Ransomware - How should organisations respond?

Viewpoints
June 14, 2021

As has become increasingly apparent from media reports in recent months, ransomware attacks are on the rise, with the global COVID-19 pandemic apparently exacerbating the situation. Both private sector businesses and public services are increasingly being targeted by this growing and serious worldwide threat, which can have economic and financial consequences and, potentially, implications for public health and safety and national security.

Ransomware is malicious computer code that encrypts an organisation’s servers, meaning that data cannot be accessed unless and until it is decrypted, which usually only happens once a ransom (often demanded in some form of cryptocurrency) has been paid.

There are a number of possible consequences of ransomware attacks. One is business disruption, which, as demonstrated by the recent ransomware attack on Colonial Pipeline, can be considerable. Other potential outcomes include significant financial consequences (which can result both from an organisation’s inability to continue its business as usual and from the payment of ransom demands). It should be noted that some insurers have announced that they will no longer write cyber-insurance policies that reimburse ransom payments (e.g. in May 2021 the European insurance company AXA announced that it was planning to adopt this position in France).

Other possible effects include reputational damage and the potential loss of data (the loss of both business confidential and personal data can seriously affect businesses in a variety of ways). Data breaches can also trigger regulatory notification obligations. For example, the European General Data Protection Regulation (GDPR), the UK GDPR and the Data Protection Act 2018 impose notification obligations regarding personal data breaches, while the Cybersecurity Directive ((EU) 2016/1148), which was implemented in the UK by the Network and Information Security Regulations 2018 (SI 2018/506), imposes reporting obligations regarding security incidents on operators of certain essential services and relevant digital service providers.

Organisations which fall victim to ransomware attacks are faced with a difficult decision: to pay or not to pay the ransom. Businesses facing this dilemma will need to consider a number of factors. For example, the UK Government has made it clear that it does not support the payment of ransoms, because paying may not, in fact, lead to the timely restoration of data and encourages the cyber-criminals involved.

The risk of violating sanctions and anti-money laundering/counterterrorist financing laws should also be taken into account. Such violations are currently attracting significant regulatory attention, particularly in the U.S.

Various initiatives have recently been launched to try to tackle the ransomware phenomenon. For example, the UK has created a new National Cyber Force, while a worldwide group of technology companies, governments, academic institutions and law enforcement organisations, among others, including the UK’s National Crime Agency and National Cyber Security Centre, have recently joined the Ransomware Task Force to address the global ransomware threat and challenge cyber-criminals. Some commentators have called for ransom payments to be prohibited by law (subject to certain exceptions where there is a threat to human life) to help make ransomware attacks less attractive to cyber-attackers.

It is clear that ransomware incidents are a serious issue for both private and public sector organisations and that whether or not to pay ransom demands is a serious quandary for victims of attacks. Financial institutions which process such payments are at risk of regulatory enforcement due to anti-money laundering and counterterrorist financing requirements. However, currently, apart from the clear financial implications, there are usually few consequences for companies that decide to cooperate with cyber-criminals by paying ransoms, unless the ransomware involves sanctioned countries or persons. Having said that, regulatory changes may be introduced to try to address this growing and potentially highly disruptive and harmful threat.
