New York Advisory Opinion on Taxability of Network Security Monitoring and Professional Advisory Services

The New York State Department of Taxation and Finance (DTF) recently issued Advisory Opinion TSB-A-24(12)S. The Petitioner sought clarification on whether their Network Security Monitoring Services (NSMS) and Professional Advisory Services (PAS) sales are subject to New York State and local sales tax. The DTF concluded that both services are considered protective and subject to New York State and local sales tax.

Overview of Petitioner's Service Offerings

The Petitioner is a Managed Detection and Response (MDR) service provider that collaborates with mid-sized financial institutions and various other public and private entities. Specializing in cybersecurity, the Petitioner offers solutions designed to detect and respond to cyber-attacks.

Their Network Security Monitoring Services (NSMS) service is a subscription-based offering focusing on preventing cyber-attacks on network-connected assets. NSMS operates by installing sensors on the customer's servers. When an abnormality or potential threat is detected, the Petitioner alerts the customer and works to address the issue.

The Petitioner also offers Professional Advisory Services (PAS), which provides customized cybersecurity consultation. This service involves advising customers on how to reduce their exposure to threats and developing continually assessed cybersecurity programs. The insights gained from NSMS tools form the basis of PAS, which is typically purchased in conjunction with NSMS.

The DTF’s Analysis of Taxability of Petitioner's Services under New York Tax Law

Under New York Tax Law §1105(c)(8), sales tax is imposed on the sale of protective services provided by "protective systems of every nature," except when sold for resale. This includes services designed to prevent unauthorized access to or use of a customer's information technology (IT) assets in New York State.

Services that monitor unauthorized access or use of IT assets are also taxable under this provision. Relevant case law supports this interpretation, such as Robert Bruce McLane Assoc. v. Urbach, 232 AD2d 826 (2d Dept. 1995). Furthermore, a service’s taxability depends on its primary function. As established in Matter of SSOV ’81 Ltd. d/b/a People Resources, Tax Appeals Tribunal, January 19, 1995, the analysis focuses on the service as a whole.

Network Security Monitoring Services (NSMS)

The Petitioner's NSMS subscription operates through sensors installed on the customer's servers, providing real-time threat detection and prevention without the customer downloading or installing software. The primary purpose of NSMS is to secure customers' IT assets from cyber threats continually.

Given its core function of providing continuous protective services against cyber-attacks, NSMS falls squarely within the definition of taxable protective services under Tax Law § 1105(c)(8). Therefore, the sale of NSMS is subject to New York State and local sales tax.

Professional Advisory Services (PAS)

The Petitioner's PAS involves creating, overseeing, and implementing formal cybersecurity policies and procedures tailored to each customer. While it includes consultation on reducing exposure to threats, it also encompasses developing and ongoing assessment of cybersecurity programs.

Although advisory or consulting services are generally not subject to sales tax (see, e.g., TSB-A-15(16)S), PAS extends beyond mere consultation. Its primary function is to enhance and maintain the security of customers' IT assets. Furthermore, PAS is closely integrated with NSMS and is typically not purchased separately.

Therefore, PAS is considered a taxable protective service under Tax Law § 1105(c)(8) based on its primary purpose and integral role in safeguarding IT assets.

Sourcing of Protective Services

Protective services are deemed to be provided in New York if the protected property is located within the state. This includes assets or data residing on servers in New York. If the protected assets are located both inside and outside New York, the Petitioner should collect sales tax only for the portion of services that protect assets within the state.

To accurately determine where the services are being provided, the Petitioner may rely on a letter from the customer indicating the locations of the protected assets. The customer or an authorized representative should sign this letter, including a statement acknowledging its purpose. The Petitioner must retain these letters as part of its sales tax records and associate them with related sales for at least three years after the date of the last sale covered by the letter.

Customers are responsible for updating the Petitioner if the locations of the protected assets change. To ensure ongoing compliance, the Petitioner should review the information with customers at least every three years.

Contact a New York Sales Tax Professional for Advice

If you're in the cybersecurity business, your protective services are likely subject to New York State and local sales tax. If you need clarification about how these tax rules apply to your business, consulting with a New York sales tax professional is wise.

Our team of experienced sales tax experts is here to help you understand your obligations and develop tailored strategies. Don't leave your compliance to chance—contact our talented sales tax professionals today for personalized advice and guidance to protect your business.