Ransomware is an increasingly popular route for cybercriminals to extort funds from businesses, charities and other organisations. It typically involves malicious software being installed on the victim’s computer system which prevents users from accessing data unless a ransom is paid.
Perhaps the most high-profile example in the UK was the WannaCry ransomware attack in 2017 which impacted the NHS, but the tactics used by cybercriminals have evolved since then. In a tactic known as ‘double-extortion’, cybercriminals not only demand payment to access the data, but they also blackmail victims by threatening to publish the data online unless the ransom is paid within a certain timeframe. A recent threat report from the National Cyber Security Centre highlights analysis which shows there has been a 935 per cent increase in ‘double extortion’ ransomware attacks compared to 2020.
These ransomware attacks often require the victims to make payment in cryptocurrency which, because of its decentralised nature, can make it easier to quickly transfer funds to different jurisdictions. However, it is also possible to trace transactions made on the blockchain. The 2022 Crypto Crime Report published by Chainalysis highlights how ransomware is being used, including its use as a geopolitical weapon, and identifies high-risk locations generating disproportionate ransomware cybercrime activity.
For UK businesses that fall victim to ransomware attacks and are forced to pay funds to regain access to their systems, it is not immediately clear whether they will benefit from any tax relief for such payments.
There are specific restrictions in tax legislation that prevent a deduction where an expense is incurred in relation to blackmail in England, Wales and Northern Ireland and in relation to extortion in Scotland. While HMRC guidance makes reference to ransom and blackmail payments more generally, it is not clear whether it would deny tax relief for a payment made in relation to ransomware or associated ‘double extortion’ attacks.
In many cases it may be reasonable to argue that any ransomware payments should be a deductible expense, on the basis they were ‘wholly and exclusively’ required to prevent any further loss to the business due to losing access to its systems. However, the increase in ‘double extortion’ activity and the fact it effectively represents a form of cyber blackmail could potentially result in tax deductions being denied due to the legislation in this area. The ransomware threat to UK businesses is very real, so businesses and their advisers should be alive to the risks, including the tax risks pending HMRC providing clarity on its approach .