R&D Tax Credits for Cyber Vendors

I was cornered once by a financial advisor at a snobbish Upper West Side cocktail party. I’d casually mentioned that my back had been hurting and she pounced with the following gem: “You should put in a swimming pool,” she explained. “If the thing costs you, like 200K, and your home goes up in value, like 100K, then you just deduct the 100K difference as a medical expense.” She sipped her drink and added: “People do it every day.”

Apart from the fact that 200K seems like a lot for a pool, her comments made me want to go wash my hands. Look – now that I’m old enough to get AARP junk brochures in the mail, I can report having heard every version of the same crazy story: “You should do this-or-that-thing, you big dummy, and you will be able to deduct this-or-that-amount from your taxes. The story always seems to end with the claim that I am the only one not doing this.

It was thus with some hesitation that I agreed to take a call with a France-based financial advisory group called Leyton (see https://www.leyton.com/en/usa/home). Their Boston office had gotten hold of my number and they of course shared their own version of the you-can-deduct story. But since their sales narrative involved R&D tax credits for businesses – and they specifically mentioned cyber security – I felt obliged to take the call on behalf of you. Here’s what I learned:

“US companies of all sizes – and this includes security start-ups – might be able to deduct research and development expenses in their state and federal tax returns,” explained Taylor Kotas, a tax consultant from Leyton. “Many companies think these credits are restricted to large companies with research teams. But the truth is that any company creating new or improved products, software, or even processes will likely qualify under the tax code.”

I asked for a general idea of how this might affect the returns of a smaller technology company, so we used the example of a cyber security start-up doing $100K in applicable R&D in a given year. Kotas shared that as long as the R&D work covers the relevant assessment criteria (explained below), that the tax savings could approach as much as ten thousand dollars. This is not an insignificant percentage.

We also discussed the Qualified Small Business program, which allows eligible startups to reduce payroll tax liability rather than the standard income tax liability. To qualify, the company must be doing less than $5M per year in gross receipts (which is true for more vendors than are willing to admit). The company must also have been in business for five or fewer years. Again, this is common for the cyber security vendors we cover at TAG Cyber.

Hmmm. This all sounded good, so I shared my swimming pool story with Kotas. Then I asked her whether this R&D tax credit was some shady write-off that would get a company audited immediately. “That’s a common question,” she responded, “and we advise that if returns are completed properly with accurate numbers, and the return is not an amendment for previous years, then the likelihood of increased audit is between zero and three percent.”

The criteria for determining R&D applicability includes four components: First, the work must involve new or improved product builds. Second, the product must be technological in nature. Third, the work must include experimentation, where alternatives are considered. And finally, the work must include the elimination of uncertainty, which could involve commercialization of an idea. These components are covered in most cyber vendor settings.

As you’d expect, I wanted to know how Leyton factored into the equation: “Could some company pay you a fee,” I asked, “that might turn out to be lower than the tax savings?” Kotas also acknowledged that as a common question: “We do a free assessment to quickly determine whether moving forward looks appropriate,” she said. “And then we take a percentage of the savings. That way, companies cannot lose money by working with us.”

Hmmm. This really sounded good, so I caucused with Katie Teitler, senior analyst at TAG Cyber and we compared notes. Our conclusion – and our advice to you is the following: If you move forward with this type of credit, then you are likely to save money. Period. And Leyton seems like a capable organization that knows what it is doing. (And yes, they have the obligatory picture of the two super-rich guys on a boat on their website.)

But the risk of increased audit is not insignificant. At TAG Cyber, we work closely with roughly a hundred or so US-based cyber security companies. If every one of these companies decided to take this credit, then based on the guidance from Leyton, three of them would see an audit as a result. Knowing what we all know about the root-canal nature of an IRS or state audit, this added risk must be factored into the equation.

That said, I would recommend that you reach out to Leyton, and to Taylor Kotas, in particular. She offered clear explanations and reasonable answers to my snarky questions. And she’s also a Cornell graduate – which doesn’t hurt. Bottom line: If you are a cyber security technology company located in the US, then you should ensure that your finance team is making good decisions about whether you qualify for this R&D tax credit.

And I think Leyton can help. Let me know what you think.