New York Ruling Explains Sales Tax Treatment of Cybersecurity Services
December 16, 2024
By: Jess Johannesen, SALT Director
At a glance
- The main takeaway: A New York tax opinion concluded that cybersecurity services are subject to sales tax as a “protective service.” Could your services be subject to sales tax in New York or other states with similar tax laws?
- Assess the impact: As technology services continue to rapidly evolve, it is important for businesses to consider how each state may classify new service offerings under existing taxable and nontaxable service classifications.
- Take the next step: Aprio’s State and Local Tax (SALT) team can assist your business to determine whether its services are taxable, and where the rules may be unclear, we can draft and submit ruling requests to get specific guidance from the state.
Schedule a free consultation today to learn more!
The full story
In several states, security services can be subject to sales and use tax, even though we often think of these services in the traditional sense of protecting our tangible possessions or body. However, for sales tax purposes, the interpretation of security services may be more expansive. For example, New York recently issued an Advisory Opinion which concluded that cybersecurity and related advisory services were taxable “protective services.”[1]
A closer look at the case
In the ruling, the Taxpayer describes itself as a Managed Detection and Response service provider, which is “an all-encompassing cybersecurity service used to detect and respond to cyber-attacks.” The Taxpayer provides two main service offerings — Network Security Monitoring Services (NSMS) and Professional Advisory Services (PAS).
NSMS is a subscription-based service that detects, provides alerts, and prevents cyberattacks on network-connected assets. No software is downloaded or installed by customers; instead, a control box or sensor is installed on the customers’ servers. When these sensors detect an abnormality, the Taxpayer alerts the customer and assists to address the issue. While there are several components to the solution, the NSMS service works to:
- Contain identified threats
- Detect and capture threats via 24/7 monitoring
- Collect, centralize, and correlate event data from any network-attached asset
- Scan for vulnerabilities across the customer’s infrastructure and assets
PAS provides customized services including the creation, oversight, and implementation of formal cybersecurity policies and procedures. Once in place, the Taxpayer continually assesses these programs to ensure success. Information gained from the NSMS tools form the basis of PAS, and without such information the PAS deliverable would be more “speculation” with limited usefulness. The Taxpayer notes that none of its customers purchase PAS by itself.
The ruling explained
Under New York sales tax law, taxable services include protective services provided by, “protective systems of every nature.”[2] Based on prior advisory opinions, this includes services that are designed to prevent unauthorized access to or use of a customer’s information technology (IT) assets located in New York and also includes the service of monitoring for such unauthorized access.
The Advisory Opinion concluded that the primary purpose for each NSMS component is to monitor, protect, and/or secure customers’ IT assets from cyberattacks on an ongoing basis, noting that this is “the very essence of a protective service.” Likewise, the Advisory Opinion determined that PAS is also a taxable protective service even though the Taxpayer describes it as an advisory or consulting service. PAS includes the development of cybersecurity programs as well as their ongoing assessment, and it is noted to have “limited usefulness” by itself and is generally not purchased without NSMS.
The bottom line
As technology and related services continue to rapidly evolve, it is important to consider how states may classify new service offerings within the states’ existing classifications and definitions of taxable and nontaxable services. While New York’s definition of protective services was broad enough to include the Taxpayer’s cybersecurity services due to the inclusion of “protective systems of every nature,” this may not be the case in other states that tax security services. In addition, the object of the protective service (i.e., what is being protected) must be covered under the applicable rules. For example, is the rule broad enough to include IT assets such as data or similar types of property?
Aprio’s SALT team has experience analyzing taxable and nontaxable services and the varying ways in which states may interpret their definitions. We can assist your business to determine whether its services are taxable, and where the rules and guidance may be unclear, we can draft and submit ruling requests to get specific guidance from the state. Our goal is to help ensure that your business complies with its sales and use tax obligations and does not incur unexpected liabilities and penalties. We constantly monitor these and other important state tax topics, and we will include any significant developments in future issues of the Aprio SALT Newsletter.
[1] New York TSB-A-24(12)S, 07/30/2024.
[2] NY Tax Law §1105(c)(8)
Recent Articles
About the Author
Jess Johannesen
Jess Johannesen, Senior Tax Manager at Aprio, is a state and local tax advisor with experience in sales/use tax and state income tax matters, state tax credits and incentives, and state and local tax M&A due diligence. Known for quick response times and technical knowledge, Jess helps business leaders and decision makers in an array of industries maximize state tax benefits, and minimize risks and exposures while keeping in compliance. Defined by kindness and passion for Georgia sports, Jess is a thoughtful, curious and detail-oriented advisor.
Stay informed with Aprio.
Get industry news and leading insights delivered straight to your inbox.