Jun 19, 2021 - Economy

IRS: Ransomware payments may be deductible

Colonial Pipeline fuel tanks in Baltimore in May 2021.

Colonial Pipeline fuel tanks in Baltimore in May 2021. Photo: Jim Watsim/AFP via Getty Images

The federal government for years has recommended that companies do not pay criminals during ransomware attacks, but the feds have a consolation for those who do pay: the ransoms may be tax deductible.

Why it matters: The IRS offers no formal guidance on ransomware payments. But multiple tax experts interviewed by AP said deductions are usually allowed under law and established guidance.

  • It's a "silver lining" to ransomware victims, as some tax lawyers and accountants put it.

The fine print: If the loss to the company is covered by cyber insurance — something that also is becoming more common — the company can't take a deduction for the payment that's made by the insurer.

The big picture: Cyber criminal groups have hit several crucial businesses with ransomware attacks so far this year, and at least one — Colonial Pipeline — has made a massive payment in an effort to get their computer systems back online.

  • The pipeline made a ransom payment of $4.4 million in cryptocurrency, but around $2.3 million of the payment was later recovered by the federal government from the cybercrime group responsible for the attack.
  • The Biden administration has urged businesses to take "immediate steps" to increase their ransomware defenses, and the Department of Justice said its going to treat ransomware attacks with similar protocols it uses for terrorism cases.

Go deeper: Ransomware becomes an industry

Go deeper