The question is: Are ransom payments made by a business to access its IT systems tax deductible?
Everyday more and more news reports highlight the threat ransomware and cyber terrorism impose on our institutions and businesses. Workplaces are increasingly dependent upon IT systems and infrastructure and data breaches have a catastrophic impact on business. Malicious individuals often upload malware on business’ systems to ‘kidnap’ the organisation’s data including private client details. In many cases, paying a ransom is the easiest and cheapest way for businesses to regain access.
There are no questions too trivial or strange for us to tackle here in the Tax Advisory team Indeed, in the relatively grey world of tax-deductible expense claims and workplace benefits, often the weird questions can be the most wonderful!
Broadly speaking, business expenses are tax deductible providing the expense was incurred ‘wholly and exclusively’ for the purposes of the business and there is no specific legislation which prevents it.
Whereas the payment of ransom is not illegal per se under English law, there are specific restrictions in tax legislation that prevent a deduction where an expense is incurred in relation to blackmail in England, Wales and Northern Ireland. Please note, a payment of ransom is not deductible if paid in Scotland. The legislation states that no deduction is allowed if the payment relates to:
- A criminal offence; or
- An inducement to a demand which constitutes the offence of blackmail.
HMRC guidance indicates that payments of ransom will follow the same legislation and would deny relief on a payment of a ransom on the same basis, however, it may be possible to argue there is a distinction between ransom and blackmail as there are differences in law.
The offence of blackmail is created in England and Wales by s21 Theft Act 1968. This says it is an offence for anyone to make an unwarranted demand with menaces with a view of gain to himself or with intent to cause loss to another. An ’unwarranted demand’ is made unless the person making the demand has reasonable grounds for doing so and the use of menaces is a proper means of reinforcing the demand. Accordingly, money demanded may be properly due but there would still be an offence if improper menaces are used.
There is no specific legislation which disallows ransom payments. It may therefore be reasonable to argue that any ransom payments should be a deductible expense on the basis they were “wholly and exclusively” required to prevent any further loss to the business due to the capture of client data/suspension of IT systems.
However, although the payment of ransoms is not illegal under English law any payment is likely to breach anti-terrorism and National Crime Agency sanctions and therefore be associated with crime. It is clear from HMRC guidance they view blackmail and ransom as one and the same and would deny tax relief on any payments.
Finally, many businesses are increasingly vulnerable to ransomware and cyber attacks. Current debate indicates, legislation which specifically disallows ransom payments is something which may be introduced soon. Any tax deductions on the basis that the cost was incurred ‘wholly and exclusively’ for the purposes of the business should therefore be approached with caution as they would almost certainly be challenged by HMRC.