How the UK's IR35 tax rules affect interim and virtual CISOs

The delayed UK tax rules mean interim CISO positions are becoming less common, and both interims and vCISOs will raise their rates to offset higher taxes.


Though its introduction to the private sector was delayed due to COVID-19, the UK’s incoming IR35 tax laws could have a large impact on interim CISOs, vCISOs, and the organisations that engage with them. Contracted security leaders offer a way for organisations to achieve short-term goals including temporarily filling vacant positions, standing up a cybersecurity function for the first time, or helping deal with an incident.

“We would expect the interim CISO market to shrink somewhat due to the effects of IR35 and the fact that more businesses are moving towards appointing a CISO on a permanent basis,” says James Walsh, head of security practice at Harvey Nash. “However, we would expect the market for vCISOs to maintain or even increase — as businesses value the fluid and flexible access to expertise such an arrangement can give them.”

What is IR35 and how does it affect contractors and companies?

The updated IR35 tax law is aimed at combating tax avoidance by “disguised workers”: people who supply their services to clients through an intermediary such as a limited company but who would be employees if that intermediary were not used. The update requires businesses to understand the roles and responsibilities of every contract worker in the company and determine contractors' tax status.

The rules mean that contractors deemed to fall within IR35 requirements will pay increased tax. Contractors inside IR35 would be subject to pay-as-you-earn (PAYE) tax, be required to pay national insurance and income tax, and could see income reduced by as much as 30% without the additional benefits of fully-employed work such as paid annual leave or sick pay. Failure to comply can result in penalties where the business covers the unpaid tax, late payment fines and interest.

Already in force in the public sector since 2017, the updated IR35 rules were due to come into force in the private sector in April 2020. Due to COVID-19, the date was pushed back until April 2021. IR35’s introduction has been controversial, with many organisations saying it is unfair to contractors, who will be taxed both as an employee and in a self-employed manner, and that it adds greater complexity for organisations.

“The implementation of IR35 will see contractors pushing their rates up to cover their additional costs and potentially see the best people moving overseas to take up jobs where this legislation doesn’t apply,” Mark Dexter, CEO of KDR Recruitment, said shortly before the rules were due to come into force earlier this year.

According to Harvey Nash’s 2019 IR35 study, 17% of contractors planned on raising their rates to cover the increased tax burden, while 20% of businesses said they were considering cutting the use of contractors completely. The survey suggested that 10% of contractors would be seeking permanent employment positions, while 6% would be looking for contracted positions abroad.

“Pre-COVID, my response would have been that rates would have to increase drastically,” says Harvey Nash’s Walsh. “Now that COVID has happened, I still believe rates will need to increase, but not by nearly as much. It is more of an employer’s market now.”

Organisations are decreasing contractor engagements

Scott West, managing consultant at Acumin Consulting, tells CSO that the interim market was definitely affected by the planned introduction of IR35. “Companies prepared themselves for IR35 taking effect in April this year, and the interim CISO market took a bit of a hit on that because a lot of roles were determined to be inside of IR35,” he says.

West says that many organisations are taking a cautious approach and likely to be deeming most people inside IR35 because they don't want any liabilities. Large companies including Vodafone, GSK, Barclays, Deutsche Bank and National Grid have all cut back on their use of contractors, especially those using personal service companies, to avoid potential infringement.

“Most organisations will take the view that if someone is an incumbent and they're in a managerial and operational role and that they're directing a function, which naturally a CISO would do, then they will generally fall foul of the IR35 regulations. If a CISO is in there providing ad hoc consultancy, then that probably won't affect that person.”

Harvey Nash’s Walsh acknowledges that IR35 can create extra challenges for firms, primarily around the process to determine whether a position falls inside or outside its scope. “This [determination] frequently gets passed by the business to HR, but in fact is often almost a legal question. So, it can be challenging for businesses to formulate the best approach to this. We are seeing an increase in statements of work (SOW) as positions become more outcome- and deliverables-based so that they are more obviously interim rather than open-ended.”

IR35 sees interims seeking permanent roles or changing engagements

The knock-on effect of that is that interim CSOs are looking for permanent positions or they are more reluctant to take on full-time, long-term contracting roles that they would have accepted previously. “If you're taking a five-day-a-week, six- or 12-month contract, then you're probably going to get caught,” says West. “Whereas, if you're taking an ad hoc contract which are one or two days a week in terms of advisory capacity on an ongoing basis, then that's probably where that market is heading.”

“A CISO providing ad hoc consultancy one to two days a week is not going to be able to manage and really drive that function forward,” West adds. “They can probably provide really good advice and maybe coaching or mentoring.”

Experts at Harvey Nash say that while COVID-19 and the delay of IR35 coming into the private sector softened the impact on the interim market, the potentially difficult economic situations that will follow mean companies may be less willing to take on permanent roles and still be willing to invest in interim security positions.

“What we saw out of the financial crisis in 2008 was a growth in the reliance on contractors; companies went to the contingent workforce to provide the agility, capability and capacity without taking the permanent headcount and risks associated,” says Will Jones, director of workforce solutions at Harvey Nash. “Companies will typically not want to invest heavily in permanent headcount due to the risks of potentially returning into a downturn through additional COVID spikes. Therefore, the flexible labour market should increase if companies need to pivot, or digitally transform their businesses which of course interim CIOs and CISOs will be crucial to achieving.”

Walsh said that while COVID-19 has compounded the issue for interims looking to move into more permanent roles, the increased focus and demand for security expertise in the wake of the pandemic means those looking for roles – especially vCISOs who are less likely to fall under IR35 – won’t be short of work. “There is a movement towards interims and especially vCISOs having more multiple engagements as this can be a differentiator for IR35 determinations,” he says. “vCISOs are tending to keep to their existing model therefore rather than look for a permanent role.”

The potential issue for interims looking for permanent positions is that amid a large pool of potential recruits, organisations may be reluctant to hire executives known for their interim work for permanent roles in the fear they may leave quickly if a more appealing contract presents itself. “We've seen in seasoned contractors wanting to go permanent and reservations from the hiring manager saying he or she only wants to go permanent because the contract market is a little bit tough at the moment and as soon as it picks back up they're gone,” says Owanate Bestman, director at Bestman Solutions. 

Richard Brinson, CEO of cybersecurity consultancy Savanti, says that he has noticed a reluctance from some clients to use its associates (freelancers the firm hires out to clients) for interim CISO work or other consulting engagement. “We have had a number of clients state they would only use our services if all consultants on an engagement were fully PAYE and no sub-contracting. We’ve had to sign attestations to this effect,” he says.

“Even though the government focus has moved on for now, some of our private sector clients are very worried about retrospective fines applied to laws not yet in force,” Brinson adds. “There is a feeling that when the government tries to raise tax revenues aggressively, they will come after private sector companies saying something like, ‘You should have known this was coming and had plenty of time to do something about it.’”

Security impact of not preparing for IR35 now

Walsh explains that it became more difficult for the public sector to compete for the best talent after the new rules came into force in 2017. “Seasoned interims were very wary of accepting roles that fell within the IR35 determination,” he says. “They tended to avoid such opportunities, focusing almost exclusively on the private sector instead. For organisations, it also meant that they had to increase rates to be competitive – although even with this uplift, contractors would still be likely to take home less than they did before the changes came in.”

As well as increased costs and less accessible talent, a 2017 survey by ContractorCalculator found that many public sector projects faced challenges within four months of the IR35 changes. Twenty-four percent of projects lost at least half of their contractor workforce and 38% of contractors couldn’t be replaced. Thirty-seven percent of those who abandoned the public sector were IT contractors, leading to 79% of IT projects suffering delays.

Jones adds that public sector organisations that took the time to prepare and adapt their working practices effectively remained competitive. “The idea here isn’t to say all roles will be outside of IR35. IR35 needs the right governance, processes, compliance and management, but if done well you can still engage with contractors both inside or outside of IR35. Our advice is to assess every role independently and make an IR35 determination on its own merits taking account of the key factors. If you get a good view on this, you can then make an accurate IR35 assessment.”

Copyright © 2020 IDG Communications, Inc.
