California Vaping Executive Order: The Bad (and Good) News for Cannabis Businesses

by Linda Hurley, Assurance Partner and Leader of the MGO | ELLO Alliance Governance, Risk and Compliance Advisory Practice. 

On September 16th, California Governor Gavin Newsom issued Executive Order N-18-9, the first state-wide effort to address emerging issues related to e-cigarette and cannabis vape use. The move by Gov. Newsom follows a report issued by the CDC earlier this month linking a number of deaths and other severe health concerns to vaping and e-cigarette use.

Breaking down Gov. Newsom’s Executive Order

The California Executive Order opens with a bulleted list of facts and assumptions related to the growing use of vaping devices in California. Following are some of the more interesting points related to the cannabis industry (paraphrased from the executive order):

  • Vaping devices are the most commonly used tobacco product in California;
  • 80 percent of high school-aged tobacco users vape;
  • In 2018, 10.9% of high school students reported using e-cigarettes, and 14.7% reported using cannabis (ed: no detail provided on whether they vaped cannabis);
  • There are no manufacturing standards for non-cannabis vape products;
  • A clinical syndrome has emerged that connects respiratory failure to the use of illegally obtained cannabis products; the cause of the syndrome remains unknown.

The Executive Order goes on to list Gov. Newsom’s multi-point plan to address the emerging vape issue. Key points include (paraphrased from the executive order):

  • The California Department of Public Health (CDPH) is ordered to create recommendations for reducing the use of vape products by persons under the age of 21. Those recommendations should include health warnings for packaging and retail locations, increased enforcement of illegal vape sales, and establishing standards for measuring levels of nicotine and incorporating it into the calculation of taxes on vape products. Due 10/14/19
  • CDPH to allocate $20 million in funding to educational campaigns on the risks of vaping.
  • The California Department of Tax and Fee Administration (CDTFA) is ordered to provide recommendations for cracking down on the sale and use of illegal vaping products, particularly among under-age users. Due 10/29/19

The Bad News for Cannabis Companies

In the weeks following the CDC report on the dangers of vaping, a media firestorm has emerged with more reports of vaping-related deaths and illnesses. The negative media attention on vaping will almost certainly produce a public backlash, which could negatively affect sales numbers for e-cigarettes, and to a lesser extent for cannabis vaping products and oils. Further legislation is almost certainly in the works across the nation. Flavored e-cigarettes have already been banned (via Executive Order) in Michigan, and similar measures are in the works for New York State and the city of Chicago.

As a result, sales forecasts and valuations for cannabis companies manufacturing or selling vape products, cartridges, and oils should account for a potential dip in public demand and limits on access in coming months.

The biggest concern for the cannabis industry is that cannabis vaping gets lumped in with the dangers of e-cigarette use, despite cannabis products having no nicotine or the other toxic chemicals associated with cigarette use. To date, none of the reported illnesses or deaths have been conclusively connected to legally produced cannabis vape products (although in one case of death in Oregon, a cannabis vape product is being investigated as a possible cause). The lingering issue is that “bad actor” illegal cannabis producers could be producing toxic, unregulated products that put the entire industry in the sights of lawmakers and regulators.

A nearly guaranteed outcome is that lawmakers and regulators will increase the oversight of legal cannabis producers. Further manufacturing, testing, packaging and marketing laws are likely to result, increasing the regulatory burden for cannabis companies based in California and throughout the US.

The “Good” News for the Cannabis Industry

While the initial takeaway is that laws and executive orders designed to curb vape use will have a number of negative business impacts on the cannabis industry, there is a silver lining for legally operating and compliant cannabis businesses.

  1. The Focus is on E-Cigarettes – As alluded to above, health officials, lawmakers and regulators are primarily focused on the widespread use of e-cigarettes, focusing especially on under-age use and the marketing of flavored oils (perceived as targeting young users).
  2. Legally Compliant Cannabis Companies May Have Less to Worry About – Similar to the previous point, health officials and other investigators are focusing on illegally purchased vape products and e-cigarette products produced in a largely un-regulated environment. Cannabis companies fully compliant with state regulations, which include laws governing manufacturing, testing, packaging and selling cannabis products, are not currently the primary target of investigations. This could, in fact, present an opportunity for compliant companies to differentiate themselves and market the testing and quality control procedures their products undergo before hitting the market.
  3. Vaping is Just One of Many Cannabis Consumption Methods – While vaping cannabis has become increasingly popular in recent years, a number of other consumption methods are also gaining widespread use. Edibles, tinctures, and topicals are fast-growing cannabis products that are defining new markets. Cannabis companies with diverse product lines may want to consider a strategic pivot away from vaping products in the interim and focus on less “stigmatized” products.

The Science is Still Out

The ultimate take-away from the CDC’s report and subsequent investigations is that no direct causal relationship between vaping and potentially deadly respiratory illnesses has been proven. The CDC is advising the public against vaping until the science is clear, and cracking down on illegally produced and unregulated vaping products is a common-sense step for public safety.

Cannabis companies and investors need not panic (yet) on the fate of cannabis vaping. We are certain to see changes in the coming months, especially in regard to regulations for manufacturing, marketing and selling vape products, but compliant companies have little to worry about in the near-term as long as they continue to update controls and follow regulations.

Cybersecurity Culture: Empowering Your Employees

by Joshua Silberman, IT / Cyber Security Consultant, MGO Technology Group

Are your employees comfortable telling leadership about a potential problem at your company? Now ask yourself, are they comfortable telling leadership about a potential mistake? A large number of today’s cyber-breaches begin as the result of an innocent mistake by an employee. It might be sharing a password over an unprotected medium, a nefarious actor grabbing a picture of an employee’s laptop screen while they are working in public, or, as is most common, an employee clicking on an innocuous-looking link in a phishing email. What many employers may not realize is that employees’ common sense regarding breaches is actually pretty good. At the very least they will suspect that something is amiss, which could be the first step in detecting a potential breach. Empowering your employees to actively look for, and report on, potential breaches goes a long way toward helping your organization build a strong cyber security culture.

Creating A Positive Cyber Security Culture

The first step is to educate your employees on what to look out for when it comes to cyber and information risk. Many firms employ some form of basic cyber-security training, mostly at the time of on-boarding, but training usually ends there. Cyber security is an ever-shifting landscape where threats are always evolving. This is why it is important for firms to enact a year-round cyber security awareness program based around employee activities. A good employee-based cyber security awareness program will be light on technical jargon and focused on highlighting the vulnerabilities of the processes and systems that all employees use in their day-to-day work, such as instant messaging, answering e-mails, browsing the web, and sending documents through authorized and unauthorized means of file sharing. There is no great need to get into the technical details of how an attack might happen; rather, acknowledge that the danger is out there and focus on what employees can do to look out for potential dangers, such as noticing strange URLs and suspicious e-mail attachments from unrecognized senders. Consistently educating employees on current cyber threats and methods will give them the tools to identify a threat and be proactive in helping your company stop it.

Encouraging Active Breach and Threat Reporting

Training employees to spot the dangers is only half the battle. The other half is generating an effective reporting culture. No cyber security strategy is complete without a good cyber security reporting culture that puts a premium on reporting potential breaches. Here are a few suggestions to create a positive culture of reporting:

Have the team that provides your first-level IT support lead the awareness/education sessions, as they will most likely also be the first point of contact for reporting potential breaches. The sessions can be developed by an outside consultant or an internal cyber security professional, but building a rapport between those who should be reporting an incident and that first point of contact gives your employees the comfort of knowing they are reporting the issue to the right group in the correct way.

In training, the IT support staff should make clear that reporting a threat is NOT a burden and that employees should err on the side of caution. If an employee receives an e-mail they find suspect they should not hesitate to contact their IT department through the designated reporting means.

Everyone in the organization must know and believe that the consequences of reporting a potential mistake will not be dire. Beyond feeling comfortable reporting suspicious activities, employees must also feel comfortable reporting suspicious behavior that might be a direct result of their own actions. If an employee feels that admitting a mistake will be detrimental to their career, they will keep quiet and a potential breach could go unnoticed. Admittedly, this strategy carries some risk, as you do not want certain behaviors to be consequence-free. However, the scope of the consequence must be weighed against the actual action.

For example, an employee need not be officially reprimanded for admitting to clicking on a suspicious link and reporting it, but it would be prudent for the IT support staff to point out what could have been done differently to avoid the infraction. If the employee becomes a repeat offender, then a more official process might be warranted. Until then, simply pointing out the issue should be enough to change behavior while maintaining a culture where employees are not fearful of bringing an issue forward.

Strong and Proactive Cyber Security Culture Starts at the Top

When setting the company’s cyber security policy, upper management must keep an eye toward the baseline employees who perform the day-to-day actions of the company. Clear signals about saying something if you think something is wrong can go a long way toward changing your company culture. Having a strong IT or cyber security group is simply not enough when your own staff could unknowingly be your cyber Achilles’ heel. There is a saying in cyber security that “every employee is a potential vulnerability.” However, if trained and leveraged correctly, your employees can also act as another safeguard, actively working to protect your information technology environment.

If you have any questions or would like support developing and implementing an effective cyber security program, reach out to the MGO Technology Group for a consultation.

The Real Oversight is NOT Having an Audit Committee

Everything Changes, Except When It Doesn’t

Time and time again we’ve seen reactions to various accounting scandals, after which new policies, procedures, and legislation are created and implemented. An example of this is the Sarbanes-Oxley Act (SOX) of 2002, which was a direct result of the accounting scandals at Enron, WorldCom, Global Crossing, Tyco, and Arthur Andersen.

SOX was established to provide additional auditing and financial regulations for publicly held companies to address the failures in corporate governance. Primarily it sets forth a requirement that the governing board, through the use of an audit committee, fulfill its corporate governance and oversight responsibilities for financial reporting by implementing a system that includes internal controls, risk management, and internal and external audit functions.

Governments experience challenges and oversight responsibility similar to those encountered by corporate America. Governance risks can be mitigated by applying the provisions of SOX to the public sector.

Some states and local governments have adopted similar requirements to SOX but, unfortunately, in many cases only after cataclysmic events have already taken place. In California, we only need to look back at the bankruptcy of Orange County and the securities fraud investigation surrounding the City of San Diego as examples of audit committees that were established in response to a breakdown in governance.

Taking Your Audit Committee on the Right Mission

Governments typically establish audit committees for a number of reasons, which include addressing the risk of fraud, improving audit capabilities, strengthening internal controls, and using it as a tool that increases accountability and transparency. As a result, the mission of the audit committee often includes responsibility for:

  • Oversight of the external audit.
  • Oversight of the internal audit function.
  • Oversight for internal controls and risk management.

Chart(er) Your Course

Most successful audit committees are created by a formal mandate by the governing board and, in some cases, a voter-approved charter. Mandates establish the mission of the committee and define the responsibilities and activities that the audit committee is expected to accomplish. A wide variety of items can be included in the mandate.

Creating the governing board’s resolution is the first step on the road to your audit committee’s success.

Follow the Leader(ship)

In practice we see a combination of these attributes, ranging from the full board acting as the audit committee, committees with one or more independent outsiders appointed by the board, and/or members from management and combinations of all of the above. While there are advantages and disadvantages for all of these approaches, each government needs to evaluate how to work within their own governance structure to best arrive at the most workable solution.

Strike the Right Balance Between Cost and Risk

The overriding responsibility of the audit committee is to perform its oversight duties related to the significant risks associated with the financial reporting and operational results of the government. This is followed closely by the need to work with management, internal auditors and the external auditors in identifying and implementing the appropriate internal controls that will reduce those risks to an acceptable level. Since establishing and enforcing a level of zero risk tolerance is cost prohibitive, the audit committee should be looking for the proper balance between cost and a reduced level of risk.

Engage Your Audit Committee With Regular Meetings

Depending on the complexity and activity levels of the government, the audit committee should meet at least three times a year. In larger governments, with robust systems and reporting, it’s a good practice to call for monthly meetings with the ability to add special purpose meetings as needed. These meetings should address the following:

External Auditors

  • Confirmation of the annual financial statement and compliance audit, including scope and timing.
  • Ad hoc reporting on issues where potential fraud or abuse have been identified.
  • Receipt and review of the final financial statements and auditor’s reports:
    • Opinion on the financial statements and compliance audit;
    • Internal controls over financial reporting and grants; and
    • Violations of laws and regulations.

Internal Auditors

  • Review of updated risk assessments over identified areas of risk.
  • Review of annual audit plan, including status of the prior year’s efforts.
  • Status reports of ongoing and completed audits.
  • Reporting of the status of corrective action plans, including conditions noted, management’s response, steps taken to correct the conditions, expected time-line for full implementation of the corrective action, and planned timing to verify that the corrective action plan has been implemented.

Establish Resources That Are at the Ready

Audit committees should be given the resources and authority to acquire additional expertise as and when required. These resources may include, but are not limited to, technical experts in accounting, auditing, operations, debt offerings, securities lending, cybersecurity, and legal services.

Taking Extra Steps Now Will Save Time Later

While no system can guarantee breakdowns will not occur, a properly established audit committee will demonstrate for both elected officials and executive management that on behalf of their constituents they have taken the proper steps to reduce these risks to an acceptable tolerance level. History has shown over and over again that breakdowns in governance lead to fraud, waste and abuse. Don’t be deluded into thinking that it will never happen to your organization. Make sure it doesn’t happen on your watch.

Credential Harvesting: What You Need to Know about this Emerging Cyber Threat

by Karl Kispert, Managing Director, MGO Technology Group

For many years, malware viruses have been the go-to tool for cyber attackers – and as a result, cybersecurity protocols and training have been engineered to minimize the impact of malware. More recently, a new threat has emerged that is changing the landscape of cyber and information security: credential harvesting. To protect personal and/or company information and resources, you must familiarize yourself with this new data breaching method and ways to manage related risks.

What is Credential Harvesting?

Credential harvesting, also known as password harvesting, is the process of gathering valid usernames, passwords, private emails, and email addresses through infrastructure breaches. The possible motivations for such a breach are many: the hackers could sell delicate personal and financial data on the dark web; gain access to a company network for purposes of corporate espionage and steal IP or other assets; or use the data to embezzle money.

How Credential Harvesting Occurs

A commonly cited source of credential harvesting is the use of phishing emails. These emails contain an attachment or hyperlink that, when clicked, installs data-stealing programs onto your computer. While phishing emails are the most common avenue, password harvesting can also be performed by malware viruses, cloned website links, the use of unsecure third-party vendors, and ransomware. In many cases, the breached user has no knowledge that the malicious attack has occurred, and continues to believe they are shielded by cybersecurity measures.

This is especially accurate in cases when cloned websites are the source of the credential harvesting, as they are extremely similar in features and makeup to the real webpages they emulate. When a user logs into any account on a cloned website, their login information is directly sent to the attacker. The number of users who access accounts on phony websites can be significant and the stockpile of valuable data collected can have disastrous consequences.

Taking an Active Stance Against Credential Harvesting Scams

There are proactive steps anyone can take to mitigate the chances of falling prey to credential harvesting. Cloned websites can be detected by spotting an unusual URL unrelated to the actual website. For example, when using Google, instead of seeing a normal Google webpage, a cloned Google webpage will have a URL that is not Google related. Another common indicator that a webpage is cloned is if an unexpected web browser window pops up without a user physically opening it. For example, if the Google Chrome application randomly opens up as you are analyzing sensitive data vital to your company, your system may be infected. If caught in such a situation, it is best to not log into any accounts on the opened tab and instead force quit the application, and immediately notify your IT Department of what happened.
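The “unusual URL” check described above, written out as an added example (this is not code from the original article or from MGO). It assumes the genuine site’s registrable domain is known (here `google.com`, as in the article’s example) and tests a constructed set of login-page URLs, including the common ways a cloned page borrows the real name without actually being under it.

```python
from urllib.parse import urlsplit

# Registrable domain of the genuine site. Assumed for this example, matching
# the article's Google illustration; substitute the site your users log into.
EXPECTED_DOMAIN = "google.com"


def host_matches(url: str, expected_domain: str = EXPECTED_DOMAIN) -> bool:
    """Return True only if the URL is HTTPS and its host is the expected
    domain or a subdomain of it. Anything else is treated as suspicious."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False  # a login page on plain HTTP is suspicious on its own
    # .hostname drops userinfo ("user@"), the port, and lowercases the host,
    # so "https://accounts.google.com@evil.example/" resolves to evil.example.
    host = parts.hostname
    if not host:
        return False
    host = host.rstrip(".")  # tolerate a trailing dot (fully qualified form)
    expected = expected_domain.lower().rstrip(".")
    # The "." boundary matters: "notgoogle.com" must not pass as google.com.
    return host == expected or host.endswith("." + expected)


def triage(urls, expected_domain: str = EXPECTED_DOMAIN) -> dict:
    """Map each URL to True (expected site) or False (report to IT)."""
    return {u: host_matches(u, expected_domain) for u in urls}


# Constructed sample URLs; none of these are real observed indicators.
SAMPLE_URLS = [
    "https://accounts.google.com/signin",                 # genuine subdomain
    "https://www.google.com/",                            # genuine
    "http://www.google.com/",                             # plain HTTP: flag it
    "https://accounts.google.com.login-check.example/",   # real name used as a prefix
    "https://accounts.google.com@login-check.example/",   # real name hidden in userinfo
    "https://g00gle.com/signin",                          # look-alike spelling
    "https://notgoogle.com/",                             # shares a suffix, not a subdomain
]

if __name__ == "__main__":
    for url, ok in triage(SAMPLE_URLS).items():
        print(("OK      " if ok else "SUSPECT ") + url)
```

Only the first two constructed URLs pass; every other form is flagged for the user to report rather than log in.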

When it comes to phishing emails, you must be vigilant when receiving emails and be sure not to click on any unknown or unusual links. This could lead to infected programs popping up that you did not intentionally download.

There are a number of other ways credential harvesting can occur. To protect your vital information from an instantaneous and anonymous breach, you should regularly back up your devices to the cloud and promptly install all security patches and upgrades.

Protecting Your Organization Against Credential Harvesting

Credential harvesting is a real and rising threat, and anyone can be the next victim. Users must continually update their security software, back up their data, and be mindful of the links they follow and the sites they visit. Following these simple steps will help protect you, and your business, from becoming the next victim of credential harvesting.

If you have any questions or fear your organization is at risk for credential harvesting, please reach out to the MGO Technology Group for a consultation.

Living Your Vision, Part 2: How to Create an Honest Brand for Your Present & Future

What is a “brand” and how does one go about creating it? A brand is a footprint. A brand is how you are seen, perceived, and remembered. It involves both real-world and social media interaction, and whether or not people are aware of it, we are all creating a brand for ourselves every day of our lives. Putting a stamp on it, and owning it as a brand, is just a more definitive step.

Some have questioned the value of creating a brand for yourself. Does it really need to be done? Is it something that anyone actually looks at? Is it simply a social construct for media purposes that has no genuine bearing on the real world, and your life?

There is a simple answer. While your brand may be a “social construct,” it can have an indelible impact on your life and career. When planned and utilized correctly, your brand is an essential part of the early journey in defining your vision for yourself and your continued financial success and security. The first step when approaching yourself as a brand is to decide what that brand, and you, will stand for. It should serve as a reflection of your current values and also of what you aspire to achieve.

Develop Your Brand by Watching and Listening

Conceiving your brand starts with basic tenets you learned in elementary school: watch and listen. Take a look at people in your world and your chosen field. Look beyond any pre-conceived notions you may have and really look at and listen to who they are, and the message they are projecting to the world. Examine them in person as well as via any kind of digital or social media, and decide for yourself whether that person is succeeding or failing to represent what they are putting into the world. Look at any kind of context they put out in terms of public goals, mission statements, and information about their personal journey and vision.

Doing your homework ahead of time and developing an understanding of what works and what doesn’t, helps you determine the trajectory of your brand and how it will propel you forward in living your vision. Remember, you are your own mid-sized Fortune 500 Company, and you need to run your business affairs as such. No one invests personally or financially in a company that has unfocused goals, trajectory, or has a brand that seems off the mark or undefinable.

Be Honest & Truthful When Creating Your Brand

The most important element in creating a brand for yourself is to be honest in what you are doing. There’s no lasting value in creating a brand and financial path that is no more than smoke and mirrors. Social media and the impression that you give people through your brand will appear hollow if you are not being truthful in what you are creating. Make sure that your brand represents your personal voice and views. Truth and hard work will always reap you a tangible benefit in the end. You can’t build a vision of the future on lies and public opinion. It’s much easier and more effective to maintain a brand that is honest and true. Sustaining falsehoods and superficial façades requires ten times the work and creates unnecessary risk and complexity.

Package Your Brand and Create Goals

Once you’ve decided how you are going to brand yourself, and what path you are taking, start working out a step-by-step financial plan with your advisors. There should be a series of definable goals and markers along the journey into living your vision. Working with your team of financial advisors, decide the duration of time you would like to spend on each element or part of your goals, and where exactly you see these goals fitting into the much larger picture of your present and future life.

Create your plan so that it is a package deal. It has to meet your needs, the needs of your financial vision, and all elements need to align correctly. All elements of your vision and financial scope need to feed into and allow your brand to exist on multiple planes and levels. Again, your finances should be run like a company’s, and there will always be elements that exist on separate levels but need to work in harmony for everything to move forward.

Earn Your Reputation for Your Brand

Reputations are earned, not just freely given. They take work, time, and patience. Creating and building your brand for yourself and your finances is no different. Stay true to what you and your financial advisory team have worked to create for you. This brand is a way to represent yourself in the world, and as such is as much a part of you as your body of work. In having others help you establish your brand, make sure you are doubling back to check on others and let everyone know that you are invested in them, just as much as you are in making this brand a reality and a success. Treat others well as you forge ahead to give your brand a life and longevity and keep it rooted in a reputation that you are working hard to maintain.

Let’s build something together.

At MGO, one of the keys to our business success is bringing together Atypical people, so that we create something extraordinary.

Connect with us to get started.

Our focus is on hiring professionals who are driven to innovate and looking for an exceptional environment where creativity and bold thinking are not just encouraged, but rewarded. In fact, “IDEAS RULE” is one of our five core values.

We’re not looking for people who fit in with our culture so much as people who complement our culture: a culture that promotes collaboration and values teamwork, where having a healthy balance between your work and your personal life is encouraged, and where your great work is celebrated and recognized across the firm.

At MGO, you define your own path. You’ll grow, develop, and thrive in our positive work environment. You’ll not only apply your valuable skill set to the work you do every day, but you’ll feel motivated and supported while you’re doing it.

Whatever your vision is for your career, we offer the tools, support, and mentorship that empowers you to go wherever you want to go. Your success is our success. Let’s build something together.

Who We Serve

State & Local Government: We have long-standing relationships with clients that represent some of the largest government institutions in the US.

Cannabis: As one of the first accounting firms to serve the cannabis industry, MGO counts both commercial enterprises and regulatory authorities as clients we’ve helped – and continue to help -- guide through this emerging industry.

Entertainment, Sports and Media: Many of Hollywood’s brightest stars and most influential agencies are our clients.

Gaming, Hospitality and Native Tribes: We work hand-in-hand with native tribes helping them navigate the unique landscape that exists for their hospitality and gaming enterprises.

Technology: Our fast-growing technology practice facilitates collaboration and delivery of services to a variety of established and emerging technology companies.

International: This burgeoning practice serves multi-national companies doing business overseas, as well as foreign corporations, providing guidance and support for growth opportunities across the globe.

What We Do

Assurance: We use a holistic, collaborative approach that builds upon our regulatory knowledge and operational insight to help organizations improve their operations, systems, processes, and controls.

Tax: Our industry knowledge provides guidance ensuring compliance while driving value for organizations and individuals navigating complex global tax codes.

Advisory: We deliver proven services across business functions, including strategy, operations, finance, and information technology.

Financial Advisory and Accounting Services: MGO’s outsourcing services allow us to match up seasoned professionals – with industry best practices and technology solutions – to the service areas where they are needed most.

Business Management: We work behind the scenes managing the financial details that make our clients’ lives simpler, while helping them build and protect their future interests.

Technology Consulting: Our dedicated team of cybersecurity and information security experts delivers peace of mind by creating custom security programs built on the confidentiality, integrity, and availability model (CIA Triad) and designed to guide policies that protect our clients’ critical data.

Wealth Advisory: Our advisors collaborate with High-Net-Worth individuals and families to grow and protect their financial legacy.

MGO Asia

Selling into new markets and setting up international operations is a complex process requiring intimate knowledge of the nuances of regulations, culture and politics in every country involved. MGO’s Asia Practice is dedicated to providing the specialized professional services necessary to guide companies with international interests to success.

International Technical Expertise Supported by a Strong Business Network

MGO Asia provides unmatched value to our clients by delivering the right mix of technical knowledge and a robust global network. We support international growth by helping clients identify strategic business and investment partners on both sides of the Pacific. We then work to optimally structure cross-border transactions through detailed knowledge of local regulations and market complexities. The result is strong, mutually beneficial business relationships built on a foundation of trust and exacting technical guidance.

MGO understands the Asia-based investment portfolio, distinct investment processes, and the varied business models for companies operating in Asia. Many MGO Asia team members are from the region and our language proficiencies include Cantonese, Mandarin, Japanese, Korean, and Vietnamese. While the “language of business” may be universal, we make sure nothing is lost in translation.

MGO Asia’s Comprehensive Suite of International Tax, Audit, and Accounting Services:
  • International Tax Compliance
  • Cross-Border Tax Structuring
  • International Private Client Tax Services
  • International Assurance Services
  • Audit Readiness Preparation
  • M&A Advisory
  • Transaction Advisory Services
  • Financial and Commercial Due Diligence
  • Bookkeeping and Outsourced Accounting Services

MGO’s International Tax and Advisory Services

As one of the fastest growing professional services firms in the US, MGO offers a uniquely holistic, results-driven approach to client service. We’re the professional services firm that rolls up our sleeves and works alongside our clients to get the job done.

In order to make sure we help you reach your long-term strategy, we’ve developed an integrated, collaborative approach that aligns and optimizes the work of all your advisors. The coordination of our tax, assurance, advisory, business management, and wealth management practices allows us to provide a platform that truly serves clients by facilitating a holistic solution.

To learn more about how MGO Asia can help you or your organization, contact us or call +1 (866) 355-2453.

Cyber Hygiene: State Auditor Says It’s Time for State Agencies to Clean Up Their IT Act

By Karl Kispert

On July 16, 2019, the auditor of the State of California released a report taking to task at least 21 state agencies for not meeting adequate cyber security standards. The auditor claims that these lapses in security controls could potentially open up state residents to identity theft and harm the state’s finances.

It should be noted that these 21 state entities, among others audited, fall outside the authority of the governor’s office and, as a result, aren’t subject to that office the way other state agencies are. Because these ‘Non-Reporting’ Entities (NREs) are an exception to the usual oversight structure, they are free to choose the standards by which they apply their cyber security, and are not required to use the SAM-5300 compliance standard as directed by the governor’s office. That’s where the problems begin, and one of them takes the form of deficiencies.

One of the more common deficiencies found among these entities is the lax attitude with which password security is employed. In many cases, the NREs fail to meet basic security hygiene standards, such as regular password changes and changing the default password of network equipment already in production.

Also of note is that while most of the NREs did employ a well-known security standard, such as SAM-5300 or NIST 800-53, they either didn’t use the standard properly or overlooked important parts of it when applying cyber security policy. For any organization, this type of audit result would be bad, but one could argue for state entities this is worse as it’s well-known they handle a large amount of personal information on a daily basis. This results in hackers having a field day launching ransomware attacks targeting intrinsic vulnerabilities.

Cybercriminals are savvy. The 24-page full report issued by the state’s auditor has, unfortunately, provided them with potential targets. Ironically, the report sounding the alarm about the high risk of cyber attacks at state agencies may have set into motion new attacks.

In the world of cyber security we talk about “the breach of the day,” and we’re seeing a large increase in ransomware attacks on cities and states of all sizes, like Atlanta and Baltimore. (See Prepare Now or Pay (Much More) Article.) This trend means municipalities must create a proactive plan immediately, if they haven’t already. Recent statistics show the amount of money hackers are demanding when holding entities for ransom is now upwards of six figures.

Many of the NREs have already implemented plans by choosing a standard they base their IT Security Policy on, such as NIST or SAM. However, a compliance standard is no replacement for policy written by, and for, your own organization. In order to meet the standards set out by these frameworks, you must have a well-written and clearly defined IT Security Policy that is both accessible and understandable to your employees and not just to your IT staff.

Granted, correcting security deficiencies takes time and resources, but there are actions that NREs and agencies alike can take now to get on the path to compliance with a more secure environment.

First and foremost, apply a framework ensuring that your organization’s policy is both comprehensive and coherent. As stated earlier, many of these California NREs have already chosen a popular standard to follow. Most are either using NIST 800-53 (created by the federal government), SAM 5300 (created by the State of California to augment NIST), or some combination of the two. These standards are both free to access, and would be a great place to start in deciding how you want to shape your company’s IT and Cyber Security Policy.

After choosing the standard, an assessment should be conducted to find out which parts of the standard should apply to your agency or organization. This step is crucial because when you’re conducting an honest assessment you’ll determine what controls are in place, noting controls that aren’t. You can then build a roadmap to ensure these gaps are closed in a timely manner. While this assessment is underway don’t wait to strengthen your defenses. In the interim you can establish or enhance the following:

  • Awareness – It’s time to change the culture of your agency or organization by making everyone more aware, not simply performing compliance training. Training is teaching a body of knowledge to someone, while awareness is changing the culture. The latter is what’s required to help ensure the bad guys don’t gain access to your IT environment. It’s worth the time it takes to create the required level of awareness by discussing the threats and applying an action plan that addresses the confidentiality, integrity, and availability of your data.
  • Password Management – This is your first line of defense, so use this simple tool to help protect the sensitivity of your data and the data entrusted to you by third parties. Passwords must be strong, consisting of numbers, letters, and symbols while staying away from commonly used phrases and sequences such as ‘54321’ and ‘aabbccdd’ or ‘password.’ Passwords should NEVER be shared with anyone unless they’re an authorized member of your technical support staff working on your computer. Even then, your password should only be shared through a secure channel such as a direct voice-to-voice phone call, a text message, or even a sticky note. Most importantly, if you have to share your password, the password should be changed as soon as the needed maintenance task is completed. Finally, your systems should force a password change at fixed intervals to ensure that passwords never become stale. You lock your car and your house with a unique key to keep them secure. You’re essentially applying the same principle to your IT environment by locking it to protect sensitive data.
  • Patch Management – Software that hasn’t been updated (patched) is a vulnerability waiting to be exploited by a hacker. Your IT department or vendor must take care of this basic task to help ensure the computers in your environment are at the proper protection level. It can be a simple system such as Microsoft WSUS, or a more complex system that allows you to control encryption, such as McAfee EndPoint. You also need to create a system in which your remote users ‘check in’ often with your network so they can also be updated and managed. Applying patch management is a ‘must do’ in order to make sure that recent vulnerabilities aren’t exploited by malicious actors seeking to gain access to your network.
  • Physical Asset Security – It’s important to think about the physical asset when considering Cyber Security. Ensuring the assets your employees use to reach your IT infrastructure are physically and logically secure is a major part of preventing improper access to your network. This goes beyond simply applying passwords to your machines. It should also include encrypting the asset’s hard drive, setting a lockout time for inactive use, applying physical privacy screens so that no one looks over your employee’s shoulder to see confidential information and, above all, making sure assets are not left out for anyone to take. It might seem mundane, but reminding employees to keep an eye on their laptops when traveling and to lock up their laptops or take them home at the end of the day, will go a long way in keeping your data secure.
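As an added illustration of the assessment step and the interim controls above (example code, not from the article or from MGO), the Python below checks a constructed asset inventory against those controls and applies the article’s password rules to candidate passwords; the thresholds, record fields and sample hosts are assumptions.

```python
"""Control-gap check for the interim controls described above.

Added example, not from the article: a constructed inventory of hosts is
checked against the article's password, patch check-in and physical-asset
controls, and candidate passwords are checked against its password rules.
Threshold values and record fields are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90   # assumed "fixed interval" for forced changes
MAX_CHECKIN_AGE_DAYS = 7     # assumed: remote hosts check in at least weekly
MAX_IDLE_LOCK_SECONDS = 900  # assumed: lock the screen after 15 minutes idle
BANNED_PHRASES = ("54321", "aabbccdd", "password")  # phrases named in the article


def has_sequence(s: str, n: int = 4) -> bool:
    """True if s contains n characters that step by +1 or -1 (e.g. abcd, 4321)."""
    for i in range(len(s) - n + 1):
        deltas = {ord(s[j + 1]) - ord(s[j]) for j in range(i, i + n - 1)}
        if deltas in ({1}, {-1}):
            return True
    return False


def password_problems(pw: str) -> list[str]:
    """Return the reasons a candidate password fails the article's rules:
    letters, numbers and symbols, and no common phrases or sequences."""
    low = pw.lower()
    problems = []
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not re.search(r"[A-Za-z]", pw):
        problems.append("no letter")
    if not re.search(r"[^0-9A-Za-z]", pw):
        problems.append("no symbol")
    if any(p in low for p in BANNED_PHRASES):
        problems.append("contains a banned phrase")
    if has_sequence(low):
        problems.append("contains a character sequence")
    return problems


@dataclass
class Host:
    """One inventory record as an assessment might capture it (constructed)."""
    name: str
    default_password_changed: bool  # network gear shipped with a default login
    password_set_on: date
    last_checkin: date              # last contact with the patch system
    disk_encrypted: bool
    idle_lock_seconds: int          # 0 means no inactivity lockout configured


def host_findings(h: Host, today: date) -> list[str]:
    """Map the article's interim controls onto one host's record."""
    findings = []
    if not h.default_password_changed:
        findings.append("default password still in use")
    if (today - h.password_set_on).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password older than the rotation interval")
    if (today - h.last_checkin).days > MAX_CHECKIN_AGE_DAYS:
        findings.append("no patch check-in within the interval")
    if not h.disk_encrypted:
        findings.append("disk not encrypted")
    if h.idle_lock_seconds == 0 or h.idle_lock_seconds > MAX_IDLE_LOCK_SECONDS:
        findings.append("inactivity lockout missing or too long")
    return findings


def assess(hosts: list[Host], today: date) -> dict[str, list[str]]:
    """Findings per host; an empty list means every checked control is in place."""
    return {h.name: host_findings(h, today) for h in hosts}


# Constructed sample inventory; names and dates are made up.
INVENTORY = [
    Host("fw-edge-1", False, date(2019, 1, 10), date(2019, 7, 30), True, 600),
    Host("laptop-042", True, date(2019, 6, 15), date(2019, 7, 1), False, 0),
    Host("ws-finance-07", True, date(2019, 7, 20), date(2019, 7, 31), True, 900),
]
AS_OF = date(2019, 8, 1)  # constructed assessment date

if __name__ == "__main__":
    for name, findings in assess(INVENTORY, AS_OF).items():
        print(name, "->", findings or "no gaps found")
    for candidate in ("Password54321", "Summer2019!"):
        print(candidate, "->", password_problems(candidate) or "meets the rules")
```

The findings list for each host is the raw material for the roadmap the article describes: each non-empty entry is a control gap with an owner and a due date to assign.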

After all, cybercriminals can’t get into your IT environment without a way to get in first. Don’t make it easy for them.

Tech Lockdown: Prepare Now or Pay (Much More) Later

By Mark Cousineau, CPA & Karl Kispert

Most businesses rely heavily upon technology and, arguably, it’s one of your soundest business assets.

But what happens when your technology leaves you vulnerable, such as in the case of your IT environment suddenly held hostage by a cybercriminal?

According to Recorded Future, since 2013 there have been 170 city, county and state governments that have been attacked using ransomware, a type of malicious software built to interrupt or shut down your business or government operations. That means it’s a good time to understand how it works and, more important, what you can do to prevent it.

How It Works

Ransomware blocks access to your data by encrypting it, then you’re informed you will only receive a decryption code when a sum of money is paid to these anonymous cybercriminals. The attack is sudden and the clock begins ticking for you to pay the ransom, or lose access to your computer system forever.

Fundamentally these attacks are successful because the proper safeguards are not in place for various reasons, the main one being perceived cost. Statistics support the aphorism that it’s not so much a matter of “if” your organization will get hit, but rather a matter of “when” an attack will happen.

According to Malwarebytes’ Cybercrime Tactics and Techniques Q1 2019 Report, ransomware for businesses of all sizes is up 195 percent in the first quarter of 2019 since the final quarter of 2018, and up more than 500 percent when compared to the first quarter of 2018. This risk is certainly not going away anytime soon.

The financial backlash can be devastating, but even worse can be the loss of access to daily electronic processes, computer data, employee time, organizational records and invaluable information.

Recent Ransomware Attacks
  • City of Baltimore: On May 7, the RobbinHood ransomware infection hit. An estimated $18 million has been reported as likely damages, with $10 million going toward the repair of the city’s systems, while $8 million is in forgone interest and penalties. Some services are still not restored and others are using manual processes.
  • City of Atlanta: More than a year ago the city was brought to its knees as the result of a ransomware attack, when the cybercriminal demanded $51,000. Payment was not made and to date nearly $17 million has been spent repairing the damages. In addition, valuable police department dash cam video has been lost forever according to reports.
  • State of New York: Hackers demanded $30,000 from the Erie County Medical Center in Buffalo. When hospital officials refused to pay, 6,000 of the hospital computers were wiped. It took six weeks to get up and running again, during which time employees were forced to keep handwritten records. Officials estimate it cost $10 million to recover from the attack.
  • State of Florida: In December, just before Christmas, a Florida grocery store suffered a ransomware attack when its QuickBooks server was held for ransom. In this case, the cybercriminal wanted 1.5 bitcoin or, at the time, $5,100. Because the owner did not have reliable back-up files they were compelled to pay the ransom, but they still lost a significant amount of data.

As you can see, regardless of the type of industry or size, cybercriminals are widely casting their nets, which reasonably ensures their catch will amount to a good payday.

8 Steps to Security

However, all is not lost. There are eight steps you can take that will go a long way in securing your IT environment, rendering it more difficult for cybercriminals to access.

1. Perform a security assessment of your IT environment. Do not rely upon “it hasn’t happened to me yet, so I doubt it will” reasoning. The risk is not worth it.

2. Provide security awareness to anyone accessing your IT environment to prevent the No. 1 cause of cyber-attacks: Phishing. Humans continue to be the weakest link. You need to go beyond training and make employees aware, so that it becomes part of the security culture.

3. Back up your data daily. If you find yourself in the unfortunate position of being a ransomware victim, the best way to recover from the attack is to have secure and reliable backups ready to use when you are held hostage.

4. Patch software immediately. When fixes are made available, don’t wait. Update your software so hackers can’t exploit a vulnerability.

5. Limit the number of people who can install software. This is the IT version of “too many cooks spoil the broth.” You need to trust that your employees are doing the right thing when installing and updating software, and that they’re not relying upon free software, which is a notorious gateway for malware.

6. Use a reputable antivirus software (AV). AV is a simple, yet powerful step that will lower your chances of being attacked by ransomware.

7. Perform security monitoring of your network. You MUST be aware of what is happening in your network by performing 24x7x365 monitoring, which will help ensure you’re actively looking for the bad guys.

8. Use two-factor authentication. Gone are the days of just a single password. Having two forms of authentication, such as a password and a biometric, to access your network will provide added assurance.

While nothing is foolproof, taking preventive measures maintains your brand, ensures customer retention and prevents a cyber breach. At the end of the day you want the peace of mind that’s provided when you know you have done everything you can—even when it’s “just in case.”

Mark Cousineau, CPA, CITP, CGMA, CIA, CFE, CGAP, CGFM, CRMA is a director at MGO and Karl Kispert is managing director of MGO’s technology group. You can reach Mark at or contact Karl Kispert here.

Published in California CPA magazine July 2019

Download article PDF >

Client Portal Terms of Use
Portal Purpose

Macias Gini & O’Connell LLP and its affiliated firms, (“FIRM”) provides the Client Portal Center located at, and the sections within (collectively the “Portal Site”) so that individuals or entities that have engaged FIRM to provide professional services (hereafter, “Client(s)”), Users (as defined below), FIRM Staff, and FIRM Staff’s designees can securely exchange documents and collaborate with each other relative to the engaged FIRM Services. The Portal Site is only intended to facilitate and enhance the exchange of documentary information between FIRM and its Client(s) related to an existing engagement. This Document governs the use of the Portal Site. Neither the Portal Site nor this Document shall be construed as modifying, amending, or altering the terms of the engagement agreement between FIRM and its Client(s) or be used to create a new engagement agreement between FIRM and the Client(s).

This Document describes FIRM’s practices in collecting and processing personal information through the Portal Site and defines the terms for use of the Portal Site. This document also describes the Client(s)’ responsibilities and obligations relating to the management of the Client(s)’ access to the Portal Site. By accessing or using the Portal Site, you (“You”, “Your”) signify that You have read, understand and agree to be bound by the terms and conditions stated within this Document. You agree to only use the Portal Site for its intended purpose, and not use it otherwise without FIRM approval.

All content, information, and services provided on and through the Portal Site may be used only under the terms and conditions of this Document.

FIRM may change this Document and the terms governing the Portal Site, and/or may change, edit, delete or revise portions of the Portal Site at any time. In the event of a change to this Document, the revised Document will be presented the next time You access the Portal Site. You should review this Document periodically to remain informed of any changes. FIRM shall have no responsibility to contact You individually regarding any such revisions.

Applicable Access Requirements

FIRM will invite representatives of the Client to access the Portal Site only based on the expressed, written consent provided by the Client. The Client shall be responsible for designating a representative(s) that is authorized to provide such consent on behalf of the Client. FIRM will be responsible for designating a representative(s) authorized to receive such consents from the Client (“FIRM Designee”).

The Client shall not request an invitation for any individual to use the Portal Site unless such individual satisfies each of the following conditions: (a) he or she must be an employee of the Client, an independent contractor of the Client, or be a person otherwise working under the direction, supervision and control of the Client; and (b) he or she must need to access the Portal Site for the purposes of FIRM providing the engaged services to the Client. An individual satisfying these conditions for which the Client has provided the necessary consent and to which FIRM has, in accordance with the terms of this Document, extended an invitation to access the Portal Site shall be referred to throughout this Document as “User.” A request by the Client to the FIRM Designee for an invitation to the Portal Site shall constitute and shall be construed as approval by the Client for the invited User to have access to the Portal Site and a warrant and representation that the User satisfies the aforesaid conditions for any individual’s access to the Portal Site.

The request and consent must be provided in writing to the FIRM Designee and must include the following:

  • The intended User’s Full Name
  • The intended User’s Email address (to which an invitation and registration details will be sent)
  • The Client’s expressed consent to add the intended User(s) to a specific Portal Site

The FIRM Designee, upon receipt of satisfactory consent from the Client, is permitted to:

  • Invite Users to register for the Portal Site as described in this document.
  • Remove Users (as defined below) from the Portal Site as described in this document.

Any access granted by FIRM hereunder shall be limited to the access allowed by FIRM, in its sole discretion, and solely as reasonably necessary for the purposes of the services Client has specifically engaged FIRM to provide. Moreover, FIRM may also restrict or terminate access of the Client and any one or more Users as deemed appropriate by FIRM for any reason. Nothing herein obligates FIRM to provide any User(s) access to the Portal Site.

User Responsibilities

Upon invitation from a FIRM Designee and completing registration, You, as a User, will utilize a User ID and automatically generated temporary password that FIRM will provide to gain access to the Portal Site. You will be prompted to change your password after You access the Portal Site for the first time. Your User ID and password are solely for Your own use. You shall not disclose Your password or any password related information to any other person or entity. All activity on the Portal Site associated with Your User ID and password will be considered to have been performed by You.

You must promptly report to the FIRM Help Desk at 1-916-642-7000 if any of the following were to occur: (1) A User ID and/or password is suspected to have been compromised or has been compromised, (2) Any actual or suspected privacy and/or security violations, and/or (3) Your exposure or access to information that is not directly related to Your intended purpose for accessing the Portal Site. You must cooperate as requested by FIRM in the investigation of, and response to and mitigation of any, suspected or actual compromise, violation or breach of security.

Due to the nature of the Internet, and the nature and complexity of security risks, FIRM cannot, and does not, ensure the privacy, security or authenticity of Your communications with, within or through the Portal Site. Accordingly, You are solely responsible for determining whether the use of the Portal Site or the Internet is adequately secure to meet Your particular needs. Non-secure, public computers and/or wireless hot spots pose additional risks to Your personal information beyond the risks of accessing the same information from a secured home or wired network. Public computers and wireless environments are focused on ease of use rather than complicated security and privacy configurations. Such networks may not be secure and software may not be up to date in these environments. Therefore it is important to note that using a public computer or wireless hot spot, be it in a restaurant, coffee shop, airport, airplane, hotel, library, school, or other public place, poses its own number of risks, and puts Your Internet privacy, and computer privacy, at risk; hence it is not advisable to access this Portal Site via a public computer or wireless hot spot.

Your use of the Portal Site is at Your own risk, and the security of Your personal information is Your responsibility. FIRM shall have no responsibility or liability to You for security breaches that occur as a result of Your use of the Portal Site.

Additional Client Responsibilities

The Client will exercise appropriate precautions to ensure that the information on the Portal Site is accessed and used by Users only as needed for the purposes set forth herein. The Client assumes any risks associated with any User’s access to the Portal Site and will be responsible for taking steps to ensure that Users maintain the confidentiality of information on the Portal Site, and that the information on the Portal Site is not accessed for reasons unrelated to the engaged FIRM services, nor disclosed to any unauthorized party or parties.

Furthermore, the Client is responsible for ensuring that the use of the Portal Site by its Users complies with the Client’s security and other policies, which shall comply with state and federal statutory and regulatory requirements, and that related sanctions for non-compliance are in place.

The Client agrees to immediately notify the FIRM Designee of the need to remove any User’s access based on any changes in employment, privileges or responsibilities of any such User that affect the need or right to access the Portal Site for the purposes set forth herein.

The Client is responsible for conducting at least quarterly reviews of Users with access to the Portal Site in order to determine whether that access is still required, and therefore should be retained, or no longer required and therefore be revoked. Consult the FIRM Designee or Help Desk for information on how to verify and remove access.

The Client agrees to defend, indemnify and hold FIRM and its members, managers, representatives, related or affiliated entities, staff and agents harmless against and from any and all claims, damages, lawsuits, fines, penalties, or other losses, including, but not limited to, attorneys’ fees and costs related thereto, relating to FIRM providing the Client or its Users with access to the Portal Site, information contained on the Portal Site (regardless of who provided such information), or that otherwise occur from, arise out of, or relate to, whether directly or indirectly, (a) the failure of the Client or any User to comply with this Document or applicable law in the course of accessing or using the Portal Site, or (b) the Client’s or any User’s use of the Portal Site.

Privacy Statement

FIRM values and respects Your right to privacy. Your privacy is very important to us and we will do our best to protect the security and confidentiality of Your personal information. We will use the personal information provided by You only in the normal course of our business. We will not share Your personal information with others without Your express consent except as necessary to comply with legal process or other applicable legal requirements, to provide access to, and use of, the Portal Site, to protect or defend our rights or property or as otherwise permitted or required by law. FIRM does not sell Your personal information to third-parties.

Your personal information is protected by computer software security programs and hardware installed in connection with the Portal Site which protect against the loss, misuse or alteration of personal information. In consideration of use of the Portal Site, You agree to provide accurate, current and complete information as prompted by any registration forms on the Portal Site.

What Personal Data is collected?

When You visit the Portal Site or register for an account on the Portal Site, You provide us with two types of information: personal and corporate information You knowingly choose to disclose that is collected by us (“User Data,” as defined below) and Portal Site usage information collected by us as You interact with the Portal Site (“Portal Site Data” as defined below).

User Data

You are solely responsible for the completeness and accuracy of the email address(es), personal information, company information, data, notes, documents, text, and other information that You provide or upload to or through the Portal Site (collectively, the “User Data”) or any other means. You are solely responsible at Your sole cost and expense for creating personal backup copies of any User Data You post or store on the Portal Site or provide to FIRM.

When You post User Data to the Portal Site, You authorize and direct FIRM to make such copies thereof as deemed necessary in FIRM’s sole discretion in order to facilitate the use and storage of the User Data by FIRM in performing services. By posting or providing User Data to the Portal Site, You represent that You have the authority and ability to post or provide such information for FIRM’s use and storage.

FIRM is not responsible for the content of the User Data provided by non-FIRM personnel.

Portal Site Data

When You enter the Portal Site, FIRM will store certain information about Your login ID using “cookies”. A cookie is a piece of data stored on the computer You use that is tied to information about You and Your use of the Portal Site. FIRM uses cookies to associate You with Your previous activity on the Portal Site. You can clear Your browser’s cookies (using the settings in the browser) to disable this convenience feature.

Data Transfers from the European Union

If you are transferring data from the European Union to the United States, please refer to the FIRM’s Privacy Statement Regarding Transfers of Personal Information Between the European Union and the United States. (This electronically links to said privacy statement)

Links to Other Materials

The Portal Site may include links to third party sites (“Linked Sites”). Linked Sites and information therein are not under FIRM control, and therefore FIRM is not responsible for the content of any Linked Site or any link contained in a Linked Site. Your use of a Linked Site is subject to the terms and conditions presented by that Linked Site. YOU REMAIN SOLELY RESPONSIBLE FOR COMPLYING WITH THE TERMS AND CONDITIONS OF ANY LINKED SITE. WE MAY AT ANY TIME, FOR ANY REASON OR NO REASON, IN OUR SOLE DISCRETION, DISCONTINUE ANY LINK TO ANY LINKED SITE.

Other Restrictions On Use

Except as otherwise agreed upon in writing, You will: (a) not interfere with, breach or abuse the security measures implemented to limit access and protect the Portal Site and the resources used to provide the Portal Site; (b) not disrupt or interfere with the operation of the Portal Site or the resources used to provide the Portal Site; (c) not transmit through the Portal Site any virus, trojan horse, or similarly harmful, disruptive or destructive computer program, script or object; (d) not use another person’s User ID or password to access the Portal Site or otherwise obtain unauthorized access to the Portal Site or the data thereon; (e) not use the Portal Site in any illegal manner or for any illegal purpose, or any other manner or purpose that would expose FIRM or FIRM’s service providers to civil or criminal liability; (f) not interfere with the security of, or otherwise abuse, the Portal Site or the system resources, accounts, servers or networks connected to or accessible through the Portal Site. FIRM reserves the right to suspend or restrict the access to or use of the Portal Site as FIRM determines in its sole discretion.

Termination or Restriction of Access

FIRM, in its sole discretion, can restrict or terminate Your access to the Portal Site as FIRM deems appropriate for any reason at any time.

FIRM’s Disclaimer
Miscellaneous Provisions

You should assume that everything You see or read on the Portal Site including the “look” and “feel” thereof, is copyrighted unless otherwise noted and may not be used, except as provided in this Document or in the text on the Portal Site, without FIRM’s written permission. We neither warrant nor represent that Your use of materials displayed on the Portal Site will not infringe FIRM’s rights, or the rights of others.

Images of people, places or other items displayed on the Portal Site are either the property of, or used with permission by, FIRM. The use of these images by You, or anyone else, is prohibited unless specifically permitted by this Document or specific permission provided elsewhere on the Portal Site. Any unauthorized use of the images may violate copyright laws, trademark laws, the laws of privacy and publicity, and communications regulations and statutes.

The trademarks, logos, and service marks (collectively the “Trademarks”) displayed on the Portal Site are FIRM’s registered and unregistered Trademarks and the registered and unregistered Trademarks of others. Nothing contained on the Portal Site should be construed as granting, by implication, estoppel, or otherwise, any license or right to use any Trademark displayed on the Portal Site without FIRM’s written permission or the permission of such third party that may own the Trademarks displayed on the Portal Site. Your misuse of the Trademarks displayed on the Portal Site, or any other content on the Portal Site, except as provided in this Document, is strictly prohibited.

This Document will be governed by and interpreted according to the laws of the State of California, without regard to conflicts of law principles. At the option of FIRM, any dispute or controversy arising out of or relating to the Portal Site, its use, its performance and/or this Privacy Statement / Terms of Use may be settled by arbitration held in Los Angeles, California, following the rules then in effect of the American Arbitration Association. The arbitrator may grant monetary, injunctive and other relief. The decision of the arbitrator will be final, conclusive and binding on the parties. Judgment may be entered based on the arbitrator’s decision in any circuit court in the State of California having jurisdiction or in any court otherwise having jurisdiction outside of the State of California. You and FIRM will each pay one-half of the arbitrator’s costs and expenses. If You violate the terms of this Privacy Statement / Terms of Use, FIRM, in addition to the other remedies available to it under law, including monetary damages, shall have the right to apply to the State of California Courts of appropriate venue or the United States District Court sitting in the State of California for a temporary restraining order and an injunction restraining You from further violation, and You consent to and submit Yourself to the jurisdiction of such Courts. You further agree to pay any and all attorneys’ fees, court costs, and any other related fees and/or costs incurred by FIRM in enforcing this Document in a court and/or arbitration action.

To the extent You file any claims against FIRM relating to the Portal Site, its use, its performance and/or this Privacy Statement / Terms of Use, You agree that any such claims shall be brought in the State of California Courts of appropriate venue or the United States District Court sitting in California, and You consent to and submit Yourself to the jurisdiction of such Courts. FIRM, however, retains the right to elect arbitration as set forth above, and You agree to voluntarily dismiss any such lawsuit if FIRM so elects. You agree to bring any claims that You may have against FIRM relating to the Portal Site, its use, its performance and/or this Document within 30 days of the day that You knew, or should have known, of the facts giving rise to the cause of action and waive any longer, but not shorter, statutory or other limitations periods.

Use of the Portal Site is unauthorized in any jurisdiction that does not give effect to all provisions of these terms and conditions, including without limitation this section.

All notifications to FIRM or any questions or inquiries pertaining to this Document should be sent to