Understanding the global minimum tax and the growing risk of ransomware

The G7 announced a framework for a global minimum tax last week. In this episode, Amy Wang Miller, CPA, J.D., senior manager with the AICPA’s Tax Policy & Advocacy team, explains what the framework means, what accounting and finance professionals can expect next, and what the future of a global minimum tax looks like.

Also, we explore the growing risks and cost of ransomware with Gerry Glombicki, CPA, a director with Fitch Ratings insurance group, and how organizations should be approaching ransomware.

What you’ll learn from this episode:

• What exactly the G7 finance ministers agreed to regarding a global minimum tax framework.
• What political hurdles remain for a global minimum tax.
• How accountants and finance professionals should be preparing for a global minimum tax.
• How the growing risk of ransomware can cost organizations in unexpected ways.
• Why organizations should be thinking about ransomware holistically.

Play the episode below or read the edited transcript:

To comment on this episode or to suggest an idea for another episode, contact Drew Adamek, a JofA senior editor, at Andrew.Adamek@aicpa-cima.com.

Transcript:

Drew Adamek: Welcome to the Journal of Accountancy podcast. I am senior editor Drew Adamek, and this week we’ll be exploring what the G7’s announced framework for a global minimum corporate tax means for accounting and finance professionals, and later, I’ll talk with experts about the hidden risks and costs of ransomware.

On June 5, finance leaders from the G7 Group of Nations agreed to a framework for a global corporate minimum tax of at least 15%, no matter where the business is located.

The agreement was years in the making and is especially focused on tech giants like Google, Facebook, and Amazon. While the deal could significantly alter how and where global companies do business, many hurdles remain for the deal. To help understand what the deal means and what’s next, I spoke to Amy Miller, a CPA and senior manager with the AICPA’s Tax Policy & Advocacy team, about what finance professionals and accountants need to know about the proposed global minimum tax.

What exactly has the G7 announced, and what does that practically mean for organizations? How significant is this announcement?

Amy Miller: The announcement is significant, but also insignificant in some ways. I’m going to try to be brief, but basically finance leaders from the world’s 20 largest economies met to discuss plans for global minimum corporate tax rates, and also new rules for how to tax large tech firms like Facebook and Apple. And why that’s significant is because the OECD has been discussing for a few years now about how to tax these tech companies differently. So it’s a shift from taxing physical presence to taxing where the economic presence is.

What happened is that the pandemic has really caused tax revenue needs in the trillions of dollars or pounds or euros. Now, there is an urgency for unilateral approaches from many countries on how to deal with whether it’s a global minimum tax, a digital service tax (DST) and how to tax these large companies, because they really need that revenue to come back from the pandemic. And a lot of countries believe that tech companies disproportionately came out on top through the pandemic with significant revenues. This agreement is kind of a move towards figuring out where will those revenues go and how will countries allocate that appropriately.

Adamek: A lot of the press coverage immediately after this announcement painted it as a way of dealing with corporate tax avoidance. How do you see this fitting in with other recent international efforts to curb tax avoidance?

Miller: Yeah, so that’s a great question. It’s interesting because in terms of tax avoidance, you know, I don’t know if it was tax avoidance. We never had a system that truly understood how to tax these digital services, right? This is all new. How do we tax digital companies? I think where it’s kind of like catching up to the new times and how to tax these new tech companies. And of course, the U.S. wanted to raise this minimum tax to 21% because that’s our current corporate tax rate, and we want our U.S.-based corporations to be competitive in the whole international tax regime and other countries obviously want it to be lower, because in Europe right now the corporate tax rate is much lower. So it’s a competition between countries of just how to come to this difficult agreement.

Adamek: In trying to address tax avoidance — that’s sort of the base problem that this is hoping to address, as I understand it — but does this create loopholes? Are there any apparent loopholes and how effective can this be if, say, a country decides not to abide by this agreement?

Miller: Yes, often in tax, especially in new tax rules, there will always be loopholes, right? That’s the job of the tax attorney or a CPA is to find those spaces in between the laws where you can still help your clients protect their revenue. Things that may be disagreements within countries that we are kind of wary of is that, while the OECD has been holding discussions and meetings and a lot of countries are trying to come together to come to an agreement, Congress in the U.S. is really worried other countries won’t agree to withdraw their existing plans, or maybe existing regimes or plan digital service tax regimes after the OECD strikes the final deal.

I think half of the countries in Europe have existing digital service taxes that are being implemented. And in order for these new rules for global minimum tax to be effective and to work, they have to withdraw the existing digital service tax rules that are currently in play, and Congress wants to see binding commitments from those foreign countries before they move forward.

And even with commitments that those foreign countries are going to withdraw their unilateral DSTs will there be a bipartisan agreement in U.S. Congress to pass these new rules and to pass this minimum tax?

We’re just not sure.

Adamek: What are the next steps for a global minimum tax and where can listeners learn more about this?

Miller: While the G7 communiqué discusses an agreement in principle, it is clear that there are still many substantive points that remain subject to further negotiation between the world’s finance leaders. The OECD is going to need to focus their efforts on significant design and implementation considerations for their framework because those details are critical to ensuring a functional and lasting agreement internationally. If listeners want to learn more, the AICPA has an OECD task force, and we’ve been commenting and submitting comment letters along with CIMA in the UK to the Government to give our input. but we also have our comment letters on our AICPA tax policy and advocacy page, and we have our recommendations for Treasury in the U.S. and for foreign governments on what’s the best plan to move forward.
 
Adamek: Amy, thank you so much for joining us.

Miller: Thank you so much for having me, Drew.

Adamek: Alarming ransomware attacks have generated a lot of headlines recently and seem to be growing in scale and menace. Several attacks since May have interrupted critical infrastructure and have had a rippling economic impact on essential consumer goods. In May, a ransomware attack on the Colonial pipeline by a group of criminal hackers calling itself DarkSide disrupted fuel supplies on the East Coast for several days.

On June 1, a ransomware attack on JBS, the world’s largest meat processor, shut down nine beef plants and could have a significant impact on wholesale meat prices across the country. Gerry Glombicki, a CPA and director in the insurance group at Fitch Ratings, recently co-authored a study on the growing risks and costs of ransomware attacks.

I recently spoke to Gerry for the FM magazine podcast about what accounting and finance professionals need to know about the hidden risks and costs of ransomware. Here is a preview of my conversation with Gerry about why accountants and finance professionals need to be paying attention to ransomware.

Adamek: How significant is the threat of ransomware, and why should finance departments be paying attention to that threat?

Gerry Glombicki: So ransomware has grown quite significantly over the past year. In our Fitch Wire, we cite that it’s gone almost 500% year over year, and that was according to Bitdefender. It’s definitely a growing financial risk and it’s across all sectors and geographies. Basically, if you’re connected to a network, you are at risk of being attacked. It’s really up to your network security to prevent all attacks.

One of the interesting things too about ransomware, just cyber risk in general, is the information security team security has to be right all the time, 24 hours a day, seven days a week. If you just have one flaw, it just needs that one flaw for the bad guy to find it and exploit it and basically get you a very bad day.

Adamek: When you talk about IT departments needing to be prepared at all times, when you look out at the threat landscape, how prepared are organizations to deal not just with the threat of ransomware but cyber threats in general?

Glombicki: It varies by company and it varies even within the companies. Information technology is what a lot of people associate with dealing with this risk, but information technology is a very broad department, of which information security is a subsegment of that.

One of the things that’s very important is something called endpoint security. Endpoint security is basically all the devices that connect to the internet — that’s my laptop, that’s my cellphone. I can actually connected via VPN to the company’s email systems. It’s the VPN on my laptop that connects itself into the system.

All of these things create entry points to the network, which is convenient to me but also is a security risk to the company. And these are things that have to be secured, and they’re secured by different people, even within the IT department. So within the IT departments, and the company as a whole, they really need to talk to each other. Again, they only need to be wrong once for an attacker to actually find a way in.

And then, just broadly speaking too, when you look at the risks of IT, it used to be done by someone who was kind of an overworked person in the IT department. They just gave them information security title. You started to see, with some regulations increasing, that you have to have a CISO, a chief information security officer on staff, you know, if you met certain requirements. Now it is actually a dedicated response and you’re starting to see boards starting to have dedicated information security and dedicated IT segments themselves as well. You are starting to see a lot more pick up and interest on this at both the corporate and executive level.

Adamek: Ransomware has been in the news a lot lately because of the recent pipeline shutdown. But are there other risks, not just business disruption, that ransomware poses?

Glombicki: Ransomware in particular is interesting because basically what happens is one day you’ll wake up to find that you don’t have access to your systems. There’s variance to this as well. As a matter of fact, I was reading from Emsisoft today, and they were talking about how some of the threat actors are double-encrypting your systems, so they’ll actually encrypt it once and they might encrypt just half the system with one method and encrypt the other half with a different method. They might actually encrypt it with the same method twice and make you pay twice. They could be just after certain files. They might just do a certain subsegment of your network.

It causes basically a big business interruption and continuity risks. But it also it matters in your supply chain. So, for example, if you’re looking for a vendor to supply you with something but their businesses are interrupted, that can impact you. So you also have to pay attention to your risks, but the risks of cyberattacks throughout your entire supply chain, and that’s something that a lot of organizations are starting to really realize.

Adamek: For more of my conversation with Gerry, please visit the FM magazine podcast page in July.

In other news, on June 15, the AICPA and NASBA launched the CPA Evolution Model Curriculum, a recommended blueprint for an accounting program designed to help educators prepare graduates for the changing demands of the CPA profession.

The CPA Evolution Model Curriculum outlines suggested courses colleges and universities can offer to align their accounting programs with CPA Evolution, a new CPA licensure model expected to debut in 2024.

Under the CPA Evolution model, CPA Exam candidates will all take three Core sections, which will test their fundamental knowledge in the areas of accounting, audit, and tax/regulation, with a recognition of the ways technology has impacted these three areas.

They will then take an Exam section in their choice of one of three disciplines: tax compliance and planning (TCP), business analysis and reporting (BAR), or information systems and controls (ISC).

The AICPA anticipates rolling out a new version of the CPA Exam based on this model in 2024.

The IRS opened an online site June 14 that allows taxpayers who are not required to file a 2019 or 2020 individual income tax return to sign up to receive advance child tax credit payments, which will begin July 15.

The AICPA and the Center for Audit Quality voiced support for the SEC’s exploration of disclosures related to climate change and environmental, social, and governance issues in comment letters sent to the commission on June 11.