Ransomware response requires specialist advice

Ransomware attacks cause severe direct financial consequences. We know this, but we must also understand the potential for wider collateral damage to businesses arising from sustained, ongoing disruption. The indirect effects of an extortion event can cause long-standing, indirect (and often unforeseen) damage which has the potential to be at least as harmful as the initial event itself.

Due to the complexity of these breaches and the various consequences that may ensue, specialist ‘breach response’ advice may be required to help businesses consider all options and take the most appropriate actions.

The Law Society/NCSC statement

Recently, The Law Society of England and Wales published an article mirroring the warning from the government’s National Cyber Security Centre (NCSC) and the Information Commissioner's Office (ICO) about the role of solicitors in paying, or advising clients to pay, ransoms to cyber criminals, with the message ‘[w]e do not advise members to pay ransoms, nor suggest that is what they should advise their clients.' However, adopting a singular mindset in this new and evolving digital world (which is anything but one-dimensional) may not be suitable.

Ransom payments are controversial, but the payment of a ransom is not of itself illegal in much of Europe. That said, all individuals and legal entities incorporated, located or conducting business within the EU and UK must comply with the local financial, trade and other sanctions in force.

Any payments could also be illegal if there is reasonable cause to suspect that the ransom will (or may) be used for causes connected to terrorism and is being handed over in response to a demand (s 17A Terrorism Act 2000). Complicating matters further is the fact that malicious actors in any extortion situation are usually anonymous, and their underlying aim, together with the ultimate destination of any ransom payments, is usually entirely unknown.

The ICO and NCSC have made their position clear: they ‘will not encourage or condone paying ransom demands to criminal organisations’, regardless of whether the payment is deemed unlawful. The reasoning behind this stance is that by paying a ransom, a business may be incentivising criminals while, adding insult to injury, not even receiving a guarantee that any stolen data will be securely returned. Firms also run the risk of infringing their sanctions regimes (Russia being a hot topic of discussion), which could result in further economic consequences for the business, the organisations warned. These are valid points and must be taken into consideration when evaluating and resolving a breach.

The statement, while a stark proclamation to law society members, may also come across as an inflexible ‘one size fits all’ approach.

The reality

Extortion attacks (and the effects of them) are as varied and nuanced as the businesses which are targeted. Law firms must contemplate every risk and solution that may arise from a cyber-attack. As well as the extortion demand itself, other costs to consider include loss of revenue due to the associated downtime. Ransomware attacks cost the US $159.4bn in downtime alone in 2021, based on publicly confirmed ransomware attacks and data compiled by the pro-consumer website Comparitech.

For small and medium-sized enterprises especially, access to response teams may be limited and time-consuming, meaning they may be more heavily affected by losses relating to downtime. These costs could potentially outweigh the cost of a ransom, with cybersecurity and data backup company Datto suggesting that it can be up to 50 times more.

If the company does not have secure or separate back-ups in place, lost data may, without the encryption key, be complicated or, in a worst-case scenario, impossible to recover.

Consequences can be catastrophic in other fundamental ways. Consider the hospital suffering a ransomware attack, battling with network outages which are impacting the operation of life-saving medical devices, or the effect of an outage on critical infrastructure such as power or water suppliers.

While these risks are not something a law firm would typically need to consider, the point also has validity in the context of legal business: if court and/or commercial deadlines are not met, the indirect implications for the firm, its clients and/or third parties could indeed be significant.

Prevention is part of the cure

One thing that is evident is the necessity to resolve these breaches as quickly and effectively as possible to limit or reduce the ramifications. It is vitally important for law firms to keep tight security measures in place, which should include:

  • utilising multi-factor authentication,

  • maintaining segregated backup systems for any critical data, and

  • deploying regular employee phishing training.

Various other cyber hygiene protocols can help to minimise the risk and consequences of a breach.

Although increased security measures reduce these risks, in this dynamic tech world new ways of hacking are evolving each day, meaning the risk of a breach will always be present. For many law firms, standalone cyber insurance cover may no longer be considered a discretionary spend.

A market-leading cyber policy contemplates cover for the costs of a cyber-security incident response team, who run forensics, as well as ransomware specialists, who can negotiate with bad actors. This may help to reduce the period of downtime and the costs of responding to the event (including the amount of the demand itself), and minimise reputational harm.

Keeping the options open

Clearly, firms should not be encouraged to provide any motivation (not to mention their hard-earned money) to cybercriminals. However, ruling ransom payments out as an option in all circumstances could have dramatic effects on a firm, its clients, and the wider community. Providing law firms (and their insurers) with the casting vote as to whether or not a ransom demand should be paid seems eminently sensible. Law firms cannot anticipate how severe cyber-attacks may be; paying a ransom might be the only way to save a business.

For further information, please contact:

Vanessa Cathie – Vice President, Professional and Financial Services

T: +44 (0)20 7933 2478 | M: +44 (0)7780 487830

E: vanessa.cathie@lockton.com