Ransomware attack payments might be tax deductible, says US government

I think this is the key quote:<p>&gt; &quot;The cheaper we make it to pay that ransom, then the more incentives we’re creating for companies to pay, and the more incentives we’re creating for companies to pay, the more incentive we’re creating for criminals to continue,&quot; said Josephine Wolff<p>In an ECON 101 sense, ransomware attackers want to set the price as high as they can such that the victim will pay. A rational victim will consider their tax bill in the cost&#x2F;benefit calculation. So although giving a tax deduction for ransomware seems like it reduces the burden on the victim, in the long run it just increases the reward for the hacker at the expense of the treasury.

So I can pretend paying ransom in btc, pocket money from my own company anonymously for a self controled malware, and save on taxes ? Damn this loophole is getting better and better.

It‘s always funny and surprising to non-insiders, but tax law and criminal law don‘t have that many touchpoints.<p>If you pay extortion money or bribes as a company, it‘s not just that they‘re deductible, you‘re actually obligated to account for them.<p>Being illegal and being deductible don‘t have to do anything with each other.<p>Don‘t forget Al Capone was actually convicted for tax evasion in the end, as even illegal businesses have to pay taxes.

I don&#x27;t see much that is controversial here. Losses due to crime such as assets being stolen are business losses. Certainly there is a modicum of willing victim participating here, but I don&#x27;t see it as any different than other practices whereby a company is allowed to make security cuts and then deduct the inevitable crime-related losses.<p>If the government really wants to reduce this then perhaps they should actually help companies. Setup teams to address these situations in real time. Put that extensive NSA internet spying network to good use and track these situations. When a company calls the FBI to report an ongoing ransomware attack, they shouldn&#x27;t have to leave a message in hopes that maybe someone might call them back in a couple weeks, nor should they be told to report the situation to their local cops.

In Germany Theo Albrecht (one of the Aldi founders, Forbes richest #31) tried to deduct his kidnapping ransom payment ($2mil USD in 1971) as tax deductable business expense. It went to court and was denied.

Are extortion payment and “protection fees” to mob groups already tax deductible? Ransomware payments aren’t qualitatively different.

Misleading: pretty much all expenses incurred by a US business are &quot;tax deductible&quot; in the sense that you subtract expenses from income to arrive at profit and it is profit that is taxed. So an expense needs to be explicitly prohibited by the IRS as legitimate in order to make the equivalent amount of profit subject to tax. They didn&#x27;t prohibit ransom payments.

Does anyone know how easy this would be to abuse by staging a ransomware attack?

As the FBI stated, each incident should be reported. If 80% of them go under the radar it would only make it harder to stop ransomware groups. Also, I think unreported breach of data should be punished, as along business data there is probably customers data involved. I don&#x27;t know about the US but I think that in Europe this would be the case.

Expenses and losses related to &#x27;kidnapping for ransom&#x27; are tax deductible [1], so it stands to reason that ransomware payments are also tax deductible.<p>[1] <a href="https:&#x2F;&#x2F;www.irs.gov&#x2F;publications&#x2F;p547#en_US_2020_publink1000225208" rel="nofollow">https:&#x2F;&#x2F;www.irs.gov&#x2F;publications&#x2F;p547#en_US_2020_publink1000...</a>

Does anyone know what&#x27;s going on with text in this article? Almost a collection of clipped statements<p>&quot;Deductibility is a piece of a bigger quandary stemming from the rise in ransomware attacks, in which cybercriminals scramble computer data and demand payment for unlocking the files. The government<p>A ransomware attack on Colonial Pipeline last month led to gas shortages in parts of the United States. The company, which transports about 45% of fuel consumed on the East Coast,&quot;

This what economists call &quot;moral hazard.&quot; Simply, you get more of what you reward. <a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Moral_hazard" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Moral_hazard</a><p>What are the effects of mortgage interest payments being tax deductable, and given these, what do you think the effect of ransoms being deductable will be?<p>If this policy weren&#x27;t just dumb, it would be like these government people actually just want to create more chaos so they can direct it at target groups then only selectively respond to it as a way to paralyze opposition. Not to be political, but any sufficiently idiotic policy is indistinguishable from partisanism, imo.

Unless you&#x27;re arguing that the attacker is a shareholder I don&#x27;t see how paying out money to them wouldn&#x27;t just be seen as a loss.

I kind of find it funny how there are several threads were people discuss this as a tax loop hole, but assume that you&#x27;d <i>actually</i> have to stage a ransomware attack in order to use the loop hole.<p>That would entail <i>actual work</i>, reduce company productivity and induce steps that could go wrong along the way. I&#x27;d call that Rube-Goldberg style tax evasion.

this seems like a bad idea

The first thing I thought of immediately was &quot;paying no taxes has become easier than ever&quot;.<p>1. Sabotage your company security<p>2. Stage a ransomware attack with enough plausible deniability<p>3. Get a fat bonus<p>The IRS does not have enough muscle to get to the bottom of this, so this works out great.

“It’s just a business expense”

We should be doing the opposite. We should investigate how the ransomware occurred and then fine the business depending on how preventable the attack vector was and how much it effected public interest.

Do American corporations even pay taxes?

I see how it can be used to evade taxes.

Why wouldn&#x27;t any legal business expense not be paid out of pre-tax dollars? Am I missing something?

Oh man. No, cybersecurity investments should be tax deductible.

Ugh. Legitimizing them will only exacerbate the attacks!

but is it securities fraud if an org knows about the vulnerability and doesn&#x27;t disclose?