Ransomware attacks have become increasingly ubiquitous, presenting significant legal and operational challenges for organisations. The sophistication of threat actors, often bolstered by advancements in artificial intelligence (AI), necessitates proactive legal and strategic preparation to mitigate potential impact.
The implications of both the rising volume and impact of cyber incidents are profound. The European Union Agency for Cybersecurity (ENISA) reported a significant increase in both the diversity and the quantity of cyberattacks and their associated repercussions from late 2022 to early 2023. The misuse of AI, particularly in social engineering, has also begun to exacerbate threats. The UK NCSC’s January 2024 report on the impact of AI on cyber operations predicts a substantial amplification in the volume and impact of cyberattacks in the next 12 months, with cyber threat actors leveraging AI to enhance reconnaissance and social engineering capabilities, thus complicating detection and response efforts.
In this complex environment, organisational preparedness for cyber threats is imperative. Comprehensive preparation can mitigate legal liability and minimise operational, financial, and reputational damage. Even well-prepared organisations often struggle in the face of an attack as multiple teams, including information security, legal/privacy, communications, and HR, must all coordinate seamlessly in a time-pressured environment. Organisations with robust cybersecurity preparedness can better recover from cyberattacks, while preserving their business integrity and reputation.
From a legal perspective, enhanced cybersecurity preparedness involves, at a minimum, a thorough understanding of the risk, actionable response plans, and predefined contact points, both internal and external. Organisations should have comprehensive policies and plans in place, such as a cybersecurity incident response plan, that are effectively and efficiently executable. Such policies should be rigorously tested. We find conducting tabletop exercises involving all organisational levels is the best method to practise and refine these plans, ensuring that any weaknesses are identified and addressed before a real incident occurs.
In most cases, ransomware is used by the attacker to encrypt files and demand a ransom payment for decryption. Organisations should have a strategy as regards their response to demands for ransom payments and should take into account law enforcement’s stance. The decision to pay or not pay the ransom is often fraught with legal and ethical considerations and places immense pressure on senior management to make swift, informed decisions within a legally compliant framework. Organisations do need to deliberate carefully; the decryption of files is never guaranteed following payment.
Unsurprisingly, therefore, UK/EU law enforcement typically discourages such payments, as highlighted recently by the UK NCSC. There has even been discussion of making ransomware payments illegal. However, while doing so may, in theory, remove the incentive for threat actors to launch ransomware attacks, it potentially punishes the victims. It is also difficult to see how any law against paying ransom demands would be enforced. Furthermore, it is worth noting that threat actors have other means available to them, so cyberattacks would continue regardless.
Discouraging ransom payments, rather than outright criminalisation, may prove more effective, particularly when actively promoted by the likes of the NCSC. Sanctions considerations could also indirectly prohibit ransom payments under certain conditions, without the need for specific laws prohibiting the payment of ransom demands.
In conclusion, the landscape surrounding ransomware is complex and evolving. Organisations must take comprehensive, proactive measures to prepare for inevitable cyber threats. By doing so, they can better navigate the legal and operational challenges, safeguarding their interests and maintaining resilience in the face of increasing threats.
By Sarah Pearce, partner, Hunton Andrews Kurth