Out-Law / Your Daily Need-To-Know

There continues to be exponential growth in the use of ransomware as a criminal business model. Recent specialist surveys revealed that there were nearly three times as many ransomware incidents in the UK in 2020 as in 2019, and the estimated global cost of ransomware could now be as high as £120 billion annually. The impact of this trend is driving a need for action.

There is greater awareness than ever of the risk of ransomware attacks, spurred by high-profile examples of organisations being locked out from accessing core systems and data. However, some organisations fail to take sufficient action to reduce the likelihood that they will fall victim to such attacks and are unaware of the risks entailed in making ransom payments.

A report by the US-based Ransomware Task Force has set out what organisations can do to reduce the risk of criminals succeeding with ransomware attacks and in their response to such attacks.

In our experience, organisations that devote the time and resources to preparing for a potential ransomware attack are more likely to be able to repel it or at least limit the disruption it can cause them and those they serve. Such preparedness is likely to make those organisations better placed to engage more meaningfully with regulators.

What is ransomware?

Ransomware is an increasingly prevalent form of cyber attack. It involves hackers installing malicious software on to computer systems to prevent organisations carrying out everyday operations or accessing data or other assets. Organisations are then prompted to make a payment to the hackers to bring about an end to the attack. 

Ransomware attacks have been growing in prominence in recent years, across many jurisdictions. Thousands of organisations were targeted by ransomware attacks in 2020, according to the Ransomware Task Force, a US-based team which brings together software companies, government agencies, cybersecurity suppliers, financial services companies, non-profits and academic institutions to combat the problem of ransomware. Examples of those reported to have been impacted by ransomware attacks include foreign exchange business Travelex, NHS trusts in the UK and hospitals in Ireland, and universities across the UK and North America.

The Ransomware Task Force report

In a report setting out actions that could be taken to combat ransomware, published in April 2021, the Ransomware Task Force said that tackling the “global criminal enterprise” behind ransomware attacks cannot be achieved by one single entity acting in isolation.

Many of the report’s 48 recommendations are aimed at driving action by government agencies – from taking action to disrupt ransomware criminals’ business models, increasing intelligence sharing and updating regulations – but an entire chapter of the report sets out the actions that can be taken to better prepare organisations for a ransomware attack.

The Task Force’s recommendations point to actions individual organisations can take to prepare themselves for the possibility of a ransomware attack.

Stuart Davey

Partner

The actions organisations can take to prepare

The actions that the Ransomware Task Force has endorsed include:

  • Mapping organisational security processes and controls to existing popular cybersecurity frameworks, such as the cybersecurity framework developed by the National Institute of Standards and Technology (NIST) in the US;
  • Undertaking ransomware-specific risk assessments; and
  • Leveraging contractual terms to hold managed service providers and IT suppliers accountable in respect of their cybersecurity measures.

These proposals are to be welcomed, and the report’s focus on cyber readiness chimes with our experience in the market. We are seeing organisations take steps to do more in advance to be prepared for when, not if, they are the subject of a cyber attack.

The Ransomware Task Force endorsed the development of business-level materials oriented towards organisational leaders to help them address ransomware risk. Pinsent Masons’ Cyturion – a cyber readiness tool helping organisations become better prepared to manage incident response – is an example of the resources available to businesses. The recommendation is also consistent with the significant uptick in interest we have seen for training sessions or cyber simulation sessions to stress-test preparedness.

We find that those organisations which have taken steps to consider cyber risks are typically best placed to respond when they happen. Organisations with well-developed incident response plans, which have been tested and rehearsed, are best able to react more quickly and more effectively.

Similarly, those organisations which have considered their corporate attitude to engaging with threat actors will have done a lot of the hard thinking in advance of a real-time event. As the Ransomware Task Force put it, “there is a stark difference between being aware of ransomware as a threat and having a real understanding of the dynamics, mitigations, and potential impacts of an attack”. It has urged organisational leaders to view ransomware as a “whole-organisation event, in non-technical, business risk-relevant terms”. We agree and welcome the Task Force’s calls for additional materials to help educate organisational leaders about the threat.

If a ransomware attack does hit, it is important to be nimble and adaptable in practice. However, considering these difficult issues in advance can pay dividends in a crisis scenario.

Whether to pay a ransom

With the ransomware threat constantly evolving and challenging the measures organisations put in place to address cyber risk, there remains a real possibility that criminals will succeed in implementing a ransomware attack – however comprehensive the defences organisations implement.

The Ransomware Task Force’s report also therefore sets out a series of recommendations on what can be done to make the response to ransomware attacks more effective.

Businesses and practitioners alike would benefit from a more consistent understanding of what, in practice, constitutes appropriate due diligence in determining hackers’ identity – and therefore better understanding whether they may be prohibited individuals, or associated with sanctioned entities or countries – and who might be criminally liable for any such failing. In this regard, a business’ status as the victim of crime carries no special shield of immunity to authorities investigating potential sanctions, terrorist payment or money laundering breaches.

The Ransomware Task Force’s call for clarity does not stand in isolation. It is echoed by increasing calls in the UK for the government to carry out an urgent policy review to consider all options, including the possible future prohibition on the payment of cyber ransoms.

Until such time as businesses have greater clarity, specialist real-time advice is essential.

When a critical incident occurs, business leaders are forced to make a number of extremely difficult and time-sensitive business, regulatory and reputational decisions. It is critical that any actions pertaining to ransom payments are built on the foundations of specialist compliance due diligence, and that those processes allow for documented risk-based thinking to be evidenced.

If businesses or their agents fail to take proper account of the compliance risks that flow from making a payment to an anonymous threat actor, it is unlikely that, should the need arise, they will be able to satisfy authorities that they took all reasonable steps to avoid potential transgressions.

Cyturion is a one-stop-shop cyber response tool offered by Pinsent Masons which enables clients to develop a cyber incident response plan tailored to their needs, which sets out what to do, who does it, how they do it, and how the response is managed. Cyturion can help businesses mobilise quickly in response to a ransomware attack, or any other cyber incident.
