2020

SGV thought leadership on pressing issues faced by chief executives in today’s economic landscape. Articles are published every Monday in the Economy section of the BusinessWorld newspaper.
16 March 2020 Erickson Errol R. Sabile

Will it be endgame now for 5% GIT?

Once again we wait to see if the Corporate Income Tax and Incentives Rationalization Act or the CITIRA bill (either House Bill No. 4157 or Senate Bill No. 1357) will pass into law this month. The bill is being repackaged for the third time after its predecessor bills were not legislated (TRAIN 2 and TRABAHO). If passed, CITIRA is expected to have a strong impact on Philippine Economic Zone Authority (PEZA)-registered firms. For PEZA-registered firms availing of the 5% Gross Income Tax (GIT) incentive, the withdrawal of the privilege would eventually mean a reassessment of their direct costs and expenses that would qualify as deductions in light of Revenue Regulations (RR) No. 11-05 — Definition of Gross Income Earned. This makes it an ideal time for companies to prepare for the eventual implementation of CITIRA by conducting simulations and evaluations using their most recent balances.

DEDUCTIBLE EXPENSES FOR 5% GIT UNDER THE EXISTING PEZA LAW

Favorably for PEZA-registered firms under 5% GIT, the Court of Tax Appeals (CTA) in recent years has been consistent with its interpretation that the list of direct costs in RR No. 11-05 is not exclusive but merely enumerates the expenses that are in the nature of direct costs. Thus, PEZA-registered entities may be allowed to deduct expenses which are in the nature of direct costs even if they are not specifically included in the list provided in RR No. 11-05. However, these items must be directly attributable to the entity’s PEZA-registered services/activities. The same position — that the list of expenses provided by RR No. 11-05 is not exclusive but merely instructive — was carried on in the recent CTA En Banc (EB) Case No. 1809-10 dated Nov. 14, 2019 (Moog Controls Corporation-Philippine Branch vs CIR). Moreover, Moog was able to prove that expenses (i.e., repairs and maintenance, data processing expense, building insurance expense and outside services) claimed under 5% GIT were directly related to its registered activities, and hence allowed as deductions under 5% GIT.

However, it is worth pointing out that while a number of recent court decisions held by the CTA adopted the non-exclusivity of the list of expenses under the mentioned RR, the CTA has also disallowed the inclusion of certain expenses such as accident/life insurance, equipment and uniforms for on-the-job trainees, employee activities (e.g. holy mass for Sto. Nino Feast, Ping-Pong tournament expenses, treadmills for physical fitness clubs), non-technical training and development, the Department of Energy (DoE) electrification fund, general office expenses, business expenses, taxes and licenses for being unrelated to the rendition of PEZA-registered services. (CTA EB Case No. 1207 dated Feb. 3, 2016, East Asia Utilities Corp. vs. CIR)

Needless to say, it is crucial that adequate documents (e.g., journal vouchers, accounts payable voucher, invoices/receipts) are maintained to support that the expenses can be attributed to the rendition of the PEZA-registered activity. (CTA Case No. 8508 dated Sept. 1, 2014, Medtex Corporation vs. CIR)

5% GIT UNDER CITIRA HOUSE AND SENATE BILLS

While both CITIRA versions of the House and Senate seek to lower the regular corporate income tax rate and rationalize the tax incentives currently enjoyed by entities with special registration (e.g., PEZA-registered firms), each bill has its own proposed provision on the continuation of incentives granted before it takes effect as a law.

HOUSE BILL NO. 4157

In the House version, registered activities granted an Income Tax Holiday (ITH) shall be allowed to continue and the incentive may be availed of for the remaining period of the ITH or for only five more years (whichever comes first). This is allowed provided that the 5% GIT shall commence only after the ITH period has lapsed; and further, that the 5% tax on gross income earned shall be allowed to continue for periods based on a schedule that varies depending on how many years the current tax incentive is being enjoyed (up to a maximum of five more years). After the lapse of the 5% GIT period, the regular corporate income tax rate shall take effect.

At the same time, this version grants ITH, a reduced corporate income tax of 18% or enhanced deductions for commercial operations dependent on location. For example, companies in the NCR can enjoy up to three years ITH and up to two years reduced corporate income tax rate. Areas adjacent to Metro Manila get slightly longer periods, while all other areas can get up to six years ITH and four years reduced corporate income tax. The bill also states that the regular corporate income tax rate will be reduced by 1% every two years from 2022 until 2030.

SENATE BILL NO. 1357

In the Senate version, registered activities only granted an ITH can continue to enjoy the incentive for the remaining period of the ITH. On the other hand, the 5% tax on the gross income of registered activities granted prior ITH (where the ITH will expire within five years once CITIRA takes effect) shall commence only after the lapse of ITH and shall continue for the remaining period (but not to exceed five years). Further, the 5% tax on gross income earned shall, similar to the House version, be allowed to continue for periods based on a schedule that varies depending on how many years the current tax incentive is being enjoyed, up to a maximum of five more years.

Interestingly, the Senate version added a provision extending the sunset period for availing of 5% tax on gross income up to seven years for firms that export 100% of output, employ 10,000 Filipino workers in the incentivized activity, or are engaged in “footloose” manufacturing, which are operations outside of Manila that export manufactured goods and have designated labor-to-asset ratios for a period of time before CITIRA.

Similar to the House version, the Senate version grants an ITH followed by a special corporate income tax rate (SCIT) or enhanced deduction whose durations are based on the registered enterprise’s location and industry tier, with the caveat that the total period with incentives not last more than 12 years. The Senate version, however, sets the SCIT at 8% of the gross income earned in lieu of all national and local taxes, rising 1% per year until it reaches 10% in 2022 and onwards.

Nevertheless, the determination of what constitutes direct costs will remain relevant during the sunset years of existing registered activities under the 5% GIT prior to CITIRA, and likewise under the new SCIT rates proposed by the Senate in this version.

We should also note that PEZA-registered activities that qualify for registration under the strategic investments priority plan (SIPP) may opt to be governed by the provisions under both House and Senate versions of CITIRA. In such a case, such enterprises will have to surrender their Certificate of Registration, signifying their intent to waive the incentives they previously enjoyed.

WHAT CAN BE DONE IN THE MEANTIME?

At this point, knowing that the 5% GIT regime may slowly fade out of the picture once CITIRA takes effect, it would be prudent for PEZA-registered firms to evaluate the law’s impact on their current and future operations by way of a simulation using the most recent account balances.

PEZA-registered firms should consider the following scenarios:

• The companies continue to avail of their current incentives as PEZA-registered entities.
• The companies opt to waive their privilege to avail of the incentives as PEZA-registered entities:
  1. Where the registered activities of the companies qualify for registration under the SIPP.
  2. Where the registered activities of the companies do not qualify for registration under the SIPP.

By carefully conducting this gap analysis, PEZA-registered firms will be better able to evaluate if it is better for them to maintain their current incentives or to deregister from PEZA and instead fall under the new provisions of CITIRA. As with many projection matters, advance knowledge and the results of the simulation are often invaluable in helping companies decide on their way forward. By using real data from the company’s most recent balances, the simulations then become even more accurate and relevant to the company’s actual operations.

This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinion expressed above are those of the author and do not necessarily represent the views of SGV & Co.

Erickson Errol R. Sabile is a Tax Senior Director from the Global Compliance Reporting Service Line of SGV & Co.

10 March 2020 Ma. Theresa M. Abarientos-Amor

How to make digital taxation click

Digital technology has undoubtedly revolutionized the world economy. With the growing popularity of online shopping in particular, businesses can reach consumers without needing a physical location. The increasing digitization of the world economy has not only made the sale of goods and services instantaneous and efficient — it has also provided a convenient way for consumers to purchase goods without having to waste time being stuck in heavy traffic.

According to research pioneered by Google, the internet economy in Southeast Asia hit the $100 billion mark in 2019. By 2025, the internet economy is projected to grow to $300 billion. These numbers indicate a significant opportunity for tax authorities to not only regulate appropriately, but to also tap this source for additional government revenue.

CROSS-BORDER ONLINE TRANSACTIONS

In 2013, the BIR issued Revenue Memorandum Circular (RMC) No. 55-2013 to set the tone for companies operating in the digital market. By reiterating the obligations of parties in online transactions, the Circular sought to enforce our tax laws in the digital economy. However, the Circular has yet to address cross-border online transactions, or how taxes will be imposed on non-residents for online sales to local consumers. One apparent reason for this may be the inadequacy of our present tax laws as basis for taxing this type of transaction.

Like most jurisdictions, the Philippines relies on physical presence or locus of activity within the country as a condition for the imposition of taxes. Tax treaties are likewise framed this way. However, cross-border online sales do away with physical presence since most online servers are located outside the country. Sales activities conducted through these portals are deemed to occur outside Philippine territory, as it can be argued that since an online transaction’s server is located outside the Philippines, the business itself isn’t considered to be held within the country. Such transactions can therefore be said to be outside the country’s taxing jurisdiction. Regardless, it is difficult to determine where the locus of the sales activity truly lies, only making it more difficult to enforce tax rules.

THE NEED TO INNOVATE PRESENT TAX LAWS

Tax authorities will need to come up with innovations to our present tax laws to address the taxation of profits earned by non-residents from consumers here, as well as the enforcement or collection of taxes, the visibility over tax reporting data, and the addressing of the controversy surrounding the issue of capturing lost profits for our country. However, doing so without disrupting how bricks-and-mortar businesses are taxed can be daunting.

In this light, perhaps our tax authorities can revisit the recent proposals of the Organization for Economic Cooperation and Development (OECD). Last year, the OECD released the Programme of Work to Develop a Consensus Solution to the Tax Challenges Arising from the Digitization of the Economy. While the Philippines is not a member of the OECD, the issues tackled by the organization are felt worldwide, and our tax treaties are patterned after the publication. The tax authority has also cited OECD commentaries in several rulings, giving the commentaries a more persuasive effect. The Philippines can benefit from the suggestions raised by the organization in addressing base erosion issues for tax purposes.

The proposals contained in the publication were grouped into two pillars: Pillar One, which focuses on the allocation of taxing rights and seeks to undertake a coherent and concurrent review of the profit allocation and nexus rules; and Pillar Two, which seeks to develop rules that provide jurisdictions with a right to tax back where other jurisdictions have not exercised their primary taxing right, or where the payment is otherwise subject to low levels of effective taxation. It calls for the development of a coordinated set of rules such as the income inclusion rule, switch-over rule, undertaxed payment rule, and the subject to tax rule. Their development addresses the ongoing risks from structures that allow multinational companies to shift profit to jurisdictions with very low or no taxation.

There are three proposals under Pillar One that tackle how taxing income generated from cross-border activities in the digital age could be allocated among countries. These are composed of the “user participation” proposal, the “marketing intangibles” proposal and the “significant economic presence” proposal. All are supposed to allocate more taxing rights to the jurisdiction of the customer and/or user. Of special interest is the “user participation” proposal, which focuses on digitized business models such as search engines, social media platforms and online marketplaces. This proposal suggests that profits should be allocated to market jurisdictions based on the value-creating activities of the active user base.

THE DIGITAL ECONOMY AS AN ADDED SOURCE OF REVENUE

As a burgeoning digital economy, we may wish to explore how value-creating activities can be a source of taxing rights over income from digital cross-border sales. Granted, tax authorities will need to carefully weigh the nature of digital taxing rights vis-à-vis the importance of negotiations. One only needs to ask about the fate of the digital tax passed by France last year, which had to be postponed amid US retaliatory tariffs. However, once the statutory foundation for a set of tax rules that apply to the digital economy is drafted, bilateral as well as region-wide discussions in matters of implementation will surely follow.

The key here is to find the right balance between creating a consistent and globally accepted set of digital tax rules that can benefit tax authorities in all jurisdictions while also being fair and supportive of digital enterprises that face new and rapidly evolving challenges to remain competitive in an increasingly crowded online market.

This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinion expressed above are those of the author and do not necessarily represent the views of SGV & Co.

Ma. Theresa M. Abarientos-Amor is a Senior Manager from the Tax Advisory Services Group of SGV & Co.

02 March 2020 Marlynda I. Masangcay

Foreign nationals and the taxman

Foreign nationals working in the Philippines are governed by at least three sets of rules — those of taxation, immigration and labor. Only by fully complying with each set of rules can foreign nationals ensure a fruitful and worry-free stay in the Philippines. This article focuses on taxation.

For regular Filipino employees, taxes due on salaries are withheld by their employers and remitted to the tax authorities during the year. Foreign nationals, however, may be covered by Philippine tax rules but are unaware that they have tax reporting obligations. Certain tax obligations pertain to foreign nationals on home payment arrangements, whether partially or in full, and to those who come to the Philippines as short-term business travelers.

There are foreign nationals who work in the Philippines under a split-payroll arrangement, i.e., their salaries are paid both from their home countries and from their Philippine employers. Some foreigners come to the Philippines for a specific business purpose within a short time period with wages usually paid from their home payrolls. Under both circumstances, there are fewer issues to consider if the home country payments are recharged to a Philippine entity as these will eventually be subject to withholding tax. However, in instances when the payroll costs remain with the home country, it is more difficult for the Philippine government to tax the foreign national. This is because no local entity or agency is privy to the amount that they receive from abroad. This is further complicated by existing tax rules governing foreign nationals that relate more to their presence and privilege to work in the country, but not to their tax obligations.

The question arises: Are these foreign nationals really subject to Philippine income tax on offshore wage payments? The answer may seem to be a straightforward “no” since the income or part of it is not paid by a Philippine company. However, the reality is not that simple. We will need to take into account the basic principles on situs (or place) of taxation.

FOREIGN-SOURCED INCOME

As a general rule, the basis for taxation of foreign nationals is on Philippine-sourced income only. The issue may lie in what constitutes foreign-sourced income. Employment income is considered Philippine-sourced if it pertains to services performed in the country. This is regardless of where the income was paid, where the contract was perfected, or where the payor resided. Thus, in determining the extent to which foreign nationals are subject to tax, the basic consideration is where the work for which the income is earned was performed. The paying entity need not be a Philippine company; there does not even have to be a performance agreement between the foreign national and the local office. As long as the work is rendered in the country, the income derived from such work is generally subject to Philippine income tax. We say “generally” as there may be income tax exemptions for foreign nationals who are tax residents of countries with which the Philippines has bilateral agreements on double taxation.

TAX ISSUANCES FOCUSING ON FOREIGN NATIONALS

Adding to the ambiguity is the absence of other government rules on how foreign nationals are to be taxed. However, in 2019, following the sudden and steady influx of foreign nationals working in the Philippines (not to mention the lost revenue from this working group), the government released four issuances directed towards subjecting foreign nationals to tax.

At the forefront is the Joint Memorandum Circular (JMC) No. 001, series of 2019, Rules and Procedures Governing Foreign Nationals Intending to Work in the Philippines. Drafted by nine government agencies, the JMC aims to harmonize the regulations and policy guidelines on the issuance of work permits and work visas to foreign nationals as well as the authority to hire and employ foreign nationals. Such permits are usually issued by various government agencies, including the Department of Labor and Employment (DoLE), Professional Regulation Commission, Bureau of Immigration (BI), and others.

The JMC requires foreign nationals and/or the employer/withholding agent to secure a Tax Identification Number (TIN) from the Bureau of Internal Revenue (BIR) as a precondition for permits and visas. A special task force (composed of the DoLE, the BI and the BIR) was also created to conduct joint inspection of establishments employing foreign nationals. Moreover, a database will be created to record all issued work permits and authority to employ and hire foreign nationals.

Aside from the JMC, the BIR also issued Revenue Memorandum Order (RMO) 28-2019, which prescribed the registration requirements for foreign individuals not engaged and/or engaged in trade or business or gainful employment in the country. The BI then issued two Operations Orders, both dealing with the TIN as a requirement for work permits and non-immigrant visa applications.

CONSIDERATIONS FOR TAX COMPLIANCE

To allow strict monitoring of the presence of and tax compliance among foreign nationals, it would be helpful for the government to clarify the definition of “taxable work or services” for foreign nationals. To illustrate, there are short-term business travelers who stay in the Philippines for only a few days or months under a 9a visa and perform activities even without a Special Work Permit (SWP). Securing a 9a business visa does not require a TIN, and these individuals may assume that they do not have tax obligations (either to report any income and pay tax, or to file any applications for tax treaty relief), even if their activities in the country qualify as work or performance of a service.

Furthermore, compliance with TIN registration of foreign nationals may be difficult, especially if additional documents are required. For example, foreign nationals married to Filipinos and who apply for a TIN used to be required to submit English-translated and authenticated/consularized marriage certificates with their application.

REVISITING TAX OBLIGATIONS FOR FOREIGN NATIONALS

Policies should be reviewed to consider the changes that come with the fast-evolving world of workforce mobility, such as with the Emigration Clearance Certificate (ECC). An ECC is required from foreign nationals departing from the Philippines (either temporarily or for good) to ensure they have no pending obligation with the government. Current BI rules on ECC issuance, however, do not mention any need for the foreign national to submit documentary clearance of unfulfilled responsibilities from other government agencies. There appears to be no solid coordination process among government institutions. There is also no database to provide the information necessary to support an ECC application.

With the JMC mentioned previously, it may help all concerned agencies to look into the ECC process and develop a method to cover the tax compliance obligations of departing foreign nationals. It would also be worth looking into the best practices of tax jurisdictions like Singapore, the US and Canada on their exit permits and non-residency status upon departure of foreign nationals.

While the government is undoubtedly concerned about regulating the activities and rightful tax obligations of foreign nationals, there is much that can be done in terms of efficient implementation. We can hope that, given the number of government agencies involved in legalizing the affairs of foreign nationals, forthcoming guidelines will facilitate compliance.

Moreover, with a TIN now a pre-requisite for work permit application, it may be advisable for foreign nationals and their employers to revisit their actual tax obligations arising from locally-sourced income. This is an opportune time to do so, as the April 15 tax filing deadline quickly approaches. Surely, no one wants the additional burden of stiff penalties, a BIR examination, or reputational peril that may be brought about by failure to comply with tax obligations.

This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinion expressed above are those of the author and do not necessarily represent the views of SGV & Co.

Marlynda I. Masangcay is a lawyer and Tax Senior Director from the People Advisory Service Line of SGV & Co.

24 February 2020 Rogelanne O. Villarubia

How workable is working from home?

Organizations often claim that their most important assets are their people and studies have indicated this to be true. This is the reason why companies are always looking for ways to motivate their workforce and maintain high job satisfaction. While some consider compensation and benefits as the main drivers when a job seeker decides to accept an offer, we now see other factors that are equally relevant to applicants and recruits. A leading consideration is the flexibility of an employer’s work arrangement policies.

In general, employees prefer working hours that allow them to achieve some level of work-life balance. Employees desire the flexibility that provides them the means to meet the demands of their jobs and their personal responsibilities such as attending to family, pursuing further education, or checking items off their bucket lists. This work arrangement is not new; other economies have already adopted it as part of their labor laws and practices. In the Philippines, however, although most employers require a fixed on-site eight-hour work shift, some multinational companies have already introduced flexibility in the workplace, such as allowing their employees to “telecommute” as a work alternative.

THE TELECOMMUTING ACT

Telecommuting is defined as working from home or an alternative workplace through an electronic link with a central office. While the practice of working at home and interfacing with the office via modem, telephone, or some other electronic device only became commonplace recently, the word “telecommute” has been used since the mid-1970s. Its earliest documented reference can be found in a January 1974 article in The Economist that predicted, “As there is no logical reason why the cost of telecommunication should vary with distance, quite a lot of people by the late 1980s will telecommute daily to their London offices while living on a Pacific island if they want to.” We have seen how this prediction has become a global reality.

The Philippines finally passed a law regarding this alternative work arrangement when the President signed into law on Dec. 20, 2018, Republic Act (RA) 11165, known as the Telecommuting Act. The RA codifies the definition of telecommuting and specifies how such a program would work in a company. An employer in the private sector may offer a telecommuting program to its employees on a voluntary basis, including compensable work hours, a minimum number of work hours, overtime, rest days, and entitlement to leave benefits.

The law further enumerates a fair treatment clause for employees under the telecommuting program and for those not practicing this alternative work arrangement. Section 5 of the RA provides that the employer will ensure that the telecommuting employees are given the same treatment as that of comparable employees working in the employer’s premises. Further, it listed the rights of telecommuting employees, such as: receiving a rate of pay (including overtime and night shift differential, as well as other similar monetary benefits not lower than those provided in applicable laws); collective bargaining agreements; having the right to rest periods, regular holidays, and special non-working days; having the same or equivalent workload and performance standards; having the same access to training and career development opportunities; and being subject to the same appraisal policies.

The RA also features a clause on Data Protection in relation to the Data Privacy Act of 2012 as employees under this work arrangement should still be governed by confidentiality and data security policies in the conduct of their work.

PRODUCTIVITY BENEFITS

Like in any program or policy, there should be an evaluation of the telecommuting program’s pros and cons. One of its benefits is the flexibility offered to employees to work during the hours that complement their needs, responsibilities and preferences. Research has shown that when employees have work flexibility, they are able to increase their productivity and more effectively meet their deliverables. The company may also consider the potential cost savings to having employees work remotely, such as a reduced need for valuable office space, lower utilities consumption and similar reduced expenses.

In addition, telecommuting provides the benefit of less potential business disruption as employees can continue working even if they are physically unable to report to the office. Good examples of this would be the recent events that transpired in the Philippines: the Taal Volcano eruption and the Covid-19 virus outbreak, both of which prompted employers to think about the safety and health of their employees. If a company has a telecommuting program in place, business operations can continue since employees are able to deliver the work from alternative locations.

Another benefit of the telecommuting program is that the actual travel from home to office and vice versa will significantly be reduced. This would be beneficial to so many considering the notorious traffic conditions in the Philippines.

WHAT TO CONSIDER

While telecommuting seems advantageous, there are challenges in implementation. First, telecommuting assumes that the employee would have the necessary resources such as a reliable Internet connection to log on to the employer’s infrastructure. Second, if a company adopts this program, the employer must have well-written guidelines to monitor the work of telecommuting employees to address possible issues of employees not being “active” and potentially missing out on deliverables. Third, and as mentioned earlier, data protection should be addressed because working externally could expose the employee to possible data breaches and security threats, especially with the data handled by the telecommuting employees themselves. Fourth, companies will also need to consider the investment in technology, platforms and resources that will allow employees to remotely access company servers and shared data, particularly in cases where employees function as part of a larger team.

CHALLENGING AND DISRUPTIVE

It is encouraging to see that the traditional eight-hour desk job in the office has been updated to consider other factors. Employees in the Philippines looking for options to achieve work-life balance now have another consideration when evaluating a job offer. At the end of the day, employers should look carefully at their options to ensure maximum productivity, work efficiency and service delivery quality while taking into account evolving employee needs and job satisfaction measures.

Companies may experience transitioning from an existing on-site workforce to a telecommuting team as both challenging and disruptive, but a careful analysis of the pros and cons of the program may help management decide to take the big step of having their employees literally out of the office.

This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinion expressed above are those of the author and do not necessarily represent the views of SGV & Co.

Rogelanne O. Villarubia is a Tax Senior Director from the People Advisory Service Line of SGV & Co.

17 February 2020 Alvin Manuel, Shaun Cusi, and Dawn Casocot

When the going gets tough, the tough get going

Just over the course of one month into 2020 and the world has been bombarded with a flurry of disasters and unforeseen events. Headlines have been filled with alarming and heartbreaking news — from the wildfires in Australia, to the eruption of the Taal Volcano, and just recently, the outbreak of COVID-19 (coronavirus disease 2019) affecting numerous countries around the world. With these events happening all over the globe, we come face-to-face with the glaring fact that disasters are not a matter of “if,” but “when.” Given the increasingly frequent occurrence of unfortunate events, whether natural or man-made, are organizations prepared to face such ever-evolving and emerging threats? Taking a proactive stance seems to no longer be an option, but a necessity. It is more crucial than ever for companies to ensure that they have an established plan in place to guide the organization on how best to respond and safely maintain operations in the face of unprecedented situations. Recent events should serve as a wake-up call to revisit and ensure that business continuity plans (BCP) are robust enough to cater to all sorts of disasters. DEVELOP AN ORGANIC, EVOLVING BCP First, companies should review their existing BCP and check that all potential threats, whether natural or man-made, are considered in the plan. This would entail the broadening of their perspective to anticipate the current and future risks that the organization may face. The next step would be to update these plans periodically in order to tackle new and continually emerging threats in the industry. This likewise involves checking if the roles and responsibilities are still correct and sufficient, if advances in technology solutions and infrastructure are accounted for, and if procedures to recover critical services are still applicable. The organization should consider specific plans catering to different threats, such as Pandemic Plans and IT disaster recovery (IT DR) plans. 
These plans should also cover high-risk, low probability events. Having well-documented plans is only the starting point of a well-developed Business Continuity Management (BCM) program. The plans and strategies must also be exercised to test the effectiveness of the strategies. When planning for exercising activities, the organization must consider the current BCM maturity to ensure effectiveness of the testing activities. For example, the organization must start off with tabletop exercises and then transition into simulated exercises as the program progresses. In light of reviewing the BCM, organizations should consider the following points.

AWARENESS AND COMMUNICATION

The safety of employees should be a top priority, making awareness and communication initiatives especially critical. Organizations should establish proper communication channels and procedures and deploy an emergency broadcast process that will allow the company to reach employees quickly and measurably. Employers must also account for their employees in times of a disaster and be able to escalate emergencies to the proper authorities as necessary. Employers must ensure that their people are regularly updated with reliable information regarding the situation, both to manage the spread of correct, verified information from authorized sources as well as to control the spread of harmful and panic-inducing disinformation. The company’s leaders should maintain communications through easily accessible media, such as printed posters, e-mails, weekly updates, programs and activities. As an example, to increase awareness on the organization’s pandemic plan, the business should send out awareness e-mails regarding the extent of the virus as well as countermeasures and preventive actions. The organization must also consider the company culture in crafting an effective BCM Awareness program.
BUSINESS IMPACT AND SUPPLY CHAIN CONCERNS

Given the unexpectedly broad impact of the COVID-19 virus outbreak, businesses should revisit their 2020 and Q1 budgets. Determine areas where operations will be impacted, including key suppliers, vendors, and third parties. Consider the impact of the disaster on key suppliers and vendors, as this will also impact the delivery of services if disruptions occur, especially for suppliers that provide manpower services. If necessary, identify back-up suppliers and vendors as a pre-disaster activity. This will ensure that critical services and products provided by affected suppliers will continue in the event of a disaster. Organizations should also determine key dependencies, assess potential impacts on these services and align with key clients on adjustments to any affected expectations and deliverables. Additionally, businesses should consider revisiting their contracts with clients or third parties, especially long-term or high value contracts. Client initiatives for their own business continuity should also be taken into consideration, since this can possibly cause delays in the completion of the project/engagement. As an example, the recent outbreak of COVID-19 restricts work obligations which require teams to work on-site with clients, since quarantine and lockdown measures are in effect in infected countries like China. It is also important to thoroughly go through contracts with strict timelines, stipulations of damages in case milestones are not met, or those with a termination clause in cases of unforeseen events. In reviewing these, organizations should always put into perspective their capabilities to deliver their products and/or services even under extremely difficult circumstances. Businesses must also look into the impact of disasters on the organization’s assets and workforce. Different disasters call for different responses and organizations must be able to adapt to each one.
For example, disasters such as fires, earthquakes, typhoons and floods would affect the organization’s facilities and equipment. Situations such as cyber or hacking attacks would necessitate a different set of responses and resources from digital security teams. Similarly, disasters such as pandemics will directly impact the workforce in terms of physical health and contagion control protocols. In such an eventuality, leave policies must be updated and clearly communicated to the workforce, and health insurance policies for employees must be revisited. Employees that have symptoms or illness should be allowed to remain at home or work from home and seek medical care as soon as possible.

BUSINESS SUCCESSION AND BACKUPS

In times of disaster, leadership may not be available to address urgent and critical concerns; thus it is essential to develop a plan for leadership continuity in the event that key decision makers are affected. Organizations should also consider setting up physically separate back-up teams that can be deployed in times of disaster. These identified back-up and alternate personnel must also know their roles and responsibilities in times of crisis. For companies with multiple office locations, this may mean designating one office as a support team for another location. Additionally, the company should also include data back-up processes as part of their regular safety protocols. As new threats emerge in the ever-evolving world, people and organizations must stay vigilant not just about COVID-19, but other possible issues that may arise. Practice additional caution by staying updated on current events, carefully examining the organization’s level of readiness and adapting. Consider that just weeks prior to the virus outbreak, parts of the country were affected by storms and earthquakes while Metro Manila was severely affected by the Taal volcano eruption, which led to the closure and suspension of work and classes in several locations.
An emergency can occur at any time, so being prepared with a strategic and tested business continuity plan is essential to ensure the safety of a company’s people and the continuity of business-critical services in times of disaster. This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinion expressed above are those of the authors and do not necessarily represent the views of SGV & Co. Senior Manager Alvin Manuel, Manager Shaun Cusi, and Associate Dawn Casocot are from the Advisory Service Line of SGV & Co.

10 February 2020 Philip B. Casanova

Banks rate cybersecurity as top concern

Board members and Chief Risk Officers (CROs) of banks and other financial institutions have identified cybersecurity as their top short-term (12 months) risk priority. This was revealed in the Tenth Annual Global Risk Management Survey conducted by EY (Ernst & Young) and the Institute of International Finance. Survey participants comprised 94 firms in 43 countries with 23% based in Asia. Cybersecurity emerged at the top spot for the third straight year, considering that it only surfaced as a risk concern in 2015. We see this as a result of rapid technology development and the onslaught of banks embarking on digital transformation journeys in the last five years. The refreshed survey also affirmed cybersecurity as one of the major risks to anticipate in the next decade. Some of the key issues identified were concerns on industry-wide cybersecurity attacks, third-party security, cloud transition, and cybersecurity capabilities.

INDUSTRY-WIDE CYBERSECURITY ATTACKS

In the next five years, 80% of respondents foresee an industry-wide attack. This concern is attributed to three key factors: (1) constant cybersecurity attacks on banks and other significantly important financial institutions; (2) nation states that have exhibited destructive behavior using cybersecurity attacks; and (3) critical third parties that are regularly attacked, such as telecommunications and cloud provider companies. These issues resulted in recent government and private organization initiatives that utilize cross-industry cybersecurity attack drills rather than isolated tests. The survey also showed that 53% of respondents worried about their ability to recover operations after a cybersecurity attack. At the same time, 33% were concerned that customers would not be able to access vital bank services immediately after a cybersecurity attack. These issues relate to another major risk identified as resiliency: the ability to deliver services to customers, clients and markets without disruption.
An overwhelming 94% of respondents mentioned that cybersecurity risk is their top resiliency concern, marking a significant increase from 80% in the previous year. This, in turn, led to the rising trend of integrating resiliency into frameworks or functions such as cybersecurity and technology incident responses, disaster recovery, and business continuity planning across business units. Integration is also seen in functions such as crisis management, crisis communication, recovery and resolution planning activities, and testing that includes simulation and tabletop exercises.

THIRD-PARTY SECURITY

Banks have long depended on third parties to provide core and support services, a trend that is expected to still grow in the future. However, third-party risk is also noted as a major risk in the next decade and described as the risk of operating in an ever-expanding ecosystem. Cybersecurity is identified as the top third-party risk, with 56% of the banks surveyed echoing this sentiment. Since banks are fortifying their cyber defenses, we should note that third parties handling or processing the banks’ information will likely become bigger targets for cybersecurity attacks. Third parties are expected to be at par or to have better cybersecurity controls than banks. It is also interesting to note that banks are transitioning in defining critical third parties. Previously, third parties were evaluated based only on spending and financial impact, but now, banks are also considering business continuity and resilience (66%), types of data and systems accessed (61%), and sensitivity of data used (54%). This more holistic approach has led to some challenges for banks in handling the sheer volume of third parties that need to be assessed and monitored for their cybersecurity control effectiveness.
TRANSITIONING TO THE CLOUD

It is evident that cloud transition is the most effective means for banks to tighten cybersecurity, given the service’s promise of efficiency, reliability, and scalability. However, the security of customer information and the banks’ data contained in the cloud remains a big concern for most CROs (92% of respondents). This also poses a major risk in the next decade despite the many cybersecurity controls and capabilities already established by cloud service providers. Banks are also moderately confident in their capabilities to operate in a cloud environment. We see that banks are keen to first establish their cloud security and risk frameworks prior to transition. There is also recognition of differences between the operation of on-premise systems and cloud environments, highlighting the need for additional controls and capabilities.

CYBERSECURITY CAPABILITIES

The survey further showed that while the banks’ cybersecurity capabilities are mostly rated as “Managed,” (i.e., ad hoc, repeatable, defined, managed, efficient), there is still the challenge to elevate cybersecurity to the next level. Respondents were wary of cybersecurity capabilities such as data restoration (32%), cybersecurity incident response (30%), identity access management (28%), and patch management (27%). They consider these as key areas where banks need to improve. The capabilities must include employing a skilled and knowledgeable cybersecurity workforce. Capability issues are exacerbated due to the inadequate number of qualified cybersecurity professionals on a global scale. While there is an active inter-organization movement among cybersecurity professionals, there are simply not enough new capable talents who can help bridge the gap.

SECURITY IS ONLY AS STRONG AS THE WEAKEST LINK

Cybersecurity remains a formidable risk for banks to grapple with both in the short and long-term.
The challenge to improve the banks’ cybersecurity capabilities includes recognizing that security is only as strong as the weakest link. With the cybersecurity threat landscape rapidly and continually evolving, banks need to increase their vigilance and be more comprehensive in addressing cybersecurity risks. This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinion expressed above are those of the author and do not necessarily represent the views of SGV & Co. Philip B. Casanova is an Advisory Partner of SGV & Co.

03 February 2020 Ana Katrina C. Celis-De Jesus

Transfer pricing and tax avoidance: What does the CITIRA bill say?

Government investment promotion agencies offer tax incentives to attract investors. Many companies, especially those in priority and emerging sectors, benefit from such incentives in the course of doing business. In some cases, companies engage in related-party transactions, such as transactions between a parent company and a subsidiary, or between affiliates. However, according to a Department of Finance (DoF) and Bureau of Internal Revenue (BIR) analysis, such practices may give rise to abusive transfer pricing schemes, deemed to cost the Government billions in lost revenue each year. Specifically, the DoF identifies transfer pricing abuses to include the corporate practice of shifting profits from a high-tax country to tax havens, as well as shifting profits from a corporate taxpayer to its related party located in special economic zones. Because of such practices, the DoF is pushing for the legislative approval of the Comprehensive Tax Reform Program (CTRP), which will prevent income from being shifted among related parties through the inappropriate pricing of related party transactions. Under Section 50 of the Tax Code (the Philippine Transfer Pricing provision), the Commissioner of Internal Revenue has the authority to review controlled transactions among associated enterprises and distribute, apportion or allocate their income and deductions to reflect the true taxable income of such enterprises. In the 17th Congress, a bill was introduced which included a proposal to amend Section 50 of the Tax Code under the current administration’s Tax Reform for Attracting Better and High-Quality Opportunities (formerly known as the TRABAHO Bill or the then CTRP Package 2). The TRABAHO Bill was approved on third reading by the House of Representatives but was not passed by the Senate in the 17th Congress. The TRABAHO Bill has since been renamed the Corporate Income Tax and Incentives Rationalization Act (the CITIRA Bill or the now CTRP Package 2).
The CITIRA Bill has been re-filed in the 18th Congress to pursue, among others, the amendment of Section 50. As of this writing, the CITIRA Bill has been approved on third reading by the House of Representatives and has been endorsed to the Senate for its consideration and approval.

FINE LINE BETWEEN TAX AVOIDANCE AND EVASION

The proposed amendment to the current transfer pricing provision emphasizes the prevention of tax avoidance. The proposed amendment defines tax avoidance for purposes of transfer pricing. Corporate taxpayers often weigh their options when planning to implement their business transactions. In doing so, they may resort to tax avoidance strategies to reduce the amount of tax payable. Tax avoidance per se is not illegal. On the other hand, the intentional and deliberate non-payment of taxes, in an attempt to reduce or eliminate a taxpayer’s liability, is called tax evasion, which is illegal. An Organization for Economic Cooperation and Development (OECD) Economics Department working paper by Johansson, Skeie and Sorbe reported that all G20 and OECD member countries have implemented transfer pricing rules to prevent related-party taxpayers from manipulating the price of their transactions for tax purposes. Some of these member-countries have anti-avoidance rules against international tax planning by multinational enterprises. The general anti-avoidance rules prohibit an aggressive approach to tax avoidance, with a common thread of adherence to the principle of substance over form. Tax benefits may not be availed of when a related-party transaction lacks economic substance or has no reasonable commercial purpose. The anti-avoidance rules of the G20 and OECD member countries are generally designed to achieve the following goals: identification of such a scheme or arrangement; quantification of the actual tax benefit or advantage gained from the scheme; and performance of a test to assess if the company gains a clear tax advantage through the scheme.
It should be noted, however, that there are differences in the rules for various countries.

STRENGTHENING THE TRANSFER PRICING PROVISION

The CITIRA Bill proposes that the time is ripe for the Philippines to adopt similar anti-avoidance rules to counteract the potential abuse of tax incentives by corporate taxpayers. From a current Philippine tax perspective, the BIR may impose an adjustment to transfer prices affecting the recognition of income or expenses of taxpayers based on its industry-specific arm’s length standards. This imposition may result in deficiency taxes and even possible interest and penalties to be assessed against the taxpayer. With the proposed transfer pricing amendment to Section 50 of the Tax Code, the CITIRA Bill will vest the Commissioner of Internal Revenue with dual roles: first, to distribute, apportion, allocate, and impute income and deductions; and second, to disregard and counteract tax avoidance arrangements necessary to clearly reflect the income of a corporate taxpayer. The CITIRA Bill also aims to empower the Commissioner to consider the transaction or arrangement as void for income tax purposes. Under the proposed amendment, tax avoidance will become more clearly defined to include actions that directly or indirectly alter either the incidence of any income tax, or relieve, avoid, postpone, or reduce any liability to pay current or future income tax. Companies with transfer pricing arrangements should note that tax avoidance is presumed to exist in situations where the transaction or arrangement can be proven to be motivated by obtaining a tax benefit or advantage with no commercial reality or economic benefit.

CONSIDERING TRANSFER PRICING RISKS

If and when the proposed amendment to Section 50 of the Tax Code passes into law, we can expect the BIR to take an aggressive approach to transfer pricing.
Philippine companies with related-party transactions will have to increase vigilance to potential transfer pricing issues that may have a significant impact on reporting their taxable income. Given the current administration’s drive for tax reform, the passage of the CITIRA Bill into law will further intensify the need for taxpayers to include transfer pricing as a significant part of their tax planning and risk management strategies. This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinion expressed above are those of the author and do not necessarily represent the views of SGV & Co. Ana Katrina C. Celis-De Jesus is a Tax Senior Director of SGV & Co.

27 January 2020 Pamela Lantes-Arellano

Rising from the ashes: How to claim tax relief from Taal’s unrest

The Philippines is vulnerable to natural calamities due to its geographical location. The archipelago is frequently exposed to the devastating effects of natural disasters like typhoons, earthquakes, and, from time to time, volcanic eruptions. On Jan. 12, the picturesque Taal Volcano expelled smoke, ash and lava, prompting the government to evacuate residents from nearby towns as a precaution in the event of a more powerful eruption. Just less than a month prior, hundreds of thousands of Filipinos lost their homes and livelihoods when Typhoons Tisoy and Ursula swept the Visayas region. In the aftermath of natural or environmental catastrophes, many businesses struggle to recover from the resulting damage, loss and devastation, especially when they are unable to claim losses incurred as deductions for income tax purposes. However, it may be of some comfort to affected taxpayers that this can be avoided.

CLAIMING CASUALTY LOSSES

Affected individuals and corporations engaged in trade, business or a profession may avail of tax relief by claiming (as business deductions) casualty losses incurred from destroyed properties that were actually used in the business. Keep in mind, however, that casualty losses on assets that are not used in the course of business or are personal in nature will not be allowed as deductions. To guide taxpayers on how to declare casualty losses incurred during the year for tax purposes, the Bureau of Internal Revenue (BIR) issued Revenue Memorandum Order (RMO) No. 31-2009. Although it is a dated RMO, these rules are still in force and highlight critical considerations for taxpayers in claiming casualty losses.

ACT FAST, BUT BE DETAILED

Businesses that wish to deduct casualty losses need to file their claim of casualty loss within 45 days after the date of the event. A Sworn Declaration of Loss is submitted to the Revenue District Office (RDO) holding jurisdiction over the taxpayer’s place of business.
The sworn declaration of loss should include specific details, such as the nature of the event that gave rise to the loss; when it occurred; a detailed description of the damaged properties and where they are located; and very importantly, the amount of insurance or other compensation that the taxpayer anticipates receiving. In addition, the taxpayer needs to provide a detailed computation of the losses covering the cost of the property, any depreciation deducted, the value of the properties before and after the event, and the cost of any necessary repairs for assets that can be recovered. As with other similar claims for deduction, the taxpayer should submit proof of the loss incurred, including but not limited to before and after photographs of the damaged or destroyed properties.

KNOW HOW MUCH LOSS TO REPORT

When a taxpayer submits the declaration for casualty losses, it is important to accurately calculate the deductible casualty losses. This amount is basically the difference between the value of the property before and immediately after the calamity. This means that the casualty loss should never exceed the cost (or other adjusted basis, including depreciated cost) of the property the taxpayer is using in business. At the same time, taxpayers should remember to deduct any insurance or compensation they receive for the loss. Understandably, insurance claims take time to process. If the taxpayer or company anticipates any insurance payments to occur after the reporting period in which the losses occurred, then for financial reporting purposes, the loss should be recognized when incurred. For example, when a piece of equipment is destroyed, the asset should be written off, regardless of whether the losses can be recovered from an insurance policy or if there are plans to replace the equipment. Companies should also note that timing will be different for financial reporting and for tax purposes.
In cases where a company has no insurance on the assets used in its business, the loss will be recognized on the date it is incurred. However, if a claim for reimbursement exists and there is a reasonable prospect of recovery, then no portion of the loss is sustained until it can be reasonably ascertained whether or not such reimbursement will be received. Whether or not a reimbursement will be received can be reasonably ascertained by, for example, a settlement, adjudication, or abandonment of the claim. Why is this significant? Because taxpayers either need to actually collect insurance proceeds or decide to abandon their claim (which, naturally, requires documentary proof), before they can claim casualty losses as tax deductions. Since volcanic eruptions and the damage they may cause are not usual events, insurance companies will need time to accurately evaluate the reasonableness of the incurred losses compared to other more frequently occurring disasters, such as floods and typhoons.

HOPING FOR MORE TIME

Arguably, the 45-day period for taxpayers to submit the sworn statement (together with the supporting documents) may not be enough. This is considering that the losses should first be ascertained before a taxpayer can start preparing the documentary requirements. Our tax authorities in their wisdom may wish to consider granting a longer period to allow taxpayers to collate all of the documentary requirements to report these casualty losses. As an example, the BIR extended by three months the filing of the sworn declaration in the wake of typhoon Yolanda in November 2013. In the meantime, as we hope and wait for any advice for a reporting deadline extension from the BIR, we expect that affected businesses and taxpayers will continue to prioritize the safety and recovery of their employees and their families, while anticipating the resumption of normal operations in the soonest possible time.
Amidst all challenges, we hope and pray for the safety and well-being of our affected kababayans. This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinion expressed above are those of the author and do not necessarily represent the views of SGV & Co. Pamela Lantes-Arellano is a Tax Senior Director under the Financial Services Organization Group of SGV & Co.

20 January 2020 Betheena Dizon

Estate tax amnesty for non-resident Pinoys: Yay or nay?

Among all the internal revenue taxes imposed in the Philippines, estate tax is arguably one of the most neglected. It is not uncommon to see estate taxes remain unpaid for several years after the death of the decedent until the heirs see the need to transfer the inherited property. These properties then remain idle with their economic benefit unutilized. Thus, the much-anticipated Estate Tax Amnesty program was welcomed when the President signed it on Feb. 14, 2019. This program provides a one-time opportunity to settle estate tax obligations at a reduced tax rate and with no penalties. In a nutshell, the estate tax amnesty allows unpaid estate tax obligations to be settled at the rate of 6%, without any penalties imposed. This covers the estates of decedents who passed away on or before Dec. 31, 2017, with or without tax assessments issued by the Bureau of Internal Revenue (BIR) and that have remained unpaid as of the same date. The amnesty also covers “undeclared estates” or properties that were not included in a previously filed estate tax return and not subjected to estate tax. The 6% amnesty tax rate is imposed on the net estate of the decedent at the time of death. This means that the estate can take advantage of the deductions that are available under the Tax Code as of the time of the decedent’s death.

AVAILING OF THE ESTATE TAX AMNESTY

The estate tax amnesty return (ETAR) shall be filed with the BIR Revenue District Office (RDO) that has jurisdiction over the place of residence of the decedent, who must be a resident of the Philippines, or of the executor/administrator in the Philippines if the decedent was a non-resident. If the estate has no executor or administrator in the Philippines, the ETAR will be filed with BIR RDO No. 39 in Quezon City. Following Revenue Memorandum Order No.
33-2019, the Certificate of Availment and the Electronic Certificate Authorizing Registration (eCAR), which authorizes the transfer of the estate properties to the heirs, shall be issued within 15 calendar days from the receipt of the validated Acceptance Payment Form and proof of payment of the Estate Amnesty Tax. The estate tax amnesty is available for two years, starting June 15, 2019 and ending June 14, 2021. Any estate that fails to take advantage of the tax amnesty within the period given will be subject to the graduated estate tax rate that was in effect as of Dec. 31, 2017, with interests and penalties also due upon payment. The law was good news to Filipinos in the Philippines as well as those residing overseas who are heirs to unsettled Philippine-based estates with unpaid taxes. Many Filipinos who have settled abroad with their families have expressed their preference to settle the estates and sell off Philippine-based properties.

CHALLENGES FOR NON-RESIDENT FILIPINOS

However, there are challenges for non-resident Filipinos who wish to take advantage of the tax amnesty. One challenge is the availability of documents required by the ETAR. Under Revenue Regulations (RR) No. 6-2019, documents pertaining to the value of the properties within the estate must be attached to the ETAR to provide a basis for the tax base and the resulting estate amnesty tax payable. If, for example, the decedent passed away decades ago, there is a good chance that the heirs no longer have documents that indicate the value of the properties as of the time of the decedent’s death. This can cause difficulty in proving the actual value of the properties, since it is certain that these properties were worth far less at the time when the decedent died than their current fair market value. Without the relevant documents, it will be difficult to determine the actual value of the decedent’s estate, and the resulting basis to compute the estate amnesty tax.
Another challenge for non-resident heirs is how to determine the actual properties that comprise their parents’ or grandparents’ estates. In some cases, the heirs had already migrated to other countries, leaving their parents behind in the Philippines. When the parents are gone, there is a chance that the survivors have no clear idea about the nature or number of properties that were left behind. As they have no resources in the Philippines to obtain information on their parents’ properties, the likely result is an ETAR that may not include all the properties that actually belonged to the decedent. A third challenge for non-resident Filipinos is the actual filing of the ETAR and payment with the bank. Non-residents usually prefer to remit payments online or through wire transfer. However, the amnesty regulations require the physical filing of the ETAR and payment through BIR authorized-agent banks. To avail of the amnesty would require the non-resident to return to the Philippines or to authorize a representative for this purpose.

POTENTIAL COURSES OF ACTION

With the way that the regulations for estate tax amnesty are currently worded, non-resident Filipinos have the option to authorize representatives in the Philippines to file and process the applications on their behalf, without having to come to the Philippines themselves. Where a proper authorization is in order, these representatives can assist in determining the properties covered by the estate, preparing and submitting the ETAR to the BIR, making the actual payment, and claiming the eCAR to be issued to the estate. In determining the properties that may be covered by the estate, the heirs or their representatives can try to confirm with the relevant government agencies any registered properties that the decedent may have. However, there may also be hurdles on this point as more and more government agencies begin to implement rules that limit information disclosure.
Given these challenges for non-resident Filipinos, there may be a need to first evaluate how the authorities can help them maximize the benefits of the amnesty. For example, it may be useful to determine whether it is feasible to authorize Philippine embassies or consulates to accept ETAR filings and amnesty tax payments. Another potential option would be to develop online platforms to enable these individuals to file the ETAR online and settle through bank-to-bank payments. These potential options will certainly help ease the compliance of non-resident Filipinos who may be keen on settling outstanding estate tax obligations. The intent of the estate tax amnesty is certainly laudable as it seeks to increase the revenue of the government, while helping unlock idle properties and opening these up for transfers upon the payment of the estate tax obligation. These objectives can better be realized if additional measures can be developed to help Filipinos, wherever they may be in the world, conveniently and efficiently take part in the estate amnesty program within the given period of time. This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinion expressed above are those of the author and do not necessarily represent the views of SGV & Co. Betheena Dizon is a Tax Senior Manager of SGV & Co.

14 January 2020 Nathaniel F. Dizon

Smart, savvy and strategic cyber risk management

We regularly hear and read about hacks, security breaches and similar cybersecurity incidents that expose vulnerabilities in corporate and government digital security systems. The reality is that most companies and organizations lack the internal cybersecurity expertise and capability to combat external threats, which leads them to seek external solutions. While this may be necessary, effective cybersecurity efforts should be anchored on a clear digital risk management strategy, as discussed in a recent EY article, “Making digital risk management strategic.”

Digital risk management is the next stage in enterprise risk and security for companies and entities that are incorporating digital processes and technologies into their business. It includes new and unexpected challenges that may arise as a result of digital transformation. Digital risk is a business and not a technology issue, making it a C-suite level concern instead of just an IT matter.

Organizations need to take a holistic approach when creating a digital risk management strategy, one that supports risk-based decisions and improved cybersecurity that reduces costs related to managing security risk. This approach considers the entire organization’s digital assets and relationships since some vulnerabilities can come from the most unlikely of sources. An example would be an incident where the customer information of a local remittance company was leaked through a data breach on a separate system used for marketing purposes.

The latest EY Global Information Security Survey showed that 37% of organizations stated they would not be able to detect a sophisticated system breach, despite 53% of respondents claiming that they increased their cybersecurity budgets in prior years. This paints a bleak picture, although the situation may be due to the blurring of organizational boundaries resulting from the emergence of more interconnected devices.
With the “Internet of Things” (IoT), or the increased connectivity between systems and the growing online presence of many organizations, any company may become a potential victim. Addressing these risks requires a combination of strategic elements such as identifying risks; monitoring and predicting potential cyber threats; having a ready response protocol to any incidents; and a plan to restore operations. These are matters that all organizations, regardless of size, need to consider within the limits of their financial and human capital resources.

Whether it is a large organization or a smaller one with fewer resources, the key to building an effective digital risk management strategy lies in a few significant steps.

FIND YOUR WEAK SPOTS

Organizations need to actively and thoroughly review their existing processes, digital platforms and operations to identify areas where risks can be minimized or addressed early on. One example of taking bold steps to implement a digital risk management strategy was undertaken by the Singapore Ministry of Defence (MINDEF) in 2018. The government agency decided to invite about 300 ethical (or white hat) hackers from around the world to a first-ever bug bounty event. The challenge was to attempt to hack into the agency’s internet-connected system to find vulnerabilities and be rewarded for finding them. This innovative action helped generate nearly 100 vulnerability reports, 35% of which were considered valid security vulnerabilities that the government agency addressed immediately.

While this may have been a first for a government agency, it has actually become a common practice for some multinational entities. They now hire white hat hackers to test their security systems for flaws and vulnerabilities by replicating the tactics, techniques, tools and procedures that a malicious hacker would utilize in an actual cyberattack.
PROTECT THE CROWN JEWELS

Companies need to quantify their risk appetite and identify the digital operations that require greater resources, competencies and capabilities to protect. These are usually the most vital operations such as infrastructure, cloud applications, managed operations or security services. Organizations also need to consider investing in intelligent technology solutions that can automate the process of monitoring and managing digital assets that are most at risk or have the greatest impact on operations.

There has been a trend for larger organizations to move their digital risk management and cybersecurity functions outside of traditional IT or technology departments and put them directly under the oversight of top management. This highlights the reality that cybersecurity and digital risk management are larger business issues and not simply IT problems.

PREPARE FOR THE WORST

Organizations should prepare an incident response plan ahead of time and undertake drills and practices to ensure that all stakeholders know what to do in the event of a breach. This plan, naturally, needs to be one that is continually studied and enhanced as threats evolve. Following the initial response to any breach and the measures taken to minimize the damage, companies should have contingency plans in place to restore business-as-usual operations in the shortest time possible while also managing any operational and reputational damage that may occur.

GET YOUR PEOPLE UP TO SPEED

As with most programs, people are both the first line of defense and often the greatest point of vulnerability. The EY survey found that 34% of organizations consider careless and untrained employees as their greatest vulnerability. Based on our experience, about one out of five employees falls victim to social engineering techniques in the campaigns we conducted for our clients.
This is the reason why organizations need to ensure that all their people are adequately trained in a cyber-resilient risk culture. People, in this context, refers to more than just employees. They also include the people engaged by an organization’s vendors, third-party stakeholders and internal/external systems providers. Cyber-savvy organizations need to ascertain that proper access controls, policies and technologies are in place to reduce possible unauthorized access to vital systems or confidential data.

A thorough evaluation of the cybersecurity knowledge, exposure and competencies of an organization’s people can also help identify possible human single points of failure, which can significantly hamper an organization’s response time and effectiveness in case of a breach. For example, say a breach happens and the cybersecurity team swings into action. Part of their containment solution is to block all access to vital databases, but before they can do so, permission from the CIO is required. If for some reason the CIO cannot be readily contacted, it would cause a delay in implementing the security protocols.

AN AGILE, HOLISTIC APPROACH TO CYBERSECURITY

In the digital environment and ecosystem we operate in today, cyber threats will continue to exist and will constantly evolve to present new risks. Some analysts believe that a breach is inevitable for any organization. However, what matters is how the organization will respond to such an incident. Hopefully, it will be carried out with an agile, scalable, well-designed digital risk management strategy that integrates processes, systems, people and technical competence into a holistic cyber defense system.

This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinions expressed above are those of the author and do not necessarily represent the views of SGV & Co.

Nathaniel F. Dizon is an Advisory Manager of SGV & Co.
