Ransomware and SR&ED – Are You Prepared?

Updated to Reflect New Policies (2022) 
*** Some of the policies referenced were updated 2021-08-13. This article has been updated and is accurate as of 2022. *** 
Ransomware and SR&ED - Are You Prepared?
Ransomware and SR&ED: Is your SR&ED documentation safe?

Ransomware and SR&ED – Are You Prepared?

If you’ve applied for, or even just heard about the SR&ED tax credit you will be familiar with the five eligibility questions. These are the criteria by which the CRA determines whether or not your work qualifies and you are eligible for SR&ED Investment Tax Credits. (If you’re not familiar with the questions we have an excellent post on eligibility for SR&ED that will walk you through the details.)

As a reminder, the final question relates to documentation:

Was a record of the hypotheses tested and the results kept as the work progressed?

The CRA explains that keeping the evidence that is generated as the work progresses is necessary to be able to “distinguish between a systematic approach to carrying out work and the approach that is a systematic investigation or search called for in the definition of SR&ED”1

In essence, it is all well and good to have advanced (or attempted to advance) your knowledge base but do you have proof of the work performed?

The CRA requires contemporaneous documentation of SR&ED work in order to assist them in determining the validity of a claim. A record of the work as it progresses is required to clearly show the purpose of each element and how it fits into the larger project.2

On the T4088 form lines 270 – 282 require evidence to support your SR&ED claim as follows:

Lines 270 to 282 – Evidence to support your claim

Indicate what evidence you have to support your SR&ED claim. Tick all items on the list that apply. If you have items or documents to support your claim that are not listed, tick the box at line 281 and use 15 words or less to describe them on line 282.

If you fail to tick a box when you initially file your claim, you can still provide the evidence to the CRA reviewer during the review of your claim even if the reporting deadline has passed.3


The CRA also has a handy table in Appendix 2 of this document that lists other types of supporting evidence for your SR&ED claim. 4

Without adequate documentation, if you are selected for a review you may be denied as your work is labelled as “unsubstantiated”. Aside from being useful from a knowledge management perspective (ie, you can share prior test results with other team members) this is a good reason to be adamant about backing up your data to support your eventual SR&ED claim.

So what happens if you have kept good documentation, but someone else restricts your access to the supporting documentation?

In this article, we will discuss a growing challenge facing companies worldwide: ransomware.

What is Ransomware?

Just like it sounds, ransomware is a malicious software program that encrypts your files, essentially holding them hostage until you agree to the hacker’s ransom demands (usually of bitcoin or another cryptocurrency). Ransomware attacks are unfortunately on the increase to the tune of approximately 1.5 instances every minute.5. In fact, ransomware was the most prevalent form of cyber attack in 2018 and the trend is continuing into 2019, with attacks increasing 97% over the past two years6 In fact, it is estimated that every 14 seconds a new organization will become a victim of such an attack and on average it takes a week or more before businesses regain access to their data7

A recent, global instance of ransomware occurred in 2017 and was aptly known as WannaCry because that’s exactly what victims felt like doing. This particular “worm” spread through a number of high profile (government) networks to encrypt files on windows machines making them inaccessible to the user.8 This particular worm specifically targeted machines and networks who weren’t using the latest software updates. The loophole had already been identified and patched; however, many organizations simply did not have their systems updated with the latest protective fixes. The takeaway lesson from this? Always run your windows updates! Yes, that pop up can be annoying and comes at the most inopportune times but you can bet the UK’s National Health Services wished it had updated systems as it would have prevented the 2017 attack on their servers9

Along with WannaCry, there are other, less well-known types of ransomware from malware to scareware and they all operate differently but with a similar goal – to disrupt access to your data.

Ransomware and SR&ED: A Bad Combination

In the event you are a victim of such an attack what will the impact be on your SR&ED claim? As stated in Eligibility Question 5, documentation is required for any claim and it must be contemporaneous.

A claimant may ask: I have lost access to my data in a ransomware attack. Will my SR&ED claim be denied?

This hasn’t been tested in the courts yet, but if you failed to take basic precautions to protect your contemporaneous documentation, we wouldn’t recommend relying on the goodwill of the CRA. Let’s discuss why.

Many years ago, a researcher suffered extensive data loss after a fire. While he produced what evidence he had available and submitted oral testimony, the CRA argued that “the evidence of the SR&ED work done is insufficient to meet the requirements for proof.”10 While this position was tested in the  courts and the judge ruled in favour of the company, there was evident reluctance from the judge: “it is not without hesitation that I come to this conclusion.” 11 Even with the extenuating circumstances of the fire, there were other factors weighing in to allow for the positive outcome, most notably the credibility of the Appellant and the fact that he was the individual who carried out the work.

While this ruling is discussed in the Claim Review Manual for Research and Technology Advisors where guidance is provided to take into account extenuating circumstances, there are no hard and fast rules about what is considered the minimum amount of documentation. 12 Thus, it is preferable that not all information to support your claim takes the form of electronic documentation – so even if you’ve lost your files you may be able to rely on other sources of data.

That said, if you only have electronic documentation and are not the shining example of a research scientist, you may be in a difficult position. In this case, you may ask: should I pay the ransom? 

To Pay or Not to Pay – That is the Question

If a patch hasn’t been released yet and if the value of your SR&ED submission under review is high you may be tempted to pay up, but should you?

Pay Cons

Paying to get your information back after it’s been stolen won’t just leave you feeling sick, it can actually do more harm and it might not even work. There is no guarantee the hacker can or will release all your data, depending on how well it has been encrypted. In a survey conducted by CyberEdge of approximately 1,200 cybersecurity professionals in 17 different countries, it was determined that

“Of the 38.7% who opted to pay the ransom, a little less than half (19.1%) recovered their files using the tools provided by the ransomware authors”.13

Paying also encourages future hackers to pursue the same potentially lucrative line of work. It may get you unwanted notice from other hackers/groups who now know that you are willing to pay. Furthermore, the hacker may only release a portion of the data and may still have bugs in your system to target you again further down the road.14

This strategy works best when:

  • You expect a patch to be released soon.
  • It costs less to recover the files through a backup than through a ransom.
  • The ransom is excessive
  • You have additional supporting documentation that allows you to continue to function despite the loss of some files

Pay Pros

Often times it can even be cheaper to pay off the requested fee rather than trying to recover the files and do the necessary tech work to re-establish document data and block off access. There have been many instances documented in which the amount requested for the encryption fee is much less than the fix itself. For example, in this article, it is reported that the Erie County Medical Center in Buffalo paid $10 million 15 to recover its 6,000 computers and system instead of paying a $30,000 ransom to hackers. 16

This strategy works best when:

  • It is a targeted (not a random) attack, as these generally have better “tech support” from the ransomware owners, meaning you are more likely to recover your files.
  • The cost to pay the ransom is less than the cost to recover the files.
  • You are on a short timeline and this is, put bluntly, your best option.
  • If the encrypted data is vital to the organization’s function and you have no data the only option may be to pay.

The best scenario is that the hacker that you’re dealing with treats this as a business transaction and, once paid, gives you the decryption key. This is, after all, another business model – and if no one regains access to their files, the next victim is even less likely to pay.

How can you minimize your risk?

Like the old saying, an ounce of prevention is worth a pound of cure. These are a few tips from various forums:

  • Frequently and reliably back up your data somewhere other than the cloud if at all possible. Makes restoration of any impacted files much faster and less costly.
  • Have adequate antivirus software installed and maintained.
  • Update software with the newest patches and fixes. This measure alone would have made the WannaCry virus much less impactful.
  • Don’t open emails, email attachments, or click on embedded links that look even remotely suspicious. A good rule of thumb is to avoid clicking any live links from unknown sources and be judicious about what personal contact information you give out and to whom. When in doubt, call the sender of the email. 


The statistics are staggering and unfortunately, no one sees the trend dissipating as it is an extremely lucrative business. Whether or not to pay to get all or some of your documents back is ultimately an organizational decision that requires a detailed, comprehensive cost-benefit analysis to determine the best course of action. If your SR&ED refund is in the realm of hundreds of thousands of dollars you will want to plan ahead. Of course, the best option is to not find yourself in this situation in the first place. You just need to be prepared.

Connect With Us! 

Share your thoughts by commenting below or joining the conversation on our LinkedIn page, Facebook page, or via Twitter. 

Show 16 footnotes

  1. Government of Canada. (2021, August 13). “Guidelines on the eligibility of work for scientific research and experimental development (SR&ED) tax incentives.” Retrieved September 28, 2022, from:
  2. Government of Canada. (2020, December 14). “T4088 Scientific Research and Experimental Development (SR&ED) Expenditures Claim – Guide to Form T661” Retrieved September 28, 2022, from:
  3. Ibid.
  4. Ibid.
  5. Deb Erdley. Tribute Review. (2018, September 24). “To Pay or Not to Pay? Ransomware Demands Can be Less Costly than Mitigation.” Retrieved February 27, 2019, from
  6. Bojanna Dobran. PhoenixNap. (2019, January 31). “27 Terrifying Ransomware Statistics and Facts You Need to Read.” Retrieved April 9, 2019, from:
  7. Ibid.
  8. Josh Fruhlinger. CSO. (2018, August 30.) “What is WannaCry ransomware, how does it infect, and who was responsible?”. Retrieved February 27, 2019, from:
  9. Justin. My Private Network. (2018, October 15.) “How to Prevent and Fix Wannacry Ransomware.”. Retrieved April 11, 2019, from:
  10. CanLII. (June 9, 1998). 116736 Canada Inc. v. The Queen, 1998 CanLII 560 (TCC). Retrieved on September 28, 2022, from:
  11. Ibid
  12. SR&ED Education & Resources. SREDucation. (2015, April 21.) “Claim Review Manual for Research and Technology Advisors.” Retrieved February 28, 2019, from
  13. Catalin Cimpanu. Bleeping Computer. (2018, March 9). “Only Half of Those Who Paid a Ransomware Were Able to Recover Their Data.” Retrieved February 27, 2019, from
  14. Deb Erdley. Tribute Review. (2018, September 24). “To Pay or Not to Pay? Ransomware Demands Can be Less Costly than Mitigation.” Retrieved February 27, 2019, from
  15. Henry Davis. The Buffalo News. (2017, July 26). “ECMC spent nearly $10 million recovering from massive cyber attack.” Retrieved February 28, 2019, from
  16. Deb Erdley. Tribute Review. (2018, September 24). “To Pay or Not to Pay? Ransomware Demands Can be Less Costly than Mitigation.” Retrieved February 27, 2019, from

Leave a Reply