As ransomware attacks surge, the FBI is doubling guidance to affected companies. Don’t pay cyber criminals. However, the US government also offers incentives that are almost unnoticed by payers. Ransom may be tax deductible.
The IRS does not provide formal guidance on ransomware payments, but several tax experts interviewed by the Associated Press have stated that deductions are usually allowed under legal and established guidance. It was. As some tax accountants and accountants say, this is a “silver lining” for ransomware victims.
But those who are trying to discourage payments are not so optimistic. They fear that deductions are a potentially problematic incentive that can tempt businesses to pay the ransom against law enforcement advice. At the very least, deductibility sends a discordant message to the companies being coerced, they say.
“I feel a little uncomfortable,” said John Katko, a top Republican member of the House of Representatives Homeland Security Commission.
Deductibility is part of a larger issue resulting from an increase in ransomware attacks where cybercriminals scramble computer data and demand payment to unlock files. The government does not want payments that could fund criminal gangs and encourage more attacks. However, failure to pay can have devastating consequences for businesses and potentially for the economy as a whole.
A ransomware attack on the Colonial Pipeline last month caused a gas shortage in parts of the United States. The company, which transports about 45% of the fuel consumed on the East Coast, paid a ransom of 75 Bitcoins. This is worth about $ 4.4 million. The attack on JBS SA, the world’s largest meat processing company, could disrupt food supply. The company said it paid $ 11 million worth of hackers who broke into computer systems.
According to Palo Alto Networks, ransomware has become a multi-billion dollar business, with average payments exceeding $ 310,000 last year, an increase of 171% from 2019.
Companies that pay ransomware requests directly are within the scope of their right to claim deductions, tax experts said. To be eligible for tax deduction, project costs should be considered normal and necessary. Companies have long been able to deduct losses from traditional crimes such as robbery and embezzlement, and experts say that ransomware payments are also usually valid.
“I advise clients to get a deduction,” says Scott Harty, a corporate tax attorney at Alston & Bird. “It fits the usual definition of cost required.”
Don Williamson, a tax professor at the Cogod School of Business at American University, wrote a treatise in 2017 on the tax implications of ransomware payments. Since then, the increase in ransomware attacks has only strengthened the cases allowed by the IRS, he said. Ransomware payment as a tax deduction.
“It’s becoming more common, so it’s more common,” he said.
That’s not the only tax deduction for ransomware payments, according to critics.
“The cheaper the ransom, the more incentives companies pay, and the more incentives companies pay, the more incentives criminals have to continue.” One Josephine Wolf said.
For years, ransomware has been an economic annoyance rather than a major national threat. However, attacks launched by foreign cybergangs out of the reach of US law enforcement agencies have scaled up over the past year, pushing the ransomware issue to the top page.
In response, US law enforcement officials are urging businesses not to meet ransomware demands.
“It’s our policy that businesses shouldn’t pay the ransom for many reasons, and the guidance from the FBI,” FBI Secretary Christopher A. Wray testified before Congress this month. The message was repeated at another hearing this week by Eric Goldstein, Chief Executive Officer of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
Authorities warn that payments will lead to more ransomware attacks. “We’re on board now because people have paid ransoms in the last few years,” Steven Knicks, an assistant special agent for the US Secret Service, said at a recent summit on cybersecurity. It was.
It’s unclear if the number of companies that pay for ransomware uses tax credits. When asked at a parliamentary hearing whether the company would pursue tax deductions for payments, colonial CEO Joseph Brant said he was unaware that it was possible. ..
“It’s a great question. I didn’t know about it. I didn’t notice it at all,” he said.
There is a limit to the deduction. If a company’s losses are covered by cyber insurance (which is also becoming commonplace), the company will not be eligible for deductions for payments made by the insurer.
The number of active cyber insurance policies surged from 2.2 million to 3.6 million between 2016 and 2019, up 60%, according to a new report from the Government Accountability Office, Parliamentary Audit Department. In this regard, premiums paid increased by 50% from $ 2.1 billion to $ 3.1 billion.
The Biden administration has promised to prioritize ransomware control in the wake of a series of high-profile intrusions and said it is reviewing US government policies related to ransomware. No details are provided as to what changes may be made in connection with the ransomware tax deduction.
“The IRS is aware of this and is investigating it,” said IRS spokesman Robyn Walker.
Suderman reported from Richmond, Virginia.
Have you been hit by a ransomware attack?Your payment may be deductible – NBC New York
Source link Have you been hit by a ransomware attack?Your payment may be deductible – NBC New York