Victims Of Ransomware Face Problems With Tax Deductions

Businesses are facing an onslaught of cybercrime, with hacking and financial theft on the increase and ransomware becoming a popular route for extorting funds ...

Any form of cybercrime usually involves malicious software being installed on a victim's computer. If this is inside a business network, it can spread easily to other computers and eventually into servers.

"Ransomware even locks up users' data until a payment is made!"

One of the most high-profile examples was an attack on the NHS. Not only was the data locked up and demands for payment made, the hackers even threatened to publish the data online unless the ransom was paid by a particular date and time.

The UK's National Cyber Security Centre published a report showing a 935% increase in these 'double extortion' ransomware attacks compared with 2020!

Ransomware demands are usually paid in cryptocurrency. Because of the decentralised nature of crypto, it can be easy to transfer funds to other jurisdictions and more difficult to track down hackers. It is possible to trace transactions made on the blockchain that a cryptocurrency uses, but the cash will have disappeared long before any breakthrough is made.

So, the question is, if a UK business falls victim to a ransomware attack and is forced to pay funds to get their data released, will they benefit from tax relief on those payments? Would HMRC class it as a legitimate business expense and therefore allow it as tax deductible?

There is actual legislation in England and Wales that states blackmail payments are not tax deductible. HMRC has made general references to ransomware payments, and I believe it would be reasonable to argue that payments should be a deductible expense as they were required to prevent any further loss to the business.

"However, HMRC may disagree!"

Due to the aforementioned legislation, HMRC may deny tax deductions on these payments. My advice would be to speak to your accountant should this happen to your business and be aware of the risk that HMRC may not see it as a legitimate business expense.

I think we all await clarity from HMRC on this subject in the face of the growing number of ransomware attacks.

