New regulations on ransomware reporting

As attacks have evolved and become more sophisticated, cyber criminals have learnt that their best hope of being paid is to demand a sum that is relatively affordable, leaving the business with the difficult question of whether or not to pay it. This also means that it is not just larger businesses and organisations that are on the receiving end of these attacks; small and medium-sized enterprises are being targeted, often because of their weaker security.

In addition to the financial considerations, there is also a moral issue if a ransom is paid. In recent years, many ransomware attackers have been linked to money laundering schemes or terrorist financing. This, together with the cost of ransomware attacks to businesses on a global scale, has led governments all over the world to consider whether to introduce legislation banning the payment of ransom demands.

A report by outgoing MP Stephen McPartland published at the end of May 2024 addressed the issues of Cyber Security and Economic Growth.  

His review was based on sessions with business organisations, academics, law firms, IT providers and members of the insurance industry. The review offered up a series of recommendations including a suggestion that the rules on ransom payments should be tightened, and a proposal to increase reporting obligations. The review also said [page 8]: 

“Government should tighten the rules on ransom payments to cybercriminals and increase reporting, in line with international counterparts, and supported by other key players responding to ransomware including insurers and lawyers. The UK should leverage the influence of insurers, lawyers, banks, and other service providers to create a market-driven framework that motivates and rewards organisations for adopting robust cyber security standards and practices and holds accountable those who do not. This would create a positive feedback loop that enhances the cyber resilience of the UK economy and society.” 

After the election, the new Labour government set out its stall in the King’s Speech, which made mention of a Cyber Security and Resilience Bill. The background briefing notes to the speech expanded on the scope of the Bill, detailing how it will “make crucial updates to the legacy regulatory framework by mandating increased incident reporting to give government better data on cyber attacks, including where a company has been held to ransom – this will improve our understanding of the threats and alert us to potential attacks by expanding the type and nature of incidents that regulated entities must report.”

If and when the Bill is passed, it is likely that organisations will be required to notify the authorities in cases where they have been asked to pay a ransom.

However, the authorities usually advise businesses not to make ransom payments, as do lawyers when clients are hit by ransom demands. 

“Law enforcement do not encourage, endorse, nor condone the payment of ransom demands. The [Information Commissioner’s Office] supports this position.” 

The ICO has said that even if a ransom is paid, this will not mitigate the effects of a personal data breach: 

“If you do decide to pay the ransom to avoid the data being published, you should still presume that the data is compromised and take actions accordingly. For example, the attacker may still decide to publish the data, share the data offline with other attack groups or further exploit it for their own gains. You still need to consider how you will mitigate the risks to individuals even though you have paid the ransom fee.” 

You can find out more on the ICO website.

For some organisations, even taking the ICO’s warning into account, making a ransom payment is commercial pragmatism and, in certain circumstances, may be considered the only viable option if the locked data is business-critical and there is no other way to access it.

Our Cyber, Data and Information Law team will be monitoring the progress of the Bill and will analyse what it says and what that means for business, including if and when there are new legislative requirements regarding payment of ransom demands. Be sure to follow our bulletins and updates via our website to make sure that you and your business stay compliant.