View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
July 8, 2022updated 16 Aug 2022 1:36pm

UK regulators warn lawyers to stop making ransomware payments for clients

Businesses that pay ransoms will not benefit from lower penalties for a breach, the ICO and NCSC say.

By Matthew Gooding

Lawyers have been told to stop facilitating ransomware payments for their clients. The UK’s National Cyber Security Centre (NCSC) and data watchdog the Information Commissioner’s Office (ICO) have issued a joint statement warning that paying ransoms “is not the right thing to do” and that it will not lead to hacked organisations benefitting from lower penalties for a breach.

Lawyers have been told to stop helping clients make ransomware payments. (Photo by George Clerk/iStock)

The NCSC and ICO say they “have been told that some firms are paying ransoms with the expectation that this is the right thing to do and they do not need to engage with the ICO as a regulator, or will gain benefit from it by way of reduced enforcement.” They say this is incorrect and have written to the Law Society, the professional body for UK solicitors, to ask them to remind members not to give in to ransomware demands.

NCSC: businesses should not make ransomware payments

Ransomware attacks are a growing problem for businesses around the world. Though many go unreported, analysis from law firm RPC shows that the number of ransomware breaches in the UK reported to the ICO doubled from 326 in 2020 to 654 in 2021.

Though paying ransoms is not illegal in the UK, the NCSC and ICO say that giving in to criminals’ demands to release locked data does not reduce the risk to individuals, is not an obligation under data protection law and is not considered as a reasonable step to safeguard data.

“Ransomware remains the biggest online threat to the UK and we are clear that organisations should not pay ransom demands,” said NCSC CEO Lindy Cameron.

“Unfortunately we have seen a recent rise in payments to ransomware criminals and the legal sector has a vital role to play in helping reverse that trend.

“Cybersecurity is a collective effort and we urge the legal sector to help us tackle ransomware and keep the UK safe online.”

Making ransomware payments will not mitigate ICO action

The ICO has clarified that making ransomware payments will not be taken into account as “a mitigating factor when considering the type or scale of enforcement action”. Information commissioner John Edwards said that his office will consider early engagement and co-operation with the NCSC positively when setting its response.

Content from our partners
Why all businesses must democratise data analytics
How start-ups can take the next step towards scaling up
Unlocking the value of artificial intelligence and machine learning

“Engaging with cyber criminals and paying ransoms only incentivises other criminals and will not guarantee that compromised files are released,” Edwards said. “It certainly does not reduce the scale or type of enforcement action from the ICO or the risk to individuals affected by an attack.

“We’ve seen cybercrime costing UK firms billions over the last five years. The response to that must be vigilance, good cyber hygiene, including keeping appropriate back up files and proper staff training to identify and stop attacks. Organisations will get more credit from those arrangements than by paying off the criminals.”

He added: “I want to work with the legal profession and NCSC to ensure that companies understand how we will consider cases and how they can take practical steps to safeguard themselves in a way that we will recognise in our response should the worst happen.”

Law Society will work with regulators on ransomware

A spokesperson for the Law Society said it welcomes the letter and “the opportunity it provides to remind our members of the importance of cyber security to their legal businesses.”

“We do not advise members to pay ransoms, nor suggest that is what they should advise their clients,” they said.

“We provide advice to our members about the steps they should take to meet their obligations to keep their businesses cyber secure through our Practice Notes, regular updates on our website, and events, and we promote the helpful resources and guidance provided by both the NCSC and the ICO in doing so.”

The spokesperson said the Law Society and another industry body, the Bar Council, had “reacted swiftly to recent ransomware attacks by producing our questionnaire on IT security for the use of firms when instructing Chambers, and we welcome the support we have had from the NCSC in this work.”

They added: “We and the Bar are committed to building on this and maintaining our ongoing dialogue for better cyber security in the profession.

“We welcome the offer to meet to discuss future collaboration with both the ICO and NCSC and our keen to play our part in helping combat ransomware criminals.”

Read more: ICO fines Clearview AI £7.5m for facial recognition misuse

Topics in this article:
Websites in our network
NEWSLETTER Sign up Tick the boxes of the newsletters you would like to receive. Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
I consent to New Statesman Media Group collecting my details provided via this form in accordance with the Privacy Policy
SUBSCRIBED
THANK YOU