Ransomware: UK NCSC and ICO tell solicitors not to advise clients to pay ransoms

Published: Tuesday, 12 July 2022 08:52

In a joint letter, the UK National Cyber Security Centre (NCSC) and Information Commissioner’s Office (ICO) have asked the Law Society to emphasise to its members that paying a ransom will not keep data safe or be viewed by the ICO as a mitigation in regulatory action.

In their letter, the NCSC and the ICO state that they have seen evidence of a rise in ransomware payments, and that in some cases solicitors in the UK may have been advising clients to pay, in the belief that it will keep data safe or lead to a lower penalty from the ICO.

The two organizations ask the Law Society to clarify to its members that this is not the case, and that they do not encourage or condone paying ransoms, which can further incentivise criminals and will not guarantee that files are returned.

NCSC CEO Lindy Cameron said:

“Ransomware remains the biggest online threat to the UK and we do not encourage or condone paying ransom demands to criminal organizations.

“Unfortunately we have seen a recent rise in payments to ransomware criminals and the legal sector has a vital role to play in helping reverse that trend.

“Cyber security is a collective effort and we urge the legal sector to work with us as we continue our efforts to fight ransomware and keep the UK safe online.”

John Edwards, UK Information Commissioner, added:

“Engaging with cyber criminals and paying ransoms only incentivises other criminals and will not guarantee that compromised files are released. It certainly does not reduce the scale or type of enforcement action from the ICO or the risk to individuals affected by an attack.

“We’ve seen cyber crime costing UK firms billions over the last five years. The response to that must be vigilance, good cyber hygiene, including keeping appropriate back up files, and proper staff training to identify and stop attacks. Organizations will get more credit from those arrangements than by paying off the criminals.

“I want to work with the legal profession and NCSC to ensure that companies understand how we will consider cases and how they can take practical steps to safeguard themselves in a way that we will recognise in our response should the worst happen.”

In the event of a ransomware attack or other cyber crime, UK organizations should report an ongoing incident directly to Action Fraud on 0300 123 2040 (available 24/7), to the Information Commissioner’s Office (for data breaches under the GDPR), or to the NCSC for any major cyber incident. Law enforcement will then be able to mitigate the impact of the attack and secure evidence that can assist an investigation.

The ICO will recognise when organisations have taken steps to fully understand what has happened and learn from it, and, where appropriate, have reported the incident to the NCSC and can evidence that they have taken advice from, or can demonstrate compliance with, appropriate NCSC guidance and support.

Read the joint letter (PDF).