Ransomware and the Tax Code’s Perverse Incentive

Ransomware payments are deductible, say tax experts. That’s the shocking finding from a recent investigation.

It’s yet more grist for the don’t-pay-ransoms mill. Seems like the FBI and the IRS should be talking to each other—stat.

There’s no accounting for taste. In today’s SB Blogwatch, can we smell bacon?

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Happy Fires.

Greedy Pigs

What’s the craic? Alan Suderman and Marcy Gordon report—“Hit by a ransomware attack? Your payment may be deductible”:

IRS is aware of this
The FBI is doubling down on its guidance to affected businesses: Don’t pay the cybercriminals. But the U.S. government also offers a little-noticed incentive for those who do pay.

Multiple tax experts [said] companies that pay ransomware demands directly are well within their rights to claim a deduction. … To be tax deductible, businesses expenses should be considered ordinary and necessary. Companies have long been able to deduct losses from more traditional crimes … and experts say ransomware payments are usually valid, too.

It’s unclear how many companies that pay ransomware payments avail themselves of the tax deductions. When asked at a congressional hearing whether the company would pursue a tax deduction … Colonial CEO Joseph Blount said he was unaware that was a possibility.

“The IRS is aware of this and looking into it,” said IRS spokesperson Robyn Walker.

And “James Wilson” argues, “To stop the ransomware pandemic, start with the basics”:

Secrecy and shame
Such attacks are evidence of an epoch of intensifying cyber-insecurity that will impinge on everyone, from tech firms to schools and armies. … The more the digital world is plagued by insecurity, the more people will shy away from it and the more potential gains will be lost.

Cyber-risk has more than quadrupled since 2002 and tripled since 2013. The pattern of activity has become more global and has affected a broader range of industries.

A cloud of secrecy and shame surrounding cyber-attacks amplifies the difficulties. Firms cover them up. The normal incentives for them and their counterparties to mitigate risks do not work well. … Fixing the private sector’s incentives is the first step.

Mash these two points together, and you might also reach CastrTroy’s conclusion:

Losing millions
I think this would be fine as long as the company had to publicly admit how much money they gave to the ransomware hackers. That way companies would be unlikely to lie about how much they lost. People wouldn’t really trust to do business with a company if they said they were losing millions to ransomware.

But there are plenty of good reasons not to pay. Lior Div led “A Global Study on Ransomware Business Impact”:

Avoid getting compromised with ransomware
[Our] research … reveals that the majority of organizations who chose to pay ransom demands in the past were not immune from subsequent ransomware attacks, often by the same threat actors. In addition, having cyber insurance coverage in place does not guarantee an organization will be able to recoup losses associated with a ransomware attack.

80% of those who paid a ransom experienced another attack. …
46% [of those] said they believed it was at the hands of the same attackers. …
46% regained access to their data following payment, but some or all of the data was corrupted. …
42% [said] cyber insurance did not cover all losses.

One of the biggest issues organizations grapple with … is whether they should pay the ransom demand. … There are numerous factors that need to be weighed … so most ransomware attack scenarios need to be evaluated on a case-by-case basis.

Good risk management requires organizations to have contingency plans. [But] the only good option is to avoid getting compromised with ransomware in the first place.

Sound advice. Or so Edward Nardella thinks:

Spend accordingly
Spend the money before the attack: … Figure out how much your organization would be willing to spend on a ransom, then … spend accordingly on prevention and preparation.

Wait. Pause. Ransomed firms get a tax break? That’s terrible! sandworm101 disagrees:

Actually help companies
I don’t see much that is controversial here. Losses due to crime such as assets being stolen are business losses. Certainly there is a modicum of willing victim participation here, but I don’t see it as any different than other practices whereby a company is allowed to make security cuts and then deduct the inevitable crime-related losses.

If the government really wants to reduce this then perhaps they should actually help companies. Set up teams to address these situations in real time.

Put that extensive NSA internet spying network to good use and track these situations. When a company calls the FBI to report an ongoing ransomware attack, they shouldn’t have to leave a message in hopes that maybe someone might call them back in a couple weeks, nor should they be told to report the situation to their local cops.

But jellomizer wobbles the other way:

Should be some strings attached
This doesn’t make sense. Tax deductions are primarily a tool to guide people and businesses to be doing the right thing, and rewarding them for doing the right thing, even if it may cost them some extra money initially.

But the company failed to operate a proper IT security policy for its organization [so] the company is now paying criminals money which could be put to who knows what. [And] the criminals are now more emboldened to do it again because they made money from it.

I think if a company is to take a tax credit, there really should be some strings attached. Such as working with the FBI to track the criminals down, possibly making sure the payments are traceable.

However, makeitdouble doubles down on ideology:

It’s crazy hard
“Never negotiate with terrorists” is a simple and clear mantra, and like most clear and simple concepts, it hides a lot of assumptions. One of them is you are ready to lose the hostage in the worst case scenario.

That’s how the police see it, because society benefits more from being firm in individual cases than from losing a few of its members that might not come back anyway. That’s a hard one to swallow—hard enough that govs also sometimes can’t follow the mantra and just pay the ransom.

It’s crazy hard to get people to sacrifice themselves for the better good. It’s yet a bigger ask for corporations.

Meanwhile, are you thinking what okamiueru’s thinking?

How easy would this be to abuse by staging a ransomware attack?

And Finally:

“Something Warm & Fuzzy”

Hat tip: fred zeppelin

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Konstantin Evdokimov (via Unsplash)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
