Lawyers have been told to stop facilitating ransomware payments for their clients. The UK’s National Cyber Security Centre (NCSC) and data watchdog the Information Commissioner’s Office (ICO) have issued a joint statement warning that paying ransoms “is not the right thing to do” and that it will not lead to hacked organisations benefitting from lower penalties for a breach.
The NCSC and ICO say they “have been told that some firms are paying ransoms with the expectation that this is the right thing to do and they do not need to engage with the ICO as a regulator, or will gain benefit from it by way of reduced enforcement.” They say this is incorrect and have written to the Law Society, the professional body for UK solicitors, to ask them to remind members not to give in to ransomware demands.
NCSC: businesses should not make ransomware payments
Ransomware attacks are a growing problem for businesses around the world. Though many go unreported, analysis from law firm RPC shows that the number of ransomware breaches in the UK reported to the ICO doubled from 326 in 2020 to 654 in 2021.
Though paying ransoms is not illegal in the UK, the NCSC and ICO say that giving in to criminals’ demands to release locked data does not reduce the risk to individuals, is not an obligation under data protection law and is not considered as a reasonable step to safeguard data.
“Ransomware remains the biggest online threat to the UK and we are clear that organisations should not pay ransom demands,” said NCSC CEO Lindy Cameron.
“Unfortunately we have seen a recent rise in payments to ransomware criminals and the legal sector has a vital role to play in helping reverse that trend.
“Cybersecurity is a collective effort and we urge the legal sector to help us tackle ransomware and keep the UK safe online.”
Making ransomware payments will not mitigate ICO action
The ICO has clarified that making ransomware payments will not be taken into account as “a mitigating factor when considering the type or scale of enforcement action”. Information commissioner John Edwards said that his office will consider early engagement and co-operation with the NCSC positively when setting its response.
“Engaging with cyber criminals and paying ransoms only incentivises other criminals and will not guarantee that compromised files are released,” Edwards said. “It certainly does not reduce the scale or type of enforcement action from the ICO or the risk to individuals affected by an attack.
“We’ve seen cybercrime costing UK firms billions over the last five years. The response to that must be vigilance, good cyber hygiene, including keeping appropriate back up files and proper staff training to identify and stop attacks. Organisations will get more credit from those arrangements than by paying off the criminals.”
He added: “I want to work with the legal profession and NCSC to ensure that companies understand how we will consider cases and how they can take practical steps to safeguard themselves in a way that we will recognise in our response should the worst happen.”
Law Society will work with regulators on ransomware
A spokesperson for the Law Society said it welcomes the letter and “the opportunity it provides to remind our members of the importance of cyber security to their legal businesses.”
“We do not advise members to pay ransoms, nor suggest that is what they should advise their clients,” they said.
“We provide advice to our members about the steps they should take to meet their obligations to keep their businesses cyber secure through our Practice Notes, regular updates on our website, and events, and we promote the helpful resources and guidance provided by both the NCSC and the ICO in doing so.”
The spokesperson said the Law Society and another industry body, the Bar Council, had “reacted swiftly to recent ransomware attacks by producing our questionnaire on IT security for the use of firms when instructing Chambers, and we welcome the support we have had from the NCSC in this work.”
They added: “We and the Bar are committed to building on this and maintaining our ongoing dialogue for better cyber security in the profession.
“We welcome the offer to meet to discuss future collaboration with both the ICO and NCSC and our keen to play our part in helping combat ransomware criminals.”