Ransomware is the pre-eminent cyber threat of our time. Have you asked yourself, or your executives, what you would do if you received a ransom demand following a cyber attack that encrypted your IT systems?
“Ransomware remains the biggest online threat to the UK and we are clear that organisations should not pay ransom demands.” Quote: NCSC CEO Lindy Cameron (2022)
Would you pay the ransom?
It is worth thinking this through now and getting some clear optics on your position, because the answer is not as straightforward as it may first appear.
I am coming at this subject from a UK perspective, but it is important to recognise that many organisations operate globally, which means dealing with very different regional regulatory regimes that all need to be taken into account.
It is also important to recognise that this article is designed to stimulate awareness and help you get ahead of a decision that is best taken outside the heat of an actual incident, and that it is predominantly a business decision. THIS ARTICLE IS NOT LEGAL ADVICE. You need to seek your own legal advice independently.
Let us get one thing clear: as of the time of writing, paying a ransom in the UK, including one demanded in a ransomware attack, is not explicitly illegal. But “not illegal per se” does not mean you should simply get out your chequebook or crypto-wallet. You must first carefully consider the legal, regulatory and ethical implications of such a decision. Consulting legal experts, cybersecurity professionals and law enforcement is highly recommended BEFORE taking any action.
The legal and ethical considerations you should be taking into account include:
Regulatory Compliance – For example, under the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018, organisations must protect personal data. A ransomware attack that encrypts or exfiltrates personal data is a personal data breach, and organisations must report it to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Paying the ransom does not remove that obligation.
Financial Regulations – If the ransom payment involves moving large sums of money, financial regulations, including anti-money laundering (AML) laws, may apply, and so may the controls your bank or cryptocurrency exchange imposes on such transfers.
Criminal Implications – Paying a ransom funds a criminal enterprise, which may have broader implications under UK law. In particular, if the attackers or the wallet you are paying into are subject to UK financial sanctions, the payment itself may breach sanctions legislation regardless of your intent.
Terrorism Financing – If there is a risk that the ransom payment could reach a terrorist organisation, it could fall within the terrorism-financing offences, which are illegal.
Ethics – Paying demonstrates that these attacks are profitable, and so encourages further attacks on your organisation and on others.
Lack of Guarantees – There is no guarantee that paying will result in the recovery of your data, that the attackers will not demand more money, or that any stolen data will actually be deleted. In practice the recovery is rarely as clean as you would hope: the decryption tools supplied are often slow or unreliable, and restoring systems is a labour-intensive exercise in itself.
Insurance Contractual Obligations – Where a cyber insurance policy covers ransomware payments, it usually comes with strict conditions, such as prior consent and the use of the insurer’s approved responders, and with reporting requirements. Make sure you engage your insurer at the right time, before any commitment is made.
Third-Party Contracts – What are your contractual obligations to third parties, including customers and partners? These may constrain or influence the decision to pay, and may carry their own notification requirements.
Government and Law Enforcement Guidance – The UK’s National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) advise against paying ransoms. Their stance is that paying does not guarantee the return of data and may encourage further criminal activity. The police and other law enforcement agencies typically advise against paying for the same reasons.
If you have got this far and still feel compelled to pay a ransom, then consider your readiness to do so. Acquiring and securely holding cryptocurrency is not a ten-minute exercise, and it comes with its own risks and ramifications … Buy cryptocurrency today! Enjoy the thrilling bonus that comes with your purchase, the risk of accidentally laundering money or funding terrorism, all while watching your share price plummet faster than a lead balloon!
The best defence is a prepared mind, and in our fast-moving digital society preparation is the key to resilience.
Also on the same theme you may be interested in reading “Why Ransomware?” (Dec’23).
June 7th, 2024 → 14:24
[…] UPDATED June 2024 – Also worth a read “To Pay or Not to Pay, a very Modern Business Conundrum”. […]