CRA indicates that ransomware payments generally are deductible

Regarding whether amounts related to ransomware attacks and business email compromise (“BEC”) scams, including ransom payments, payments to a BEC scammer, and recovery costs, were deductible, CRA stated:

[E]xpenses resulting from a ransomware attack or BEC scam appear to be an inherent risk of most businesses in an increasingly digital age. Accordingly, we would generally consider them to be deductible in computing income from a business where the expense is reasonable compared to the income earning activities of the business.

Neal Armstrong. Summary of 21 September 2023 External T.I. 2023-0984251E5 under s. 18(1)(a) – income-producing purpose.