Impact of IR35 on cyber security departments

Cyber security departments are particularly contractor heavy due thier large change programmes and niche skill requirements. It is therfore likely they will be hit singularly hard by the upcoming IR35 reforms.

This article reviews the key impacts those reforms had on the public sector in 2017, and recommends steps that CISOs can take now to successfully manage them.

76% of projects and departments in the public sector lost contractors due to the IR35 reforms.

The exodus wasn’t simply an issue of pay.  Contractors were concerned that if their engagements were determined inside IR35, or turned into permanent roles, this would lead to retrospective tax reviews and liabilities. The easiest way to minimise this risk was to move to new engagements.

71% of projects in the public sector were delayed as a direct result of the IR35 reforms.

Now is the time for CISOs to identify projects that rely on contractors and take concrete action.  Build extra contingency into project plans, identify where there may be additional cross dependencies, and communicate changed timelines to project sponsors and other stakeholders.

The public sector IR35 changes led to significant cost increases with 42% of contractors raising their rates to counter the impact of being caught within IR35.

Expect project resource costs to increase between 10% and 20% regardless of how your organisation addresses the IR35 reforms, and ensure this is budgeted  into financial forecasts.

94% of contractors stated in a recent survey that they would that avoid contracts that placed them 'inside IR35’ with 23% stating that they would stop contract work altogether.

Contractors will have three choices come April 2020 - find a contract that falls outside of IR35, increase rates to balance the cost of being inside IR35 or take up a permanent position.  Quite possibly some contractors will do all three in a short space of time as the market stabilises.

Whatever they choose, this will lead to disruption and delays in engaging specialised resource, and a period of uncertainty.

Whilst this is mainly an HR issue, CISOs should be aware of the extra administrative burden the IR35 reforms will bring:

Many public sector organisations introduced blanket policies to avoide allocating time, money and resource to the new rules.  However this is not recommended for organisations which require a flexible workforce.