The ransomware hostage’s dilemma - should you pay the price?

Paying a cyber ransom will, allegedly, secure your data and give you back control of your systems. But there are legal, operational and ethical risks to consider. 

Ransomware attacks can paralyse companies. Exposure of your sensitive commercial, customer and employee information has huge effects. Paying a ransom will, according to attackers, secure your data and enable you to regain control of your systems. But there are legal, operational, ethical and other commercial risks to consider.

In the article, we explore:

  • how to identify and analyse the various sanctions, terrorist financing and other legal restrictions that may apply to payment of a ransom;
  • how to assess the regulatory environment in which you operate and its impact on your decision to pay (or not);
  • the ethical dilemma of paying a ransom; and
  • how to approach the practical and operational challenge of dealing with a ransom request.

The legal risks: key questions to ask

In most situations, the payment of a ransom is not illegal. But there are various legal risks and questions to consider. Knowing the attackers' identity and location can help with your legal analysis. Forensic IT specialists can often provide insights based upon advanced threat intelligence and their experience.

1. What laws will apply?

First, you need to consider what laws are applicable to your business, to the decision and the act of making payment. This can be difficult where a ransom incident occurs across multiple countries. As a minimum, you should consider the laws of the countries where:

  • the group entity that would make the payment is incorporated;
  • the business or group impacted is headquartered;
  • any entities within the group are listed publicly;
  • the key decision makers and individuals facilitating payment live or work, or from which they originate. For example, if the CFO of a Spanish business is a UK national, you will want to consider UK laws that may apply to that individual; and
  • the impacted data subjects reside, if personal data is affected.

If the ransom is to be paid in a national currency, such as USD, you should also consider the laws applicable in the jurisdiction that currency originates from.

2. Will making a payment breach sanctions or terrorist financing rules?

In many countries, including across the EU, the UK and the US, sanctions and terrorist financing rules can make it illegal to pay a ransom. Doing so may result in criminal or civil sanctions. In some cases, these offences operate on a strict liability basis, meaning it is important to carefully consider the risks before you make any payment. In our full article, we provide an overview of the key sanctions regimes you should be aware of.

3. Will you breach any financial covenants or key third party agreements?

Many organisations rely on a variety of complex financing arrangements and credit facilities. Before you pay a ransom, it is important to check that doing so will not trigger a breach of financial covenants or other events of default under those arrangements or other key contracts you have in place with third parties.

4. What regulatory environment do you operate in?

If your organisation operates in a heavily regulated sector, such as financial services or telecoms, or if it is a listed business, you should consider carefully the regulatory environment in which you operate before you make a ransom payment. Our full analysis includes discussion of the regulatory requirements you would need to consider in practice.

5. Do you have insurance?

Many cyber insurance policies will not cover the payment of ransoms. But they may cover other losses arising from a ransomware attack, enabling your organisation to recover without paying the attackers.

However, this may change in the future. For example, with effect from 25 April 2023, the French Insurance Code provides for the possibility of insurance policies to cover losses and damages caused by a cyberattack, which may include the payment of ransoms. This is dependent on the sole condition that the victim files a complaint with the competent authorities within 72 hours of becoming aware of the breach.

The ethical dilemma – what is the right thing to do?

During a live incident, businesses need to balance the reality of funding criminals against the potential impact of the attack continuing. Ransomware incidents often cause ongoing business interruption. If this continues unresolved, it can lead to loss of revenues, potential insolvency and significant job losses.

In addition, the publication of large volumes of sensitive personal data on the dark web can cause severe harm to individuals. That may result in legal claims against the organisation to recover those losses. These considerations combined may arguably swing the ethical dilemma in favour of paying the ransom.

Organisations should have a clear policy on how to deal with a ransomware incident before one happens. They need to be prepared to communicate their decision and its rationale if it becomes public that a ransomware incident has occurred.

A practical and operational challenge - where to start?

Often organisations focus on the legal and public relations risks associated with paying a ransom. In our full analysis, we explore the practicalities of the hostage dilemma including:

  • Who in your organisation will be involved in the decision making process?
  • How will you determine if the attacker is “trustworthy”?
  • How will you make the payment, particularly if cryptocurrency is required in large volumes?
  • Who will be responsible for making the payment?
  • How will you assess the commercial risk of paying, versus not paying?

Organisations face a difficult ethical dilemma when deciding whether to pay a ransom to cyber criminals. On one hand, paying may fund and encourage more crime. On the other, not paying may cause severe damage to the business, its employees, its customers and its reputation.

Content Disclaimer
This content was originally published by Allen & Overy before the A&O Shearman merger