Accounting and tax oversight needs to address ransomware costs

Managing IT infrastructure to protect customer data from cyberattacks is an important social capital sustainability concern, but companies may also be vulnerable to ransomware attacks that can paralyze their day-to-day operations.

A ransomware attack, depending upon the severity of the breach, may lead to a suspension of operations or insolvency. Companies must take measures to efficiently manage their IT infrastructure through effective backup, antivirus strategies and practices, staff training and recordkeeping.

In one case study, a small, local veterinarian’s office recently suffered a ransomware attack. The following narrative highlights the office’s experiences as shared by one of its veterinarians and an office manager:

The office, based in New York’s Hudson Valley, has been in business, uneventfully, for the last eight and a half years. The office relied on an IT professional to manage its computers, software and internet needs. However, perhaps the parties got a bit complacent, which led to the office not being diligent and current with its backups.

The IT professional advised that the office should update its system, but never pushed it forward; this could have been the fault of the office or the IT professional. The office was complacent, not aggressive, which is why things went the way they did. The office kept the backup for its computer onsite, as opposed to a remote or cloud backup. The system was outdated and still running Windows 7, which made it more of a target. In addition, the office did not have sufficient antivirus protection. Its IT professional said the hackers infiltrated the system with a virus once the office was hit with an email-borne cyberattack.

Even though the attack felt personal to the office, employees learned the hackers did not know who or which business they were actually targeting. Their virus infected the office’s systems and effectively shut them down; the office received ultimatums regarding how to retrieve its client data.

How the cyberattack unfolded

According to the office manager, that morning the computers seemed to be working fine, but nobody could log in when they brought up their software. They left word with their IT professional to investigate the situation so they could get up and running and conduct business for the day. He immediately contacted the office in a panic to let them know they had been hacked and their business was being held for ransom; the hackers had left a message containing their demands, which included a five-figure bitcoin payment. The office’s systems were not working, and they could not access their medical veterinary database. They didn’t know what to do because their business still had to function.

Their first concern was determining whether they had to deal with the hackers or whether they had a backup. The office contacted a second IT technician and an FBI agent acquaintance. Not only was the office’s external hard drive backup corrupted, but because no one routinely verified the backups, they learned their system hadn’t been backed up in nearly six months.

After a few weeks without access to their records, the office went completely “old school.” Employees were forced to return to paper medical records and invoices, which was stressful because while some in the office were familiar with paper documentation, others were not. Younger employees found it challenging because everything normally typed on the computer had to be written down, adding to the chaos. Since scheduling and file access were impacted, it was stressful for employees as well as clients.

It’s common for businesses to lack backups, and some businesses never recover because employees may just quit. According to the office manager, when the IT professional exhausted every option and determined that none of their computerized records could be retrieved, the office decided to investigate if it could safely deal with the hackers to get back on track.

The IT professional was able to access the hackers’ notes so the office could contact them. At first, the hackers requested a $50,000 bitcoin transfer to release the data. The office initially claimed the money requested was unattainable, but ultimately felt compelled to pay, although it was able to negotiate a lesser amount and followed the hackers’ instructions to get the data back.

After paying the ransom, the office cleaned its computers, installed antivirus protection, and hired another IT company. According to the office manager, employees thought they were set, but many files were still not opening properly. Through a secure online messaging channel, similar to a chat box, the office was able to continue communicating with the hackers, who had their own IT support.

After receiving the ransom, the hackers spent approximately 16 to 18 hours fixing the office’s system and providing input on preventing future cyberattacks. The office workers joked that they should send the hackers a thank-you note! It was as if the hackers had a moral code: If you got hit once, they didn’t want you to get hit again. According to the office’s FBI associate, hackers want to be known for holding up their end of the deal, so when other businesses get hacked, they’ll feel confident that if they pay the ransom, their system will be released. The office manager joked that perhaps there is honor among thieves.

Moving forward

The office is now running a current version of Windows and has a cloud-based backup. Everything gets saved every 10 seconds. However, getting the records back in order took months, especially having to input paper records and transfer older data to their new medical database. It was a long, painful process for the office’s clients and staff.

According to the veterinarian, the office was compelled to pay because they were paralyzed. Within the first hour of the hack, they realized they had a full day of appointments with no clue as to who was scheduled. Several clients decided to go elsewhere when they learned that they could not access their pets’ medical records.

Early in the process, the office contacted its accountant, who told them they should continue working with tech support; there was nothing he could do because he did not have IT expertise. However, according to the veterinarian, his accountant conveyed that the funds used to pay the ransom could be written off as a business expense.

Rather than being reactive, the office’s “takeaway” is to focus on preventative measures moving forward. Businesses should be involved, not complacent, with their current systems. Having an accounting professional who is versed in cybersecurity is ideal.

A knowledgeable accountant and IT support staff can give recommendations to prevent cyberattacks. If the office’s hard drive had been protected, they would have had a usable backup and would not have had to pay a ransom. Thus, having up-to-date software, firewalls and multifactor authentication procedures for employees is essential.

Cybersecurity and the accounting profession

There is a shortage of business professionals with the expertise to effectively consult with clients regarding cybersecurity. Clearly, IT skill sets are crucial in the marketplace. New accounting hires must have a technical knowledge of accounting and an understanding of IT systems and protections to be competitive in the job market.

That’s reflected in the CPA Evolution initiative from the American Institute of CPAs and the National Association of State Boards of Accountancy, which has overhauled accounting programs in higher education throughout the United States. IT training is now included as part of the updated learning objectives for the accounting curriculum.

Thus, accounting students will need training to understand cybersecurity risks and how to advise future clients to prevent or address a ransomware attack. In addition to providing consulting services, accounting practitioners need to be knowledgeable about the accounting and tax implications regarding cybersecurity attacks.

Although CPAs do not necessarily have to be experts in IT systems, they must know how to advise clients regarding cybersecurity and cyberattacks. Hopefully, given the revised accounting curriculum mandated by CPA Evolution, future accounting professionals will be better trained to address cyber risks and business threats.

Accounting for ransomware costs

Companies are writing off premiums paid for business interruption insurance and preventative IT costs associated with cybersecurity, such as implementing antivirus protection or establishing a cybersecurity response team. Despite the increased number of cyberattacks, the Financial Accounting Standards Board has yet to issue authoritative statements on the accounting and disclosure treatments for ransomware payouts.

Likewise, neither the Internal Revenue Service nor Congress has specifically addressed the tax deductibility of ransomware payments made to hackers. Since these ransom payments arise from illegal electronic theft, there is cause for concern about whether they are deductible. However, according to IRS Publication 535, “Business Expenses,” to be tax deductible, business expenses must be “ordinary and necessary.”

Unfortunately, with the prevalence of cyberattacks, a case can be made that ransomware payments are an ordinary and often necessary cost of doing business; the statistics confirm that cyberattacks are on the rise. Cybersecurity firm SonicWall reported that between 2019 and 2020, ransomware attacks rose 62% worldwide and 158% in North America alone.

Accountants must improvise regarding the accounting and tax treatment for ransomware costs, since there currently are no official FASB or IRS pronouncements. The trend among CPAs is to recognize ransom costs as an ordinary and necessary cost of doing business. How should these costs be treated? Should ransomware costs be classified as an IT expense, or perhaps as a legal expense if company attorneys make bitcoin payments on behalf of business clients who have been hacked? What should the disclosure requirements be, if any, regarding these costs? How much detail should be provided?

There is a need for accounting and tax oversight addressing the deductibility and disclosure of ransomware costs.