Silver lining for ransomware victims: payments may be tax deductible

The incentive could entice businesses to pay ransoms - funding continued criminal activity

The rising number and severity of ransomware attacks have made 'to pay or not to pay' an impossible dilemma in most cases. But an investigation by The Associated Press has revealed that payments may not hold quite the sting they used to.

Last year, the FBI issued a public service announcement advising organisations on how to handle ransom demands.

The main advice is not to pay, and instead report the incident as early as possible. The agency also warned that paying ransoms only funds criminals' efforts.

However, while the FBI has been advising against paying ransoms, experts have drawn attention to the fact that the US government itself offers a little-known incentive that could swing the decision in the other direction.

According to The Associated Press (AP), a business in the US can normally claim a tax deduction on ransoms.

The Internal Revenue Service (IRS) has not published any formal guidance on ransomware payments. However, several tax experts told The AP that tax deductions are usually allowed on ransoms, under law and established guidance.

US businesses have long been allowed to deduct losses as a result of traditional crimes, such as theft or robbery, and experts believe ransomware payments are also valid in most cases.

"I would counsel a client to take a deduction for it," said Scott Harty, a corporate tax attorney with Alston & Bird.

According to Cricpa, losses arising from theft - explicitly including ransomware - are deductible under Internal Revenue Code (IRC) Section 165.

'Ransomware attacks - where a threat actor encrypts a victim's files or data and only releases those assets once the business pays a ransom - are considered theft by extortion and are therefore deductible,' it claims.

'The IRS makes this clear in Revenue Ruling 72-112, when they state that ransom payments qualify as a theft loss deduction as long as the extortion was illegal in the state where it occurred.

'It fits the definition of an ordinary and necessary expense.'

There are, of course, limits to any deductions claimed. For example, a company can't claim a deduction if the loss was covered by cyber insurance.

According to HG, there could be a multitude of ways for a company to claim a ransomware payment as a tax deduction. These may include treating it as a deductible loss through theft or as a standard and necessary expense of running the business.

'The company owner must treat the specifics properly so that the payment to the scam artist or entity is on the books appropriately.'

Claiming deductions may require a specific explanation, and the owner may make mistakes in providing such details without a tax expert. Asking a professional to assist in checking over the books increases the chance that a deduction is applied.

Ransomware now represents the biggest threat to online security in the UK, the head of GCHQ's cybersecurity arm warned last week.

Speaking to the Rusi thinktank, Lindy Cameron, the chief of the National Cyber Security Centre, said the ransomware phenomenon is escalating and increasingly professional.

A report last year by US cyber security firm Emsisoft shows that British firms were hit by nearly 5,000 ransomware attacks in 2019, forcing them to pay out nearly £210 million to cyber criminals.

The UK was sixth in the list of countries paying out most ransoms to cyber criminals. The US topped the list (paying $1.3 billion to hackers), followed by Italy, Germany, Spain and France in that order.