It is difficult to overstate the challenges organisations face in the midst of a cyber attack: loss of access to systems, confidential information stolen, operations brought to a halt.
When they are then presented with a demand for payment from the threat actors, with an offer to restore access to systems and/or data, it can be tempting to pay, but organisations must weigh the risks of doing so.
Following a three-month public consultation that drew over 300 responses, the government has published its report. It intends to bring in a series of measures, including a ban on ransom payments by public sector bodies and providers of critical national infrastructure. In addition, private companies (not covered by the ban) would be required to notify the authorities before paying a ransom, and all ransomware attacks would have to be reported.
In recent months, we have seen high-profile ransomware attacks across a range of sectors. While some companies have confirmed that no payment was made, others have not confirmed their position. There is limited transparency in the market as to how frequently ransoms are demanded, or how often they are paid. This is one of the areas the proposed legislation will tackle with its new notification obligations. While this will not necessarily affect the frequency of ransomware attacks directly, it represents a further step for businesses to take and will allow greater intelligence gathering on a national scale.
The details and extent of any legislation are unclear, and it remains to be seen how the legislation will be implemented and monitored for compliance, and what the consequences will be for breaches of it.
Challenges in reporting
Organisations understandably look to disclose as little information about cyber attacks as possible, driven by a desire to limit their exposure to negative publicity, regulatory enforcement and litigation, and to avoid disclosing sensitive technical information which could expose them to further cyber risk. As such, organisations will be wary of the level of detail they are required to provide, how that detail may be shared, and the extent to which it increases the risk of an ensuing regulatory investigation.
For many public sector and critical national infrastructure entities, it will be helpful to have a binary rule in place, taking a potentially difficult decision about whether to pay a ransom away from the decision-makers. In any event, in practice many public sector bodies are already both reluctant and unable to make a ransom payment.
However, private sector entities may feel that these changes expose them further, as ransomware attackers could shift from targeting public sector entities to private businesses more likely to pay up. Furthermore, the additional notification obligations will add to the existing reporting burden on organisations and risk slowing engagement with the authorities, impeding an organisation's ability to react promptly to an ongoing cyber attack.
Changes beyond ransom payments
The overarching intention of these legislative changes is to tackle the threat of ransomware and protect businesses and critical services. It is an important recognition of the scale of the cyber threat. The government is looking to demonstrate that it takes cyber security seriously and is taking action to address the growing threat.
The bill will also give regulators more extensive enforcement powers, allowing them to order regulated entities to implement specific security improvements. A failure to apply patches for widely exploited vulnerabilities could, should a digital break-in then occur, lead to daily fines of £100,000 or 10 per cent of turnover.
Where this leaves organisations
For many in the public sector, anything that limits the potential impact of attacks, and increases awareness and transparency, should be a positive step. However, there are clear risks for private sector businesses as they are potentially being pushed further into the crosshairs of threat actors.
Equally, all regulated organisations should be conscious of the intention to grant regulators more extensive enforcement powers, and of the importance of ensuring that their cyber security systems are regularly reviewed and that available patches are applied without delay.
Whatever form the legislation takes, ransomware continues to be a fast-growing and hugely damaging form of cyber attack, and the risks posed by cyber criminals remain high. Robust cyber security is therefore vital for all organisations. All organisations should have fully tested systems and processes in place to reduce the risk of cyber incidents occurring and to understand how to deal with them effectively if they do.
How we can help
Burness Paull’s leading cyber security, data protection and group litigation experts have significant experience in managing cyber security risks, including ransomware attacks, and best practices. We understand the potential issues and how to deal with them quickly, practically and sensitively to ensure that the client’s legal, commercial and reputational interests are protected at every stage. Our team are on hand to support you on your cyber resilience journey, from implementing protective measures to handling a full-scale incident.
Please get in touch with any of our team to discuss your needs.