Are Ransom Payments Tax Deductible?

Understand the nuanced tax treatment of ransom payments. Learn when these payments may or may not be tax deductible for individuals and businesses.

Ransom payments, whether for cyberattacks or kidnapping incidents, represent a significant financial burden that can raise questions about their tax treatment. The deductibility of such payments under United States tax law is a complex area, depending heavily on the specific circumstances surrounding the payment.

General Principles of Tax Deductibility

Under U.S. tax law, personal expenses are generally not eligible for tax deductions. This principle applies to ransom payments made for personal reasons, such as securing the release of a kidnapped family member or recovering personal data held hostage by ransomware. Such payments do not qualify as “ordinary and necessary” personal expenses and are therefore not deductible.

These personal payments cannot be claimed as a casualty loss deduction. The Tax Cuts and Jobs Act of 2017 significantly limited personal casualty and theft loss deductions for tax years 2018 through 2025. During this period, individuals can only deduct casualty losses if they are attributable to a federally declared disaster. A personal ransomware attack or kidnapping incident does not meet the criteria of a federally declared disaster.

When Ransom Payments Are Business Expenses

A different set of rules applies when ransom payments are made by businesses. A ransom payment may be tax deductible if it qualifies as an “ordinary and necessary business expense” under Internal Revenue Code Section 162. An “ordinary” expense is one that is common and accepted in the particular business or industry. Given the increasing prevalence of cyberattacks, ransomware payments have become an ordinary occurrence for many businesses.

A “necessary” expense is defined as helpful and appropriate for the business, though it does not need to be indispensable. For example, a business might pay a ransom to restore critical operational data locked by ransomware or to prevent further disruption to its continuity.

The payment itself must not be illegal or a fine or penalty. While paying a ransom is not illegal in the U.S., payments that violate sanctions laws or are made in furtherance of illegal activities would not be deductible. A ransom payment made for data recovery is not classified as an illegal fine or penalty. Businesses may also consider deducting ransomware payments as a theft loss under Internal Revenue Code Section 165, as ransomware attacks are often viewed as theft by extortion.

Claiming a Ransom Payment Deduction

For businesses that determine a ransom payment meets the criteria for deductibility, thorough documentation is essential. The Internal Revenue Service (IRS) requires taxpayers to maintain records that substantiate all claimed deductions. These records should clearly demonstrate the amount, time, place, and business purpose of the expense.

Documentation should include evidence of the incident, such as cyberattack reports or, in the case of a kidnapping, police reports. Proof of the ransom payment, including transaction records, blockchain data for cryptocurrency payments, or bank statements, is also essential. Businesses should also document the impact of the incident on operations and the reason why the payment was necessary for business continuity. Records of communications with the attackers, if any, can further support the claim.

This expense would be reported as an “other expense” on the appropriate business tax form, such as Schedule C for sole proprietors, Form 1120 for corporations, or Form 1065 for partnerships. Consulting with a qualified tax professional is advisable due to the complex and potentially scrutinized nature of such deductions.
