Even as the FBI is actively discouraging ransomware (opens in new tab) victims to not pay cyber tormentors, the US government may indirectly be incentivizing the payments by treating them as tax (opens in new tab) deductible.
Several tax lawyers and accountants told the Associated Press (opens in new tab) that while the US’ Internal Revenue Service (IRS) doesn’t have separate guidance on ransomware, victims can claim these as “ordinary and necessary” business expenses.
“I would counsel a client to take a deduction for it,” a corporate tax attorney with Alston & Bird, Scott Harty, told the Associated Press.
- These are the best ransomware protection tools (opens in new tab)
- Here's our choice of the best malware removal (opens in new tab) software on the market
- Check our list of the best firewall apps and services (opens in new tab)
Don Williamson, a tax professor at the Kogod School of Business at American University, wrote a paper about the tax consequences of ransomware payments in 2017, and agrees that the growing number of ransomware attacks (opens in new tab) have indeed helped businesses claim the payments as ordinary business expenses.
Not a solution
FBI Director Christopher Wray recently testified before Congress, reaffirming the agency’s position that businesses should not give in to the demands of their attackers.
Despite this, Neustar recently discovered that over half of attacked businesses would simply pay their attackers (opens in new tab) and regain control of their networks, instead of prolonging the downtime, which could have a detrimental effect down the supply chain depending on the nature of their business.
Furthermore, in addition to the guidance from law enforcement agencies, a section of cybersecurity (opens in new tab) experts have long discouraged the payments, arguing that these only embolden the criminals and lead to more ransomware attacks.
This was underlined by a recent Cybereason survey, which revealed that over 80% of victims who pay a ransom are targeted again (opens in new tab) - often by the same ransomware operators.
But the tax deduction now emerges as another incentive, which although not very well-known, nor regularly exercised, indirectly neutralizes the guidance and recommendations of law enforcement agencies and security experts.
- Protect your devices with these best antivirus software (opens in new tab)