“Government action against ransomware necessary”

the editorial team

11 April 2024

The government should actively support the business community in the fight against cybercrime through targeted measures such as investment deductions and reduced VAT rates for security services. This is the position of Orange Cyberdefense Netherlands, according to a recent press release.

Ransomware is the main threat to corporate digital security. When enterprises choose to pay a ransom, they feed the attackers’ criminal ecosystem. “Simple solutions, such as banning ransom payments, are not the way to go. However, the government has other effective means at its disposal, says Matthijs van der Wel-ter Weel,” strategic advisor.

How often ransom payments occur is unknown, but Orange Cyberdefense estimates that at least 60 percent of affected companies make the requested payment. That’s understandable, but it compounds the problem. Every euro that goes toward cybercriminals funds new attacks. There is also evidence that ransom-driven money flows support terrorist activities.

Various measures to prevent ransom payments have already been proposed, such as banning or taxing them. However, companies often see no way out, as downtime causes them great financial damage. Banning ransom payments not only jeopardizes their survival but also raises the threshold for reporting to the Autoriteit Persoonsgegevens (Personal Data Authority).

At the same time, attackers are increasing the pressure on companies to pay up. Not only do they encrypt corporate networks. They also threaten to steal and publish sensitive employee and customer information.

The key lies in better-arming companies against these cyber threats. However, many organizations struggle with a lack of security specialists. As a result, they turn to specialized security companies. This entails additional costs, which are especially burdensome for SMEs. Van der Wel-ter Weel suggests some measures that the new cabinet might consider:

Investment deduction

Currently, tax breaks apply mainly to physical capital goods and sustainable initiatives. The government should consider supporting investments in cybersecurity as well. For example, a new cabinet could examine whether security solutions could fall under the investment tax deduction. Security services, which are currently seen as operational costs, might also qualify.

Tax credit

Current tax credits in the Netherlands focus on important goals, such as economic growth, sustainability and employment. Meanwhile, however, there is a new, urgent concern: digital security. Cyber attacks are a growing threat to businesses and citizens, and it is crucial that we respond proactively. With specific tax credits for companies investing in (ongoing) cybersecurity services, the government can support business in this regard.

Lowering the VAT rate

Entrepreneurs in the Netherlands can of course reclaim VAT paid on business purchases through their VAT returns. Therefore, a reduction in the VAT rate on cybersecurity services seems at first glance to make little sense. Nevertheless, this measure has indirect positive effects: a reduction in the VAT rate improves cash flow, as companies no longer have to pre-finance the VAT. This helps small business owners in particular. The government would also signal that cybersecurity is crucial.

“As a security provider, we understand that advocating certain measures can be seen as favoring our industry,” said Van der Wel-ter Weel. However, the reality we face is inescapable. Every day we see companies, from small to large, being targeted by devastating cyber attacks. This is not just a problem for the affected businesses; it is an issue that affects the stability of our entire digital infrastructure. Without focused action and cooperation between government and the private sector, we fear the number of victims will only increase.”