Regarding whether amounts related to ransomware attacks and business email compromise (“BEC”) scams, including ransom payments, payments to a BEC scammer, the cost of hiring an incident response company, and recovery costs, were deductible by a victimized business, CRA adverted to the tests under ss. 18(1)(a), (b) and (h), and 67, and then stated:
While it is always a question of fact whether a particular amount is deductible for income tax purposes, expenses resulting from a ransomware attack or BEC scam appear to be an inherent risk of most businesses in an increasingly digital age. Accordingly, we would generally consider them to be deductible in computing income from a business where the expense is reasonable compared to the income earning activities of the business.