I was at a conference recently where a cybersecurity adviser from the Department of Homeland Security discussed cybercrime in agriculture. Cybercrime in agribusiness is on the rise, and no one is immune from an attack. If anything, small and midsize farms are more at risk since they don't have an internet technology (IT) department.
Considering the amount of money a producer, processor or elevator handles in a given week or month, a cyberattack could be devastating. However, when I talk to my clients, most think it will never happen to them. But, what if it does? Let's run through a couple of different fact patterns.
A grain farmer gets $1 million of deferred payments placed in his bank account on Jan. 2. Unfortunately, because of spyware, someone has access to his account and transfers $1 million to a bank account in a foreign country. If the farmer (or the FBI) is unable to get any of the money back, what can he do?
As the farmer received the money, it is Schedule F income. Under Internal Revenue Code (IRC) 165, a taxpayer is allowed a deduction from a theft if they can prove (1) the occurrence of a theft, (2) quantifiable loss and (3) the date the taxpayer discovers the theft. Although there is no clear guidance, there is a revenue rule that implies the deduction would offset self-employment income.
Keep in mind that between tax years 2015 and 2018 a deduction is only available for losses that occurred in a trade or business, or a transaction entered into for profit. Personal losses (nonfarm) for cybercrime are not deductible.
A farmer or agribusiness company has a computer system hacked and is locked out. The cybercriminal contacts the farmer/company and demands $1 million to release and unlock the software. Under IRC 162(a) the taxpayer can deduct an ordinary and necessary business expense. As cybercrime is more common, an argument can be made that ransomware payments are ordinary and necessary. If the argument is accepted, the taxpayer can expense the ransomware payment.
A couple of things strike me about the facts from the two scenarios. If you are an individual, and the cybercrime does not relate to a trade or business, you have little recourse. Even if you are in a trade or business, you get a deduction/expense resulting in reduced taxable income, but this doesn't make you whole. In regard to cybercrime, no matter the resolution, it's a lose-lose situation.
What can you do?
The easiest thing would be to change your passwords regularly. Another simple step is to look at your bank accounts frequently and identify fraudulent transactions.
As many of my farm clients deposit and withdraw millions of dollars a year, I often recommend talking to a cybersecurity expert and developing an IT security plan (including testing). With cybercrime, the old adage is true, an ounce of prevention is worth a pound of cure.
DTN Tax Columnist Rod Mauszycki, J.D., MBT, is a tax principal with CLA (CliftonLarsonAllen) in Minneapolis, Minnesota. Read Rod's "Ask the Taxman" column at about.dtnpf.com/tax. You may email Rod at email@example.com.
(c) Copyright 2021 DTN, LLC. All rights reserved.