Five ways IR35 will impact cyber security departments

5 impacts CISOS should be aware of

Cyber security departments are particularly contractor heavy due thier large change programmes and niche skill requirements. It is therfore likely they will be hit singularly hard by the upcoming IR35 reforms.

This article reviews the key impacts those reforms had on the public sector in 2017, and recommends steps that CISOs can take now to successfully manage them.

Loss of current contractors

76% of projects and departments in the public sector lost contractors due to the IR35 reforms.

The exodus wasn’t simply an issue of pay.  Contractors were concerned that if their engagements were determined inside IR35, or turned into permanent roles, this would lead to retrospective tax reviews and liabilities. The easiest way to minimise this risk was to move to new engagements.

Project Delays

71% of projects in the public sector were delayed as a direct result of the IR35 reforms.

Now is the time for CISOs to identify projects that rely on contractors and take concrete action.  Build extra contingency into project plans, identify where there may be additional cross dependencies, and communicate changed timelines to project sponsors and other stakeholders.

Increased Costs

The public sector IR35 changes led to significant cost increases with 42% of contractors raising their rates to counter the impact of being caught within IR35.

Expect project resource costs to increase between 10% and 20% regardless of how your organisation addresses the IR35 reforms, and ensure this is budgeted  into financial forecasts.

Scarcity of Skilled Workers

94% of contractors stated in a recent survey that they would that avoid contracts that placed them 'inside IR35’ with 23% stating that they would stop contract work altogether.

Contractors will have three choices come April 2020 - find a contract that falls outside of IR35, increase rates to balance the cost of being inside IR35 or take up a permanent position.  Quite possibly some contractors will do all three in a short space of time as the market stabilises.

Whatever they choose, this will lead to disruption and delays in engaging specialised resource, and a period of uncertainty.

Increased Administrative burden

Whilst this is mainly an HR issue, CISOs should be aware of the extra administrative burden the IR35 reforms will bring:

  • Identifying contractors used both internally and in the supply chain
  • Training HR staff to make IR35 status determinations
  • Identifying and making adjustments to working practices and IT systems
  • Ongoing management of IR35 status determinations, statements and the disputes process

What can CISOs do now?

Many public sector organisations introduced blanket policies to avoide allocating time, money and resource to the new rules.  However this is not recommended for organisations which require a flexible workforce.

Published on

Bob Nicolson | Head of Consultancy

bob.nicolson@nicolsonbray.com