The UK Government’s consultation on proposals for a new ransom payment prevention and reporting regime

Our views on the practical realities facing impacted organisations.

This article was co-authored by Jacqueline Baker, Legal Executive.

Since the government’s announcement last year, Kennedys has been closely monitoring proposals to introduce a new ransom payment prevention and reporting regime for businesses. The three-part plan is unsurprisingly stirring up plenty of heated discussions amongst businesses, incident response providers and insurers alike. 

There are, of course, a good number of “unknowns” at this stage and, as ever, the devil is likely to be in the detail. There is little doubt that the overarching objectives are admirable and ambitious, but there are some very significant practical considerations in their implementation that cannot be overlooked.

Proposal 1: Targeted ban on ransom payments in the public sector

It is fair to say that no organisation enters into discussions or negotiations with a threat actor lightly. In particular, cyber insurers have historically been unfairly accused of causing an increase in ransom payments through threat actors deliberately targeting those with insurance policies in place. However, this myth has been busted, not least through a study sponsored by the NCSC themselves.

In our experience, some of the most cautious about threat actor engagement are those organisations either directly within, or with significant links to, the public sector. This is typically through understandable concerns about making a payment from public funds and the already significant legal and regulatory considerations that exist. Therefore, the proposed ban on public sector/Critical National Infrastructure (CNI) payments is perhaps unlikely to make a material difference. 

There are, of course, some situations where the ban will make a difference! 

Kennedys has supported numerous organisations in the healthcare and education sectors where there has been no viable option but to pay for a decryptor (i.e. the key to get their data back). In cases where a ransom payment has become necessary, it has typically been because alternative routes to recovery have been exhausted and business critical data would be lost, or there would be ongoing significant disruption to operations. For a hospital, it is easy to see how these scenarios could cause a real risk to life; in education it can mean students being disadvantaged by disrupted exams or loss of coursework. 

In these situations, it seems unhelpful to place additional hurdles into an already very fraught decision-making process. The Home Office acknowledges that it will have to tackle difficult questions like this through the consultation process.

It is also worth highlighting that threat actors are not ordinarily looking to target a particular organisation; rather, they will be scanning for a vulnerability. This is relevant as, in many cases, threat actors may have no real knowledge of who, or what, their victim is. Others specifically target particular sectors (like healthcare or charities) to cause maximum disruption to their victims. This slightly undermines the argument that preventing payment under the targeted ban will limit attacks. 

Proposal 2: Payment prevention regime

This proposal lays out a four-step process, which would broadly require all UK organisations to notify the Home Office of an intention to make a ransom payment. This would be followed by ongoing dialogue with the government, culminating in it confirming whether a payment ought to be blocked.

This proposal brings with it numerous potential difficulties:

  • The government would be putting barriers in the way of ransom payment in circumstances where time is likely to be of the essence. A decision to negotiate is often taken only when all other options have been exhausted and, therefore, progressing with any such decision is time critical. We anticipate that the government may struggle to streamline this process to a significant enough degree to avoid practical difficulties in the majority of circumstances.
  • Some sectors in particular (manufacturing and logistics are just two examples) operate on fine cashflow margins. Additional time added to the negotiation process can legitimately be the difference between an organisation recovering and having to wind up its business entirely. If the government were to find cause to block a payment, companies left without the business-critical data they need to operate could similarly find themselves in liquidation. Both of these scenarios are likely to be unpalatable to business leaders.
  • In real terms, ransom demands are rarely paid directly by a UK entity, but rather by a third-party payment facilitator. Our experience is that these tend to be located outside the UK. Whether this amounts to a “loophole” for the purposes of this proposal is unclear, but the fact that it is not addressed does potentially indicate a lack of practical understanding of how the cyber market operates.
  • Finally, it is possible to envisage a situation in which the government’s decisions around whether a payment ought to be blocked could lead to significant disputes, for example if organisations perceive that one payment was allowed while others, under similar conditions, were not. It is not clear how these rules would be implemented in order to ensure fairness and consistency, as the decision to make a payment is so subjective.

Proposal 3: Mandatory reporting

The final proposal outlines a regime under which organisations would be required to notify a ransomware attack to the Home Office, irrespective of intention to pay.

This would create an obvious overlap with other regulatory reporting obligations and would potentially duplicate data already gathered by other public bodies (e.g. the ICO, law enforcement or other applicable regulators under the NIS Regulations).

The Home Office appear to acknowledge this, at least tangentially. Specifically, they flag that proportionality “is at the core of all the reporting proposals” they set out and that their “intent is to ensure that UK victims are only required to report a ransom and extortion demand once, as far as possible”.

Ultimately, this is probably the least controversial of the proposals and would likely be seen as simply one more form-filling exercise required in the early stages of responding to an incident. However, it remains to be seen how involved the government would intend to be in the incident post-notification.

To be continued…

The proposals are only at ‘consultation stage’, but they provide useful insight into the government’s thinking around ransomware threats.

While the proposals are arguably well-reasoned on a theoretical level, they do seem to overlook some of the practical realities facing an impacted entity. Our overarching view is that giving full effect to these proposals will require a level of coordination at government level that will be challenging to deliver successfully.

Subject to the ultimate position, we envisage that the proposals will further increase the legal complexity around ransomware events, particularly with regards to compliance and the legality of payments.