Engaging with governments is a data security priority

Global tax systems are responsible for handling and storing vast amounts of data. Whether it’s details of a supplier’s transactions with its customers, or personal financial information, this data is an important commodity, the protection of which is paramount.


It’s also increasingly vulnerable. Over the last 18 months, opportunistic cyber criminals have taken advantage of crisis conditions to infiltrate the networks of organizations across the globe.

Cyber attacks increased in both frequency and intensity at the height of the COVID-19 pandemic – the first half of 2020 saw a 273 percent rise in the number of large-scale data breaches compared to the same period 12 months earlier.

Protecting the sensitive data contained within B2G transactions and interactions is mission critical for businesses and governments alike. And with tax authorities increasingly abandoning paper-based invoices and introducing electronic invoicing and real-time reporting to create a digital audit trail, prevent fraud, and streamline their countries’ economies, there is a clear need for more enhanced security measures to support these changes.

Closer to a company’s transactions
Accounting for 15 to 40 percent of all public revenue, the collection of VAT is dependent on companies meeting public law obligations as part of their sales, purchasing, and general business operations. This dependency makes it necessary for tax authorities to audit or otherwise control a company’s business transaction. Despite such audits, however, fraud and malpractice can often result in governments collecting significantly less VAT than they’re entitled to. In the EU alone, the VAT gap – the difference between the expected revenue and the amount actually collected – currently amounts to about €140 billion every year – a loss of 11 percent of the expected VAT revenue across the EU.

To reduce fraud and close their respective country’s VAT gap, tax authorities are increasingly implementing continuous transaction controls such as electronic invoicing, auditing, and real-time reporting, to insert themselves ever closer to companies’ transactions.

Originally introduced by governments across Latin America over 20 years ago, these controls are now being adopted throughout Europe. And as more governments continue to adopt digital transaction controls, ensuring the security of these techniques, and the data they involve, must take priority.

Heightened need for security
The potential exposure of this data to breaches and cyber criminals varies according to geography, with different countries implementing their own variation of transaction controls.

Certain EU member states, including Hungary, Portugal, and Spain, are still in the discovery phase, and are currently only looking to digitize parts of their local tax processes. Others are far more mature. Brazil, for instance, began its drive for electronic tax processes back in the early 2000s, and now applies a “tax first, goods second” approach to all transactions, in which mandatory e-invoices must be declared to the relevant tax authorities before any goods are dispatched. When a tax authority is fully digital, like Brazil’s, it only heightens the need for greater cybersecurity.

Encryption is one of the most powerful means of protecting the sensitive information shared within these digital transaction controls. Encrypting the data both in transit and at rest means that, in theory, only the transmitting organization and the receiving tax authority can access the contents of the various electronic invoices and reports going back and forth.

For additional security, any APIs used by an organization for integration should be authenticated via security certificates, to ensure that any data transmitted directly from its ERP system or point-of-sale solution is fully protected. Likewise, redundancy should be in place across any data centers an organization uses, to make sure its security processes are always on, and its data always safe from prying eyes.

Regulatory headaches
There are legal issues to be considered, too, especially by international companies that operate across several jurisdictions. Each country / confederation has its own data privacy laws that must be complied with, such as the GDPR in the EU, India’s Personal Data Protection Bill, and Australia’s Privacy Act (to name a few).

Non-compliance with a country’s regulations can not only result in serious financial penalties, but it can also put the security of a company’s transactional data at risk in that region. Technological solutions are available that, using a centralized live feed, will keep up to date with new and changing data privacy legislation and tax regulation in every country in which an organization does business.

As more tax authorities implement continuous transaction controls such as electronic invoicing in a bid to close their country’s VAT gap, the amount of sensitive financial and corporate data being shared between companies and governments is increasingly hugely. The more data there is, of course, the more attractive it becomes to criminals. Ensuring the security of the growing number of business-to-government transactions must therefore now be a key focus for every business.

Related Training

Caicedo, Oscar (2021) Engaging with governments is a data security priority. Recovered on 17 August 2021 https://www.helpnetsecurity.com/2021/07/30/governments-data-security-priority/