UK Law Society Members Urged to Stop Advising Clients to Pay Ransomware Demands




Solicitors have been urged to stop advising clients to pay ransomware demands in a joint letter issued last week by the UK’s National Cyber Security Centre (NCSC) and Information Commissioner’s Office (ICO).


The open letter urged the Law Society to remind all its members that they should not advise clients to pay ransomware demands when they fall victim to a cyber attack. The letter emphasised that paying ransom does not reduce the risk of further attacks or necessarily guarantee the return of stolen goods or decryption of networks. Similarly, paying ransomware groups “will not reduce any penalties incurred through ICO enforcement action.”




The NCSC and ICO warned lawyers that paying ransomware demands incentivises further cyber-attacks by malicious actors. The letter suggests that the annual cost of cybercrime is estimated to be in the billions, with the actual cost much higher as this does not take into consideration the cost to businesses.


Instead, the letter reminded the Law Society that it is a regulatory requirement for ransomware incidents to be reported to the ICO if people are likely to be put at high risk. In addition, the NCSC is able to provide support and incident response to mitigate harm following a report. It will also help businesses that have suffered from attacks to protect themselves from similar incidents.




The letter added that the ICO “will recognise mitigation of risk is where organisations have taken steps to fully understand what has happened and learn from it, and, where appropriate, they have raised their incident with the NCSC, reported to Law Enforcement via Action Fraud, and can evidence that they have taken advice from or can demonstrate compliance with appropriate NCSC guidance and support.”