Here is a story that is hitting a cybersecurity nerve.
If you make a ransomware payment to cybercriminals, your organization may save money on U.S. taxes.
The news of this spread quickly on social media, and some people were doing the equivalent of a virtual jaw drop after hearing about this possibility.
Are ransomware payments a tax deductible?
Don Williamson wrote a paper about the tax implications of ransomware payments in 2017, and since that time the number of ransomware attacks has surged. Williamson is a tax professor at American University, and he told the Associated Press that the rise of ransomware attacks is making it more likely the IRS will accept ransomware payments as tax deductions.
"It's becoming more common, so therefore it becomes more ordinary," Williamson said.
And that word, ordinary, is key:
"I would counsel a client to take a deduction for it," says Scott Harty, a corporate tax attorney with Alston & Bird. "It fits the definition of an ordinary and necessary expense."
Perhaps this is true, but should handing cybercriminals money save an organization on its taxes?
Twitter goes off: should ransomware payments be deductible?
Those on #InfoSecTwitter and beyond sounded off about this as news of tax deductible ransom payments spread quickly.
Here are some of our favorite comments and tweets.
@hackerfantastic wrote the following gem:
Cybersecurity Experts: "DO NOT PAY RANSOMWARE"
US Government: "Yes that.... but let's also make ransomware payments tax deductibles."
Ransomware remains a hot topic for discussion, and now that includes the deduction of ransom payments.
