As ransomware attacks escalate, the FBI is doubling down on its instructions to affected companies: Don’t pay the cyber criminals. But the US government also offers a little-noticed incentive for those who pay: the ransom can be tax deductible.

The IRS doesn’t provide formal guidance on ransomware payments, but several tax experts interviewed by The Associated Press said that deductions are usually allowed under the law and established guidelines. For ransomware victims, this is a “silver lining”, as some tax lawyers and accountants call it.

But those who want to discourage payments are less optimistic. They fear the deduction is a potentially problematic incentive that could lead companies to pay ransoms against law enforcement advice.

“It seems a little inappropriate to me,” said Rep. John Katko, the top Republican on the House Committee on Homeland Security.

Deductibility is part of a larger dilemma arising from the rise in ransomware attacks, in which cyber criminals encrypt computer data and demand payment to unlock the files.

The government does not want payments that fund criminal gangs and could encourage further attacks. However, failure to pay can have devastating consequences for businesses and potentially for the economy as a whole.

A ransomware attack on the Colonial Pipeline last month caused gas shortages in parts of the United States.

The company, which carries about 45 percent of the fuel consumed on the East Coast, paid a ransom of 75 bitcoin – valued at about $4.4 million at the time.

An attack on JBS SA, the world’s largest meat processing company, threatened to disrupt food supplies.

The company said it paid the equivalent of $11 million to hackers who broke into its computer system.

Ransomware has grown into a multi-billion dollar business, and the average payment was more than $310,000 last year, up 171 percent from 2019, according to Palo Alto Networks.

Companies that pay ransomware demands directly are entitled to a deduction, according to tax experts. To be tax deductible, a business expense must be considered ordinary and necessary.

Businesses have long been able to deduct losses from more traditional crimes like robbery or embezzlement, and experts say ransomware payments are usually valid too.

“I would advise a client to make a deduction for this,” said Scott Harty, corporate tax attorney at Alston & Bird. “It corresponds to the definition of an ordinary and necessary effort.”

Don Williamson, a tax professor at the American University’s Kogod School of Business, wrote an article in 2017 about the tax consequences of ransomware payments.

Since then, he said, the rise in ransomware attacks has only bolstered the IRS’s arguments to allow ransomware payments as tax deductions.

“It’s getting more and more common, so it’s getting more common,” he said.

All the more reason not to allow ransomware payments as a tax deduction, according to critics.

“The cheaper we make it to pay this ransom, the more incentives we create for companies to pay, and the more incentives we create for companies to pay, the more incentives we create for criminals to keep going,” said Josephine Wolff, Professor of Cybersecurity Policy at Tufts University’s Fletcher School.

For years, ransomware has been more of an economic nuisance than a major national threat. But attacks by foreign cyber gangs outside the reach of US law enforcement have skyrocketed over the past year, bringing the issue of ransomware to the front pages.

In response, senior US law enforcement officials have urged companies not to comply with ransomware demands.

“It’s our policy, it’s our guidance from the FBI that corporations shouldn’t pay the ransom for a number of reasons,” FBI Director Christopher Wray testified before Congress this month.

That message was echoed this week at another hearing by Eric Goldstein, a senior official in the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency.

Officials warn that payments will lead to more ransomware attacks. “We are in this boat that we are in now because people have paid the ransom in recent years,” said Stephen Nix, assistant to the special agent in charge of the U.S. Secret Service, at a recent summit on cybersecurity.

It is unclear how many companies that have paid ransoms are making use of the tax deduction.

When asked at a congressional hearing whether the company would take a tax deduction for the payment, Colonial CEO Joseph Blount said he did not know it was a possibility.

“Great question. I had no idea about that. I’m not aware of that at all,” he said.

There are limits to the deduction. If the company’s damage is covered by cyber insurance – which is also becoming more common – the company cannot deduct the insurer’s payment.

The number of active cyber insurance policies rose from 2.2 million to 3.6 million between 2016 and 2019, a 60 percent increase, according to a new report from the Government Accountability Office, the congressional audit arm. Over the same period, premiums paid rose 50 percent, from $2.1 billion to $3.1 billion.

The Biden administration has pledged to make containment of ransomware a priority after a series of high-profile intrusions, and said it is reviewing the U.S. government’s guidelines on ransomware. No details were given on what changes, if any, will be made to the tax deductibility of ransomware payments.

“The IRS is aware of this and is investigating it,” said IRS spokeswoman Robyn Walker.