Cyber attacks: due diligence essential prior to paying ransoms

Out-Law News | 01 Sep 2020 | 3:56 pm | 3 min. read

Businesses that pay ransoms to cyber attackers to regain access to systems and data they have been locked out from are unlikely to face prosecution in the UK for doing so, experts in cyber risk and financial crime law have said.

David McIlwaine and Andrew Sackey of Pinsent Masons, the law firm behind Out-Law, said, though, that businesses that fall victim to so-called ransomware attacks should carry out due diligence before deciding whether to pay the ransom requested.

Ransomware is a type of cyber attack in which hackers install malicious software onto computer systems, preventing organisations from carrying out everyday operations or accessing data or other assets. Organisations are prompted to make a payment to the hackers to bring about an end to the attack. Ransomware attacks have been growing in prominence in recent years, with foreign exchange business Travelex among those reported to have fallen victim to such an attack.

McIlwaine and Sackey were commenting on the potential risk of prosecution stemming from the payment of ransoms to cyber attackers after Ciaran Martin, the departing chief executive of the National Cyber Security Centre, told the Financial Times that it is "illegal to pay a ransom to a terrorist organisation" and said he would "not be against" the UK government taking legislative action to ban ransom payments to "other groups".

Martin suggested new laws merit consideration "if ransomware continues to exist as such a chronic strategic problem". A CyberEdge survey of IT business managers earlier this year found that 58% of companies that were victims of ransomware attacks had admitted to making a ransom payment, the Financial Times reported.

"Although the payment of ransom, directly or indirectly, is not of itself illegal, depending on to whom the money is paid and in what circumstances, there is a possibility that a money laundering or terrorist financing offence may be committed and professional advice should always be sought on the specific facts," McIlwaine said.

"On balance, though, where ransom payments are made following cyber extortion this risk is very low, and public interest considerations militate against the prosecution of any residual risk," he said.

However, Sackey said that victims of ransomware attacks should not "ignore the possibility that the payee may have links with terrorism or designated terrorist organisations or individuals". A failure to conduct due diligence prior to paying ransoms could expose payors to the risk of illegality and potential prosecution in some cases, and insurers should also be mindful of the potential implications for paying out on cyber policies without first enquiring as to the identity of the attackers, he warned.

Sackey said: "In each case under the UK's Terrorism Act 2000 it must be established that the payer knew or had reasonable cause to suspect that the funds would or may be used for the purposes of terrorism. So in the case of a ransomware attack, unless the ransom-payer is aware or has reasonable cause to suspect that the ransom is to be paid to a designated terrorist organisation or to a group concerned with terrorism, it is unlikely, although not inconceivable, that an offence will have been committed."

"Those perpetrating extortion are usually anonymous, and their underlying aim, together with the ultimate destination of any ransom payments, is usually entirely unknown. Cyber attacks tend to be carried out by faceless individuals and entities, without affiliation to a cause, political or otherwise. Therefore, it will be difficult, if not impossible, to identify those behind the attack with any degree of certainty. In circumstances where the identity of the person or persons issuing the threat is unknown, and there are no contradictory indicators, there may be no actual or inferred knowledge, or 'reasonable cause to suspect', that the cyber extortion threat comes from someone potentially connected to terrorism," he said.

"It is worth understanding, however, that even if the insured, or any third party making payments on the insured’s behalf, had not committed an offence under the Terrorism Act when paying a ransom, if subsequent information emerges which gives insurers reasonable cause to suspect links to terrorism, it may then be an offence to indemnify the insured under the policy," Sackey said.

Thorough due diligence can also help prospective ransom payers minimise the risk of engaging in related illegality under other legislation, including the Proceeds of Crime Act, the Serious Crime Act or an asset-freezing regime, Sackey said.