
ICO and NCSC make statement advising against making ransomware payments amid uptick in cases

The National Cyber Security Centre (NCSC) and the Information Commissioner's Office (ICO) have issued a joint letter asking the Law Society to remind solicitors that they should not advise clients to pay ransomware demands should they fall victim to a cyber-attack.

Both bodies say they are aware that some organisations are paying ransoms in the expectation that they will then not need to engage with the ICO as a regulator, or that they will benefit from paying by way of reduced enforcement.

Ransomware involves the encrypting of an organisation's files by cyber criminals, who demand money in exchange for providing access to them.

In the event of a ransomware attack, there is a regulatory requirement to report to the ICO as the data regulator if people are put at high risk, whereas the NCSC – as the technical authority on cyber security – provides support and incident response to mitigate harm and learn broader cyber security lessons.

Paying a ransom to release locked data does not reduce the risk to individuals, is not an obligation under data protection law, and is not considered a reasonable step to safeguard data, the NCSC and ICO said.

John Edwards, UK Information Commissioner, said engaging with cyber criminals and paying ransoms "only incentivises other criminals and will not guarantee that compromised files are released".

Mr Edwards added: "We've seen cyber-crime costing UK firms billions over the last five years. The response to that must be vigilance, good cyber hygiene, including keeping appropriate back up files, and proper staff training to identify and stop attacks. Organisations will get more credit from those arrangements than by paying off the criminals.

"I want to work with the legal profession and NCSC to ensure that companies understand how we will consider cases and how they can take practical steps to safeguard themselves in a way that we will recognise in our response should the worst happen."

NCSC CEO Lindy Cameron added that the legal sector has a "vital role" to play in helping reverse the trend of organisations making payments to ransomware criminals.

A number of local authorities have been affected by ransomware attacks, with at least ten councils having had their operations significantly disrupted as a result.

Adam Carey
