Browser Not Supported

This website is enhanced for viewing with modern browsers such as Chrome, Firefox, and Edge. Unfortunately Internet Explorer is not currently supported.

For a better browsing experience please return to on another browser, or on your phone or tablet.

Sending email...

Loading downloads page

IR35: 5 Things you must do now

for your Cyber Security Programs

The clock is ticking

In April 2020 the IR35 tax avoidance reforms extend to the private sector.

The implication of this is that it will be your business – not your contractor – that will be liable for the entire tax shortfall if you are found by HMRC not to be IR35 compliant.

The cyber security industry carries an incredibly large number of skilled contractors, working on the rich variety of ongoing cyber projects necessary to stay ahead of the game. Other sectors will find it easier to attract suppliers into permanent roles, but cyber security specialists know that they have niche skills that are in short supply and are increasingly in demand.

Therefore, it’s incredibly important that you act now to avoid negative impacts to your organisation’s cyber security projects and programs.

Countdown to IR35:

1. Carry out an initial audit

Know who is working for you, where they are working and why. Add in your requirements for 2020 (i.e. projects that require specialist resource). Remember that many of your cyber security specialists will be in a supply chain, which ultimately you will now be responsible for.

2. Assess your options

Making IR35 Status Determinations

If you decide that your organisation will make the necessary IR35 status determinations from April, put the framework for this together now. Firstly, you will need to secure and train the resource to make the determinations. Following this, you will need to manage the ongoing IR35 compliance for each of your contractors, whether they are inside IR35 or off-payroll workers (outside IR35).

The Consultancy Solution

Engage a cyber security consultancy that you can work with to meet your project requirements through using their services and in doing so, remain compliant with IR35.

Permanent Recruitment

If you are going to ask contractors to become permanent staff, think carefully about these policies and their impacts, and create a communications plan. You will need to consider the likelihood of cyber security specialists being attracted to work “in-house”, agree and set suitable salaries and manage the timescales for recruitment.

3. Secure additional budget

The lessons learned from the introduction of these rules into the public sector in 2017 has proven that no matter which option you choose, you are going to need more money to complete your cyber security projects. 45 % of all public sector services have reported an increase in costs due to the implementation of the new IR35 rules. Many reports are available that describe in more detail the increased costs, scarcity of talent and delays to projects the public sector experienced.

4. Communicate with your clients and suppliers

A recent survey has found that less than 10% of contractors have been contacted by the organisations they supply, to discuss the impending IR35 rules. Nervous contractors are much more likely to look for a new position, so you need to create a detailed communications plan to ensure all stakeholders are informed of IR35 updates, its potential impact and the benefits of the action you will be taking.

5. Implement your plans

Making IR35 Status Determinations

To do this you must have internal resources trained and in place quickly. We estimate approximately 10 status determination statements can be processed per working day by trained staff. You may also want a third party to check these prior to release.

Following this, you must ensure the entire supply-chain has received the determination and put in place a process to deal with any contests to the decisions. Thereafter, your organisation needs to manage the IR35 compliance with each contract renewal and every new contract.

If you find current contractors that are “inside” IR35 they will need to change their business set-up to use umbrella companies and become PAYE workers. You will need to secure an increased budget for rate rises of between 20-30%, to cover the new taxes the contractors will be paying. Be prepared for the loss of many of your current contractors. There are two reasons for this: either they want to remain outside of IR35, or they are concerned that remaining in their role could open them up to a retrospective review by the HMRC.

The Consultancy Solution

If this is not feasible for your business, act quickly to call in a cyber security consultancy.

Nicolson Bray are adept at working with clients on their cyber security programs and will work with you to keep momentum, whilst providing the specialist skills you need. By using a consultancy, your organisation is not liable to provide status determinations following the IR35 reforms. Nicolson Bray provide you with cyber security services and we are responsible for all the supply chain risks associated with the IR35 changes.

As a small, specialised consultancy Nicolson Bray provides further assurance of IR35 compliance because small businesses are exempt from the new rules. This can further assure you that in using our services you are meeting the new IR35 rule requirements, without needing to do anything further.

Permanent Recruitment

If you decide to try to move your contractors into permanent roles, you need to begin consultations with each of them immediately. You will also need to initiate discussions internally to negotiate sufficiently high permanent salaries and plan your projects around the time it is likely to take to onboard the people that you require.

It takes on average 3 to 6 months to fill a cyber security role and for niche roles it can be extremely difficult to find people. This is because the cyber security workforce skills gap is enormous – with 65% of organisations reporting a serious shortage of cyber security professionals.

Permanent employment of your current contractors will be difficult, as many are worried about HMRC using the offer of permanent employment as evidence of previous “disguised employment” and demanding tax retrospectively.

From the 11th January 2020, there are only 60 working days until the IR35 reforms come into effect. Don’t wait for the Government review - now is the time to get your house in order and enable your business to rise to the challenges ahead.

If you would like to discuss how we can ensure IR35 compliance for your cybersecurity projects, please get in touch.

We provide efficient, expert consultancy services at a cost similar to that of hiring contractors and are both more agile and less expensive than the larger, less specialised consulting firms.