Ransomware attack payments might be tax deductible, says US government
fox2detroit.com
I think this is the key quote:
> "The cheaper we make it to pay that ransom, then the more incentives we’re creating for companies to pay, and the more incentives we’re creating for companies to pay, the more incentive we’re creating for criminals to continue," said Josephine Wolff
In an ECON 101 sense, ransomware attackers want to set the price as high as they can such that the victim will pay. A rational victim will consider their tax bill in the cost/benefit calculation. So although giving a tax deduction for ransomware seems like it reduces the burden on the victim, in the long run it just increases the reward for the hacker at the expense of the treasury.
To be fair, AFAIK it's just a consequence of how our tax code is structured. Business expenses are tax deductible, and ransomware payments just happen to meet the definition of business expense. It's not like congress got together and thought "yep, we should definitely make ransomware payments tax deductible!".
I'm not sure funding criminal enterprise should be legal, let alone a permissible business expense.
Obviously we should make the cost of recovering from an attack deductible instead.
And now taxpayers are on the hook for shitty security. Hell why not?
Taxpayers are "on the hook" for this in the same way that taxpayers are "on the hook" if I decide to take an early retirement and support myself by gardening rather than earning $300k a year in a Silicon Valley tech job, and paying income taxes on that, and the same way that society is on the hook because I have stopped producing any meaningful contributions to its well-being.
That is to say, it's a sliiiightly entitled way to look at the matter.
What? Help me connect the dots here.
There are rules about what is taxed. If a rule says that something is not taxed is that the same thing as "taxpayers are footing the bill for that thing"?
Yes obviously.
Let’s say Bob and Sue make up their own society. Both make 100k each and agree to a tax rate of 50% to build roads they will both benefit from.
However Bob gets a 30k tax exemption because his name begins with “B”. Therefore the tax burden on Sue is greater and she’s subsidizing Bob’s road usage (and potentially having crappier roads).
There are legitimate reasons for tax exemptions, but as tax payers we should always be critical of them.
So does a business dropping the ball on security mean everyone else who pays taxes should subsidize their screw up? Maybe… but it seems like a stretch to me and worthy of criticism.
If knowing the business will not incur a cost due to writing off ransom payments as tax deductions, would that become a new strategy for corrupt CEOs to funnel money to themselves? Double dipping at the taxpayer's expense?
> And now taxpayers are on the hook for shitty security. Hell why not?
They already are for more conventional crimes. If a business burns to the ground, its loss of assets is a business loss for tax purposes. Even if it doesn't, insurance premiums are a deductible expense, so the government sees its deduction for the amortized fire damage regardless (since insurers recover expenses plus profit via premiums).
The full article covers this. It's not like there's a specific "pay criminals, get a refund" item in the tax code, it's that damages and losses from crimes are treated like any other business expense.
I’d be OK with that if it was unpreventable. I think there needs to be a burden on the business to show they had some level (TBD) of security practices and policies.
I’d prefer if they had to have insurance so the market can determine how much crappy security would cost them.
We should want to minimize these instances.
Trying to enact policy via the second order effects of the tax code is a terrible idea.
If companies should meet a minimum standard of security practices and policies, then this should be legislated. Same as fire codes and OH&S standards.
If companies should have ransomware insurance, then mandate that companies should have ransomware insurance. Same as how certain organisations require public liability insurance.
"If companies should have ransomware insurance, then mandate that companies should have ransomware insurance. Same as how certain organisations require public liability insurance."
This is what I'm saying. It's a far better solution than subsidizing bad security practices w/ tax. Require insurance and the insurance companies will ensure you have decent security practices (or pay a lot more). If you can't afford it for your business, well then your business can't compete in the market.
Obviously the details matter though. It would be rough at first, but eventually insurance companies would have a vested interest in quality security audits.
Brrrrrr goes the federal reserve printing press.
When you still have reserve currency status for the world you can do dumb things.
Unfortunately those dumb things are catching up to us…
With the Federal Government treating it as a crime of terrorism, does that mean the airlines now have a claim given the 9/11 attacks?
Seems that everyone is choosing an easy way out instead of the hard choice that needs to be made.
I would rather see the hard choices made instead.
I.e., maybe Russia cannot be directly attacked, but certainly Russian forces in Ukraine can be attacked in a cyber manner.
So I can pretend to pay a ransom in BTC, pocket money from my own company anonymously via self-controlled malware, and save on taxes? Damn, this loophole is getting better and better.
Old and busted: Sorry Tolkien estate, the LoTR movies didn’t turn a profit so we have no backend for you (because we spent a billion dollars on marketing through one of our shell companies).
New hotness: Sorry IRS, our entire business didn’t turn a profit so we don’t owe taxes (because we sent $5 billion in ransoms to one of our shell companies).
Similar thing happened in Canada. A uranium miner set up a shell company in Switzerland and sold its future production to them at a market low. If the price went up, all of the profits shifted. If it went down, the subsidiary would go bankrupt and void the contract.
The shell can shift its profits tax-free back to the Canadian parent.
Why go through the trouble of ransomware, which might get the FBI involved and put you in a bad light? You can very well just pay a "consulting fee" to some offshore shell company. Any business expense is tax deductible, not just ransomware payments.
You can also get access to your life insurance payout early by faking your death, or politely asking a friend to murder you.
If you're prepared to commit criminal tax fraud, there are many better ways you can earn money.
My friend asked for a complete list for an essay.
Not a complete list, but Key and Peele have one suggestion https://www.youtube.com/watch?v=ceijkZQI1HM
Ah, this one he already committed in the past. Doesn’t scale well.
It does when you outsource it. Call it staffing solutions or something like that.
Absolutely that would work. As well as any tax fraud would.
Save on taxes, get hit by fraud charges instead.
It’s always funny and surprising to non-insiders, but tax law and criminal law don’t have that many touchpoints.
If you pay extortion money or bribes as a company, it’s not just that they’re deductible, you’re actually obligated to account for them.
Being illegal and being deductible don’t have anything to do with each other.
Don’t forget Al Capone was actually convicted for tax evasion in the end, as even illegal businesses have to pay taxes.
I'm pretty sure bribes specifically aren't tax deductible: https://www.irs.gov/publications/p535#en_US_2020_publink1000...
Is a ransomware payment a bribe? The linked page doesn't really say what constitutes a "bribe". The next paragraph says that it only covers illegal activities, which AFAIK isn't the case for ransomware groups unless they're a designated terrorist organization or something.
As far as I'm aware, ransomware payments wouldn't be considered a bribe. They're more similar to an expense incurred due to `kidnapping for ransom`, which is deductible.
So in summary:
- Kidnapping for ransom expenses are deductible
- Bribes are not deductible
- Ransomware payments may be deductible
Wait wait wait. So if I want to pay bribes, I can just say that I have been extorted that money and all will be legit?
Do you have a police report to go with it? If yes, then sure.
Shhhh you’re stealing business from my new tax consultancy startup
Wow that was fast.
I remember seeing that there is an actual section dedicated to income from illicit activities in the tax forms. Which is honestly amazing to see, and confusing too.
I suspect that it being tax deductible is probably only true in the US.
Perhaps there is a UK, European, or other jurisdiction accountant on HN who could comment?
By default, all expenses reduce your profits. Unless there is a specific exception, ransom is just another expense and should therefore be deductible.
And more importantly, the income you get from accepting bribes needs to be reported and taxed.
I don't see much that is controversial here. Losses due to crime such as assets being stolen are business losses. Certainly there is a modicum of willing victim participating here, but I don't see it as any different than other practices whereby a company is allowed to make security cuts and then deduct the inevitable crime-related losses.
If the government really wants to reduce this then perhaps they should actually help companies. Setup teams to address these situations in real time. Put that extensive NSA internet spying network to good use and track these situations. When a company calls the FBI to report an ongoing ransomware attack, they shouldn't have to leave a message in hopes that maybe someone might call them back in a couple weeks, nor should they be told to report the situation to their local cops.
In Germany Theo Albrecht (one of the Aldi founders, Forbes richest #31) tried to deduct his kidnapping ransom payment ($2mil USD in 1971) as a tax deductible business expense. It went to court and was denied.
Well yeah, seems like personal tax thing... which aren't necessarily but still can be profit/loss based.
I guess the founder wasn't key to the organization and wouldn't pay.
Are extortion payment and “protection fees” to mob groups already tax deductible? Ransomware payments aren’t qualitatively different.
Yep, losses due to theft are deductible [1], including blackmail, extortion and "kidnapping for ransom".
[1] https://www.irs.gov/publications/p547#en_US_2020_publink1000...
Misleading: pretty much all expenses incurred by a US business are "tax deductible" in the sense that you subtract expenses from income to arrive at profit and it is profit that is taxed. So an expense needs to be explicitly prohibited by the IRS as legitimate in order to make the equivalent amount of profit subject to tax. They didn't prohibit ransom payments.
Does anyone know how easy this would be to abuse by staging a ransomware attack?
About as easy as committing tax fraud by claiming losses from any other form of criminal activity, such as farmers burning down their barn and claiming the loss, or construction contractors claiming losses on "stolen" tools.
Ransomware as a (tax)service
That's what I said.
gmta.
Also a nice way to keep profits in the hands of hard working management if those pesky shareholders fail to grant them sufficient bonuses /s
But I doubt that it could happen like that, the skillset requirements just don't have the overlap it would take.
But taking some liberties extrapolating a dark future, imagine what would happen if key persons who failed particularly hard at avoiding payment suddenly found themselves with unsolicited keys for wallets containing some amount of finder's fee. Deniable, yes, but how much would that deniability be worth in the end? If that could be the future of business computing, should we buy stocks of fax machine companies?
Curious why you think the skill sets don’t overlap. I see them as perfectly compatible and no different than any other embezzlement that can happen.
Could you really pull it off without some data actually missing? Perhaps, but with a big risk of discovery.
On the other hand, perhaps you are right: if you have a well established, highly authorized and maybe a bit isolated crisis intervention plan/team they should be able to initiate preventative lockdown protocols perfectly indistinguishable from the real thing, with only a very small conspiracy knowing that it was started for no good reason.
How comfortable are you about filing a police report against yourself?
If you're trying to illegally embezzle or evade taxes I think this is just one more thing to add to the list, wouldn't be a big problem.
Sure. But now transfer the money from the “criminals” back to you in some untraceable way. Oh, and that’s money laundering, so additional charges on top of tax fraud.
As much as fake donations I guess
> As much as fake donations I guess
So, a lot.
As the FBI stated, each incident should be reported. If 80% of them go under the radar it would only make it harder to stop ransomware groups. Also, I think an unreported breach of data should be punished, as along with business data there is probably customer data involved. I don't know about the US but I think that in Europe this would be the case.
So require reporting them for additional taxation. Not reporting being tax fraud is a stronger incentive than reporting for tax savings.
Expenses and losses related to 'kidnapping for ransom' are tax deductible [1], so it stands to reason that ransomware payments are also tax deductible.
[1] https://www.irs.gov/publications/p547#en_US_2020_publink1000...
Strangely I haven't heard of kidnappings with a payment in cryptocurrency.
That's an order of magnitude easier than requesting paper money.
It happens, plenty of reports out there; random kidnappings just don't make high-profile news as much.
Does anyone know what's going on with text in this article? Almost a collection of clipped statements
"Deductibility is a piece of a bigger quandary stemming from the rise in ransomware attacks, in which cybercriminals scramble computer data and demand payment for unlocking the files. The government
A ransomware attack on Colonial Pipeline last month led to gas shortages in parts of the United States. The company, which transports about 45% of fuel consumed on the East Coast,"
This is what economists call "moral hazard." Simply, you get more of what you reward. https://en.wikipedia.org/wiki/Moral_hazard
What are the effects of mortgage interest payments being tax deductible, and given these, what do you think the effect of ransoms being deductible will be?
If this policy weren't just dumb, it would be like these government people actually just want to create more chaos so they can direct it at target groups then only selectively respond to it as a way to paralyze opposition. Not to be political, but any sufficiently idiotic policy is indistinguishable from partisanism, imo.
Unless you're arguing that the attacker is a shareholder I don't see how paying out money to them wouldn't just be seen as a loss.
I kind of find it funny how there are several threads where people discuss this as a tax loophole, but assume that you'd actually have to stage a ransomware attack in order to use the loophole.
That would entail actual work, reduce company productivity and induce steps that could go wrong along the way. I'd call that Rube-Goldberg style tax evasion.
I am not able to understand what you are saying.
You could just stage a ransomware attack before a prolonged downtime (eg. phishing happy new year emails from an account with leaked credentials in the source code that's accessible via website.com/.git) and hope that one of your employees will click on the attachment.
That would be quite easy IMHO
You are thinking way too complicated.
Ok, let me just put the moral compass aside for a moment and put on my John Grisham fanfic hat so I can answer to this:
You simply buy $CRYPTO_CURRENCY, siphon the money off into a shell company in your favorite tax haven, write it up as a ransom payment, done. You might not even need the first step by having the shell company pretend to be a cryptocurrency exchange.
If you are a big enough company to bother with shell company tax evasion shenanigans, you probably have enough departments that some of them barely know each other or communicate. Spreading a rumor of a single department being hit by ransomware should be enough in case someone from the IRS actually bothers to come by and ask around.
If you really must, maybe pay someone in IT some hush money and ask them to turn a few servers off for a day or so to put up a convincing show. I'd advise against that though, since in my experience, technical people are notoriously bad at lying about technical things.
But actually phishing your own employees and staging a real ransomware attack is an unnecessary risk with too many variables where things might actually go wrong. Besides, the people pulling the strings here may have a law and/or accounting background, but probably not IT.
this seems like a bad idea
Well, they are anyway expenditures.
Somehow they need to be taken into account. If you pay US $100,000 to a consultant to harden your infrastructure or you pay US $100,000 as a ransom, you have in both cases US $100,000 less; the difference is that in the first case you have an invoice, whilst in the second the IRS has to trust you.
Point might be how to "certify" whether the ransomware attack is "real" or if it could be simulated only to get away with hiding/diverting the money (and pay no taxes on it).
The key difference is that when I pay consultants they in turn pay the taxes (or in turn they have some expenses towards somebody else who eventually pays the taxes), so overall they are not lost.
Paying a ransom by definition puts the whole sum in a black hole, tax-wise.
> The key difference is that when I pay consultants they in turn pay the taxes (or in turn they have some expenses towards somebody else who eventually pays the taxes), so overall they are not lost.
Not really-really.
The consultants pay taxes on the money they get from you only because (if) they respect the Law, it is none of your business (it is the IRS's one) if the consultants later comply.
If you prefer, whether the consultants pay taxes or not doesn't change anything in your company's accounts, you have an expense and proper documentation for it, what happens after and outside the transaction is irrelevant.
The issue (from your or your company's point of view) is how to properly document the expense (and it is IMHO a tough one to document a ransom).
You may not care whether the consultant pays the taxes. The lawmakers that define the tax laws (implemented by agencies like the IRS in the specific case of the USA) do take into consideration where the money goes.
If the IRS currently doesn't care or doesn't check, that's a specific implementation issue of your country. Laws can be changed.
Let's try imagining another scenario.
You have ransomware insurance.
You fall victim to a ransomware attack.
You pay US $ 100,000 as ransom.
The insurance company reimburses you the US $ 100,000.
It is clear that financially that is 0.
But from a tax view point, if you cannot count the US $ 100,000 of the ransom as expenses you will be paying some form of taxation on the US $ 100,000 you received from the insurance.
This can be solved easily: let the insurance company pay the ransom, and factor in the full cost (since it wouldn't be tax-deductible) when computing the premium.
EDIT: otherwise, the collectivity effectively pays for what you deducted from your taxes. The missing money on the overall country balance has to come from somewhere.
EDIT2: If you're talking about private insurance covering your risk of ransoms, this means you assume it's your responsibility to pay for your losses (insurance just allows you to pay proportionally to the risk), and not e.g. have the government, say, paying it for you (through public funds, which can happen and IIRC has happened for kidnapping cases; here some countries pay the cost of rescue). All I'm saying is that if it's private insurance, it should be private 100%.
> Point might be how to "certify" whether the ransomware attack is "real" or if it could be simulated only to get away with hiding/diverting the money (and pay no taxes on it).
Well, exactly this. Clarifying that ransom payments are tax-deductible creates a moral hazard whereby companies set up off-shore entities to conduct ransomware attacks. The parent company gets attacked, establishes a paper trail of "damages" (whether these damages are material is irrelevant, particularly as the stock market has shown that it won't punish companies for being the victim of cyberattacks), quickly pays the ransom, which moves the money off-shore into crypto accounts which can then be tumbled and funneled into shell companies. The off-shore cash can then be used off-the-books for a variety of purposes that indirectly benefit the parent company.
Good luck to the forensic auditors who try to follow the trail to show that the money never really left the parent company's control.
Why would you want to make clean money dirty as a company? Sure, to steal it for personal gain. But to benefit the company? For paying bribes maybe?
The choice is between paying $X (say, $10 million) to the government in taxes, where it is never seen again and only indirectly benefits the company (the roads and railroads argument), or "paying" that same money into dirty accounts that, yes, are limited in what they can achieve (i.e. you can't pay dividends from it or engage in capital construction in the name of the company) but can still achieve direct benefits for the company (e.g. paying for negative coverage of competitors' products, lining the pockets of influential people).
The first thing I thought of immediately was "paying no taxes has become easier than ever".
1. Sabotage your company security
2. Stage a ransomware attack with enough plausible deniability
3. Get a fat bonus
The IRS does not have enough muscle to get to the bottom of this, so this works out great.
A small business can always claim someone took their bag of cash at gunpoint. How common is that?
Yea, but 20 million?
“It’s just a business expense”
We should be doing the opposite. We should investigate how the ransomware occurred and then fine the business depending on how preventable the attack vector was and how much it affected the public interest.
> fine the business
that would just incentivize businesses to hide and obscure their breaches.
Do American corporations even pay taxes?
In 2014, American corporations paid approx. $600B in income taxes and $600B in wage taxes (the company's portion of social security). In addition, they pay another $100B in excise taxes and $400B in sales tax to state governments.
I see how it can be used to evade taxes.
Why wouldn't any legal business expense be paid out of pre-tax dollars? Am I missing something?
Oh man. No, cybersecurity investments should be tax deductible.
They are...
Ugh. Legitimizing them will only exacerbate the attacks!
Can you explain this a bit more? I'm not sure how it contributes to the motivation for the attackers, as the motivation is already pretty high due to the ease of execution.
From my point of view, whether or not there is a legitimate process built around the ransomware attacks, the attackers will simply continue business as usual; there's no fear or penalty for them, the workflow of their process is not disrupted in the slightest (the bitcoin payments can still go through), and I don't really get the impression that the legal background of the victim's country is taken into consideration by the attackers.
(All of the above is why I'm pretty sure that the idea of "make paying the ransom illegal" will have no impact on the number of attacks, as such a policy does nothing to actually impede the workflow of ransomware; all it does is create another decision point for an already damaged group of persons as to whether they commit an illegal act or not to try to save their business)
I was thinking this plus the insurance will make it such that most companies will just pay the ransoms instead of working to secure their systems and train employees. No defense is perfect but also these criminals shouldn’t get paid.
but is it securities fraud if an org knows about the vulnerability and doesn't disclose?
It is my (lay) understanding that in the US in particular almost anything is securities fraud:
https://www.bloomberg.com/opinion/articles/2019-06-26/everyt...