2016 BDO Technology RiskFactor Report
2016 BDO Technology RiskFactor Report
The 2016 BDO Technology RiskFactor Report examines the risk factors listed in the most recent annual shareholder reports of the 100 largest publicly traded U.S. technology companies by revenue. The risk factors were analyzed and ranked in order of frequency cited.
Technology in 2016: Slowing Down to Speed Up
Whether you choose to view the glass as half-empty or half-full, 2016 is a turning point for the industry. After an explosive six-year run-up, the technology industry has hit a speed bump as bellwether stocks falter on disappointing earnings reports and jittery investors. Recent tech IPOs have disappointed: 80 percent of tech companies that debuted in 2014 or 2015 are trading below their first-day closing price. But while the robust pace of growth of the last few years may be gone, industry growth has not ground to a halt. The tech sector overall has rallied after a rocky start to the year, recovering most of those early losses. U.S. venture funds raised a record $13 billion in Q1 2016, according to data from Dow Jones VentureWire—though both private and public investors are exhibiting more price consciousness. And although global M&A is down, the tech sector was a standout, totaling $100.3 billion in deal value, the second highest first quarter on record.
Whether you choose to view the glass as half-empty or half-full, 2016 is a turning point for the industry. According to our ninth annual Technology RiskFactor Report, three-quarters (76 percent) of the 100 largest U.S. public technology companies cite uncertain financial performance as a chief risk in their annual filings—up seven percentage points from last year. Growth is no longer a foregone conclusion, and today’s tech investor is far savvier and more selective. Tighter purse strings mean more competition to win limited investor dollars—and more pressure to seize the right opportunities and avoid making mistakes.
Cybersecurity Steals the Top Spot
Cybercrime is the dark underbelly of technology innovation; every instance of progress breeds new opportunity for exploitation. The tech industry creates more advanced cyber solutions, and hackers respond with more sophisticated attacks. Achieving perfect cybersecurity is mission impossible; preparing for the inevitable is best practice.
All 100 of the largest U.S. public technology companies cite risks related to cybersecurity in their 10-K filings, increasing by four percentage points year-over-year to tie for the number one spot. The tech industry accounts for just 2.6 percent of total reported data breach incidents since 2010, according to TrendMicro data, although it’s important to note that this excludes incidents where public disclosure isn’t required. Personally Identifiable Information (PII) is the most popular record type stolen, so it stands to reason that B2B technology companies would be less frequently targeted than consumer-facing industries like banking and healthcare. The per capita cost of a data breach in the tech industry is also on the lower end, averaging $127 compared to the overall mean of $154, data from the Ponemon Institute shows. However, BDO’s 2016 Technology CFO Outlook Study found that more than half (57 percent) of respondents increased spending on cybersecurity in 2015, corroborating the industry’s growing concerns about data privacy and security.
The true financial impact of a data breach goes far beyond the direct expenses of remediating the incident. Eighty-one percent of technology companies cite the ability to maintain operational infrastructure, including information technology, as a risk. A failure in security or a technical glitch that throws operations offline can erode trust and have lingering reputational impact, particularly in an industry like tech where data integrity and security are part of the organization’s value proposition.
Data breaches don’t necessarily hurt stock prices—historically, shares drop in the immediate aftermath of a security breach and then quickly bounce back—but the long-term reputational and legal consequences can have a heavy financial toll, particularly as regulators step up scrutiny of cyber preparedness. Fifty-one percent of companies specifically cite cyber regulations as a risk factor, reflecting not only the growing cyber threat but potential sanctions for inadequate defense measures.
In February, President Obama signed an executive order to put in place a Cybersecurity National Action Plan, creating a permanent Federal Privacy Council to implement more strategic and comprehensive federal privacy guidelines and increasing the Department of Justice’s cyber enforcement budget by more than 23 percent. In addition, the ongoing data encryption debate between the private sector and government has complicated how technology companies approach balancing data privacy with compliance. In late April, the U.S. Supreme Court announced a change to the Federal Rule of Criminal Procedures that allows federal judges to grant law enforcement warrants to search computers anywhere in the world—beyond the borders of their jurisdiction. Pending congressional approval, this rule change could broadly expand the government’s digital surveillance powers.
Regulators in the financial services and healthcare industries have also issued cybersecurity guidance that could impact tech companies with clients or vendors in those sectors. Ninety-two percent of technology companies mention risks related to suppliers, vendors, distributors and partners/alliances. While vendor risk extends far beyond cybersecurity, the majority of cyber crime is carried out via third parties. The risk for the tech industry is twofold:
technology companies often outsource a number of key business and operational functions that, lacking the proper oversight and controls, may be vulnerable endpoints in the network; and
many tech companies are also service providers to other user entities and, depending on contract terms, may be held liable or become embroiled in a lengthy and expensive data breach lawsuit.
“To compete in the global marketplace, modern enterprises have no choice but to leverage technology and information. It is now widely accepted that information and technology are critical corporate assets that must be protected.” She adds, “Complete cybersecurity is simply impossible; companies need to develop and practice a plan to deal with a cyber incident, before an incident occurs. In addition, it’s important for companies to consider the ways in which they can transfer cyber-related risks through insurance.” - Judy Selby, Managing Director in BDO Consulting’s Technology Advisory Services practice, in an interview with Legaltech News
“The technology industry gets to play the role of hero and villain in the world of cybersecurity. The advances we’ve seen in machine learning and threat intelligence is rightfully credited to innovation in the tech sector. At the same time, any cyber incident that occurs is the result of a vulnerability or flaw in technology. While the onus is partly on the user entity to implement the appropriate protocols and policies, the technology manufacturer or service provider does share in the blame—whether or not it’s warranted.” - Shahryar Shaghaghi, National Leader, Technology Advisory Services and Head of International BDO Cybersecurity
Policy Matters: Regulatory Concerns Share the Stage
Concerns related to federal, state or local regulations tied with cybersecurity as the most frequently cited risk factor this year, noted by all 100 companies analyzed. This aligns with our Technology Outlook Survey findings, in which tech CFOs ranked policy and tax changes as one of their biggest challenges in 2016.
With the U.S. election cycle in full swing, the policy landscape could be on the cusp of significant change. Regardless of the outcome in November, the new administration will reignite tax reform and policy discussions at every level of the government. Top of mind is the evolving cloud computing taxation landscape, with the states adopting inconsistent standards for taxing cloud-based transactions.
A new administration also raises questions about the future of government initiatives and spending plans. This year, 57 percent of technology companies cite the loss of government contracts, spending or incentives as a potential risk, up 10 percentage points from 2015.
In the interim, the regulatory environment continues to shift, creating new challenges for businesses in the technology industry. In April, the IRS and U.S. Treasury issued temporary regulations aimed at stymying corporate inversions, and so-called “earnings stripping” rules that would impact the economics of cross-border acquisitions of U.S. targets as well as hamper the ability of acquirers to internally leverage those transactions. Comcast’s bid for Time Warner failed as the result of tough antitrust and regulatory scrutiny, and amidst discussions concerning net neutrality. The tech industry appears concerned about the emergence of potential regulatory and compliance hurdles like these on future M&A activities. Ninety-eight percent of companies analyzed cite the management of current and future M&A and divestitures as a top risk.
Further complicating the tax policy landscape for tech, in October 2015 the Organisation for Economic Co-operation and Development (OECD) issued its long-awaited final recommendations to address tax base erosion and profit shifting (BEPS) by multinational enterprises. First introduced in July 2013, the 15-point action plan is designed to shape “fair, effective and efficient tax systems” and address issues arising from tax planning strategies that exploit gaps or mismatches in member countries’ tax rules. BEPS implementation “could also hasten structural change at some of the world’s biggest technology companies,” The Wall Street Journal reported. According to BDO’s 2016 Tax Outlook Survey, nearly half (48 percent) of U.S. tax directors say international tax planning, including BEPS, is their biggest tax issue for 2016.
“The continued budgetary squeeze and forced sequestration are putting pressure on the government to reduce spending on defense and military engagements, and the entire contracting landscape is evolving as the Department of Defense expands its regulatory requirements for acquiring goods and services. Contractors are facing heightened competition to get their hands on a more limited pool of contract bids in this Low Price Technically Acceptable (LPTA) world, yet more organizations continue to throw their hats in the ring for emerging contracting opportunities. Couple this mounting scrutiny on contract costs with the Defense Contract Audit Agency’s efforts to catch up on its audit backlog, and the contracting environment is rife with risk.” - Bob Craig, Managing Director with BDO’s Risk Advisory Services practice
“One of the reasons why [the technology industry] is at the forefront of some of the more advanced tax planning [activity] is because with technology, you can move your intellectual property from country to country relatively easily compared to moving plants and people. There seems to be some dissatisfaction that traditional transfer pricing rules can adequately tax technology companies.” - David Yasukochi, Partner and Leader of the Technology & Life Sciences Practice at BDO, in an interview with ThinkAdvisor
In the wake of heightened regulatory scrutiny and changing laws, 83 percent of technology companies cite accounting, internal controls and compliance risks in their filings. The Public Company Accounting Oversight Board (PCAOB) has stepped up its scrutiny on internal control procedures and testing, following a significant rise in tax and financial reporting control deficiencies over the last few years.
In addition, the Financial Accounting Standards Board has announced a number of Accounting Standard Updates that technology companies are in the early stages of implementing. Although the new revenue recognition standard was announced in 2014, 31 percent of tech CFOs are still trying to understand the changes, according to our Technology Outlook Survey.
”As companies outsource more of their critical business functions, they are seeking assurance from their technology partners on the adequacy of their internal controls. In highly regulated industries like financial services and healthcare, user entities are held accountable for the compliance—or noncompliance—of their vendor relationships. In the tech industry, Service Organization Control attestations are increasingly a staple of vendor requests for proposals and viewed as a competitive advantage.” - Binita Pradhan, Third-Party Attestation Practice Leader for BDO’s West Region
“Employee expectations for compensation and benefits have never been higher, particularly in the technology industry. Silicon Valley has made a name for itself—and earned its own TV show—for its creative job perks and unique workplace culture.” - Andrew Gibson, BDO’s Global Compensation and Benefits Practice Leader
Nearly all of the largest U.S. technology companies (98 percent) cite risks related to competition in their annual filings. The war for top tech talent continues to heat up as the industry faces an ongoing shortage of skilled tech workers and a tough hiring environment. Ninety-one percent of companies cite attracting and retaining key personnel as a risk factor, ranking as the eighth highest risk overall. Compounding these challenges, 75 percent cite labor concerns, including the rising cost of healthcare and employee benefit plans.
Competition to capture customer business and loyalty is also fiercer than ever, triggered by weak consumer and corporate IT spending. Gartner recently revised down its forecast for worldwide dollar-valued IT spending growth in 2016 to negative 0.5 percent, chiefly due to currency fluctuations; however, in constant-currency terms, growth is still forecast to be relatively flat. Sixty-one percent of companies cite loss of a major customer as a concern, up 17 percentage points from last year—the biggest change year over year in the top 25 risk factors tracked.
Ultimately, the tech industry is in the business of innovation, and, despite chatter about gadget fatigue and an overabundance of “me-too” innovation, the companies that thrive during times of uncertainty are those that continue to push the limits and pioneer new territory. Ninety percent of the companies assessed cite risks related to predicting customer demand and innovation. Speaking to innovation as a competitive differentiator, 50 percent cite risks related to entering into new markets and product diversification, up 14 percentage points year over year. Executing on innovation and speed to market also pose challenges, with 83 percent citing risks related to failure to effectively develop or market new products or services. However, the industry is cautious of sacrificing quality for speed, with 81 percent citing equipment failure and product liability.
“We’re seeing a shift in mindset as the industry responds to market volatility and more stringent rules and regulations. In this environment of uncertainty, companies are reassessing their risk tolerance, cutting down on unnecessary extravagances and buckling down on strategy. This will be a year that the tech industry slows down to speed up.” - Aftab Jamil, Partner and Leader of the Technology and Life Sciences Practice at BDO
Spotlight on BEPS
In an effort to address perceived emerging global tax issues in a coordinated and comprehensive manner, the G20 finance ministers called on the OECD to develop an action plan to equip countries with instruments that will better align tax with economic activity.
Some of these issues are often identified with multinational technology and life sciences companies. The “Base Erosion and Profit Shifting” (BEPS) initiative consists of 15 points, or “Action Items,” ultimately designed to provide guidelines for constituents to follow in addressing perceived inadequacies of traditional tax frameworks. While companies may be impacted by all elements of the BEPS recommendations, some of the Action Items that are of particular relevance to technology and life sciences companies include the following:
Addressing the Tax Challenges of the Digital Economy
Action Item 1 specifically addresses the digital economy which, to a large extent, is the genesis of the BEPS Project. In particular, the rise of “stateless income,” which prompted many countries to join in the OECD-led effort, is perceived to be directly related to the taxation of the digital economy. Final guidance on this Item includes revised definitions of nexus/permanent establishment, new transfer pricing rules that clarify that legal ownership alone does not necessarily generate rights to the returns generated by the exploitation of intangibles, and the strengthening of controlled foreign company (CFC) rules in order to prevent companies from avoiding home country tax on digital economy-related profits arising in CFCs.
Countering Harmful Tax Practices More Effectively, Taking into Account Transparency and Substance
Action Item 5 focuses on the need for a stronger definition of “substantial activity” in order for companies to benefit from a preferential tax regime. The substantial activity requirement as defined within the final report is in the context of Intellectual Property (IP) regimes, and is later applied to other non-IP regimes. To address the situation of artificially moving IP away from where value is created, the “nexus approach” was developed. This approach uses expenditures to determine where substantial activity takes place, and stipulates that a taxpayer can benefit from a favorable tax regime only if it incurs the qualifying research and development expenditures that generate IP income covered by the regime. This is anticipated to dissuade the use of preferential tax regimes selected as conduits for intangible property transactions based solely on their low or nil tax rates.
Aligning Transfer Pricing Outcomes with Value Creation
Released in a single report, Action Items 8 through 10 address transactions involving intangibles, risk and capital transfers between group entities, and other high-risk transactions. The proposed measures recommend the adoption of a broad and clearly delineated definition of intangibles, which will ensure that profits associated with the transfer and use of intangible property are appropriately allocated in accordance with value creation. They also outline transfer pricing rules or special measures to ensure that an entity does not accrue inappropriate returns solely based on contractually assumed risk or the provision of capital, which are critical principles underlying traditional tax planning structures. Finally, these items also address transactions that would not, or would rarely, occur between third parties, and attempt to clarify the re-characterization of transactions and the application of transfer pricing methods with respect to global value chains, as well as provide protection against common types of base‑eroding payments.
The ripple effect of the BEPS initiative is sure to have an impact on the tax planning activities of technology and life sciences companies in the coming years, as they wait to see what will manifest in the way of the establishment of new tax regimes across the globe.
Competition remains a top risk, but will collaboration be on the tip of the global tech industry’s tongue in 2016?
According to Fortune, “we are in the midst of a great convening of global tech powers, who are uniting to tackle this mobile-first, cloud-based, data-driven shift in the way large corporations operate.”
Indeed, innovation is driving more than rapid consolidation and “acqu-hiring;” it’s also driving global tech giants to work together. Apple and SAP, and Fiserv and Cisco are just a couple of examples of powerhouses joining forces to meet evolving international, customer and business needs.
Risks are also evolving for global tech companies. Among the 100 largest U.S. technology companies in our study, 68 operate in more than 15 countries, and for the first time, we analyzed their unique risks to uncover the growing challenges impacting tech companies with a large, multinational presence.
International Risks Peak
While the top risks (regulations and cybersecurity) are the same across all companies analyzed, threats to international operations and sales jumped to the third most-cited risk for global companies, compared to the fifth most-cited overall. When discussing international risks, global companies point to issues dealing with regulatory compliance across numerous markets, tariffs, currency exchange and their ability to protect their IP and operations. Nearly three-fourths of global companies also cite labor concerns, including challenges to managing a geographically dispersed workforce.
Emerging Markets in Focus
International tech companies also appear to be expanding faster than their peers, though their level of confidence depends on the market. While global companies cite risks related to expanding abroad at a similar level to the full sample, emerging markets present a bigger challenge. Sixty percent of global companies point to challenges entering a developing or emerging market this year, compared to 50 percent of companies overall. Still, there is ample opportunity for companies that have the technology, infrastructure and talent to meet the needs of emerging markets:
India: More than three-quarters of the global companies analyzed have operations in India, and for good reason. Gartner expects India to be the fastest growing IT market in 2016. Their technology and services market is poised to grow to $350 billion by 2025, according to a Nasscom-McKinsey report.
China: More than 75 percent of these global tech companies boast a presence in China. Spending on technology products and services in China is expected to reach $155.8 billion in 2016, according to Gartner. While some large tech companies have disagreed with Chinese policy, Zacks reports that Intel will invest $5.5 billion in its Dailan facility, and its capital arm is investing $67 million in Chinese tech startups.
Latin America: International tech companies remain interested in the promise of growth in Latin America. Roughly 70 percent of the global companies have operations in Brazil, while 65 percent have a presence in Mexico, just under half in Argentina, 40 percent in Colombia and 35 percent in Chile. Economic troubles have challenged both Brazil and Argentina, but The Wall Street Journal reported improved investor interest following government changes in both countries.
“India is on the cusp of becoming a global tech powerhouse. The pace of growth in IT and services is driving tech companies and investors to expand in India—increasing sales, operations and competition for skilled talent. But with growth come new risks and challenges.
Our national conversation over patents has drawn international attention as we look to spur, not stifle, further innovation.” - Deepak Rao, Partner at BDO India LLP
Global tech companies also remain committed to more mature markets. Seventy-two percent have operations in Canada. In Europe, top markets include the U.K. (76 percent), France (75 percent), Germany (75 percent), Italy (72 percent), Netherlands (68 percent), Spain (68 percent), Belgium (60 percent), Poland (57 percent) and Ireland (46 percent).
“Despite setbacks in a few markets, the pace of deal activity signals that the global tech industry is thriving. Tech companies are actively targeting new innovations and expanded market share. We expect 2016 will be marked by further consolidation and compelling merger and partnership opportunities.” - Jakob Sand, Leader of BDO’s Global Technology M&A practice
FCPA a Key Concern
As their footprint grows, compliance with the Foreign Corrupt Practices Act (FCPA) is also top of mind for global tech companies. Sixty-three percent cite concerns over their ability to comply with FCPA and other anti-corruption or bribery laws, compared to 58 percent of all tech companies in the study. In recent years, tech companies have racked up millions in FCPA legal costs and fines, and as global locations and third-party partners grow, potential exposures rise.
Regulators around the world have increased their focus on individual accountability, holding not just companies, but corporate officers, liable for corporate wrongdoing. In the United States, the Department of Justice has set the stage for more aggressive prosecution of individual perpetrators with the Yates Memo and the recently announced FCPA pilot program, encouraging broader civil enforcement and raising the threshold on what constitutes cooperation credit. Meanwhile, in the United Kingdom, the Serious Fraud Office entered into its first-ever deferred prosecution agreement last November, tied to charges of failure to prevent the bribery of foreign officials under Section 7 of The Bribery Act 2010.
“While the lean startup mentality embraced by the tech industry at large is often a boon for growth, the compliance function can end up underdeveloped as an organization matures. Technology’s reliance on third-party relationships is its Achilles’ heel when it comes to managing bribery risks, landing some of the biggest names in the industry in hot water. Every company doing business overseas needs to take a fresh look at their internal controls, address any gaps in oversight and due diligence, and have a plan of action in place should a violation occur.” - Glenn Pomerantz, BDO Global Forensics Practice Leader
Global Strategy Adds Complexity
The stakes are high in the global tech industry; one wrong step can lead to an exited market or a lower valuation, and one smart move could mean a blockbuster collaboration or new product. Corporate strategy success has been a growing risk in the tech industry and is especially top of mind for international companies, which must navigate diverse market, customer and investor needs. A larger majority of global tech companies (88 percent) cite risks related to the success of their business strategy, compared to 84 percent of companies overall.
Nine out of ten global tech companies also note reliance on their top executives and their ability to attract and retain key personnel as a risk this year. The right leaders are critical for international companies who need strong local leadership and market knowledge in addition to executives with experience developing strategy for and managing multinational organizations. And competition for talent has never been fiercer. According to executive recruiter Korn/Ferry International, for example, roughly one-third of semiconductor companies changed CFOs in the last 12 months.
Navigating Cross-Border Cyber Issues
While all companies analyzed cite cybersecurity as a top risk, global tech companies with operations in the EU face unique challenges. In October 2015, the European Court of Justice (CJEU) invalidated the 15-year-old U.S.-EU Safe Harbor framework that thousands of companies use as their legal safeguard to manage transatlantic data transfers. A new framework, the EU-U.S. Privacy Shield, is under discussion but may ultimately fall through.
At the same time, the European Parliament voted to approve the General Data Protection Regulation, which applies new data protection laws to any company operating anywhere in the EU, set to go into effect in April 2018. The laws include the “right to be forgotten,” allowing individuals to request that their online accounts and all data associated with them be deleted.
In the absence of a clear regulatory framework for cross-border data transfers, global tech companies are operating in a state of limbo. Some major cloud providers, such as Amazon and Microsoft, have opened new international data centers to house data closer to their end customers to help mitigate data transfer risks. In the interim, most tech companies will need to put alternative legal mechanisms in place.
While the tech industry grapples with the risks inherent to a global footprint, the opportunity for growth has recently outpaced those concerns. However, 2016 may prove a slower year for growth. According to Gartner, global IT spending fell by close to 6 percent in 2015 amid a strong dollar. Currency fluctuations have also recently led the research firm to revise its forecast for 2016 to a 0.5 percent net decline.
These headwinds, coupled with some pullback in optimism around select BRIC markets, may lead some global tech companies to rethink strategy for 2016 and beyond. Partnerships and collaborations may continue to rise as companies explore ways to grow and enter new regions with less exposure to risk.