Firms warned against making ransomware payments

Lawyers have been asked to play their part in helping to tackle the rise in organisations paying out to ransomware criminals. The National Cyber Security Centre and the Information Commissioner’s Office believe that some businesses are paying ransoms in the belief that this is the right thing to do and that they do not need to engage with the ICO as regulator, or in the mistaken belief that paying will earn them reduced enforcement.

In a joint letter, NCSC and the ICO have asked the Law Society to remind its members that they should not advise clients to pay ransomware demands should they fall victim to a cyber attack. The organisations say that paying ransoms to release locked data does not reduce the risk to individuals, is not an obligation under data protection law, and is not considered as a reasonable step to safeguard data.

The ICO has clarified that it will not take this into account as a mitigating factor when considering the type or scale of enforcement action. However, it will consider early engagement and co-operation with the NCSC positively when setting its response.

Lindy Cameron, CEO of the NCSC, said: “Ransomware remains the biggest online threat to the UK and we are clear that organisations should not pay ransom demands. Unfortunately, we have seen a recent rise in payments to ransomware criminals and the legal sector has a vital role to play in helping reverse that trend. Cyber security is a collective effort and we urge the legal sector to help us tackle ransomware and keep the UK safe online.”

In the event of a ransomware attack there is a regulatory requirement to report to the ICO, as the data regulator, if people are put at high risk. The ICO says it will recognise organisations that have taken steps to fully understand what has happened and learn from it, have raised the incident with the NCSC where appropriate, and can evidence that they have taken advice from, or can demonstrate compliance with, appropriate NCSC guidance and support.

John Edwards, UK Information Commissioner, added: “Engaging with cyber criminals and paying ransoms only incentivises other criminals and will not guarantee that compromised files are released. It certainly does not reduce the scale or type of enforcement action from the ICO or the risk to individuals affected by an attack.

“We’ve seen cyber crime costing UK firms billions over the last five years. The response to that must be vigilance, good cyber hygiene, including keeping appropriate backup files, and proper staff training to identify and stop attacks. Organisations will get more credit from those arrangements than by paying off the criminals.”
