хищение средств
Телефон
Saint-Petersburg

ACCOUNTING FOR LOSSES FROM CYBER ATTACKS

ACCOUNTING FOR LOSSES FROM CYBER ATTACKS

PUBLICATIONS \ 02.02.2019

The Ministry of Finance has issued an explanation concerning a recent problem of the XXI century – accounting for losses from hacker attacks on the bank accounts of companies. Now companies will be able to account for such embezzlements in order to reduce profits tax by including these expenses in non-operational ones. Valentina Alexandrova, Head of Acsour’s Audit and Strategic Projects Department, studied the government department’s document especially for the “Raschet” magazine.

Every year, the number of cybercrimes committed is growing, without mentioning the scale of the consequences of each specific case of hacker attacks for companies. It is useful enough to recall the sensational stories of WannaCry and NotPetya. The conducted surveys confirm the growing relevance of information security issues in the list of priorities of companies.

THE REVERSE OF DIGITALIZATION

Speaking about the new problem, first of all, it is worth noting that Russia currently does not have complete and accurate statistics on the number of hacker attacks. Now, the Central Bank, namely the Centre for monitoring and responding to computer attacks in the credit and financial sphere (FinCERT), monitors and controls the number of cyber attacks on companies’ accounts.

According to its data, the damage from hackers in 2018 significantly decreased compared to 2017. This is largely owing to the successful counteraction of bank security services to hackers. However, according to the data of the General Prosecutor Office, the number of violations in the field of information technologies is increasing every year, for example, in 2017, the number of attacks increased by 38 percent compared to 2016. Data for 2018 is still not available, but as estimated by the representatives of the General Prosecutor Office, the growth may be up to 50 percent.

Small and medium-sized businesses often become a target of hackers, since such companies tend to be less protected from fraud’s acts of that nature. After all, small organizations usually do not have a single employee responsible for information security. Such firms do not make serious efforts to prevent such attacks, do not have a business continuity plan in case they encounter the consequences of hacker actions, etc. Many organizations also do not allocate budgets for information security issues in principle and do not plan to do so in the near future.

DECLARATIVE ORDER

What should a company do if it is faced with embezzlement? First of all, it is necessary to reach an initiation of criminal case. The cause for this is a crime incident report. The document may be submitted either in writing or orally to the police.

In addition to the company’s report, it is also necessary to have registration documents, as well as papers for evidence of identification and authorities of the company’s representative. Therefore, if you are faced with fraud, before appeal to police, it is necessary to prepare the following set of documents:

  • Principal State Registration Number (Russian acronym – OGRN) certificate;
  • certificate of Taxpayer ID Number (Russian acronym – INN) of the company;
  • the Charter of the company;
  • decision on the appointment of the General Director (if the report is made by the direct head of the company);
  • power of attorney for an employee representing the interests of the company (if the report is submitted by another employee);
  • general civil passport of the person submitting the report.

It is also possible to send a report to the police via the official website of the Ministry of Internal Affairs of Russia. If you decide to submit a report via the website, do not forget to attach all the necessary documents listed above to the form. In the Ministry of Internal Affairs there is a special Department “C”, which is engaged in the fight against cybercrimes.

Unfortunately, sometimes there are situations when law enforcement agencies refuse to accept the report under various pretexts. Please note that acts of that nature are illegal, instruction, approved by the the Ministry of Internal Affairs, stipulates 24-hour acceptance of statements and reports on crimes and incidents, which is performed by the duty officer of the territorial body of the Ministry of Internal Affairs of Russia. A police officer is obliged to accept a report regardless of where and when the crime was committed. For refusing to accept a document, a police officer can be punished up to and including dismissal.

The company can also file an application to the Prosecutor’s Office. The document may be submitted both in paper and in electronic form, via the Internet reception office. The Prosecutor’s Office is the supervisory authority, therefore the report will most likely be passed to the police. However, the appeal to the Prosecutor’s Office increases the likelihood that members of the Ministry of Internal Affairs will not leave the report unattended. But it also happens that even when a Crime Incident Report was accepted by law enforcement agencies, the company can wait a long time for any result. According to the established regulations, the preliminary investigation of a criminal case should be completed within a period not exceeding two months from the date of its initiation, but it may be extended firstly to three, and then to 12 months (article 162 of the Code of Criminal Procedure of the Russian Federation). Further extension of the investigation period is also possible, but this is already an exceptional case. Therefore, companies should not expect to quickly receive the required documents for accounting expenses. And they will be necessary!

ACCOUNTED LOSS

Starting from 2018, even if the police do not find those responsible for the cyber attack committed, companies will be able to account for this type of losses to reduce their profits tax, including these expenses in non-operational ones.

The Ministry of Finance in its letter No. 03-03-06/1/92021 dated December 17, 2018, referring to article 265 of the Tax Code, informed that losses from embezzlement from bank accounts may be accounted for profits tax purposes in non-operational expenses. However, this can be done only in the absence of the those responsible, which may only be confirmed by documents issued by the competent authority.

Please note: the judges point out that the Tax Code does not establish a specific type of document for confirming losses from embezzlement, consequently it is legal to use any supporting document.

In its letter, the Russian Ministry of Finance does not specify what specific papers are necessary to write off losses. However, in this issue, it is possible to be guided by the litigation practice and other explanations of the government department. As such documents may be used a Resolution to suspend the preliminary investigation in connection with an unidentified person, subject to arraignment (the letter No. 16-15/112954 of Federal Tax Service Directorate of Russia in Moscow dated November 22, 2011), and the Resolution on termination of criminal case (letter No. 03-03-04/1/52 of the Ministry of Finance of Russia dated January 20, 2006).

In general, the judges point out that the Tax Code does not establish a specific type of document for confirming losses from embezzlement, consequently it is legal to use any supporting document (Resolution of the Federal Antimonopoly Service (the Russian acronym – FAS) of the Moscow District dated October 8, 2012 in case No. A40-15384/12-99-73). Despite all the nuances, the explanation of the Russian Ministry of Finance is good news for conscientious taxpayers, even considering that the process of obtaining the necessary document may take a long time. Many companies would probably like to take an opportunity to account for such expenses in the event of c

Valentina Alexandrova

Head of Audit Department