View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
July 8, 2022updated 16 Aug 2022 1:36pm

UK regulators warn lawyers to stop making ransomware payments for clients

Businesses that pay ransoms will not benefit from lower penalties for a breach, the ICO and NCSC say.

By Matthew Gooding

Lawyers have been told to stop facilitating ransomware payments for their clients. The UK’s National Cyber Security Centre (NCSC) and data watchdog the Information Commissioner’s Office (ICO) have issued a joint statement warning that paying ransoms “is not the right thing to do” and that it will not lead to hacked organisations benefitting from lower penalties for a breach.

Lawyers have been told to stop helping clients make ransomware payments. (Photo by George Clerk/iStock)

The NCSC and ICO say they “have been told that some firms are paying ransoms with the expectation that this is the right thing to do and they do not need to engage with the ICO as a regulator, or will gain benefit from it by way of reduced enforcement.” They say this is incorrect and have written to the Law Society, the professional body for UK solicitors, to ask them to remind members not to give in to ransomware demands.

NCSC: businesses should not make ransomware payments

Ransomware attacks are a growing problem for businesses around the world. Though many go unreported, analysis from law firm RPC shows that the number of ransomware breaches in the UK reported to the ICO doubled from 326 in 2020 to 654 in 2021.

Though paying ransoms is not illegal in the UK, the NCSC and ICO say that giving in to criminals’ demands to release locked data does not reduce the risk to individuals, is not an obligation under data protection law and is not considered as a reasonable step to safeguard data.

“Ransomware remains the biggest online threat to the UK and we are clear that organisations should not pay ransom demands,” said NCSC CEO Lindy Cameron.

“Unfortunately we have seen a recent rise in payments to ransomware criminals and the legal sector has a vital role to play in helping reverse that trend.

“Cybersecurity is a collective effort and we urge the legal sector to help us tackle ransomware and keep the UK safe online.”

Making ransomware payments will not mitigate ICO action

The ICO has clarified that making ransomware payments will not be taken into account as “a mitigating factor when considering the type or scale of enforcement action”. Information commissioner John Edwards said that his office will consider early engagement and co-operation with the NCSC positively when setting its response.

Content from our partners
Sherif Tawfik: The Middle East and Africa are ready to lead on the climate
What to look for in a modern ERP system
How tech leaders can keep energy costs down and meet efficiency goals

“Engaging with cyber criminals and paying ransoms only incentivises other criminals and will not guarantee that compromised files are released,” Edwards said. “It certainly does not reduce the scale or type of enforcement action from the ICO or the risk to individuals affected by an attack.

“We’ve seen cybercrime costing UK firms billions over the last five years. The response to that must be vigilance, good cyber hygiene, including keeping appropriate back up files and proper staff training to identify and stop attacks. Organisations will get more credit from those arrangements than by paying off the criminals.”

He added: “I want to work with the legal profession and NCSC to ensure that companies understand how we will consider cases and how they can take practical steps to safeguard themselves in a way that we will recognise in our response should the worst happen.”

Law Society will work with regulators on ransomware

A spokesperson for the Law Society said it welcomes the letter and “the opportunity it provides to remind our members of the importance of cyber security to their legal businesses.”

“We do not advise members to pay ransoms, nor suggest that is what they should advise their clients,” they said.

“We provide advice to our members about the steps they should take to meet their obligations to keep their businesses cyber secure through our Practice Notes, regular updates on our website, and events, and we promote the helpful resources and guidance provided by both the NCSC and the ICO in doing so.”

The spokesperson said the Law Society and another industry body, the Bar Council, had “reacted swiftly to recent ransomware attacks by producing our questionnaire on IT security for the use of firms when instructing Chambers, and we welcome the support we have had from the NCSC in this work.”

They added: “We and the Bar are committed to building on this and maintaining our ongoing dialogue for better cyber security in the profession.

“We welcome the offer to meet to discuss future collaboration with both the ICO and NCSC and our keen to play our part in helping combat ransomware criminals.”

Read more: ICO fines Clearview AI £7.5m for facial recognition misuse

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU