Several tax lawyers and accountants told the Associated Press that while the US’ Internal Revenue Service (IRS) doesn’t have separate guidance on ransomware, victims can claim these as “ordinary and necessary” business expenses.
“I would counsel a client to take a deduction for it,” a corporate tax attorney with Alston & Bird, Scott Harty, told the Associated Press.
- These are the best ransomware protection tools
- Here's our choice of the best malware removal software on the market
- Check our list of the best firewall apps and services
Don Williamson, a tax professor at the Kogod School of Business at American University, wrote a paper about the tax consequences of ransomware payments in 2017, and agrees that the growing number of ransomware attacks have indeed helped businesses claim the payments as ordinary business expenses.
Not a solution
FBI Director Christopher Wray recently testified before Congress, reaffirming the agency’s position that businesses should not give in to the demands of their attackers.
Despite this, Neustar recently discovered that over half of attacked businesses would simply pay their attackers and regain control of their networks, instead of prolonging the downtime, which could have a detrimental effect down the supply chain depending on the nature of their business.
Furthermore, in addition to the guidance from law enforcement agencies, a section of cybersecurity experts have long discouraged the payments, arguing that these only embolden the criminals and lead to more ransomware attacks.
This was underlined by a recent Cybereason survey, which revealed that over 80% of victims who pay a ransom are targeted again - often by the same ransomware operators.
But the tax deduction now emerges as another incentive, which although not very well-known, nor regularly exercised, indirectly neutralizes the guidance and recommendations of law enforcement agencies and security experts.
- Protect your devices with these best antivirus software