Business Insight

Ransomware - To pay or not to pay


    What you need to know

    • The ICO and the National Cyber Security Centre (NCSC) have issued a joint letter to the legal profession clarifying their position in relation to payment of ransoms to release locked data.
    • The letter seeks to dispel any perceived belief that payment of a ransom may protect the stolen data and/or result in a lower penalty by the ICO.
    • It confirms that UK Law Enforcement Agencies do not encourage, endorse or condone the payment of ransoms, and emphasises that payment of ransoms incentivises further harmful behaviour by malicious actors. It also makes the point that payment of a ransom does not guarantee decryption of networks or return of stolen data.
    • It provides helpful guidance on actions an organisation can take to mitigate risk which will be taken into account by the ICO. An organisation should:
      • take steps to fully understand what has happened and learn from it; and
      • where appropriate, raise the incident with the NCSC, report it to Law Enforcement via Action Fraud, and evidence that they have taken advice from, or can demonstrate compliance with, appropriate NCSC guidance and support.

    What you need to do

    • Take what steps you can to guard against a ransomware attack. The ICO has produced a checklist containing some key recommendations to help you mitigate the risk of being the victim of a ransomware attack. These include:
      • establishing and communicating a set of suitable security policies;
      • identification of data, information and technology assets;
      • implementing security controls based on NCSC guidance; and
      • staff education and awareness.
    • Start having the conversations and planning how you might respond to a ransomware attack now. There are many factors to take into account when deciding on the best course of action, including:
      • availability of back-ups;
      • impact on the business, and the data subjects, of the data not being available;
      • cost of restoring the data through other means;
      • cost of the ransom itself;
      • whether payment of a ransom is legal; and
      • ethical and potential reputational issues involved in paying a ransom.
    • Test the ransomware response plans at all levels of your organisation.
    • Assess Board-level decision governance in relation to ransom payments – do notification systems get the right information to the right people at the right time?
    • Undertake Board-level training for cyber risk management and ransomware responses.

    Ransomware: a growing threat

    Ransomware involves the encryption of an organisation’s systems and data by cyber criminals, thereby preventing access to corporate IT and/or operational technology systems. Increasingly, it also involves the exfiltration of sensitive and personal data. Cyber criminals then demand money in exchange for providing encryption keys to unlock system access, and to prevent them from publishing and selling stolen credentials, company and personal data. The NCSC considers ransomware the biggest cyber threat facing UK organisations. 

    Ransomware cyber criminals are increasingly targeting larger companies, and companies which provide critical infrastructure or essential services, where they perceive greater consequences, target deeper pockets, and demand larger ransoms.

    The scale of attacks, combined with the potentially significant levels of disruption to services and exposure of sensitive data, means ransomware is both a national and an organisational security issue. In recent decades, few issues have had a bigger impact on the boardroom agenda. 

    UK's legal position on payment of ransoms 

    In response to the persistent and growing threat of ransomware attacks, the ICO and NCSC have released a joint letter to the legal profession clarifying their position in relation to payment of ransoms. The letter states that paying ransoms to release locked data does not reduce the risk to individuals, is not an obligation under data protection law, and is not considered a reasonable step to safeguard data. 

    UK data protection law requirements  

    UK data protection law requires organisations to take appropriate technical and organisational measures to keep personal information secure, and to restore information in the event of an information security incident.  

    A personal data breach is defined as 'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed'. 

    ICO guidance is clear that, if personal data is affected by a ransomware attack, this amounts to the loss of access to personal data and therefore falls within the definition of a personal data breach. This has led many organisations to consider whether they are under an obligation to pay the ransom in order to restore access to the personal data. In the joint letter, the ICO confirms that it does not consider the payment of monies to criminals who have attacked a system as mitigating the risk to individuals and this will not reduce any penalties incurred through ICO enforcement action.

    The ICO will recognise mitigation of risk where organisations have taken steps to both fully understand what has happened and learn from it, and, if appropriate, where they have raised the incident with the NCSC, reported it to Law Enforcement via Action Fraud, and can evidence that they have taken advice from NCSC, or can demonstrate compliance with appropriate NCSC guidance and support.

    The message from the ICO and NCSC is clear: they wish to discourage payment of ransoms. Beyond this, however, the guidance for companies as to the legality of paying a ransom is scant.

    Is it illegal to pay a ransom in the UK?

    While it is not currently illegal to pay a ransom demand in the UK, the circumstances of making the payment may constitute an offence:  

    • Terrorist financing - it is an offence for an entity to pay a ransom if it knows, or has reasonable cause to suspect, that the money will or may be used for the purposes of terrorism. Attackers generally do not identify themselves, so in most cases the ransom payer will not have reasonable cause to know or suspect this.
    • Sanctions - it is an offence, under the provisions of much of the legislation which underpins various sanctions, to make funds available directly or indirectly to a 'designated' individual or entity. Designated individuals and entities appear on lists published by the Office of Financial Sanctions Implementation in the UK.

    Provided that reasonable due diligence has been conducted, it will not be an offence under English law to make such a payment if you can show that you did not know, or have reasonable cause to suspect, that funds would be made available, directly or indirectly, to such a designated individual or entity. However, following passage of the Economic Crime (Transparency and Enforcement) Act 2022, from 15 June 2022 the Office of Financial Sanctions Implementation (OFSI) is able to impose civil monetary penalties for payments to sanctioned parties on a ‘strict liability’ basis. OFSI has indicated that due diligence undertaken will be taken into account in mitigating civil penalties, as will contact with UK crime and enforcement agencies, and OFSI retains the right not to proceed with civil penalties where it would not be in the public interest to do so.

    Directors' duties 

    Directors have two principal duties which they owe to the company: first, to act in good faith to promote the success of the company for members as a whole, and, second, a duty to exercise reasonable care, skill and diligence.

    In the context of ransomware and cybersecurity, these duties will require that directors remain vigilant and educate themselves about the cyber and ransomware risks facing their sector and, specifically, the business, in order to manage imminent threats and make informed decisions on their company's behalf.

    Directors must have a sufficient level of knowledge of ransomware risks, and the potential responses to those risks, so that they are able to challenge and assess the decisions of management and set the risk appetite and tolerance of the company relative to those risks. They must ensure that the business has adequate system protections and procedures in place to prevent possible threats materialising and to deal with them should they do so, and that these are regularly reviewed given the ever-evolving nature of threats. 

    A director may breach their duties if they fail to stay appropriately informed of cyber and ransomware-related issues, and ensure that appropriate protections and responses are in place. 

    Directors of companies with securities admitted to public markets will also need to consider the potential requirement to disclose such a ransomware attack to the market should its seriousness mean that it constitutes 'inside' or price-sensitive information.

    Ransomware gets personal

    An added dimension to the current ransomware dilemma is the increasing trend of attackers to hunt for sensitive data relating to senior executives. Attackers use both private (and potentially embarrassing) information and highly confidential company information to blackmail executives and directors personally. This can result in a conflict between corporate and personal decision-making, and the need to balance privacy, discretion and an individual's personal reputation against organisational obligations and objectives. 

    Exercising good decision governance is critical. This includes:

    • enabling experts and leaders to give transparent, frank and fearless advice to the executive and the Board;
    • planning for (rather than denying) probable worst-case scenarios; and
    • having clear decision-making processes, delegation of decision-making authority and reporting requirements, such that quality decisions can be made on a timely basis.

    All of these matters must be discussed and debated as part of an organisation's ransomware response plan; a plan which should be in place, regularly updated, and ready to be activated if needed.

    The bigger picture 

    In nearly all cases, cyber criminals are part of a highly profitable, highly sophisticated network of transnational criminals and rogue states. By paying ransomware demands, companies are not only encouraging more attacks, they are also providing the funding to develop technologies that increase the threat to corporate operations, private data and critical infrastructure.

    It is easy to imagine a scenario where tomorrow's terrorists have been enabled by technological advances funded by today's ransomware payments. So, any plan to make a ransomware payment, or a history of making such a payment, may be more damaging to an organisation’s reputation and social licence than the disruption caused by the attack itself. It certainly does not sit easily with good corporate values and ethics.

    What should directors do now?

    The question, to pay or not to pay, is an immediate problem. It requires the balancing of complex legal, operational, reputational and strategic decisions. Directors need to be actively preparing and discussing how to react to a ransomware demand. 

    While every case is unique, the decision to pay a ransom is often made with a false expectation that it is the fastest route to recover, or the best way to protect, stolen information.

    Directors play an essential role in stress-testing the assumptions used in recovery planning, in setting their company's recovery priorities and in determining how effective a ransomware payment might be in meeting recovery objectives. Probing questions will help shape the company's response to any attack, such as:

    • How likely is it that the attackers will have the technical capability to fully restore systems?
    • What are the viable alternative paths and timelines for recovery?
    • Can the attackers be trusted not to release stolen data?

    Assessing ransomware readiness

    Most large organisations have some form of ransomware response plan which includes critical actions for detection, containment, analysis, eradication and recovery. As plans are often developed by or within an IT function, directors play a key role in assessing 'whole of company' readiness. This includes: 

    • ensuring cross-functional interdependencies and priorities are addressed (for example, how the ransomware response plan aligns with privacy breach response planning managed by the legal team, and with shareholder communication planning managed by the investor relations team);
    • a clear articulation of escalation, communication and decision-making protocols at all levels, including between senior executives and the Board;
    • impact analysis and response-planning across the business for a range of ransomware scenarios; and
    • a measurable and accountable training and testing programme, including Board-level cyber simulations, at least annually.

    War-gaming offers one of the most effective risk-mitigation returns on investment. Simulations can identify critical vulnerabilities and cross-functional dependencies, as well as anticipate disagreements about key decisions, which improves the speed and quality of decision-making in a ransomware crisis.

    Ultimately, increased vigilance and targeted risk planning are of paramount importance to proactive stewardship in the evolving cyber-threat environment. 

    Authors: Rhiannon Webster (Partner and Head of UK Data Privacy and Cybersecurity Practice), Will Chalk (Partner, Corporate Transactions), John Macpherson (Director, Risk Advisory), Rob Hanley (Partner, Legal Governance Advisory), and Renée Green (Expertise Counsel, Digital Economy Transactions)


    This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.

    The Ashurst Group is global, and comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.

    Ashurst Risk Advisory Pty Ltd (ABN 74 996 309 133) provides services under the Ashurst Risk Advisory brand. The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.

    For more information about the Ashurst Group and the services offered, please visit www.ashurst.com.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.