Hacker News

If you need more things to fix:

* Software R&D Amortization - taxes on make-believe profits

* Patent law - protect small businesses from patent trolls

* Automate government-driven compliance standards - enable small businesses to sell into large companies/government entities, automatic certification when using pre-approved cloud solutions.

* Healthcare insurance - employees of SMBs automatically get access to Medicare



> * Automate government-driven compliance standards - enable small businesses to sell into large companies/government entities, automatic certification when using pre-approved cloud solutions.

I don't see how this will end well. I appreciate the reasoning behind it, but this is not a good solution.

I'd prefer to see more "startup friendly" compliance frameworks that don't require tens to hundreds of thousands of dollars and make both the startup and their customers satisfied with the outcome. Something like a SOC2-lite that isn't so onerous but still provides a decent snapshot of their current situation from a third party's perspective.


I'd also prefer to see these standards go away. I haven't seen any proof they are providing meaningful security at any company I've been at, and several of them have had massive hacks despite being SOC2 on paper. They also eat up InfoSec time instead of being productive on meaningful stuff like "Hey, are we patching everything?"

Most of these compliance regimes just seem like barber licenses: a way for existing entities to entrench themselves.


Here here. The only thing SOC2 has done in my opinion is to create a multibillion dollar business that mainly just drains resources from companies that may not have them, with no guarantees you're actually secure. This usually devolves into security theatre where the CISO and underlings are putting in tools that drown teams with so much noise it's hard to detect the signal.

The people running these programs rarely understand the security space well enough to even tell you what a lot of the hits even mean, which ramps up disdain and division between the groups. This is arguably more detrimental to security as the scanners give execs/management a false sense of security while the noise makes it incredibly difficult to run a holistic security strategy.


(It’s "hear hear," since you want people to hear it. Honestly I have no idea whether to say something or not. But I’d want to know, so, just in case it’s helpful.)


Crap, I always get that wrong. Thanks for the reminder!

ETA: like I told my kids, if we don't police each other, the LLMs will never learn. ;)


I agree that regulatory compliance and industries around that can often be theater and it creates regulatory barriers that inhibit startups and competition generally but there must be some method of oversight to ensure that people can trust a system or company without needing to see the internals. For example, we trust our food is healthy because the firm that made it is authorized to do so by the FDA as they comply with the rules established by those regulators. Obviously there are flaws, loopholes, etc, and obviously software is different than health but to an extent we want some guarantees from an externally trusted actor. What is needed in the current SOC2 world that might solve some of the issues you outlined without getting rid of it, or the idea of it, entirely?


> What is needed in the current SOC2 world that might solve some of the issues you outlined without getting rid of it, or the idea of it, entirely?

IMO, nothing. It's not redeemable at all. Since you asked though, here are some thoughts:

Be more like the FDA process, where software is extensively reviewed, rollback procedures are established, and you launch a specific version with compliance. So basically two releases, maybe 4 a year.

Disallow risk mitigation because, IMO, that's the result of most problems. Oh yeah, we are doing "Terrible Security Thing, but since fixing it is too expensive, here is a bunch of lies about how we have mitigated it."

There is also the option of a government audit with criminal liability for falsifying/misleading auditors. This third-party system where auditors are getting paid results in problems. I've seen plenty of audits where bosses write up auditor requests in extremely specific ways that creatively leave out things that should never be approved. I've also seen auditors be made aware of a problem, then people backtrack, and auditors accept it because "They are also our customer and we need repeat business."


Vanta/Drata and others are starting to build solutions that are somewhere in between checkbox compliance and real security. To the extent they integrate with your cloud providers and security tools, they can validate that you have secure settings and active monitoring, and have remediated the things that have been flagged in a timely manner. Doesn't mean you are secure, but does ensure some baseline table stakes.


> To the extent they integrate with your cloud providers and security tools,

What happens when Vanta/Drata are compromised?

A mass-exploit of their customers?


They are a goldmine of enumerated attack surface. But it would likely require some kind of secondary exploit of the identified vulns. The API connections are generally scoped to read-only access of security settings. Though it wouldn't surprise me if there was some way to get lateral movement from the access these tools have to monitor an environment.


At $LastCompany, someone gave them Contributor (Create/Read/Update/Delete) access to Azure because it was easier than scoping to the 5 roles they required. I wouldn't be shocked if we were not the only ones.

Edit: Their software should really check and refuse to work if someone does that but obviously Vanta doesn't care. They can begin scanning and billing.


It's what's annoying about NIST and DFARS: you can be fully compliant despite having made stupid decisions as long as you have documented that you are in fact making this stupid decision.


Vanta cofounder/CEO here.

Thanks for the feedback. What we should probably do is take the credential, start scanning, and then nag them with a failing test about overly-permissive roles. Our own role is an easy check because we know what to expect, but there are other best practices here we can check for (and in some cases do, though not 100% comprehensively across all clouds).
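One way to implement the role check described in the reply above, as an added Python example that is not Vanta's or anyone else's code from this thread: it reads role assignments in the shape `az role assignment list` returns, flags anything beyond a read-only allowlist, and implements both responses the thread discusses (refuse to scan, or keep scanning and report a failing control). The principal name, subscription IDs and the allowlist of required read-only roles are assumptions; the role names themselves are real Azure built-in roles.

```python
import json
from dataclasses import dataclass

# Real Azure built-in role names. Which read-only roles a given scanner needs is
# vendor-specific; this allowlist is an assumption for the example.
READ_ONLY_ROLES = {
    "Reader",
    "Security Reader",
    "Log Analytics Reader",
    "Monitoring Reader",
}

# Built-in roles that grant create/update/delete or rights management. A
# monitoring-only integration has no business holding any of these.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Constructed sample resembling `az role assignment list` output for two
# subscriptions. Principal names and subscription IDs are made up.
SAMPLE_ASSIGNMENTS = json.loads("""
[
  {"principalName": "compliance-scanner-sp", "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
  {"principalName": "compliance-scanner-sp", "roleDefinitionName": "Security Reader",
   "scope": "/subscriptions/22222222-2222-2222-2222-222222222222"},
  {"principalName": "compliance-scanner-sp", "roleDefinitionName": "Storage Blob Data Contributor",
   "scope": "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/logs"},
  {"principalName": "someone-else", "roleDefinitionName": "Owner",
   "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"}
]
""")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" (write-capable) or "medium" (unexpected role)
    role: str
    scope: str
    message: str


def check_scanner_roles(assignments, principal_name):
    """Return a Finding for every assignment held by `principal_name` that is
    broader than a read-only scanner should have. Other principals' assignments
    are ignored: this check is only about the scanner's own identity."""
    findings = []
    for a in assignments:
        if a.get("principalName") != principal_name:
            continue
        role, scope = a["roleDefinitionName"], a["scope"]
        if role in PRIVILEGED_ROLES:
            findings.append(Finding("high", role, scope,
                f"{role} grants write/delete at {scope}; a scanner needs read-only access"))
        elif role not in READ_ONLY_ROLES:
            # Not on the allowlist: may be a data-plane write role (a
            # "... Data Contributor" role) or simply an unexpected custom role.
            findings.append(Finding("medium", role, scope,
                f"{role} is not an expected scanner role at {scope}; review it"))
    return findings


def should_refuse_to_scan(findings):
    """Strict policy: refuse to operate while any write-capable assignment exists."""
    return any(f.severity == "high" for f in findings)


def failing_test_report(findings):
    """Lenient policy: keep scanning but surface a failing control, one line per
    offending assignment, so the customer is nagged until it is fixed."""
    if not findings:
        return "PASS: scanner identity holds only expected read-only roles"
    lines = ["FAIL: scanner identity is over-permissioned"]
    lines += [f"  [{f.severity}] {f.message}" for f in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    found = check_scanner_roles(SAMPLE_ASSIGNMENTS, "compliance-scanner-sp")
    print(failing_test_report(found))
    print("refuse to scan:", should_refuse_to_scan(found))
```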


Glad one of many things is getting fixed.


SOC2 is akin to a protection racket.


Try ISO 27001. Everyone says it's more onerous, but for startups, it's actually a lighter lift. It is a lot worse for big companies than SOC2, but it's a lot easier for startups.


Interesting! Do you have any resources or tips on how startups / small companies can keep the ISO 27001 process lightweight? On a first scan, it seems that the amount of mandatory processes and documents is quite high...


Yeah, the only thing worse than the current status quo would be giving some SV startups a privileged position as gatekeepers for regulatory compliance (the Watershed strategy).


This is (kind of) starting to happen. See Vanta ($100m+ funding), Secureframe ($50m+ funding), etc.


Of these, the Section 174 debacle (software R&D amortization) is arguably the problem that needs to be addressed most urgently.


Couldn't agree more. In the SMEs that I've been involved with, this has had a huge chilling effect on both hiring and innovation. I think that the change is a primary contributing factor to the layoffs and offshoring that have seized the market ever since.

I'm not convinced that this wasn't the intent of the change in the first place.


How does this boost offshoring when offshore employees are penalized the most?


The fix for that is to establish a subsidiary.


Could someone elaborate on this for an uninformed person like me? Does it mean that if you (a company) pay $1M as salary this year, only $0.2M can be treated as cost?


Essentially. An extremely oversimplified scenario: On paper if you made $1M in revenue, and had $1M in salary expenses that were all R&D, you would deduct $200k of that salary and be left with $800,000 in "profit" that you have to pay taxes on.

Except you don't have $800k. You have $0k.


Yikes. I kept wondering why R&D has been dead for so long. I have made comments here on HN about how R&D is responsible for so many tech advancements we still use, especially at Bell Labs.


This is a recent change, thanks to the 2018 tax code changes (the implementation was delayed until this tax year).


Why would that be counted as profit at all, if it was spent?


It's kinda nuts how little this is taken seriously on HN.

When combined with:

- Pressure to make use of office spaces again, away from remote work

- The AI bubble

- The layoffs that started before section 174 that demonstrated how headcounts had inflated

- The collapse of Silicon Valley Bank last year

... it is not looking good for software engineers in the US.


To be fair; the pressure to use office space again helps US workers. A lot of us don’t like it, but it’s a fair bit better than someone in Guatemala getting your job.

(Better for the US engineers, not for the Guatemalan, who is probably a competent engineer himself. But the topic is the outlook for US engineers).


The House passed a bill, but the Senate is working on their own version. I haven't looked too deeply at either proposal, I just hope it doesn't make it even worse. I am waiting till the final proposal gets voted on.


Completely agree. I am a bootstrapped SaaS owner and we cleared about $1M in revenue, $1,200 in profit, and $90k in taxes.

Bootstrapping a tech company in a post Section 174 world doesn’t even seem feasible. I can’t believe this issue isn’t being taken more seriously.


No one cares because most software developers are employed at big companies that can amortize. Even YC will probably just increase its seed instead of complaining and consider it a "cost of business". This affects only marginal people. I am interested to talk with you about this if you want (feel free to reach out, my email is in my profile).


> Even YC will probably just increase its seed instead of complaining

Does it even impact these types of companies? 90% of the time at this stage you'll have very little income compared to expenses.


Was that profit after taxes? Or did it cost you $88k to run the business? Did you get to pay yourself?


> Or did it cost you $88k to run the business?

Why do you speculate that number? With $1M in revenue and $1.2k in profit, there must have been $998.8k in expenses. I assume "pay yourself" was part of the $998.8k. But I don't know the answer to the other part of your question: I don't know if the $90k in taxes are included in the $998.8k expenses.


Given you’ll eventually get that full software deduction tax break back, just spread across several years, I am surprised there aren’t companies that will finance that to have the money upfront (with a fee of course :( )


But most startups go broke within several years, and codebases can't be repurposed as easily as, say, a fries-making machine, so the fee needs to be very high to compensate for the risk.


How about health insurance not being tied to profits? Startups pay the full brunt of health insurance: since they don't have real profits, they have nothing to write off. Meanwhile large orgs get to write off a ton of profits as healthcare costs for employees.

So startups tend to have real garbage insurance. As someone older with kids, startups are getting more and more prohibitive because I need that healthcare. Maybe startups should be a young man's game. Maybe not.


Radical suggestion (maybe I'm too British): health insurance not being tied to employment or work whatsoever?


Here’s a radical suggestion: stop calling welfare-for-doctors insurance. If you want insurance, those are known as major-medical policies under which the sniffle visits are still the patient’s responsibility — just like how insured car owners pay for their own oil changes.

With “health” “insurance,” neither side has price sensitivity. Patients ask whether it’s covered and if so, back the truck up to get as much as possible. Physicians see enormous pots of money in tax-favored plans and seek to scoop out as much as they can. The inevitable result of such an awful system — that traces back to workarounds on executive pay limits imposed during the FDR administration — is unbounded price increases. Politicians scream about getting spending under control, and regulators impose rationing. This is a terrible system, but it’s a self-inflicted wound.

In the U.S., at least, we’re seeing cash-only practices become more common. Their fees are affordable because their customers pay out of pocket and because they don’t have to hire entire departments just to deal with “insurance” providers.


Take a look at Switzerland's medical system for how nationalized health insurance can work well. When the insurance system isn't privatized, it isn't for profit. This drives prices down to become affordable, even without insurance.


Just FYI, Switzerland's medical system is not nationalized. It is private and run for a profit (though there is centralized price setting for necessary procedures, and basic insurance is mandatory and well regulated).

No one but the US considers Swiss healthcare to be affordable, and prices are certainly not being driven down. And as insurance is legally mandated, “even without insurance” is not something that can be properly evaluated here.

I am not sure where you got this info but it is very wrong.


Ding ding ding. You could fix our pricing woes practically overnight if everyone was put on a (very) high deductible plan.


What you are saying makes sense IN THEORY. However, in practice in the US most people have the shittiest insurance, at the highest cost. A chunk of America doesn't have insurance and we all pay a lot extra for their problems; a friend of mine is in the chunk who is taking medication he is allergic to, because the stuff he isn't allergic to he can't afford; and finally we have the wealthy who have the best healthcare in the world.

Insurance for an optional thing makes sense: You don't _have_ to drive (okay, I'm in NYC), but you can, and you need insurance if you do. And mainly it's to cover damage _you_ do to others.

For health insurance: everyone in the world will need healthcare. Period. The only exception is if you're super healthy and then get your head suddenly cut off and are dead instantly. Other than this one case, you will need health care. The problem is that in America, breaking your arm, or getting alcohol poisoning, may bankrupt you. And as any doctor will tell you: An ounce of prevention is worth 2 in cure. Let people get treated before things get bad, and they can stay productive members of society. As John Oliver said, "the national anthem should be people holding out their medical bills and complaining in unison, because it is the only experience that every single American has in common."


Millions of us have been wishing for that our entire lives. We have about as much say in it as you do.


There is no particular linkage between health insurance and profits. Small businesses such as early-stage startups tend to have worse and more expensive employee health plans because they lack the scale to go self-insured or to negotiate lower premiums with payers for fully-insured plans. Profitable small businesses face the same problem.


"Maybe startups should be a young man's game."

No. Anybody of any age should be able to take part in labor, otherwise you're arguing for ageism.


Can you remind me what the issue with software R&D amortization is (or point me to something that explains it)? I remember reading about the issue in the past and thinking it was a problem, but I've forgotten all the details.


I assume they're referring to Section 174 changes. Here's a primer: https://blog.pragmaticengineer.com/section-174


This seems like a very strange take on 174. The author seems to be saying that all developer expenses can be expensed under old 174, but that’s not true (under my reading). My take was that exclusively research and development - where you are unsure of the outcome - is eligible under old 174.

Notice the analysis of big companies and their tax bills. Author notes that Google only expensed software development expenses until the software met some qualification threshold. After that, it’s not research anymore.

What am I missing?


From what I understand a lot could be classified as R&D. More than one would think.


Read 26 CFR section 1.174-2. "Activities intended to discover information that will eliminate uncertainty concerning the development or improvement of a product."

Specifically, check out example three in this section. I would be very careful about sweeping all my expenses in this category, but my familiarity with this part of the law is not deep.

I’d love a 174 practitioner to jump in here but that might be asking a lot.


Not a practitioner, just a startup cofounder affected by these changes... not legal or tax advice. You can read the applicable text here:

https://www.law.cornell.edu/uscode/text/26/174

Section 174(c)(3)

```
(3) Software development

For purposes of this section, any amount paid or incurred in connection with the development of any software shall be treated as a research or experimental expenditure.
```

That being said... it's complicated: https://www.thomsonreuters.com/en-us/posts/tax-and-accountin...

We've heard a mix of advice from various tax professionals on what should be classified as R&D or not. The messaging gets especially mixed since the R&D tax credit is often handled by a 3rd party that specializes in it. The company specializing in the tax credit may be incentivized to classify as much of your activity as R&D as they can, since they are usually paid a percentage of the total credits they are able to claim for your company.

It certainly complicates running a software company. My cofounder and I need to look at the amortization schedule before making any engineering hire as we basically need to consider their salary nearly 100% R&D. I imagine it's even more complicated for founders with overseas teams.

It would certainly be easier for us to do business if Section 174 was revised :)


Super post, thank you.

As to software "development," when you finish your software and publish it and get customer installs, then what happens? More software development? Or is ongoing operation/bug fixes still R&D under (c)(3)? I think your average software person has a strong belief about the answer to this question, but having read some of the code & regs in the area, I share your opinion that this section needs more detail.


Pretty sure any updates to the software count as additional R&D. Just running software you've already created doesn't count though. Something interesting we were asked was how much of our cloud costs involved developing software vs running existing software to determine if those costs must also be amortized over 5 years.


Does 174 apply to SBIR money?


It really depends on what you do / discover with the SBIR grant

See e.g. https://www.jamesoncpa.com/learning-center/irs-finally-issue...

Caveat, I've been out of the small lab SBIR world for 13-14 years


> Automate government-driven compliance standards - enable small businesses to sell into large companies/government entities, automatic certification when using pre-approved cloud solutions.

This is something the market can solve. You can't lobby it into existence.


Amortization (174) probably isn't getting fixed this year.


> * Healthcare insurance - employees of SMBs automatically get access to Medicare

Perhaps better decouple healthcare insurance from employment status? (Perhaps remove the tax dodge where companies can buy health insurance cheaper than individuals can?)


While you're there, try to help the Army National Guard Incentive Management System, or GIMS, not have multi-year downtimes, while the corporate sector wrings their hands over minutes. It's funny, yet hurtful to read. They exist in different universes.

> the system crashed in late 2018 and was inoperable for about 10 months; another 10-month outage occurred in 2021. While the system was down, bonuses had to be filed through a complicated manual process, creating a backlog that states are still trying to fix. (2023 story) [1]

> Two adjutants general, top commanders in their respective states, described discovering their staff tracking enlistment bonuses on dry-erase boards or through email traffic and handwritten notes. [1]

Sorry, your bonus is going around on somebody's handwritten note somewhere. Also, see if you can maybe do something about that VA medical data system. Heard they still hate it, last I checked.

[1] https://www.military.com/daily-news/2023/10/27/soldiers-unpa...


> Healthcare insurance - employees of SMBs automatically get access to Medicare

This puts you in the same company of abusing the system as Walmart, the nation's biggest welfare queen.

Employers should just have to give health benefits. You want workers, you pay benefits. Period. Maybe then you all will get on board for a single-payer system. It's what you want, but only in fits and starts. Quit fucking around already.


I really don't want my at-will employment status to be the arbiter of whether an unforeseen health issue will bankrupt me. Tying either private insurance or public insurance eligibility to your employer seems like a bad pattern we should be trying to get away from.


It's a bad pattern for the employee, but a good pattern for employers and the healthcare industrial complex. The possibility that you could be bankrupt if you let your insurance lapse is an enormous concern for employees that may want to leave but can't; much more powerful, and cheaper, than golden handcuffs.

COBRA is a joke, as if most could afford a multi-thousand-dollar-a-month bill when unemployed.

What that communicates to me is that those in power, both of the gov and of businesses, are primarily concerned with forcing productivity to make line go up than they are with incentivizing treating people humanely. But really I don't think that's so surprising considering the timeline we find ourselves in.


IME, COBRA is almost always a better deal than the marketplace offerings typically, unless you qualify for marketplace-only subsidies. COBRA premiums for whatever reason are hundreds of dollars (or more) cheaper than marketplace plans.


I've also had the opposite experience. My workplace plan through COBRA was around $500/mo, while only the highest-end marketplace plans were around that range. I took a middle-end plan at ~$300/mo.

To be fair I hadn't looked closely at what all my workplace plan covered, but I was doing physical therapy when I switched that wasn't covered (had to reach high deductible) on my workplace plan and was covered on my marketplace plan!

(I'm in Illinois)


I’ve consistently had the exact opposite experience.


It depends heavily on location. When I last ended up on Cobra in California it was a touch more expensive than the marketplace plan but my work plan was much better than the best available on the marketplace so it was worth it to go Cobra.


Not only that, but very often health issues are the cause, not result of, bad employment performance.


And it’s great how your employer can change which insurance provider they offer every year and along with it your coverage, provider network, prescription costs, etc.

Sometimes even more frequently than once per year if an acquisition takes place.


It's a frustrating situation for employees (and their dependents) but the ability for self-funded employers to shop around and switch health plans is one of the only things that is preventing healthcare prices from rising even faster than they already are. Most of those "insurers" no longer really do insurance, they largely construct provider networks and administer claims on behalf of self-insured group buyers. Some payers drive harder bargains with providers and you can see significant price differences in the price transparency files.


Sure, the employer is doing what is best for them in the current system. Everyone is. But the results can be rough for real people to actually live with.

One of the big scary talking points when politicians start talking about changing our insurance system is that people like their current plans and doctors and are scared to change things.

I just think this is silly since my plan has changed roughly annually since I've been in the workforce due to a combination of employers shopping plans, employers changing ownership and moving to the new company's plans, and switching jobs.

An in-between step to single payer would be to let me pick a marketplace plan and then let my employer reimburse it directly, provide a voucher, or something like that. At least that way I have the freedom to switch jobs without entering a whole new health insurance world, and which health plan I pick is none of my employer's business.


That is essentially how ICHRA plans work.

https://thatch.ai/resources/ichra-for-startups


Nice, I hadn't heard of that but yeah I think that's a much better system than employer group plans. If more of the market went that way, insurers would have to actually compete at a consumer level and not just offer "go away" pricing when you try to get insurance outside of a group plan.


Good luck convincing employers of that.


Indeed, that's why we need the government to step in.


Fuck that, employers should be legally barred from offering health benefits. Combining the two might have been one of the worst things to happen to the health system in this country.


I’ve never understood the idea that employers like Walmart are “abusing the system” or “welfare queens”. If Walmart employees were capable of getting jobs that paid enough that they weren’t eligible for public assistance, they wouldn’t work for Walmart. Conversely, if Walmart didn’t employ those people, they would be an even greater burden on the welfare state.


What if someone doesn't offer enough to his employer to justify the healthcare coverage? They should just not be able to work legally?


Can you expand on the last one? Is there no market (providers/demand) for this right now?


Did we even fix Section 174 yet?


No.


Accounting regs are meant to reflect reality, not enable shitty startups



