Some lawyers are wrongly advising clients to pay ransoms when they fall victim to cyber-attacks, the National Cyber Security Centre (NCSC) and Information Commissioner’s Office (ICO) have warned.
The heads of the two bodies have written to the Law Society and Bar Council asking that they spread the message among their members.
The joint letter from Information Commissioner John Edwards and NCSC chief executive Lindy Cameron said: “In recent months, we have seen an increase in the number of ransomware attacks and ransom amounts being paid and we are aware that legal advisers are often retained to advise clients who have fallen victim to ransomware on how to respond and whether to pay.
“It has been suggested to us that a belief persists that payment of a ransom may protect the stolen data and/or result in a lower penalty by the ICO should it undertake an investigation. We would like to be clear that this is not the case.”
The pair acknowledged that ransomware payments were not usually unlawful but said “payers should be mindful of how relevant sanctions regimes (particularly those related to Russia) – and their associated public guidance – may change that position”.
More importantly, they went on, “payment incentivises further harmful behaviour by malicious actors and does not guarantee decryption of networks or return of stolen data”.
The letter added that some victims were paying ransoms with the expectation that they did not need to engage with the ICO as a regulator or would gain benefit from it by way of reduced enforcement.
Paying was not considered a reasonable step to safeguard data and the ICO would not take it into account as a mitigating factor when considering the type or scale of enforcement action.
“Where the ICO will recognise mitigation of risk is where organisations have taken steps to fully understand what has happened and learn from it, and, where appropriate, they have raised their incident with the NCSC, reported to law enforcement via Action Fraud, and can evidence that they have taken advice from or can demonstrate compliance with appropriate NCSC guidance and support.”
Ms Cameron commented: “Ransomware remains the biggest online threat to the UK and we are clear that organisations should not pay ransom demands. Unfortunately we have seen a recent rise in payments to ransomware criminals and the legal sector has a vital role to play in helping reverse that trend.
“Cyber security is a collective effort and we urge the legal sector to help us tackle ransomware and keep the UK safe online.”
Mr Edwards added: “Engaging with cyber criminals and paying ransoms only incentivises other criminals and will not guarantee that compromised files are released. It certainly does not reduce the scale or type of enforcement action from the ICO or the risk to individuals affected by an attack…
“I want to work with the legal profession and NCSC to ensure that companies understand how we will consider cases and how they can take practical steps to safeguard themselves in a way that we will recognise in our response should the worst happen.”
A Law Society spokesman welcomed the letter “and the opportunity it provides to remind our members of the importance of cyber security to their businesses”.
He continued: “We do not advise members to pay ransoms, nor suggest that is what they should advise their clients.
“We provide advice to our members about the steps they should take to meet their obligations to keep their businesses cyber secure through our practice notes, regular updates on our website, and events, and we promote the helpful resources and guidance provided by both the NCSC and the ICO in doing so.
“The Law Society and Bar Council have reacted swiftly to recent ransomware attacks by producing our questionnaire on IT security for the use of firms when instructing chambers, and we welcome the support we have had from the NCSC in this work.
“We welcome the offer to meet to discuss future collaboration with both the ICO and NCSC and are keen to play our part in helping combat ransomware criminals.”
In the event of a ransomware attack, there is a regulatory requirement to report to the ICO, as the data regulator, if people are put at high risk, whereas the NCSC – as the technical authority on cyber security – provides support and incident response to mitigate harm and learn broader cyber-security lessons.