How IR35 is changing the landscape for cyber security contractors

Published on: 5 Apr 2022

It's now been a year since new IR35 rules for contractors were extended to the private sector. While these regulations affect contractors across all parts of the economy, they are particularly important to the IT sector, and cyber security especially.

Contracting has long been a way of life for professionals in this industry, as well as for businesses, who have increasingly turned to outside personnel in order to address continuing skills shortages. 

However, with IR35 making reforms to the way these individuals are taxed on their income, there have been concerns that this could have a major impact on cyber security operations, both for contractors who could see their earnings fall, and for employers who may need to make changes to their hiring practices.

So, one year into the new regime, what has the impact been, and how is it affecting the landscape for cyber security professionals when it comes to looking for their next role?


What is IR35 and how does it affect cyber security?

IR35 came into force for private sector firms on April 6th 2021, following a year-long delay due to the challenges caused by the pandemic.

It's designed to clamp down on tax avoidance by workers who claim to be self-employed contractors when they are in fact working as a full-time employee, but there have been many concerns that the legislation itself is overly-complex and onerous for businesses and contractors alike.

The biggest result of the reforms to IR35 is that it makes medium and large-sized firms responsible for determining whether the limited company contractors they employ should be taxed in the same way as their salaried workers (known as being inside IR35) or as off-payroll employees (outside IR35).

If contractors are considered to be working inside IR35, they will have to pay income tax and National Insurance Contributions (NICs) as if they were employed - which could result in a significant hit to their take-home income. 

Cyber security is one sector that is likely to be significantly affected by this. For many professionals, working as a contractor has become the norm, as it offers greater freedom and means they aren't tied down long-term to a single employee, at the expense of fewer guarantees over benefits like sick pay and paid holidays.


The impact of IR35 on firms and contractors

The changes of April 2021 meant a major shift in responsibility for firms who employ cyber security contractors. It is now up to them to consider whether their contractors should be regarded as employees for tax purposes, taking into account factors such as the degree of control the company has over their work and the amount of direct supervision and management of the contractor.  

If they are found to be employing contractors under the wrong status, there can be significant financial penalties, which has resulted in many businesses taking a more risk-averse approach to working with off-payroll employees. In many cases, firms were said to be implementing policies to avoid the use of limited company contractors completely. 

For contractors, this has resulted in there being fewer options available. There have been many anecdotal reports of employers no longer offering positions to limited company contractors - instead stating they will only consider contractors who are working as part of umbrella companies. 

Another consequence is that many workers may be opting to leave the contracting way of life completely, giving up some of these freedoms in exchange for greater security and clarity. According to Office for National Statistics data, for the 12 months between April 2016 to March 2017 - before IR35 changes for the public sector came in - there were 130,700 self-employed people working as IT and telecommunications professionals in the UK.

However, in the 12 months after the public sector reforms came into effect, this fell to 116,000. Meanwhile, for the year ending September 2021, which encompasses the change for private sector firms and are the most recent available figures, the number was down to 97,700.

This suggests that contracting has become a significantly less-appealing option since IR35, with the prospects for pay falling and fewer options available. Computer Weekly, for instance, reported recently that many contractors have faced difficulty finding work, and have considered options such as working abroad, or reluctantly taking on inside-IR35 positions through umbrella companies.


What will the future hold?

With demand for people with cyber security skills remaining high, there is uncertainty as to whether this is a sustainable solution, and there are signs that firms are beginning to rethink their efforts to avoid outside-IR35 contractors.

Computer Weekly highlighted one survey from IR35 compliance and insurance consultancy Qdos that found 64 percent of them said they had managed to successfully secure an outside-IR35 contract in the second half of 2021.

Chief executive of the company Seb Maley said many firms are starting to reverse "ill thought-out" contractor bans. He added: "We still have some distance to go until the market fully recovers, but contracting outside IR35 is still very much a possibility as more businesses get to grips with the changes."

Meanwhile, for those who are looking at other options such as permanent employee positions, there is still significant competition among employers for the top talent, which could allow former contractors to secure lucrative roles with compensation to match their abilities.

Check our range of permanent and contracting positions today to find your next exciting cyber security role.