by adammunich 1830 days ago
this seems like a bad idea
1 comments

Well, they are anyway expenditures.

Somehow they need to be taken into account. If you pay US $100,000 to a consultant to harden your infrastructure or if you pay US $100,000 as a ransom, in both cases you have US $100,000 less; the difference is that in the first case you have an invoice, whilst in the second the IRS has to trust you.

Point might be how to "certify" whether the ransomware attack is "real" or if it could be simulated only to get away with hiding/diverting the money (and pay no taxes on it).

The key difference is that when I pay consultants they in turn pay the taxes (or in turn they have some expenses towards somebody else who eventually pays the taxes), so overall they are not lost.

Paying a ransom by definition puts the whole sum in a black hole, tax-wise.

> The key difference is that when I pay consultants they in turn pay the taxes (or in turn they have some expenses towards somebody else who eventually pays the taxes), so overall they are not lost.

Not really-really.

The consultants pay taxes on the money they get from you only because (if) they respect the law; it is none of your business (it is the IRS's) whether the consultants later comply.

If you prefer: whether the consultants pay taxes or not doesn't change anything in your company's accounts. You have an expense and proper documentation for it; what happens after and outside the transaction is irrelevant.

The issue (from your or your company's point of view) is how to properly document the expense (and it is IMHO a tough one to document a ransom).

You may not care whether the consultant pays the taxes. The lawmakers that define the tax laws (implemented by agencies like the IRS in the specific case of the USA) do take into consideration where the money goes.

If the IRS currently doesn't care or doesn't check, that's a specific implementation issue of your country. Laws can be changed.

Let's try imagining another scenario.

You have ransomware insurance.

You fall victim to a ransomware attack.

You pay US $ 100,000 as ransom.

The insurance company reimburses you the US $ 100,000.

It is clear that financially that is 0.

But from a tax viewpoint, if you cannot count the US $100,000 of the ransom as an expense, you will be paying some form of taxation on the US $100,000 you received from the insurance.

This can be solved easily: let the insurance company pay the ransom, and factor in the full cost (since it wouldn't be tax-deductible) when computing the premium.

EDIT: otherwise, the collectivity effectively pays for what you deducted from your taxes. The missing money on the overall country balance has to come from somewhere.

EDIT2: If you're talking about private insurance covering your risk of ransoms, this means you assume it's your responsibility to pay for your losses (insurance just allows you to pay proportionally to the risk), and not e.g. have the government, say, paying it for you (through public funds, which can and IIRC has happened for kidnapping cases, where some countries pay the cost of rescue). All I'm saying is that if it's private insurance, it should be 100% private.

> Point might be how to "certify" whether the ransomware attack is "real" or if it could be simulated only to get away with hiding/diverting the money (and pay no taxes on it).

Well, exactly this. Clarifying that ransom payments are tax-deductible creates a moral hazard whereby companies set up off-shore entities to conduct ransomware attacks. The parent company gets attacked, establishes a paper trail of "damages" (whether these damages are material is irrelevant, particularly as the stock market has shown that it won't punish companies for being the victim of cyberattacks), quickly pays the ransom, which moves the money off-shore into crypto accounts which can then be tumblered and funneled into shell companies. The off-shore cash can then be used off-the-books for a variety of purposes that indirectly benefit the parent company.

Good luck to the forensic auditors who try to follow the trail to show that the money never really left the parent company's control.

Why would you want to make clean money dirty as a company? Sure, to steal it for personal gain. But to benefit the company? For paying bribes, maybe?

The choice is between paying $X (say, $10 million) to the government in taxes, where it is never seen again and only indirectly benefits the company (the roads and railroads argument), or "paying" that same money into dirty accounts that, yes, are limited in what they can achieve (i.e. you can't pay dividends from it or engage in capital construction in the name of the company) but can still achieve direct benefits for the company (e.g. paying for negative coverage of competitors' products, lining the pockets of influential people).