–Bliley Act, state consumer protection and international laws, governing the protection of PII, Nonpublic Personal Information (NPPI) and Personal Health Information (PHI). Violations of these protections could result in civil and criminal penalties, so great care needs to be taken to ensure compliance. Some companies have even taken the precaution of not including PHI and potentially NPPI from their UP reporting processes. Always remember, once the data leaves your possession, there are no guarantees of its safety.

If you have questions about cybersecurity risks related to unclaimed property and how these risks can impact your organization, contact a specialist at Baker Tilly today.

The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought. Tax information, if any, contained in this communication was not intended or written to be used by any person for the purpose of avoiding penalties, nor should such information be construed as an opinion upon which any person may rely. The intended recipients of this communication and any attachments are not subject to any limitation on the disclosure of the tax treatment or tax structure of any transaction or matter that is the subject of this communication and any attachments. Baker Tilly US, LLP does not practice law, nor does it give legal advice, and makes no representations regarding questions of legal interpretation.