
Cyber ransom payments - The NCSC and cyber insurance industry unite to fill the guidance void


By Hans Allnutt & Camilla Elliot


Published 10 June 2024

Overview

For the first time, the National Cyber Security Centre ("NCSC") has collaborated with the cyber insurance industry, namely the Association of British Insurers ("ABI"), the British Insurance Brokers' Association ("BIBA") and the International Underwriting Association ("IUA"), to produce joint guidance for organisations considering paying a ransom. The guidance was published on 14 May 2024 (the "Guidance").

Whether cyber-attack victims should pay or not pay ransom demands is always hotly debated. The Guidance does not settle this debate, noting that it is the victim's ultimate decision. However, the Guidance provides much-needed advice for organisations that are considering paying, filling a clear knowledge gap in publicly available sources.

This comes after the RUSI Report[1], published in July 2023, which detailed findings and recommendations following an independent study into the alleged role of the cyber insurance industry in driving the criminal ecosystem by covering ransom payments. The RUSI Report criticised the British government's "black-and-white position" on making ransom payments.

Critics might say that any guidance which does not lobby against payments will have a permissive effect. However, the fact that payments are made, and that they are not always unlawful or illegal, is a genie that can't be put back in its bottle. Instead, this bold guidance ensures that organisations think through all the relevant considerations before making a payment. Whilst the Guidance at first glance may appear to be a list of "common-sense" considerations, common sense often goes out the window when attempting to make a difficult risk-based decision amid the panic of a ransomware attack. In doing so, the Guidance seeks to: (i) help cyber-attack victims minimise disruption and the cost of the incident; (ii) reduce the number of ransoms being paid; and (iii) reduce the size of the ransoms victims choose to pay.

This alliance between the NCSC and the cyber insurance industry in publishing this Guidance should be welcomed.

Do not panic and take time to investigate and assess your options

The Guidance emphasises that the claims and promises made by threat actors cannot be trusted. Threat actors pressure companies into rash decisions to pay by enforcing deadlines, making it appear that there is no alternative route to recovery, and claiming that they will publish exfiltrated data online unless a payment is made. In reality, if the organisation takes some time to investigate the scope of the attack and verify the threat actors' claims before rushing into any decision, it may find that:

  • there are alternative ways to recover (partially or fully) – for example, through viable backups or access to a decryption key via third parties, such as law enforcement. Further, the Guidance states that payment does not guarantee access to the affected devices and data, and sometimes, particularly for large organisations with complex networks, it may in fact be quicker to restore from backups.
  • the impact on the business, in terms of operations, data and financials, may be less than initially thought – the Guidance encourages organisations to consider: (i) feasible workarounds that can be adopted to manage the disruption; (ii) the nature and scope of the data compromised and, thus, the associated risks to individuals; (iii) the business interruption costs and recovery efforts (including staff overtime costs and external support), which may in fact be less than any negotiated ransom demand.

Consult external experts

The Guidance recommends engaging external experts, such as cybersecurity/IT incident response vendors, breach response counsel, and professional threat actor negotiators, to provide forensic investigatory support, advice on legal and regulatory obligations, and threat actor intelligence and negotiation tactics, respectively – all of which significantly improve the quality of an organisation's decision making. The Guidance directs organisations to take advantage of their cyber insurers' approved panel of vendors and the NCSC's list of recommended CIR (cyber incident response) companies.

Warnings

The Guidance also provides the following warnings:

  • threat actors are criminals and cannot be trusted - it is important to remember that payment of a ransom is not a fail-safe way to prevent the publication of stolen data; a cyber criminal's promise to delete data in exchange for payment cannot be trusted. Payment is also no substitute for a thorough assessment of the compromised data, which is needed not only to verify the threat actor's claims, but also to risk-assess the data and consider whether an Article 34 GDPR data subject notification exercise is required.
  • payment of a ransom does not fulfil an organisation's regulatory obligations[2] - as previously communicated in the NCSC's and ICO's joint letter to the Law Society and Bar Council, payment of a ransom is not seen as a step which mitigates potential harm to data subjects, and will not help an organisation avoid regulatory repercussions or reduce the amount of any ICO penalty.
  • consider legal and regulatory practice around payment - the Guidance notes that payment may not be lawful, for example if it is being made to an entity or area on the UK sanctions list. It also flags that where subsidiaries located in other jurisdictions are impacted, additional local laws and regulations may also need to be considered.

Lastly, the Guidance recommends that organisations report incidents to the UK authorities, including the NCSC, and sets out the benefits of doing so, including a reminder that it may result in a more favourable regulatory response, such as a lower fine from the ICO.

Comments

The Guidance is not a blanket instruction not to pay, but it does still discourage organisations from doing so without properly investigating all other options and assessing the risks. Payment is presented as the absolute last resort, and even then there is no guarantee that it will achieve the results the threat actor promises. The Guidance reflects a maturing of the British government's position, previously criticised by some as an oversimplified "don't pay" stance.

This Guidance has international relevance, and it will be interesting to see whether other jurisdictions formally adopt similar guidance.

Mervyn Skeet, the director of general insurance policy at the ABI, said: "This collaborative guidance is another positive step towards tackling cybercrime across the UK, and we look forward to continuing to work with NCSC on this shared goal." This united view between the NCSC and the cyber insurance industry may therefore be the first of more to come.

[1] https://rusi.org/explore-our-research/publications/occasional-papers/cyber-insurance-and-ransomware-challenge

[2] https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/07/ico-and-ncsc-stand-together-against-ransomware-payments-being-made/
