Ransomware attacks continue to surge from the levels seen just a few years ago and the threat such attacks present against companies and organisations remains very real – not least because the sums involved also continue to surge. According to a recent report by software company Acronis1, global ransomware damages are predicted to reach more than US$30 billion by next year, with that figure set to increase exponentially, potentially reaching the hundreds of billions of dollars a year within the next decade.
Directors and senior management therefore must not only work to prevent ransomware and other cyber attacks from happening, but be prepared if the company's cyber defences are breached. One critical point for senior management can be boiled down to the question: to pay or not to pay?
This update highlights some of the key legal issues facing businesses that have suffered a ransomware attack with particular reference to the latest UK guidance and the relevant sanctions regimes.
Businesses in all sectors and industries remain vulnerable to ransomware attacks, and there is evidence of continued occurrences of ransomware stemming from targeted phishing attacks, and malicious emails and websites. However, trends show that companies increasingly finding their defences breached as a result of attacks on their third-party suppliers or other partners that connect to their network. A notable third-party breach was the 2021 Kaseya VSA ransomware attack perpetrated by the now disbanded REvil ransomware group – affecting some 1,000 companies who utilised Kaseya software.
Whilst senior management should, in the first instance, continue to employ appropriate technical and organisational risk management procedures targeted at incident avoidance, they should also ensure that an appropriate incident response plan is developed, implemented, and tested in the event the business finds itself on the receiving end of a ransomware attack. The Kaseya VSA ransomware attack demonstrates how even the best prepared and best protected businesses can fall victim to such attacks through a third party vendor over which they have no control. This article does not address the potential notification requirements arising out of a ransomware or other cyber breach. Such requirements are onerous and subject to complex jurisdictional considerations specific to the nature of the breach in question. Mayer Brown regularly publishes updates in relation to notification requirements and other cybersecurity related issues, which can be viewed here.
To pay or not to pay?
The executive leadership of a company that falls prey to a ransomware attack, will likely be faced with a demand to pay a ransom, and may face substantial pressure to pay a ransom. Under English law it is not currently illegal to pay a ransom. Senior management will have to consider a host of practical issues when assessing whether or not to pay a ransom demand, including: the viability of available backups, the nature and extent of affected data, the viability of continuing operations without a decryption key, the company’s reputation were it to become public knowledge that the company opted to pay a demand, and the reputational impact of any deliberate release of data by the threat actor. Senior management will have to consider these factors in light of general guidance issued by law enforcement on the topic of ransom payments, as well as concerns about possible sanctions and terrorist financing.
UK law enforcement guidance
The position of a majority of government and law enforcement guidance in the US and UK has been generally consistent in advising against the payment of any form of ransom.2 UK government guidance notes that "[UK] Law Enforcement does not encourage, endorse nor condone the payment of ransom demands"3; a position which remains unchanged since the pre-cybercrime era.
A recent joint letter from the UK's National Cyber Security Centre ("NCSC") and the Information Commissioner's Office ("ICO", the UK's national data protection authority) to the Law Society of England and Wales (the "Joint Letter") seeks to dispel the belief that the payment of a ransom might protect the stolen data or somehow act in mitigation for the purposes of the fine set by the ICO. It also highlights that the payment of such ransoms serves to further incentivise ransomware threat actors by: i) encouraging attacks on other victims, and ii) marking the specific payer of a ransom demand as an organisation which is prepared to pay ransoms. Additionally, it is well understood that obtaining a decryption key in exchange for a ransom payment does not guarantee the decryption of impacted systems or the return of stolen data.
The Joint Letter reiterates the guidance provided by the ICO suggesting that factors that may be taken in mitigation by the ICO will include, inter alia, whether organisations: i) have taken steps to fully understand what has happened; ii) can demonstrate that they have learnt from the incident; and iii) can evidence that they are compliant with relevant NCSC guidance. Such guidance bears similarities to a September 2021 Advisory issued by the US Department of the Treasury's Office of Foreign Assets Control ("OFAC") which was the subject of this previous update.
Notwithstanding the ICO guidance, by not explicitly prohibiting ransomware attack victims from paying ransom demands, UK and US law enforcement guidance also recognise that there may be situations in which such victims face substantial pressure to pay a ransom demand. Such demands are, however, generally negotiated down and paid by a suitably qualified cyber extortion or ransomware negotiation service provider.
In certain instances, ransomware attacks may also present a direct threat to human life, such as attacks against hospitals or other healthcare infrastructure. Similarly, businesses with operations that have national security implications or represent critical infrastructure must contend with even greater implications of a loss of service caused by a ransomware attack. The special status of critical infrastructure providers as potential victims of cyberattacks, and particular regulatory obligations arising out of that status, is recognised both in the EU's current Network and Information Society ("NIS") Directive and its draft replacement "NIS2" Directive, which was covered in our recent alert.4
Businesses should therefore consider whether adding ransom payment specific information to the company’s incident response plan, including clear guidance in relation to authorisations and practical mechanisms required to make such a payment, as well as guidance on associated legal requirements may be helpful in the context of the company’s business. Alternatively, the company might consider including such detailed guidance in a cyber legal playbook.
Terrorist financing and sanctions issues
Under s15(3) and s17 of the Terrorism Act 2000 ("TACT"), a party will be liable for a ransomware payment if they knew or had reasonable cause to suspect that the funds would or may be used for the purposes of terrorism. However TACT also contains a provision, s21ZA, which allows organisations to seek a defence to carry out a transaction which would otherwise be an offence by seeking prior consent from the NCA. Given that the majority of ransomware and other cyber-attacks are carried out by anonymous perpetrators, it has previously been understood to be the case that it is unlikely that the payer will be liable under TACT. That position may now have changed.
Prior to the coming into force in June 2022 of the Economic Crime (Transparency and Enforcement) Act 2022 (the "EC(TE)") it would likely not have been an offence under TACT to make a ransom payment if the payer could demonstrate that they did not know, or have reasonable cause to suspect, that the funds would be made available, directly or indirectly to a designated individual or entity, provided that reasonable due diligence has been conducted by the payer.
However, the EC(TE) introduced a strict liability offence, such that the UK's Office of Financial Sanctions Implementation ("OFSI") is now able to impose civil monetary penalties on parties who have made a payment to a sanctioned individual or entity – i.e., regardless of their actual knowledge. In subsequent guidance issued in June 2022 OFSI indicated that, notwithstanding the introduction of a strict liability offence, due diligence undertaken to prevent any breach of sanctions would be taken into account when deciding on whether to proceed with enforcement action. The introduction of the EC(TE) brings the UK sanctions regime into line with US OFAC guidance, which has made sanctions violations a strict liability offence for a number of years, as explained in our October 2020 update.
In addition to this specific risk, senior management should also be aware of the general risk of sanctions violations in making payments, whether directly or indirectly, to designated individuals or entities listed in the consolidated list of financial sanctions targets prepared by OFSI. Making a payment to such a group is a criminal offense in the United Kingdom.
A number of ransomware groups and other cybercriminals are included in the sanctions regimes of the UK, the EU and US. However, the nature of ransomware groups in particular makes the sanctions risk analysis particularly complex. Such groups are largely anonymous and operate using sophisticated tools to mask their identities and methods, making attribution and identification difficult. They are also prone to disintegration, may form new groups or join other groups with a different brand name or moniker. The constantly shifting nature of ransomware actors or groups may make due diligence more challenging, as businesses seek to understand the sanctions risk.
The payment of a ransom has significant practical implications, including for the reputation of the business that has suffered a ransomware attack. As noted in the recent UK guidance, the payment of a ransom may not guarantee the recovery or decryption of affected systems and data, and may encourage threat actors to carry out further attacks against the same target organisation.
It is therefore recommended that businesses and organisations ensure they have a robust cyber incident response plan, and consider incorporating the business’ approach to ransomware payments. To facilitate preparation for incident response, it can be helpful to provide updates to the board on the incident response plan, and ensure that it is approved by senior management. Such a plan may include guidance produced by the relevant regulatory bodies and recognise that the payment of a ransom demand, if any, should be determined on a case-by-case basis by reference to the nature of the specific incident and the organisation's risk management profile, operational down-time costs, legal risk, regulatory considerations and business continuity considerations.
Organisations should also consider engaging outside legal counsel at the earliest possible stage of an incident, given the various legal as well as business factors that must be considered when responding to a ransomware attack – including the important question of whether or not to pay the ransom. As noted above, whilst there is generally no outright prohibition against ransomware payments, businesses should consider such payments in the context of the relevant legal and regulatory requirements, as well as the expectations of their customers and stakeholders. This can be a complex question and often must be addressed under the intense pressure brought about by a business critical cyber-attack.