Please note that the following document, although believed to be correct at the time of issue, may not represent the current position of the CRA.
Principal Issues: 1. Whether losses related to ransomware attacks and BEC scams are deductible for income tax purposes. 2. Whether a deduction is available for forgone revenue due to a cyber attack. 3. Whether an insurance deductible reduces taxable income.
Position: 1. Question of fact, but generally yes. 2. No. 3. Yes.
Reasons: 1. Payment must be within parameters of subsection 9(1), paragraphs 18(1)(a) and 18(1)(b), section 67, etc. 2. Forgone revenue is not an amount that has been incurred. 3. Only the net insurance recovery is recorded for tax purposes.
XXXXXXXXXX Sarah Springate
2023-098425
September 21, 2023
Dear XXXXXXXXXX:
Re: Ransomware attacks and income tax deductions
This is in response to your request of July 12, 2023, and subsequent telephone conversation (Burnley/XXXXXXXXXX) wherein you requested our views on whether various amounts related to ransomware attacks and business email compromise (“BEC”) scams are deductible for income tax purposes by a victimized business.
Our understanding is that a ransomware attack is one in which criminals use malicious software to encrypt, steal, or delete data, then demand a ransom payment to restore it. (footnote 1) We note that additional information on ransomware attacks and how to defend against cyber threats can be found on the Canadian Centre for Cyber Security’s Canada.ca webpage “Ransomware playbook (ITSM.00.99).” (footnote 2)
A BEC scam may involve a criminal emailing a business pretending to be a trusted person (such as an executive or supplier of the business) using a spoofed or compromised email address, and using various means to convince the recipient of the email to send money or share financial information.
Our Comments
This technical interpretation provides general comments about the provisions of the Income Tax Act (the “Act”) and related legislation (where referenced). It does not confirm the income tax treatment of a particular situation involving a specific taxpayer but is intended to assist you in making that determination. The income tax treatment of a particular transaction proposed by a specific taxpayer will only be confirmed by this Directorate in the context of an advance income tax ruling request submitted in the manner set out in Information Circular IC 70-6R12, Advance Income Tax Rulings and Technical Interpretations.
Deductibility of Payments due to Ransomware and BEC Scams from Business Income
As noted in paragraph 1.8 of Income Tax Folio S4-F2-C1, Deductibility of Fines and Penalties (“the Fines and Penalties Folio”), subsection 9(1) of the Act states that a taxpayer’s income for a tax year from a business or property is the taxpayer’s profit from that business or property, subject to the rules in Part I of the Act. Deductions are allowed under subsection 9(1) to the extent that they are consistent with well accepted principles of business and are not prohibited by another provision within the Act. Generally, in order to qualify as a deductible business expense, an expense must:
- be made or incurred by the taxpayer for the purpose of gaining or producing income from the business (paragraph 18(1)(a) of the Act – see also paragraphs 1.14-1.18 of the Fines and Penalties Folio);
- not be on account of capital (paragraph 18(1)(b) of the Act – see also paragraphs 1.19-1.22 of the Fines and Penalties Folio);
- not be a personal expense (paragraph 18(1)(h) of the Act); and
- be reasonable in the circumstances (section 67 of the Act).
Accordingly, expenses incurred due to ransomware attacks and BEC scams will generally be deductible against business income where the above conditions are met. Such expenses may include the actual payment made to recover access to data or computer systems following a ransomware attack, payments to a BEC scammer, hiring an incident response company, or other costs incurred to recover from a cyber attack or BEC scam. In cases where the allowable expense is already reflected in the reported income or loss of a business, the amount reported will not have to be adjusted. This might be the situation where a payment is reflected in an overstated expense account (for example, where a payment to a BEC scammer was recorded in a particular expense account before realizing the payment was related to a scam).
While it is always a question of fact whether a particular amount is deductible for income tax purposes, expenses resulting from a ransomware attack or BEC scam appear to be an inherent risk of most businesses in an increasingly digital age. Accordingly, we would generally consider them to be deductible in computing income from a business where the expense is reasonable compared to the income earning activities of the business.
We note that the comments made on losses from theft and embezzlement in paragraphs 1.33 and 1.38-1.39 of Income Tax Folio S3-F9-C1, Lottery Winnings, Miscellaneous Receipts, and Income (and Losses) from Crime (the “Losses from Crime Folio”) would generally be applicable to losses from ransomware attacks and BEC scams.
Lost or Forgone Revenue
Under paragraph 18(1)(a) of the Act, an expense must be incurred in the year for it to be deductible, meaning that a taxpayer must have an obligation to pay it. No deduction is allowed for lost or forgone revenue due to a business shutting down or being less functional following a cyber attack or similar event. A similar comment is made in paragraph 1.33 of the Losses from Crime Folio, which states that “only out-of-pocket losses are eligible for deduction; profits lost or forgone as a result of theft or embezzlement are not deductible.” It should be noted, however, that since lost or forgone revenue is not recorded by a business, the business’s income would already reflect the lower-than-anticipated earnings.
Impact of Insurance Recoveries
When a taxpayer receives insurance proceeds to compensate for an expense, the related deduction should generally be recorded as the net amount of the expense after taking into account the insurance recovery or restitution in the year. A recovery in any other year is income in the year in which it is received. See similar comments in paragraphs 1.38 and 1.40 of the Losses from Crime Folio.
Where a taxpayer’s insurance coverage has a deductible, the insurance recovery used to offset the related outlay would be net of the deductible. For example, assume a taxpayer is the victim of a ransomware attack and pays $10,000 to recover encrypted business data. The taxpayer has an insurance policy that will cover $8,000 of this amount, less a deductible of $1,000, so that the company recovers $7,000 through insurance. The net deduction allowed to the taxpayer in the year for their loss is $3,000 ($10,000 - ($8,000 - $1,000)).
We trust that these comments will be of assistance.
Yours truly,
Pamela Burnley
Manager
Business Income and Capital Transactions Section
Business and Employment Division
Income Tax Rulings Directorate
Legislative Policy and Regulatory Affairs Branch
FOOTNOTES
Note to reader: Because of our system requirements, the footnotes contained in the original document are shown below instead:
1 www.cyber.gc.ca/en/guidance/ransomware
2 www.cyber.gc.ca/en/guidance/ransomware-playbook-itsm00099
All rights reserved. Permission is granted to electronically copy and to print in hard copy for internal use only. No part of this information may be reproduced, modified, transmitted or redistributed in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, or stored in a retrieval system for any purpose other than noted above (including sales), without prior written permission of Canada Revenue Agency, Ottawa, Ontario K1A 0L5
© Her Majesty the Queen in Right of Canada, 2023