Cybercrime victims face tax deduction difficulties

Ransomware is an increasingly popular route for cybercriminals to extort funds from businesses, charities and other organisations. It typically involves malicious software being installed on the victim’s computer system which prevents users from accessing data unless a ransom is paid.

Perhaps the most high-profile example in the UK was the WannaCry ransomware attack in 2017 which impacted the NHS, but the tactics used by cybercriminals have evolved since then. In a tactic known as ‘double-extortion’, cybercriminals not only demand payment to access the data, but they also blackmail victims by threatening to publish the data online unless the ransom is paid within a certain timeframe. A recent threat report from the National Cyber Security Centre highlights analysis which shows there has been a 935 per cent increase in ‘double extortion’ ransomware attacks compared to 2020.

These ransomware attacks often require the victims to make payment in cryptocurrency which, because of its decentralised nature, can make it easier to quickly transfer funds to different jurisdictions. However, it is also possible to trace transactions made on the blockchain. The 2022 Crypto Crime Report published by Chainalysis highlights how ransomware is being used, including its use as a geopolitical weapon, and identifies high-risk locations generating disproportionate ransomware cybercrime activity.

For UK businesses that fall victim to ransomware attacks and are forced to pay funds to regain access to their systems, it is not immediately clear whether they will benefit from any tax relief for such payments.

There are specific restrictions in tax legislation that prevent a deduction where an expense is incurred in relation to blackmail in England, Wales and Northern Ireland and in relation to extortion in Scotland. While HMRC guidance makes reference to ransom and blackmail payments more generally, it is not clear whether it would deny tax relief for a payment made in relation to ransomware or associated ‘double extortion’ attacks.

In many cases it may be reasonable to argue that any ransomware payments should be a deductible expense, on the basis they were ‘wholly and exclusively’ required to prevent any further loss to the business due to losing access to its systems. However, the increase in ‘double extortion’ activity and the fact it effectively represents a form of cyber blackmail could potentially result in tax deductions being denied due to the legislation in this area. The ransomware threat to UK businesses is very real, so businesses and their advisers should be alive to the risks, including the tax risks pending HMRC providing clarity on its approach .

Chris Etherington
Chris Etherington
Partner
View profile
Chris Etherington
Chris Etherington
Partner
Contact Chris Etherington +44 (0)113 285 5080
Services

Related insights

Business relief changes could spell trouble for entrepreneurs

Chris Etherington
24 Apr 2024

Beware of VAT rules when offering vouchers to customers

Philip Munn
24 Apr 2024

New VAT relief for food bank donations by businesses

Audrey Fearing
24 Apr 2024

Impact of stealth taxes laid bare

Chris Etherington, Matthew Todd
24 Apr 2024

Rocky road for snack manufacturers on VAT treatment

Sarah Halsted
17 Apr 2024

Which businesses are impacted by changes to the R&D tax regime?

James Tetley
17 Apr 2024