As ransomware attacks are on the rise, the FBI is doubling down on its guidance for affected businesses: Don’t pay cybercriminals. But the U.S. government also offers a rare incentive for those who do pay: Ransom payments may be tax deductible.

The IRS does not offer formal guidance on ransomware payments, but several tax experts interviewed by The Associated Press said that deductions are generally allowed by law and established guidance. It is a “ray of light” for the victims of ransomware, as some tax and accounting lawyers say.

But those looking to discourage payments are less optimistic. They fear the deduction is a potentially problematic incentive that could prompt companies to pay ransoms against the advice of law enforcement. At the very least, they say, deductibility sends a jarring message to companies under duress.

“It seems a bit incongruous to me,” said New York Rep. John Katko, the top Republican on the House Homeland Security Committee.

Deductibility is part of a larger dilemma stemming from the rise in ransomware attacks, in which cybercriminals encrypt computer data and demand payment to unlock the files.

The government does not want payments that finance criminal gangs and could encourage more attacks. But not paying can have devastating consequences for businesses and, potentially, the economy as a whole.

A ransomware attack on Colonial Pipeline last month caused gas shortages in parts of the United States. The company, which transports around 45% of the fuel consumed on the East Coast, paid a ransom of 75 bitcoins, then valued at roughly $4.4 million.

An attack on JBS SA, the world’s largest meat processing company, threatened to disrupt the food supply. The company said it had paid the equivalent of $11 million to hackers who broke into its computer system.

Ransomware has grown into a multi-billion dollar business and the average payout was over $310,000 last year, up 171% from 2019, according to Palo Alto Networks.

Companies that pay ransomware demands directly are entitled to claim a deduction, tax experts said. To be tax deductible, business expenses must be considered ordinary and necessary.

Companies have long been able to deduct losses from more traditional crimes, such as theft or embezzlement, and experts say that ransomware payments are often valid as well.

“I would advise a client to take a deduction for it,” says Scott Harty, a corporate tax attorney at Alston & Bird. “It meets the definition of ordinary and necessary expense.”

Don Williamson, a tax professor at American University’s Kogod School of Business, wrote an article on the tax consequences of ransomware payments in 2017. Since then, he said, the increase in attacks has only strengthened the case for the IRS to allow ransomware payments as tax deductions.

“It is becoming more common, therefore it is becoming more ordinary,” he said.


That’s one more reason, critics say, not to allow ransomware payments as tax deductions.

“The cheaper it is to pay that ransom, the more incentives we are creating for companies to pay, and the more incentives we are creating for companies to pay, the more incentives we are creating for criminals to continue,” said Josephine Wolff, a professor of cybersecurity policy at the Fletcher School of Tufts University.

For years, ransomware was more of an economic nuisance than a major national threat. But attacks launched by foreign cyber gangs outside the reach of US law enforcement agencies have proliferated in scale over the past year, pushing the ransomware problem onto the front pages.

In response, top US law enforcement officials have urged companies not to comply with ransomware demands.

“It is our policy, it is our guidance, from the FBI, that companies should not pay the ransom for a number of reasons,” FBI Director Christopher Wray told Congress this month. That message was echoed at another hearing this week by Eric Goldstein, a senior official with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.

Officials warn that the payments lead to more ransomware attacks. “We are in this ship that we are in now because in recent years people have paid the ransom,” Stephen Nix, assistant special agent in charge of the US Secret Service, said at a recent summit on cybersecurity.

It is unclear how many companies that make ransomware payments benefit from tax deductions.

When asked in a congressional hearing if the company would seek a tax deduction for the payment, Colonial CEO Joseph Blount said he did not know that was a possibility.

“Big question. I had no idea about that. I’m not aware of that at all,” he said.

There are limits to the deduction. If the loss to the business is covered by cyber insurance, something that is also becoming more common, the business cannot take a deduction for the payment made by the insurer.

The number of active cyber insurance policies jumped from 2.2 million to 3.6 million from 2016 to 2019, an increase of 60%, according to a new report from the Government Accountability Office, the audit arm of Congress. Linked to that, there was a 50% increase in insurance premiums paid, from $2.1 billion to $3.1 billion.
