Ransomware: effective governance
Ransomware is a type of malicious software that prevents you from accessing your computer system (or the data that is stored on it).
The computer itself may become locked, or the data on it might be stolen, deleted, or encrypted. Cybercriminals then demand money in exchange for providing the keys needed to decrypt the data and unlock system access, and for agreeing not to publish any data obtained in the attack.
The National Cyber Security Centre (NCSC) recognises ransomware as the biggest cyber threat facing the UK.
The legal framework
The legal framework relating to ransomware in the UK is based on cybersecurity, privacy and national security legislation that applies to specific organisations, specific sectors or to all organisations generally.
The key pieces of legislation which set out the UK's cybersecurity standards are:
- the Data Protection Act 2018 (DPA 2018) which implements the UK GDPR;
- the Network and Information Systems Regulations 2018;
- the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (e-Privacy Directive); and
- sector-specific rules and guidance.
European cybersecurity legislation may also continue to have extraterritorial effect on UK-based organisations in some circumstances.
The legislation is generally principles-based and often does not contain prescriptive requirements, which means that organisations have an element of flexibility in how they implement cybersecurity measures. Organisations are required to assess the risk posed by cyber-attacks and perform a balancing exercise based on what is possible, reasonable and affordable given their particular circumstances and risk profile.
Is your business prepared?
It is important that you assess how ransomware may affect your business. Businesses are increasingly implementing some form of response plan for dealing with ransomware and other cyber-attacks but often these are aimed at dealing with attacks once they have already happened, rather than protecting against attacks from the outset.
Whilst IT and legal departments can assist with identifying and mitigating ransomware attacks, the overall management of cyber risks must be a priority for boards of directors and senior leaders, as no IT system in the world is entirely secure. Increasingly, stakeholders and business partners are seeking assurances regarding cyber security and, going forward, these assurances are likely to be required by regulators, investors, customers, employees, and lenders.
Directors have a duty to act in good faith to promote the success of their company and must exercise reasonable care, skill and diligence in their actions. In the context of ransomware and cybersecurity, these duties require that directors remain vigilant and educate themselves about the cyber and ransomware risks facing their business, so that they can manage those risks and make informed decisions on potential threats. Directors must ensure that their organisation has adequate system protections and procedures in place to prevent threats from materialising, so far as possible, and to deal with them if they do, and that these protections and procedures are regularly reviewed. Directors must play an essential role in stress-testing the assumptions used in recovery planning, in setting recovery priorities, and in determining how effective a ransomware payment might be in meeting recovery objectives.
Directors must understand the cyber risks facing the business and ensure that ransomware and other cyber risks are given the same level of attention as other legal, regulatory, financial, and operational risks. Failure to do so could result in severe criticism being directed at the board and could potentially result in claims against individual directors for breach of fiduciary duty.
Should you pay a ransom?
The decision to pay a ransom is often made with a false expectation that it is the fastest route to recover or protect stolen information. In response to the growing threat of ransomware attacks, the Information Commissioner's Office (ICO) and NCSC released a joint letter in July 2022 stating that paying ransoms does not reduce the risk to individuals, is not an obligation under data protection law, and is not considered a reasonable step to safeguard data. The letter also emphasises that UK law enforcement agencies do not encourage, endorse or condone the payment of ransoms, and states that payment of ransoms incentivises further harmful behaviour by malicious actors.
It is not currently illegal to pay a ransom demand in the UK; however, the circumstances of making the payment may constitute an offence, for example in relation to:
- Terrorist financing - it is an offence to pay a ransom if you know, or have reasonable cause to suspect, that the money will or may be used for the purposes of terrorism. Attackers generally do not identify themselves, making it difficult to ascertain who is the actual recipient of funds.
- Sanctions - it is an offence, under the provisions of much of the legislation which underpins various sanctions, to make funds available directly or indirectly to a 'designated' individual or entity. Designated individuals and entities appear on lists published by the Office of Financial Sanctions Implementation in the UK. As with terrorist financing, it is unlikely that an attacker would identify themselves, and a ransom payment is likely to pass through a series of onward payments before reaching its end destination.
Provided that reasonable due diligence has been conducted, it will not be an offence under English law to pay a ransomware demand if you can show that you did not know, or have reasonable cause to suspect, that funds would be made available, directly or indirectly, to such a designated individual or entity. As attackers do not generally identify themselves, it is difficult to set out clear due diligence steps to ascertain whether the attacker is part of a terrorist organisation or is passing the funds on to one.
The question of whether to pay a ransom is an immediate problem that requires the balancing of complex legal, operational, reputational, and strategic considerations. Directors need to be actively preparing for, and discussing, how to react to a ransomware demand.
What are the consequences?
Where personal data is taken as part of a ransomware attack, this typically results in unauthorised disclosure of, or access to, personal data and is therefore a type of personal data breach. You are required to notify the ICO of a personal data breach without undue delay and no later than 72 hours after having become aware of the breach, unless it is unlikely to result in a risk to the rights and freedoms of individuals. This means that once you have established that a personal data breach has occurred, you should undertake a formal risk assessment to determine the risks to individuals and the likelihood of those risks occurring, so that you can notify the ICO if required. You must keep a record of any personal data breaches, regardless of whether you are required to notify the ICO, together with the risk assessment undertaken.
In addition to the requirement to notify the ICO of a data breach, a failure to implement appropriate security measures to safeguard personal data can result in enforcement action, including the imposition of significant fines (up to the greater of £17.5 million or 4% of annual global turnover).
Your organisation may also face the costs of notifying affected customers as well as potential fines and penalties. Cyber-attacks also affect customer confidence and may result in a downturn in sales. In addition to the significant cost of investigating the cause of the attack and repairing cyber defences, the reputational damage resulting from a cybersecurity breach can be very costly, for example by affecting share price or investor relations. The threat of collective actions (whether representative or group claims) from individuals is also becoming more prevalent.
What should you do now?
The importance of good governance in preparing for and dealing with ransomware attacks cannot be overstated. There are several key steps that organisations should take as part of their risk management regime in an effort to mitigate cyber risk, including:
- Establishing a cyber risk management policy and ensuring that this is part of the governance framework, giving it the same level of attention as financial and other risk management regimes and documenting the fact that the policy is considered periodically by the board.
- Undertaking risk assessments of any personal data maintained or processed by your organisation and the manner in which that information is used, transmitted and stored.
- Ensuring internet safety and network security by protecting networks against external and internal attacks and taking steps to reduce the scope for a ransomware attack. Appropriate access requirements should also be put in place to ensure that employees only have access to data on a 'need to know' basis.
- Employee training and user awareness. Every organisation has a cyber defence weak spot in its own employees. An adequate cyber security system should not only have the relevant defences and policies in place; staff should also be adequately trained on all relevant policies and procedures.
- Establishing an incident response and disaster recovery team and putting in place an incident response plan that has been adequately tried and tested. This should include legal and IT team members to be called on to advise in relation to potential legal or regulatory issues, including the need to notify regulators and customers, and practical steps to take.
- Ongoing management. Cybercrime is constantly evolving, which means a proactive approach to cyber risk is essential.
The loss or compromise of personal customer information resulting from a ransomware attack carries with it potential legal and regulatory issues and immediate reputational and brand damage. Our cyber and data protection experts are on hand to advise you about preparing for and responding to these types of attacks.