UK legal firms are being urged not to sanction ransomware payments by their clients aiming to get their systems back online, following increasing concerns solicitors have become the middle-men in handing over hundreds of thousands of pounds to cybercriminals.
The National Cyber Security Centre (NCSC) and Information Commissioner’s Office have rifled off a joint letter to the Law Society, calling on the organisation to remind its members that they should not advise clients to cough up should they fall victim to a cyber-attack.
Paying ransoms to release locked data does not reduce the risk to individuals, is not an obligation under data protection law, and is not considered as a reasonable step to safeguard data.
The move follows reports that some firms are mistakenly paying ransoms under the illusion that this is the right thing to do and they do not need to engage with the ICO as a regulator, or will gain benefit from it by way of reduced enforcement.
The ICO has clarified that it will not take this into account as a mitigating factor when considering the type or scale of enforcement action. It will, however, consider early engagement and co-operation with the NCSC positively when setting its response.
NCSC chief executive Lindy Cameron said: “Ransomware remains the biggest online threat to the UK and we are clear that organisations should not pay ransom demands.
“Unfortunately we have seen a recent rise in payments to ransomware criminals and the legal sector has a vital role to play in helping reverse that trend. Cyber security is a collective effort and we urge the legal sector to help us tackle ransomware and keep the UK safe online.”
Information Commissioner John Edwards added: “Engaging with cyber criminals and paying ransoms only incentivises other criminals and will not guarantee that compromised files are released. It certainly does not reduce the scale or type of enforcement action from the ICO or the risk to individuals affected by an attack.
“We’ve seen cyber-crime costing UK firms billions over the past five years. The response to that must be vigilance, good cyber hygiene, including keeping appropriate back up files, and proper staff training to identify and stop attacks. Organisations will get more credit from those arrangements than by paying off the criminals.
“I want to work with the legal profession and NCSC to ensure that companies understand how we will consider cases and how they can take practical steps to safeguard themselves in a way that we will recognise in our response should the worst happen.”
In the event of a ransomware attack there is a regulatory requirement to report to ICO as the data regulator if people are put at high risk whereas NCSC – as the technical authority on cyber security – provides support and incident response to mitigate harm and learn broader cyber security lessons.
The ICO insists it will recognise when organisations have taken steps to fully understand what has happened and learn from it, and, where appropriate, they have raised their incident with NCSC and they can evidence that they have taken advice from or can demonstrate compliance with appropriate NCSC guidance and support.
The NCSC has a wide range of guidance on mitigating the ransomware threat, for example advising companies to keep offline back-ups. All of its advice can be found on its ransomware portal. The ICO recently updated ransomware guidance, which can be found on its website.
Related stories
42 million finance records lost in ransomware tsunami
UK firms urged to act after major rise in online attacks
ICO updates cyber attack guidance as Russia fears rise
Ukraine invasion fuels cyber attack warning to UK firms
New cyber security laws threaten mega fines for firms
Spy chief warns of ‘alarming’ increase in ransomware
