Hit by a ransomware attack? Your payment can be deductible



By ALAN SUDERMAN and MARCY GORDON
Associated Press

WASHINGTON (AP) – As ransomware attacks escalate, the FBI is doubling down on its instructions to affected businesses: Don’t pay the cyber criminals. But the US government also offers a little-noticed incentive for those who pay: the ransom can be tax deductible.

The IRS doesn’t provide formal guidance on ransomware payments, but several tax experts interviewed by The Associated Press said that deductions are usually allowed under the law and established guidelines. It is a “silver lining” for ransomware victims, as some tax lawyers and accountants put it.

But those who want to discourage payments are less optimistic. They fear the deduction is a potentially problematic incentive that could entice companies to pay ransoms against law enforcement advice. At the very least, they say, deductibility sends a contradictory message to companies under duress.

“It seems a little inappropriate,” said New York Rep. John Katko, the top Republican on the House Committee on Homeland Security.

Deductibility is part of a larger dilemma arising from the rise in ransomware attacks, where cyber criminals encrypt computer data and demand payment to unlock the files. The government does not want payments that fund criminal gangs and could encourage further attacks. However, failure to pay can have devastating consequences for businesses and potentially the economy as a whole.

A ransomware attack on the Colonial Pipeline last month caused gas shortages in parts of the United States. The company, which carries about 45% of the fuel consumed on the East Coast, paid a ransom of 75 bitcoin – valued at about $4.4 million at the time. An attack on JBS SA, the world’s largest meat processing company, threatened to disrupt food supplies. The company said it paid the equivalent of $11 million to hackers who broke into its computer system.

Ransomware has grown into a multi-billion dollar business, and the average payment was more than $310,000 last year, up 171% from 2019, according to Palo Alto Networks.

Companies that pay ransomware demands directly are within their rights to claim a deduction, according to tax experts. To be tax deductible, business expenses should be considered ordinary and necessary. Businesses have long been able to deduct losses from more traditional crimes like robbery or embezzlement, and experts say ransomware payments are usually valid too.

“I would advise a client to make a deduction for this,” said Scott Harty, corporate tax attorney at Alston & Bird. “It corresponds to the definition of an ordinary and necessary expense.”

Don Williamson, a tax professor at American University’s Kogod School of Business, wrote a paper on the tax consequences of ransomware payments in 2017. Since then, he said, the rise in ransomware attacks has only bolstered the IRS’ arguments about ransomware payments as tax deductions.

“It’s getting more and more common, so it’s getting more common,” he said.

This is one more reason, say critics, not to allow ransomware payments as a tax deduction.

“The cheaper we make it to pay that ransom, the more incentive we create for companies to pay, and the more incentive we create for companies to pay, the more incentive we create for criminals to move on,” said Josephine Wolff, professor of cybersecurity policy at Tufts University’s Fletcher School.

For years, ransomware has been more of an economic nuisance than a major national threat. But attacks by foreign cyber gangs outside the reach of US law enforcement agencies have skyrocketed over the past year, bringing the issue of ransomware to the front pages.

In response, senior US law enforcement agencies have urged companies not to comply with ransomware demands.

“It’s our policy, it’s our FBI policy, that companies shouldn’t pay the ransom for a number of reasons,” FBI Director Christopher Wray testified before Congress this month. That message was echoed this week at another hearing by Eric Goldstein, a senior official in the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency.

Officials warn that payments will lead to more ransomware attacks. “We are in this boat that we are in now because people have paid the ransom in recent years,” said Stephen Nix, assistant to the special agent in charge at the US Secret Service, at a recent summit on cybersecurity.

It is unclear how many companies that pay ransoms are making use of the tax deduction. When asked at a congressional hearing whether the company would take a tax deduction for the payment, Colonial CEO Joseph Blount said he did not know it was a possibility.

“Good question. I had no idea about that. I wasn’t even aware of that,” he said.

There are limits to the deduction. If the company’s damage is covered by cyber insurance – which is also becoming more common – the company cannot deduct the insurer’s payment.

The number of active cyber insurers rose from 2.2 million to 3.6 million from 2016 to 2019, a 60% increase, according to a new report from the Government Accountability Office, the congressional auditing arm. Associated with this was a 50% increase in insurance premiums paid, from $2.1 billion to $3.1 billion.

The Biden administration has pledged to make containment of ransomware a priority after a series of high-profile break-ins, and said it is reviewing the U.S. government’s guidelines on ransomware. No details were given on what changes, if any, will be made to the tax deductibility of ransomware payments.

“The IRS is aware of this and is investigating it,” said IRS spokeswoman Robyn Walker.

___

Suderman reported from Richmond, Virginia.


