Even as the FBI actively discourages ransomware victims from paying their cyber tormentors, the US Government may be indirectly incentivizing the payments by treating them as tax deductible.
Several tax lawyers and accountants told the Associated Press that while the US Internal Revenue Service (IRS) doesn’t have separate guidance on ransomware, victims can claim the payments as an “ordinary and necessary” business expense.
“I would counsel a client to take a deduction for it,” Scott Harty, a corporate tax attorney with Alston & Bird, told the Associated Press.
Don Williamson, a tax professor at the Kogod School of Business at American University, wrote a paper about the tax consequences of ransomware payments in 2017, and agrees that the growing number of ransomware attacks has indeed helped businesses claim the payments as ordinary business expenses.
Not a solution
FBI Director Christopher Wray recently testified before Congress, reaffirming the agency’s position that businesses should not give in to the demands of their attackers.
Despite this, Neustar recently discovered that over half of the attacked businesses would simply pay their attackers and regain control of their networks, instead of prolonging the downtime, which could have a detrimental effect down the supply chain depending on the nature of their business.
In addition to the guidance from law enforcement agencies, a section of cybersecurity experts has long discouraged the payments, arguing that they only embolden the criminals and lead to more ransomware attacks.
This was underlined by the recent Cybereason survey, which revealed that over 80% of victims that pay the ransom are targeted again, often by the same ransomware operators.
But the tax deduction now emerges as another incentive which, although neither well known nor regularly exercised, indirectly neutralizes the guidance and recommendations of law enforcement agencies and security experts.