Those looking to discourage payments fear the deduction may be a potentially problematic incentive that would entice businesses to pay ransoms against the recommendation of law enforcement.
As ransomware attacks surge, the FBI is doubling down on its guidance to affected businesses: Don't pay the cybercriminals. But the United States government also offers a little-noticed incentive for those that do pay: The ransoms could also be tax deductible.
The IRS offers no formal guidance on ransomware payments, but multiple tax experts interviewed by The Associated Press said deductions are usually allowed under law and established guidance. It’s a “silver lining” to ransomware victims, as some tax lawyers and accountants put it.
But those looking to discourage payments are less sanguine. They fear the deduction may be a potentially problematic incentive that would entice businesses to pay ransoms against the recommendation of law enforcement. At a minimum, they say, the deductibility sends a discordant message to businesses under duress.
“It seems a touch incongruous to me,” said New York Rep. John Katko, the top Republican on the House Committee on Homeland Security.
Deductibility may be a piece of a much bigger quandary stemming from the increase in ransomware attacks, in which cybercriminals scramble computer data and demand payment for unlocking the files. The government doesn’t want payments that fund criminal gangs and will encourage more attacks. But failing to pay can have devastating consequences for businesses and potentially for the economy overall.
A ransomware attack on Colonial Pipeline last month led to gas shortages in parts of the United States. The company, which transports about 45% of fuel consumed on the East Coast, paid a ransom of 75 bitcoin, then valued at roughly $4.4 million. An attack on JBS SA, the world’s largest meat processing company, threatened to disrupt food supplies. The company said it had paid the equivalent of $11 million to hackers who broke into its computing system.
Ransomware has become a multibillion-dollar business, and the average payment was more than $310,000 last year, up 171% from 2019, according to Palo Alto Networks.
The companies that pay ransomware demands directly are well within their rights to claim a deduction, tax experts said. To be tax deductible, business expenses should be considered ordinary and necessary. Companies have long been able to deduct losses from more traditional crimes, like robbery or embezzlement, and experts say ransomware payments are usually valid, too.
“I would counsel a client to require a deduction for it,” says Scott Harty, a corporate tax attorney with Alston & Bird. “It fits the definition of a standard and necessary expense.”
Don Williamson, a tax professor at the Kogod School of Business at American University, wrote a paper about the tax consequences of ransomware payments in 2017. Since then, he said, the increase in ransomware attacks has only strengthened the case for the IRS to permit ransomware payments as tax deductions.
“It’s becoming more common, so therefore it becomes more ordinary,” he said.
That’s all the more reason, critics say, to disallow ransomware payments as tax deductions.
“The cheaper we make it to pay that ransom, then the more incentives we’re creating for companies to pay, and therefore the more incentives we’re creating for companies to pay, the more incentive we’re creating for criminals to continue,” said Josephine Wolff, a cybersecurity policy professor at the Fletcher School of Tufts University.
For years, ransomware was more of an economic nuisance than a serious national threat. But attacks launched by foreign cybergangs out of reach of U.S. law enforcement have proliferated in scale over the past year and thrust the matter of ransomware onto the front pages.
In response, top U.S. law enforcement officials have urged companies not to meet ransomware demands.
“It is our policy, it's our guidance, from the FBI, that companies shouldn't pay the ransom for a variety of reasons,” FBI Director Christopher Wray testified this month before Congress. That message was echoed at another hearing during the week by Eric Goldstein, a top official at the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency.
Officials warn that payments cause more ransomware attacks. “We’re in this boat we’re in now because over the last several years people have paid the ransom,” Stephen Nix, assistant to the agent responsible at the U.S. Secret Service, said at a recent summit on cybersecurity.
It's unclear what percentage of companies that make ransomware payments avail themselves of the tax deductions. When asked at a congressional hearing whether the company would pursue a tax write-off for the payment, Colonial CEO Joseph Blount said he was unaware that was an opportunity.
“Great question. I had no idea that. Not conscious of that in the least,” he said.
There are limits to the deduction. If the loss to the company is covered by cyber insurance, something that is also becoming more common, the company can’t take a deduction for the payment that’s made by the insurer.
The number of active cyber insurance policies jumped from 2.2 million to 3.6 million from 2016 to 2019, a 60% increase, according to a new report from the Government Accountability Office, Congress’ auditing arm. Accompanying that was a 50% increase in insurance premiums paid, from $2.1 billion to $3.1 billion.
The Biden administration has pledged to make curbing ransomware a priority in the wake of a series of high-profile intrusions and said it is reviewing the U.S. government’s policies associated with ransomware. It has not provided any detail about what changes, if any, it is going to make associated with the tax deductibility of ransomware.
“The IRS is conscious of this and searching into it,” said IRS spokesperson Robyn Walker.