The Real-time Risks Of Tax Technology
9 August 2018
Cybersecurity will only become more important as the rise of real-time reporting technologies revolutionises compliance methods. Malware can spread through corrupted updates to accounting software just as it can on any other network.
International Tax Review spoke to Ali Kennedy, vice president of tax at cybersecurity group Sophos, who stressed the gap between understanding the risks and putting in place the resources to mitigate them.
"The understanding of the vulnerabilities is there, it just comes at a cost," Kennedy said. "If you want to protect yourself against a cyberattack, you need to keep your software patched and up to date. If a version is no longer supported by security patches by the vendor then it should be replaced."
While corporations may have the funds and resources to protect their systems against harm, the same cannot be said for tax authorities.
"If the technology or the software is getting out of date, the system is immediately more vulnerable to attack. There needs to be extra resources and funding to ensure that the systems do not fall behind. The authorities know what they have to do, but they are working on a tight budget," Kennedy said.
There have already been instances of cyber strikes that have disabled global systems. Sixty-four different countries were affected by a piece of malware in one day in June 2017. Security experts attributed its source to the accounting package MeDoc, though the developer, Intellect Service, disputed this claim.
What is clear is that the Petya malware spread through Ukraine’s financial and energy sectors, before crossing borders and hitting foreign businesses like the Russian oil conglomerate Rosneft and DLA Piper.
It spread so far so quickly that the malware even crashed the computer system of a Cadbury’s factory on the Australian island of Tasmania. But, as Kennedy pointed out, the real dangers come in quiet times when businesses and governments are more likely to let their guard down.
"Sadly sometimes you need an emergency to really get across the risks of not keeping up to date," Kennedy said.
"There is plenty of expertise in the private sector, but there is also a lot of change right now and competition for resources," she explained. "The tech industry is a complex world and it moves very quickly. It is quite difficult for some companies to keep up."
The Danger of Live Feeds
While the business community tries to keep up with the pace of change, governments around the world have been looking at reporting technologies to make their tax systems more efficient and crack down on tax fraud, as well as raise additional revenue.
As part of the BEPS project, the OECD has adopted the standard audit file for tax (SAF-T) as the global model for the electronic exchange of accounting data. SAF-T has become the starting point for designing new reporting systems.
Spain has introduced the immediate supply of information (SII) report to standardise how taxpayers submit VAT data every four days. Likewise, Hungary and Brazil have introduced live reporting. The Hungarian system requires daily reporting, whereas the Notice Fiscal requires a report every few days like the SII model.
Andrew Bohnet, managing director at Innovate Tax, has stressed that the flaws in the SAF-T model run through all real-time technologies.
"The problem with SAF-T is that there is a single point of failure – the tax authorities," he told ITR. "It’s not just SAF-T, it’s any real-time invoicing or reporting such as the SII report."
"The other problem is that from a hacking point of view, once they have access to the data, they don’t need to disrupt it," he continued. "Meaning someone could be listening in without being known, and once they are able to hack then they can tap into any company data coming through."
Bohnet has speculated that the real-time reporting model might become a target for hackers looking to engage in insider trading. After all, the information could reveal a lot about the state of a major company, especially if fresh data is being uploaded every few days. This could give a hacker advance knowledge of the company’s financial results before the market has any sense of them.
A lot of companies would feel better about having a barrier with the authorities. Not even for confidentiality reasons, but because the bad guys can get into these systems.
"A live data feed between a company system and a revenue authority is different because it leaves the potential for a security breach and unauthorised access to company systems," she added. "This represents a significant risk."
These real-time systems are highly innovative in terms of access for the tax authorities. However, a data breach could give hackers a lever over a company’s financial future. Every innovative step forward brings with it new risks.
The above article was published on www.internationaltaxreview.com on August 9 2018 and has been republished with the approval of the Publisher.