The wide-reaching field of Network Security consists of the actions taken to prevent unauthorised access to a computer network and its resources. There are very few companies who are developing fundamentally new encryption algorithms and protocols, but we find that companies are often creating new security architectures, developing new monitoring components and integrating encryption technologies into legacy systems. These are the types of activities that qualify for R&D Tax Credits.
For a Network Security project to qualify for R&D Tax Credits, it must adhere to the BEIS guidelines that define what it means for projects to be R&D for Tax Purposes. The UK Department for Business, Energy & Industrial Strategy (BEIS) issued these guidelines.
These guidelines apply to all fields of Science and Technology (not just Network Security projects). Because they are general across many industries, they can be hard to apply to Network Security projects, as the definitions cover everything from structural engineering to pharmaceuticals. However, the guidelines state:
Typically, there is overlap between Network Security and general software development, especially where a project is developing new software to support the security requirements. However, in all cases, the Advance must be a Technological Advance that is relative to the current industry baseline within Software Development.
Unfortunately, many companies confuse the Technological Advance with a functional Advance within the field or an Advance which is specific to their company. For example, applying SSL encryption to a website itself would not typically qualify as a Technological Advance, as there is a significant amount of information regarding its application (so it is generally considered a BAU task). However, if the Technology you are using has a profound incompatibility with SSL, and complex Technological changes are required to overcome the Uncertainty, then this is where the project may start to look more like an R&D Tax Credits project.
The Uncertainty of a Network Security project could be that the competent professional/s do not know how to achieve the compliance requirements without introducing new vulnerabilities when bringing together components which were never designed to work together.
Alternatively, it may be that there is a sure way to achieve the required security, but this may come with a significant performance overhead. Hence the Technological Uncertainty would be how the company could adhere to security requirements without adversely affecting the security of the Technology. However, HMRC wants companies to be specific when discussing their Technological uncertainties. So, specifically, what were the options and why were the outcomes uncertain?
The R&D Tax Project starts when work to resolve the Technological Uncertainty commences. Once the team has overcome the Technological Uncertainty (or the Project otherwise ceases), the R&D Project ends.
This timeline means that the initial Network Security requirements gathering would not usually qualify, but once Technological aspects of the project commence (e.g. architecture or development), this would be seen as the start of the claim period. Any dev, test, setup of non-prod environments and project management can be included (until the resolution of Technological Uncertainty has occurred). You should exclude costs incurred after this point, such as support and maintenance of the end product (unless the new work results in an additional period of R&D).