Cybersecurity was definitely front-and-center last year.
From the denial-of-service-attack (DDoS) against Dyn, Inc. to hacking during the last election cycle to compromised Yahoo accounts, last year emphasized the importance of top-notch cybersecurity for all businesses and organizations. As the Internet of Things continues to develop and other technologies continue to make our world more connected and automated, cybersecurity stands to become even more paramount in protecting confidential information and in ensuring supply chains remain undisrupted.
A Booming Market
To keep up with this spike in demand, companies are already making massive investments to enhance their cybersecurity systems – and the impact of these investments can be seen in the industry’s growth.
According to a report from Cybersecurity Ventures, it is estimated that worldwide spending on cybersecurity products and services will exceed $1 trillion from 2017 to 2021. The same report anticipates 12-15% year-over-year growth in the industry through 2021 and notes the steps many corporations have taken to increase their cybersecurity budgets (J.P. Morgan Chase & Co. for example has doubled its annual cybersecurity budget from $250 million to $500 million).
These numbers point to a booming sector, one whose innovative services will be needed by companies throughout nearly every industry.
Further Growth Opportunities
The key drivers in the cybersecurity boom have been demand and technological advancements. To keep pace with cybercrime, hacking and other cyber-attacks, those working within the industry have invested serious money and employee hours to enhance the effectiveness of their products and services.
It is this investment in time, labor and capital that also makes cybersecurity companies excellent candidates for another opportunity that could push the industry forward and stimulate even further growth – the Research and Development (R&D) Tax Credit.
The R&D Tax Credit: A Tax Break for the Cybersecurity Industry
The R&D Tax Credit has been around since the 1980s and isn’t new – but what is new with respect to the credit will have major implications for cybersecurity companies going forward. Due to new laws, new regulations and court rulings in the decades since its inception, the R&D Tax Credit has evolved for the benefit of a wide and diverse range of U.S. businesses. Through the years, the credit has expanded from just rewarding basic research (i.e. research you would traditionally see in a lab, such as test tubes, lab coats and petri dishes) to one that now qualifies applied research – the kind of technical work and problem solving that is done on the factory floor or behind a computer screen to create entirely new products or systems (or to improve upon existing ones).
In fact, the most recent expansion of the R&D Tax Credit was made in December of 2015 with the passage of the Protecting Americans from Tax Hikes (PATH) Act. Along with making the R&D Tax Credit permanent, the PATH Act included two key modifications that should be of immense interest to cybersecurity companies – as well as American businesses at large.
However, before we dive into these changes, let’s look at a real-world example to better understand the types of projects that qualify for the credit.
For three years’ worth of qualifying projects, a technology solutions company that works for both private sector clients as well as the U.S. military received over $200,000 in federal R&D tax credits. This company designed and developed custom security measures for the U.S. Air Force Life Cycle Management Center. Specifically, the company reviewed the center’s Case Management Control System (CMCS) to enhance the functionality and reliability of the security protocols and improved the imbedded security controls throughout the entire system. After initial evaluation and testing of the old system, the company improved the design of the back end architecture for the program to increase the functionality and reliability of the security measures.
If a cybersecurity company enhances processes to solve a customer issue or to make a system more secure and reliable, those activities can qualify for the R&D Tax Credit.
Other Qualifying Activities
To provide further insight into how cybersecurity qualifies for the credit, here is a list of activities that have traditionally qualified businesses in the past (but this is not a comprehensive list):
- Detecting and responding to cyber threats and vulnerabilities
- Designing software according to new and enhanced security protocols
- Designing, developing and engineering systems
- Integrating hardware, software and applications
PATH Act Changes
Now that we have a greater understanding of the type of activities that qualify, let’s discuss the PATH Act’s latest pro-taxpayer modifications to the credit:
The AMT Turn-off
Beginning in tax year 2016 (meaning this tax season), the AMT turn-off allows small businesses (defined as businesses with less than $50 million in gross receipts) to claim the credit against their alternative minimum tax (AMT). Historically, the AMT floor has been the greatest barrier preventing otherwise eligible companies from claiming the R&D Tax Credit – and considering the broad range of activities that qualify cybersecurity companies for the credit, the industry stands to benefit heavily from its removal.
The Startup Provision
Also starting in tax year 2016, the startup provision allows businesses with gross receipts of less than $5 million a year to claim the credit (capped at $250,000) against their payroll taxes. Since its inception, one of the main shortcomings of the R&D Tax Credit was that newer companies, which are some of the most innovative companies around and more likely to take risks and invest in improving their products or processes, could not utilize the credit. As these smaller companies rarely turn a profit in their first few years (and thus do not pay federal income tax) these companies were effectively prohibited from claiming the credit. The startup provision solves this issue and essentially expands access to the credit to smaller and newer businesses.
Combined together, these two provisions have opened the door for U.S. businesses from across the spectrum to take advantage of the credit – and cybersecurity companies, with a host of qualifying projects and activities, will be among the greatest beneficiaries of this expansion.
Other Driving Factors
In addition to the above expansions, there are two more key aspects to the credit working in favor of the cybersecurity industry.
First off, not only do activities ultimately factor into the credit, but so do the wages of the company’s employees. The R&D Tax Credit is a wage-based credit, meaning the salaries of the employees working on qualifying projects (i.e. your software developers, engineers, tech experts, system integrators, etc.) will factor into the total amount of tax savings, often times with the higher salaries of these technical employees driving up credit results.
Secondly, and despite popular misconceptions, cybersecurity companies getting paid by the government (or working on a contractual basis for the government) can still potentially qualify for the credit depending on the language contained in these contracts. Case in point, one of the qualifying projects of the tech company discussed above was done for the U.S. Air Force, proving there can be tremendous savings from defense and other forms of government contracting (it just may take the knowledge of a consultant experienced in these type of contracts to see if there is any value available).
R&D and the Future of the Industry
Due to the various modifications and expansions made to the credit over the years as well as the importance cybersecurity will hold for companies from a variety of different industries (including finance, software and tech, manufacturing, industrial automation, defense, etc.), the R&D Tax Credit represents the next great growth opportunity in what is already a vital and thriving industry.
For those companies looking to further capitalize on their cybersecurity efforts, the R&D Tax Credit can provide the immediate value necessary to grow their business – and cybersecurity companies would be wise to explore their options when it comes to this valuable opportunity.