03.19.25
Not-For-Profit Group Newsletter – Winter 2025
Caitlin G. Gibbs, Barbara Miller
Why and How to “Pen Test” Your Systems
Caitlin Gibbs, CPA
The global cost of cybercrime is expected to soar in coming years, and not-for-profits are far from immune to the threat. The rising role of technology, especially in an age of increased remote work, leaves organizations of all kinds vulnerable to data-related crime.
You may take some comfort in the controls you have implemented, but will they actually hold up against the next cyber intruder? Penetration (pen) testing can help you preempt intrusions and attacks by identifying weaknesses so you can fix them before an attacker finds them.
Need for testing
According to the Identity Theft Resource Center, more than 350 million people were victimized as a result of data breaches in 2023, and not-for-profits were among the organizations breached. That should not be a huge surprise. Many not-for-profits lack the staff and other resources to establish and monitor the cybersecurity measures required to protect sensitive data, such as banking credentials and donors’ credit card information. This makes not-for-profits an appealing target for criminals.
Even if you have dedicated IT staffers, they simply cannot monitor every area of your organization that may pose a risk. Pen testing is designed to find vulnerabilities that might otherwise go unnoticed until a breach occurs. Further, cyber insurance providers and other stakeholders increasingly demand such testing. Pen testing can help you demonstrate that your organization takes data security seriously.
Although pen testing can be expensive, the costs of a data breach could prove devastating for your organization. The IBM “Cost of a Data Breach Report 2023” found that the global average cost of a data breach in 2023 was $4.45 million, a 15% jump since 2020. Costs could include those related to:
- Downtime;
- Ransom demands;
- Regulatory fines and penalties;
- Litigation;
- Forensic investigation;
- Remedial measures; and
- Crisis management.
Also, reputational damage could undermine your future support from funders, members and the general public.
Taking the test
Pen testing provides a point-in-time assessment of the effectiveness of your overall cybersecurity program and of specific controls. Done well, it examines not only your technological vulnerabilities but also those related to your people, facilities, policies, processes and procedures. Unlike an automated vulnerability scan, which only reports what might be exploitable, testers find gaps or misconfigured settings that criminals could leverage and then attempt to actually exploit them, so you learn what an attacker could really reach.
If you engage testers, they will simulate an outside attack, targeting your users, systems and network in an attempt to gain unauthorized access to sensitive data. They generally start by mapping your network and systems for potential openings (reconnaissance and scanning) and then try to exploit those openings to gain a foothold and move deeper. They use the tools and techniques real criminals use, for example cracking weak or reused employee passwords or running social engineering campaigns such as phishing. Their scope may cover all of your networks and systems or only those that are public facing (for example, your website or email). Their simulated attacks may be scheduled or unannounced to staff, but either way they proceed only under written authorization and rules of engagement agreed with leadership, so that the testers’ activity can be told apart from a real attack and no system is damaged by accident.
Make it routine
Pen testing is best done on a regular basis rather than as a one-off event. Technology is constantly evolving, as are cybercriminals’ schemes. Plan on having testing done at least annually, and also after significant changes to your systems, such as adopting a new donor-management platform or moving services to the cloud. When you have put new controls in place in response to a testing report, have the testers retest to confirm that the earlier findings are actually fixed; an unremediated report is of little value.
Sidebar: Getting started
Once you recognize the value in penetration (pen) testing (see main article), you will want to get the most bang for your buck. The first step is to find a reputable company. Identify at least three companies and request references from existing clients, preferably other not-for-profits. You also should inquire about their employees’ certifications. A range of related certifications are available, including Certified Ethical Hacker (CEH), Certified Expert Penetration Tester (CEPT) and Offensive Security Certified Professional (OSCP). Ask as well whether the people holding those certifications are the ones who will actually perform your test.
Before you sign a contract, determine the appropriate scope for the testing. If budget is an issue, you can perform a cybersecurity risk assessment to identify the highest-risk areas and prioritize the testing accordingly. If you wish, you can declare certain systems off limits. The contract should also spell out what the testers may and may not do (for example, whether social engineering of staff or disruptive techniques are permitted), when testing may occur and how the testers will handle and later destroy any sensitive data they access. Finally, the contract should detail the information to be included in the test report: each vulnerability found, its severity, the evidence that it is exploitable and recommendations for remedying it.
For more information, contact Caitlin Gibbs at [email protected] or 312.670.7444. Visit ORBA.com to learn more about our Not-For-Profit Group.
Is it Time to Review Compensation?
Barb Miller, CPA
In a tight job market, where not-for-profit organizations are competing with for-profit businesses for talent, you may find it necessary to raise your compensation. If so, keep in mind the potential tax penalties that can result if the IRS deems your compensation more than reasonable. Here are some answers to common questions on the topic.
Who is involved?
Excess benefit transaction (EBT) rules generally apply to “covered organizations,” meaning 501(c)(3) and 501(c)(4) organizations. They do not, however, apply to private foundations. The rules also involve “disqualified persons,” including:
- Individuals in a position to exercise substantial influence over your organization’s affairs;
- Family members of disqualified individuals;
- Entities in which disqualified individuals have a 35% or greater stake;
- Individuals able to substantially influence a Section 509(a)(3) supporting organization; and
- Donors and donor advisors involved in transactions with donor-advised funds (DAFs).
Family members generally include a disqualified person’s spouse, parents and other ancestors, siblings and their spouses, children and their spouses, grandchildren and their spouses, and great-grandchildren and their spouses. Under proposed regulations, the definition of “donor-advisor” would include personal investment advisors who manage the investment or provide investment advice related to both the DAF assets and the donor’s personal assets.
What is an EBT?
Generally, an EBT is a transaction with two components:
- A covered organization must directly or indirectly provide an economic benefit to a “disqualified person;” and
- The value of the benefit must exceed the value of the consideration the not-for-profit received in exchange from the disqualified person.
The IRS examines all consideration and benefits exchanged.
What are the potential tax risks?
Although revocation of your tax-exempt status technically is possible, in practice the usual penalty is “intermediate sanctions,” also known as an excise tax. Disqualified persons who engage in EBTs face an initial excise tax of 25% of the excess benefit received. They must correct the transaction within the taxable period by, for example, returning the excess benefit to the organization (generally with interest). If they do not, the IRS will impose an additional excise tax of 200% of the excess benefit.
Notably, your not-for-profit’s managers also are at risk of a financial penalty. A manager found to have knowingly participated in an EBT (unless the participation was not willful and was due to reasonable cause) can end up on the hook for a 10% tax on the excess benefit, capped at $20,000 per transaction, to be paid by the individual.
How can you reduce threats?
The tax regulations provide not-for-profits a safeguard known as the “rebuttable presumption of reasonableness.” The compensation you pay disqualified persons is presumed to be reasonable if you satisfy three requirements:
- Advance approval from an authorized body. The compensation arrangement must be approved in advance by your board of directors or a board committee composed entirely of individuals who do not have a conflict of interest with respect to the arrangement.
- Comparability. The authorized body must obtain and rely on appropriate data on the comparability of the compensation before making its determination. Appropriate data includes compensation paid by similar organizations for comparable positions, the availability of similar services in your geographic area and current compensation surveys compiled by independent firms.
- Documentation. The authorized body needs to adequately, and concurrently, document the basis for its determination. Documentation must note the transaction’s terms and the date it is approved; the members of the authorized body present for debate of the transaction and who voted on it; and any actions taken by a member who has a conflict of interest.
The documentation also must include the comparability data and how it was obtained. This can be difficult to come up with, but smaller organizations are in luck. Authorized bodies of not-for-profits with annual gross receipts of less than $1 million can fulfill the requirement if they have data on compensation paid for similar services by three comparable organizations in the same or similar communities.
Protect your organization
Rising salaries are a fact of life for many organizations. To avoid penalties, take the time to get reasonable-compensation reviews for your highest-paid employees.
Sidebar: Who wields substantial influence?
Board members and executives usually have “substantial influence” over their not-for-profits for excess benefit transaction purposes. Less obvious are other individuals who can also have such influence. The IRS considers several factors that indicate whether someone has substantial influence over an organization’s affairs, including if the person:
- Founded the organization;
- Is a substantial contributor in the current and four previous tax years;
- Is compensated based primarily on revenue derived from the not-for-profit’s activities or a department or function they control;
- Has authority to control or determine a substantial portion of the not-for-profit’s capital expenditures, operating budget or employee compensation;
- Manages a discrete segment of the organization that represents a substantial portion of its activities, assets, income or expenses;
- Owns a controlling interest (by vote or value) in an entity that is a disqualified person; or
- Is a non-stock organization controlled directly or indirectly by one or more disqualified persons.
By contrast, contractors (such as attorneys, CPAs or investment advisors), whose only relationship to the organization is providing professional advice on transactions from which they will not economically benefit (other than customary fees), generally do not have substantial influence.
For more information, contact Barb Miller at [email protected] or 312.670.7444. Visit ORBA.com to learn more about our Not-For-Profit Group.