Here’s one consolation for businesses that pay ransom to cybercriminals to regain use of their computer systems: The ransom apparently is tax-deductible.
It’s a business expense.
Tax experts told The Associated Press that deductions are usually allowed under law and established guidance — ordinary and necessary business expenses.
Companies already deduct losses from traditional crimes such as robbery or embezzlement, and experts say ransomware payments are usually valid, too.
“I would counsel a client to take a deduction for it,” says Scott Harty, a corporate tax attorney with Alston & Bird, told The AP. “It fits the definition of an ordinary and necessary expense.”
The IRS has yet to issue official guidance on the deductibility of ransomware.
“The IRS is aware of this and looking into it,” IRS spokesperson Robyn Walker told The AP.
At odds with cops
The deduction highlights a difference with other parts of the federal government.
The FBI, Homeland Security and other agencies urge companies not to pay ransomware lest cybercriminals be encouraged to hijack more computer systems for ransom.
“We’re in this boat we’re in now because over the last several years people have paid the ransom,” Stephen Nix, assistant to the special agent in charge at the U.S. Secret Service, said at a recent summit on cybersecurity, according to The AP.
Crime pays for many cybercriminals.
In a recent case, JBS SA, the world’s largest meat processing company, said hackers threatened to disrupt food supplies. The company said it paid some $11 million to the criminals who infiltrated its computer system.
The loss would not be tax deductible if the company collects insurance for its ransom. But insurance rates for cybercrime are rising because cybercrime is rising.