Earlier this year it was revealed that hackers had seized 1.5 terabytes of data from HBO, and over the course of the summer the hackers released the stolen property, including script summaries for "Game of Thrones," as well as scripts and entire seasons of other HBO shows.
On August 7, the hackers' motivations became clear. In a video they said that they wanted HBO to pay them up to $7.5 million in bitcoin. This ransomware attack, similar to the one that hit Sony previously, is part of a wave of attacks that continue to cripple companies and governments around the world.
Ransomware is an internet-based crime perpetrated by hackers who seize a computer or computer system’s data, and demand ransom (usually in the form of bitcoin) in order to release the data. Sometimes, victims of ransomware attacks have backups or other capabilities that make paying the ransom unnecessary. Other times - and it’s hard to know how frequently this occurs because it’s often not publicized - victims simply pay the ransom to get access to their networks and data back. Paying the ransom in this case is risky; the attacker could simply take the money and choose not to release the data or leave a backdoor open for a future attack. However, the payment of ransom in response to a cyberattack gives rise to an important question:
Can ransomware payments be deducted for tax purposes?
In short: probably. However, businesses should be aware that no public decision or pronouncement has been issued by the IRS or otherwise. We will explore two potential bases under the U.S. Tax Code for businesses to deduct ransomware payments below.
1 – Ordinary and Necessary Business Expense
In order to deduct a ransomware payment under Tax Code section 162(a), the payment must be an "ordinary and necessary" business expense. The U.S. Supreme Court has defined "ordinary" to mean "normal, usual and customary." Given the increasing prevalence of cyberattacks, a strong argument could be made that ransomware payments are "ordinary."
According to the Supreme Court, for a payment to be “necessary,” it must be “appropriate and helpful” for “the development of the taxpayer’s business.” To the extent that a cyberattack has crippled a business’s network, a payment made to regain control over the network would almost certainly be deemed “appropriate and helpful” and thus “necessary.”
Therefore, it is likely that taxpayers have a strong argument for deducting ransomware payments as ordinary and necessary business expenses.
2 – Theft Loss
An alternative to the ordinary and necessary business expense deduction would be to deduct a ransomware payment as a theft loss. Under Tax Code section 165(a), a taxpayer may deduct any theft loss sustained that is not compensated by insurance or some other means.
The Internal Revenue Service defines theft as, “the taking and removal of money or property with the intent to deprive the owner of it. The taking must be illegal under the law of the state where it occurred and must have been done with criminal intent.” Further, courts have defined theft to include "any criminal appropriation of another's property to the use of the taker, particularly including theft by swindling, false pretenses, and any other form of guile" or any "illegal takings" other than larceny.
In fact, the IRS has applied this rule to kidnapping and found that where the kidnapped person was integral to a company, such as its president, the ransom payment was fully deductible. Considering how important a business's data and operational systems are, it is likely that ransomware payments would be deductible as a theft loss.
Illegal Payments Are Not Deductible
Businesses should keep in mind that illegal payments, even if otherwise ordinary and necessary, are not deductible under Tax Code section 162(c)(2). This section provides that no deduction is allowed for payments that constitute “an illegal bribe, an illegal kickback, or other illegal payment under any law of the United States, or under any law of a [s]tate…” Further, courts may consider whether a payment goes against national policy. For example, many have suggested, and in some cases proved, that cyberattacks are increasingly carried out or aided by non-U.S. governmental actors. Businesses should be wary of funding anti-U.S. cybercrime efforts. At present, however, it is unlikely that a ransomware payment would directly violate a statute.
Stay Vigilant and Stay Informed
In today's interconnected world, the threat of cyberattacks is real. It is incumbent upon businesses and organizations to be ready. This means developing disaster recovery plans and training staff so that if (or perhaps when) an attack occurs, it won't cripple critical systems. Businesses and organizations are also increasingly obtaining cyberinsurance to guard against these risks.