Human Resource Consulting From The Business Viewpoint
Human Resource Update | December 2021

2021 was certainly a challenging year. It appears that 2022 will be better!

As usual, we will be looking at the important matters affecting employees and employers as we go through 2022.

We wish you, your family and associates a very Happy, Healthy and Successful New Year!
Sincerely,
Michael F. Yates
President
If you find value in this newsletter please let us know. Feel free to call me with a comment and/or ask a question at any time (908-689-4200) or send me an email (myates@mfyco.com). We offer this timely information as another benefit of your relationship with our company. If you feel a friend or colleague would benefit from receiving our newsletter, please feel free to forward a copy. 

You can view all of our newsletters by clicking the 'newsletter archives' link at our company website www.mfyco.com.
New York Expands Paid Family Leave “Family Member”
New York Governor Kathy Hochul signed S.2928-A/A.06098-A that expands New York State's Paid Family Leave legislation to allow caring for siblings.
 
Under the current law, Paid Family Leave “family member” care covers caring for spouses, domestic partners, children and stepchildren, parents, parents-in-law, grandparents and grandchildren with a serious health condition. Effective January 1, 2023, “family member” is expanded to include a sibling with a serious health condition. “Sibling” is defined to include biological siblings, adopted siblings, stepsiblings, and half-siblings. These family members can live outside of New York State, and even outside of the country.
 
This bill builds upon the Paid Family Leave legislation that was enacted in 2016, which created one of the most comprehensive paid family leave programs in the nation. In effect since 2018, New York's Paid Family Leave program is employee-paid insurance that provides workers with job-protected, paid time off to bond with a newly born, adopted, or fostered child; care for a family member with a serious health condition (which may include severe cases of COVID-19), or assist loved ones when a member of the family is deployed abroad on active military service. Paid Family Leave may also be available in some situations when an employee or their minor, dependent child is under an order of quarantine or isolation due to COVID-19. Eligible workers may take up to 12 weeks off at 67% of their pay (up to a cap) to care for family members in times of need.
 
SOURCE: State of New York, Office of the Governor, News Release, November 1, 2021.
Two Preventive Steps to Ward off Ransomware Attacks for Small Business
If recent headlines about ransomware attacks on companies have you worried, your concerns are well-founded. Earlier this year, the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency – you may know them as CISA – issued a Fact Sheet on Rising Ransomware Threat to Operational Technology Assets. The computer criminals who traffic in ransomware try to exploit vulnerabilities in technology and soft spots in human nature. In addition to the Cyberattacks - What to Do and What not to Do article we posted, the Federal Trade Commission (FTC) suggests two steps your small business can take to bolster your digital defenses on both fronts.
 
Step #1. Make sure your tech team is following best practices to fend off a ransomware attack. One key protective step is to set up offline, off-site, encrypted backups of information essential to your business. Furthermore, share the CISA Fact Sheet with your IT staff. Underline, italicize, CAPITALIZE just how important it is for them to stay current on the latest word from the leading federal agency on defending against these threats and on updates from other trustworthy public-private partnerships. CISA’s ransomware resources – including its Ransomware Guide – should be required reading. This isn’t something to save for a slow day at the office. Your IT team should immerse themselves in the latest advice from CISA and other authoritative experts.

Step #2. Schedule a security refresher for your employees. Ransomware isn’t just an issue for IT professionals. Perps often use email to your staff as their entryway into your system. By clicking on a link or downloading an attachment, a distracted staffer could inadvertently hand a computer criminal the keys to your corporate kingdom. But as companies up their defensive game, the bad guys have responded. Some use publicly available information or stolen data about an employee to craft a more personal message. Rather than a misspelled mess that screams scam from the start, the email – or phone call, text, etc. – may appear at first glance to be legitimate business correspondence or even a message from a colleague. A small business’s best defense is a workforce trained in the tricks that cybercriminals are likely to use. Two more important protections are:
1) rigorous authentication procedures; and
2) a company policy that requires passwords for employee credentials and administrative functions to be l-o-n-g and complex. In addition, educate your staff on the folly of using the same password on different platforms, and consider the many benefits of multifactor authentication.
Looking for the FTC’s big picture perspective? Read Ransomware prevention: An update for businesses. The FTC also has to-the-point resources you can incorporate into your in-house security training program. The Cybersecurity for Small Business suite, created in conjunction with the National Institute of Standards and Technology (NIST), the U.S. Small Business Administration (SBA), and the Department of Homeland Security, features self-contained topical modules, including one on ransomware. Mix it up with the FTC’s videos, fact sheets, and quizzes.

The bottom line for business is that ransomware is a federal crime. If you think you’ve been targeted by a ransomware attack, contact your local FBI field office immediately. In the meantime, shore up your defenses through technology and training.

Cyberattacks - What to Do and What not to Do
Federal officials have recently warned employers and businesses that they could have insult added to injury if they respond to cyberattacks by making ransomware payments – increasingly requested through cryptocurrency – as such payments could violate federal law. The U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) issued a September 21 Updated Advisory to stress that the U.S. government strongly discourages companies from making ransomware payments, following up on a 2020 advisory on the potential sanctions they face for facilitating such payouts. The guidance also includes some best practices for your organization to consider to proactively prevent an attack from taking place, and recent federal guidance also provides recommended steps to respond to such an attack. What should your organization know about these critical steps?
 
How Did We Get Here?
In June of this year, the operator of the largest fuel pipeline in the U.S. was hacked by a Russian-affiliated cybercrime group known as DarkSide. The group stole nearly 100 gigabytes of data from U.S. Colonial Pipeline and threatened its release if its ransom was not paid in cryptocurrency (as most cybercriminals currently demand). After reviewing its networks to determine the breadth of the breach, the company shut down the entirety of its gasoline pipeline for the first time in its 57-year history and subsequently paid the requested ransom in the amount of $4.4 million in Bitcoin.
 
Although the U.S. Department of Justice was able to recover 63.7 of the Bitcoins – worth $2.3 million at the time – the damage was done, and the brazen nature of the attack and its success no doubt will lead other groups to continue their digital assaults on American businesses. The ransomware attack suffered by Colonial Pipeline is not an outlier – and will not remain an aberration – as cyber-attackers are stepping up their work and increasingly demanding payment in cryptocurrency in exchange for the release of a company’s systems and data.
 
Earlier this month, in fact, the Director of the National Security Agency predicted that the U.S. would face a ransomware attack “every single day” within five years. Other cybersecurity experts may be more optimistic about the future outlook, but still recognize that the proliferation of ransomware attacks is a major cause for concern in the business community. This is especially true because the pandemic-driven shift toward much heavier employer reliance on technology and remote work has given ransomware attackers an opportunity they have been quick to seize.
 
What Does the Updated Advisory Say?
Disrupting the financial ecosystem that helps fuel these attacks is a primary area of focus for the Biden administration. It is in furtherance of these efforts that the OFAC released its latest Updated Advisory. Announcing the new guidance, Treasury Secretary Janet Yellen emphasized that “ransomware and cyberattacks are victimizing businesses large and small across America and are a direct threat to our economy” and that “as cybercriminals use increasingly sophisticated methods and technology, we are committed to using the full range of measures, to include sanctions and regulatory tools, to disrupt, deter, and prevent ransomware attacks.”
 
This new advisory provides background on ransomware, gives examples of designated “malicious cyber-actors,” and explains how making or facilitating ransomware payments with individuals or entities on the Specially Designated Nationals and Blocked Persons List (SDN List) could violate the OFAC’s regulations and result in sanctions.
 
Mitigating Factors Considered Before Imposing Sanctions
The Updated Advisory adds to the first advisory by delineating two mitigating factors the OFAC will consider before imposing sanctions on an employer for facilitating ransomware payments to sanctioned persons or jurisdictions.
  • The first is the extent of an employer’s compliance program and defensive measures. The guidance states that a compliance program should take into account that a ransomware payment may involve an entity on the SDN List or a comprehensively embargoed jurisdiction. Given that the OFAC may impose civil penalties based on strict liability, the extent to which the business knew that the entity fell into one of those categories is of little consequence when determining whether to impose sanctions. However, if the business has taken meaningful steps to reduce the risk of exposure to a ransomware attack by adopting good “cyber-hygiene,” those steps will be a significant mitigating factor in an OFAC enforcement response.
  • The second mitigating factor is the employer’s cooperation with the OFAC and law enforcement officials after an attack takes place. Reporting a ransomware payment to the appropriate U.S. government agency and cooperating with the OFAC (as well as law enforcement officials) may help stave off significant enforcement action. The faster an employer self-reports and the greater the extent of their cooperation, the more likely the OFAC will resolve the investigation with what they call a “non-public response,” which would not include civil penalties.
 
Cryptocurrency Exchange Added to Bad Actors List
The Updated Advisory also adds SUEX OTC, S.R.O., a cryptocurrency exchange, to the SDN List for its part in facilitating financial transactions with known ransomware actors. An analysis of Suex’s transaction history showed that 40% of its known transactions were associated with illicit actors.
 
What Should Employers Do to Prevent Cyberattacks?
In order to take advantage of the OFAC mitigating factors laid out in the Updated Advisory, your organization should proactively plan ahead and take steps to minimize the chances of a cyberattack. Again, having a comprehensive compliance program and defensive measures in place will not only reduce the chances of becoming a cyberattack victim, but will put you in the best position possible under the latest OFAC advisory.
  • Provide robust cybersecurity training to employees on an annual basis.
  • Require two-factor authentication to access your internal company network.
  • Require employees to set up passwords with multiple characters (including numbers, letters, and symbols) and require that the passwords be routinely changed.
  • Maintain offline, encrypted backups of your data.
  • Regularly test your backups.
  • Create, maintain, and exercise a basic cyber-incident response plan, resiliency plan, and associated communications plan. The cyber-incident response plan should include response and notification procedures for ransomware incidents.
  • Mitigate internet-facing vulnerabilities and misconfigurations:
      • Employ best practices for use of Remote Desktop Protocol (RDP) and other remote desktop services;
      • Conduct regular vulnerability scanning;
      • Regularly update all operating systems and software, specifically antivirus and anti-malware software; and
      • Ensure that devices are properly configured and security features are enabled.
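Two of the items above, keeping offline encrypted backups and regularly testing them, are easy to state and easy to get wrong: a backup that exists but cannot be restored intact is no backup at all. The following Python script is an added example (not code from the newsletter, the FTC, CISA or OFAC) showing one concrete way to test a backup: record a SHA-256 manifest of the source data at backup time, then compare a restored copy against that manifest and report anything missing, corrupted or unexpected. The directory layout, file names and contents are constructed for the demonstration.

```python
"""
Backup restore test: build a SHA-256 manifest of a source tree, then verify a
restored tree against it. Added example with constructed sample data; the
paths and file contents below are not from any real system.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large backup sets need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    manifest = {}
    for entry in sorted(root.rglob("*")):
        if entry.is_file():
            manifest[entry.relative_to(root).as_posix()] = sha256_of(entry)
    return manifest


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest recorded at backup time.

    Reports files that are missing from the restore, files whose digest no
    longer matches (corrupted or truncated), and files present in the restore
    that were never in the manifest (unexpected). "ok" is True only when all
    three lists are empty.
    """
    missing, corrupted = [], []
    for rel, expected in manifest.items():
        candidate = restored_root / rel
        if not candidate.is_file():
            missing.append(rel)
        elif sha256_of(candidate) != expected:
            corrupted.append(rel)
    unexpected = sorted(set(build_manifest(restored_root)) - set(manifest))
    return {
        "missing": missing,
        "corrupted": corrupted,
        "unexpected": unexpected,
        "ok": not (missing or corrupted or unexpected),
    }


def demo() -> dict:
    """Constructed scenario: one clean restore and one damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "hr").mkdir(parents=True)
        (src / "hr" / "payroll.csv").write_text("id,name,salary\n1,Alice,50000\n")
        (src / "policies.txt").write_text("Long, unique passwords; MFA everywhere.\n")
        manifest = build_manifest(src)  # this is what you keep beside the backup

        # A clean restore is an exact copy of the source tree.
        good = Path(tmp) / "restore_good"
        shutil.copytree(src, good)

        # A damaged restore: payroll.csv truncated, policies.txt never restored.
        bad = Path(tmp) / "restore_bad"
        (bad / "hr").mkdir(parents=True)
        (bad / "hr" / "payroll.csv").write_text("id,name,salary\n")

        return {"clean": verify_restore(manifest, good),
                "damaged": verify_restore(manifest, bad)}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

In practice the manifest is written at backup time and stored with the offline copy (or, better, separately from it), and the restore test is run from the backup media onto a scratch machine, which is the only way to prove the encrypted, offline copy is actually usable. A scheduled job that runs `verify_restore` and alerts on `ok` being False turns "regularly test your backups" into something measurable.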

What Should We Do if Our Company is the Victim of a Ransomware Attack?
Cyber criminals are increasingly demanding cryptocurrency as payment in ransomware attacks. When considering how quickly data can be digitally shared, being able to decisively respond to an attack can be critical to minimizing damage. As a result, you need to have a plan in place to deal with a potential ransomware attack and know how you will respond should the worst-case scenario occur. If your company becomes the victim of a ransomware attack, the Cybersecurity and Infrastructure Security Agency (CISA) recommends taking the following steps:
  • Determine which systems were impacted and immediately isolate them.
  • If affected devices cannot be removed from the network (or if the network cannot be temporarily shut down), power infected devices down to avoid further spread of the ransomware infection.
  • Triage impacted systems for restoration and recovery.
  • Engage your internal and external stakeholders.
  • Consider retaining a third-party incident response provider with experience in data breaches.
  • Notify affected individuals.
  • Report the incident to CISA, your local FBI field office, the FBI Internet Crime Complaint Center, or your local U.S. Secret Service office as soon as possible.
  • You should also engage knowledgeable counsel early on to provide guidance during the initial investigation following a ransomware attack and advise on whether the ransomware attack has triggered any data breach notification obligations.

What Else is the Federal Government Doing to Combat this Rising Threat?
The White House’s use of OFAC sanctions is not the only measure being taken by the Biden administration to crack down on cyberattacks and ransomware crypto payments. In addition, it announced the creation of a ransomware task force in July that will coordinate offensive and defensive resistance measures against ransomware attacks. This effort will include evaluating how to stop payments from being made in cryptocurrencies and how tracing cryptocurrency payments can increase efforts to track attackers, offering rewards in the realm of $10 million to help identify ransomware attackers, launching cyberattacks on hacker gangs, partnering with businesses to better share information about attacks, and coordinating efforts with U.S. allies.
 
To that end, the White House just hosted over 30 countries for a virtual conference on October 13 focused on combating ransomware attacks. The country delegates in attendance agreed that ransomware attacks are more than a criminal act: they are a transnational security threat. The delegates discussed how they could fight back against cyber criminals and put pressure on the countries that harbor them. These efforts, in tandem with the OFAC’s sanctions program, are designed to stem the tide of ransomware attacks.
 
Conclusion
The likelihood that any given employer faces a ransomware attack grows by the day. In addition, the recent rise in many cryptocurrencies to all-time highs only increases the chances of cyber attackers targeting unprepared businesses in the hopes of making an easy score. It is imperative that you are prepared.
 
Employers must have a sufficient compliance program and robust defensive measures in place, as well as a plan for what to do if your company’s data is ever breached. This plan should include access to resources that can manage the cryptocurrency aspects of an attack, if any, steps to curb the attack, determine what data has been accessed, and the process for reporting the attack. Most importantly, employers should exercise caution before engaging with cybercriminals and facilitating ransomware payments. While it may be tempting to pay a ransom to quickly regain access to your company’s data (especially if it’s a relatively nominal amount), the end result could be far more costly if you become the subject of an OFAC enforcement action.
 
SOURCE: Vital Law HR Tracker, Expert Guidance, November 2, 2021. Authors: Fisher Phillips and Conor Harrington.
Hybrid Work: Expectations vs. Reality
Sometime back in March 2020, we all walked out of our offices and told our coworkers, “See you in about two weeks.” Then those two weeks of working from home turned into a month, a month into a year, and for some, remote work has turned into a permanent setup. Over the past year, habits and routines have changed. We surveyed 1,000 adults between the ages of 18 and 64 to better understand the expectations U.S. workers brought with them on their return to the office or into new hybrid work models, as well as the reality of these models.

Read on (Survey Results) to see how their expectations failed to match up with the reality of the rapidly changing business environment. 

From HR Daily Advisor
What Would You Like To See In A Future Issue?
Reflections on Social Security and Medicare – 2021 and Beyond
The Social Security and Medicare Boards of Trustees have issued their annual financial reviews of the programs. These reviews are presented as projections of possible future experience, based on assumptions regarding future economic and demographic trends.

The data and projections that were used for the 2021 Report include estimates of the effects of the COVID-19 pandemic and the ensuing recession. This resulted in moving the reserve depletion date from 2035 to 2034.

We have commented on the previous Trustees’ Report from 2018. This Report for 2021 reaches conclusions similar to those of that Report, specifically regarding the reserve depletion date referred to above.

However, the 2021 Report does not reflect the current economic and political environment that we are now experiencing in the U.S. and its potential for adversely affecting the economic health of the trust funds. These current conditions include:
1. Negative real wage growth. Inflation is currently greater than wage gains, which causes even more of a future imbalance between the trust fund payouts versus contribution inflow.
2. Potential massive tax increases, which will stifle productivity growth for the U.S. economy.
3. Potential large increases in energy costs, assuming the phase-out of fossil fuels.
4. Potential for worsening political divisions and resulting violence.

The above conditions are extremely serious and are not being addressed by our current Congress. Instead, the recently passed legislation is actually worsening the problems.

Taking the above conditions and possible developments into account, it will be interesting to see what the Trustees’ Report for 2022 says about the future of the program. Depending on what actually gets passed in Congress in 2021, the 2022 assumptions may become much more conservative, resulting in a grimmer prognosis.

The 2021 Report makes projections about what the increase in payroll tax rate would have to be in order to cover the 75-year trust fund deficit. This increase is 3.36 percent, resulting in an OASDI payroll tax of 15.76 percent. Note that this projection is based on the “Intermediate” set of assumptions, which includes the assumption that by the year 2056, the U.S. birth rate will return to 2 children per woman.

This fertility rate assumption is very important, probably the most important assumption used in the projections, because it is the basis for calculating the future ratios of active workers to beneficiaries. These ratios have been falling, from 16.5 in 1950 to 2.7 currently, which is not a level sufficient to keep the funds from shrinking to zero.

What has been the recent fertility rate level? The chart above shows the history from 1960 to current.

What happened in 1960 to cause such a massive decline? The answer is very simple – birth control. On May 9, 1960 the FDA approved the sale of birth control pills and the rest is history. It is probably unrealistic to assume that the fertility rate will ever return to 2 births per woman.

So, where does that leave the future of Social Security? When the structure of “Social Security” was being designed in the late 1930s, one of the basic foundations was to have the OASDI program completely self-funded through payroll taxes. No general revenue funding was contemplated. This principle has been followed to the current day, and Congress is not leaning towards changing it.

Therefore, with no safety net readily available, some obvious solutions involve possibly hefty payroll tax increases, or alternatively (or in addition), benefit cuts such as increasing the retirement age or scaling back the cost-of-living increases. Or will other solutions be presented, perhaps from the Congressional Research Service?

One thing is for sure – time is getting short.
Standard Mileage Rate for 2022
For 2022, standard mileage rates for the use of cars, vans, pickups or panel trucks will be:

  • 58.5 cents per mile driven for business use, up 2.5 cents from 2021. This ties the highest safe harbor rate the IRS has ever published, which was a midyear increase in July 2008.
  • 18 cents per mile driven for medical care and for moving purposes for active-duty members of the Armed Forces, up 2 cents from the rate for 2021.
  • 14 cents per mile driven in service of charitable organizations, which remains unchanged.
IRS Announces 2022 Retirement Plan Limits
All limits are based on the calendar year.
If you have not received our business card with these numbers printed on it and would like one, please let us know! We would be happy to mail you one (or a few to share!)
About MFYCO
  • Michael F. Yates & Company, Inc. can help you with a variety of services ranging from retirement plans to providing results-oriented survey instruments, training and development programs for your employees. Our products and services are intended to help you maximize the effectiveness of your Human Resources function.
  • These products and services incorporate our years of experience so that you receive rapid results and exceptional value. From onsite consulting, to strategic business integration, to Web enablement, we understand how Human Resources can be applied to solve your problems and achieve your goals. As a result, we can help you get the most out of your investment and turn your most precious resource into a competitive advantage.
  • We offer Consulting, Retirement Planning, Pension and 401(k) Plans (both qualified and non-qualified), Welfare Plans, Communications, Computer Systems, Executive Plans, Compensation, Mergers, Acquisitions, Divestitures and Other Services.
  • We offer a true and honest, Client Partnership.
Our staff and firm are proud members of the following professional organizations: 

Society of Actuaries

American Society of Pension Professionals & Actuaries

Society for Human Resource Management
(Sussex-Warren NJ Chapter)

GAPS (Global Association Pension Services)

WorldatWork

American Management Association

National Federation of Independent Business

Better Business Bureau
101 Belvidere Avenue
P.O. Box 7
Washington, NJ 07882-0007
908-689-4200

As always, any statements regarding federal tax law contained herein are not intended or written to be used, and cannot be used, for the purposes of avoiding penalties that may be imposed under federal tax law or to market any entity, investment plan or arrangement.