The tax year ends on 5 April 2026. If your business has spent money on IT this year, most of it is claimable against your tax bill. If your business has not spent money on cyber security this year, you have three weeks to fix that and still claim the expense.

This is not about creative accounting. HMRC allows businesses to deduct legitimate operating expenses from taxable profits. IT security services, cloud subscriptions, hardware, training, and professional assessments all qualify. The question is whether you are claiming everything you are entitled to.

43% of UK businesses reported a cyber attack last year (DSIT 2025). The average impactful breach costs £8,260. For a 20-person professional services firm, that is not a rounding error. It is a quarter’s profit gone. The businesses that invested in security before the attack happened? They claimed those costs against tax. The ones that did not invest? They paid the breach cost out of post-tax profit.

Not sure where your business stands? Run a credential exposure check with us at no cost. It takes five minutes and shows you exactly which staff email addresses and passwords are circulating on criminal marketplaces. No commitment, no sales pitch. Just data you can act on. Call 0151 452 3060 or visit yourithealthcheck.co.uk.

What Counts as a Claimable IT Expense

HMRC treats IT costs as allowable business expenses when they are “wholly and exclusively” for business purposes. For most professional services firms, that covers virtually everything in your technology stack.

Here is what to check before 5 April.

Cyber Security Software and Services

Monthly or annual security subscriptions are revenue expenses, deductible in the year you pay them. This includes:

  • Endpoint protection (antivirus, endpoint detection and response)
  • Email security and anti-phishing tools
  • Credential monitoring services
  • Password management platforms
  • Backup and disaster recovery services
  • Security Operations Centre (SOC) monitoring

A managed security service like H-Protect Standard (£55/user/month) bundles all of these into one monthly cost. For a 20-person firm, that is £1,100/month or £13,200/year, fully deductible as a business operating expense. At a 25% corporation tax rate, you are effectively reducing the real cost to £9,900.

Cloud Subscriptions

If your team uses Microsoft 365, Azure, Google Workspace, or any cloud platform for business, the subscription fees are claimable. This also covers:

  • Cloud storage and file sharing
  • Cloud-hosted phone systems (VoIP)
  • Practice management software (Sage, Xero, IRIS, Proclaim, Bullhorn)
  • Project management and collaboration tools

Many businesses are already paying for these but not tracking them as deductible expenses. If you switched to cloud services partway through the year, make sure the full amount since the switch date is captured.

Hardware

Capital allowances let you deduct the cost of business equipment. Under the Annual Investment Allowance (AIA), businesses can claim up to £1 million in the year of purchase. For most SMEs, that means you can deduct the full cost of:

  • Laptops, desktops, and monitors
  • Servers and networking equipment
  • Firewalls and security appliances
  • Mobile devices used for business

If you have been putting off a hardware refresh, doing it before 5 April means the full cost reduces this year’s tax bill rather than next year’s.

Penetration Testing and Security Assessments

Professional security assessments are claimable as consultancy or professional services expenses. This includes:

  • CREST accredited penetration testing (from £2,495 with HiltDigital)
  • Vulnerability assessments
  • Cyber Risk Checks
  • Compliance gap analysis

A penetration test is not just a security measure. It is evidence you can show to insurers, regulators, and clients that you take security seriously. For FCA-regulated firms, SRA-regulated practices, and any business handling sensitive data, a documented pentest is increasingly expected.

Claim a penetration test before April 5

A CREST accredited penetration test from HiltDigital starts at £2,495. Book before 5 April and the full cost is deductible against this year’s tax bill. You get a detailed findings report, a prioritised remediation plan, and documented evidence of your security posture for insurers and regulators.

Call 0151 452 3060 or visit yourithealthcheck.co.uk to book your assessment.

Cyber Essentials Certification

The certification fee itself (typically £300-500 for Cyber Essentials, more for Plus) is a claimable expense. But the real value is what it unlocks:

  • 92% reduction in insurance claims for Cyber Essentials certified businesses (DSIT 2026)
  • Access to government contracts that require certification
  • Lower cyber insurance premiums
  • Documented compliance for client due diligence

Only 3% of UK businesses currently hold Cyber Essentials certification (DSIT 2025). If you are in that 97% without it, the tax year end is a practical trigger to get it done. The certification cost is deductible, the preparation work (if you use a consultancy) is deductible, and the resulting insurance savings start immediately.

Security Awareness Training

Staff training costs are fully deductible as a business expense. With 85% of cyber attacks starting with a phishing email (DSIT 2025) and only 19% of businesses providing cyber training to staff, this is one of the most cost-effective security investments available.

Training platforms, external training courses, and managed awareness programmes (like those included in H-Protect Complete at £89/user/month) all qualify.

The Expenses Most Businesses Miss

From conversations with accountants and business owners across the North West, these are the IT costs that most commonly slip through the net:

Software subscriptions paid by card. If someone in your team is paying for a SaaS tool on a personal or company card and it is not going through the books, you are losing the tax deduction. Audit your recurring card payments before 5 April.

Mobile phone costs. If staff use personal phones for business, a proportion of the cost is claimable. If you provide business mobiles, the full cost including the contract is deductible.

Home working IT costs. If your team works remotely, equipment provided for home use (monitors, keyboards, headsets) is claimable, as is a proportion of broadband costs where applicable.

Domain names and website hosting. Small costs that add up over a year and are often forgotten at tax time.

The Real Question: Are You Spending Enough?

Here is the uncomfortable part. If you are reading this and thinking “we do not have any cyber security expenses to claim,” that is not a tax problem. That is a business risk problem.

Only 40% of UK businesses use multi-factor authentication on email (DSIT 2025). The average breach takes 241 days to detect (IBM 2025). If someone accessed your systems today, you might not know until November.

The tax year end is a natural trigger to act. Not because HMRC requires you to have cyber security (they do not), but because any investment you make before 5 April reduces your tax bill this year. Wait until 6 April and you are paying out of next year’s allowance.

For context, H-Protect Standard at £55/user/month covers endpoint protection, email security, credential monitoring, backup, and quarterly vulnerability scanning. For 20 users, that is £13,200/year. After corporation tax relief at 25%, the effective cost drops to £9,900, or just under £2.30 per user per day.

H-Protect Complete at £89/user/month adds 24/7 security operations monitoring, ongoing vulnerability management, staff security training, and compliance support. For firms with regulatory requirements (FCA, SRA, GDPR), this is the package that keeps auditors satisfied. Twenty users costs £21,360/year before tax relief.

Start with a credential exposure check, at no cost

Before you spend anything, find out where you stand. Our credential exposure check scans criminal marketplaces for your company’s email addresses and passwords. It takes five minutes and costs nothing.

If the results are clean, you have peace of mind. If they are not, you have a clear starting point and three weeks to act before the tax year closes.

Call 0151 452 3060 or book online at yourithealthcheck.co.uk

Quick Checklist: IT Expenses to Review Before April 5

  • Security software and managed service subscriptions
  • Cloud platform subscriptions (Microsoft 365, Azure, Google Workspace)
  • Hardware purchases (laptops, monitors, networking equipment)
  • Penetration testing and security assessments
  • Cyber Essentials certification fees
  • Staff security training costs
  • Mobile phone contracts and devices
  • Domain names and website hosting
  • Home working equipment provided to staff
  • SaaS tools paid on company or personal cards

Print this list. Hand it to your accountant. Make sure nothing is missing from your return.

And if cyber security is the gap, you have three weeks to close it and claim the cost. That is about the most practical reason to act you will find.

HiltDigital provides security-first managed IT services for professional services firms across the North West. Call 0151 452 3060 or visit yourithealthcheck.co.uk to start with a credential exposure check at no cost.