COMMENTARY: The state of New York has just given bad actors a major advantage.
Let me explain why:
A
recent decision by the New York State Department of Taxation and Finance ruled that a company’s security services are subject to both state and local sales tax. This short-sighted decision will essentially punish companies for trying to strengthen their cybersecurity amid a time of ever-increasing risk – or worse, encourage them to cut corners on cybersecurity, which can have a significant ripple effect.
[
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
Other states need to take heed – and New York State tax officials should rethink the parameters of this decision. At the same time, organizations should watch where they try to cut back, since the repercussions of cyberattacks are often significant.
The facts of the case
In the scenario that led to this tax decision, a managed detection and response provider sought guidance on whether sales of its service offerings in New York State – network security monitoring services and professional advisory services – were subject to local and state sales tax. The state tax department’s verdict? Yes, based on the tax law as currently written.
This case was built on
a previous precedent, set in 2021. In that instance, a managed security services provider (MSSP) asked if it was required to pay sales tax for its services for customers in New York State. The judge ruled that MSSPs are indeed required to pay sales tax on certain cybersecurity services. The state taxes anything it deems “protective and detective services” according to the wording of the existing state tax law. In the more recent case, the state expanded that definition to include network monitoring and managed security services. If the property being protected is in New York State, these services are taxable and the customer will feel the pinch.
In other words, instead of incentivizing companies to invest in cybersecurity, the state continues to make changes that will do the opposite.
The slippery slope of taxing defense
We’re in an era where cyberattacks are reaching all-time highs. Personal information gets compromised all the time. Think about how many credit monitoring firms people now sign-up for as a result of data breaches. Organizations across every type of industry are trying to stay secure amid an onslaught of risks. The state should encourage organizations to shore up their defenses – not financially penalize them.
Imagine if ambulances and other first responders were charged tolls to get to their patients, increasing costs for patient care for the sake of revenue generation. With respect to this ruling, it feels very much like New York State has taken an emergency situation and made it worse. I think there’s a lack of understanding by the state officials putting these rules into effect. It feels like a poorly thought-out cash grab that will only have negative consequences for those in need of cybersecurity services.
One of the more negative unintended consequences: some of the most innovative firms – including some of the smaller firms that are least equipped to deal with New York State taxes – will now find themselves disrupted by this ruling.
And, organizations with already-strapped budgets trying to make their dollars stretch are now being told they’re going to have to invest some of their security spend on paying New York State taxes. A CISO’s budget isn’t going to increase to accommodate taxes – which could mean cutting corners on other important security investments.
What are the next steps?
While state leaders may focus on the bottom line as they see it (tax revenue) or even think it will spur in-state job creation, that’s wishful thinking. In fact, it could lead to the opposite: more companies moving out of New York State or refusing to take on customers in the state.
In the immediate future, organizations operating in New York State will need to increase their budgets to account for taxation; otherwise, they’ll put their CISOs in a bind. For the organizations that offer these services to companies in New York State, they will need to understand the impact this could have on their clients – and they need to raise their voices to help lawmakers understand why this ruling will have unintentional negative consequences on security posture overall.
Whatever good this bit of tax law may have intended, I don’t see it. This tax decision comes as breaches proliferate, AI enables cybercriminals, and we continue to see cybersecurity risks at every turn. This type of tax makes an already difficult problem harder. In a challenging macroeconomic environment, CISO budgets aren’t going up. And at a time when cybersecurity concerns are reaching all-new highs, it’s not a wise move.
Security isn’t a luxury, and we shouldn’t tax it as though it were. New York and other states should make it easier for organizations to invest in their security programs, not over-burden them with yet another tax.
Charles Henderson, executive vice president of cybersecurity services, CoalfireSC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
