Ransomware inquiry calls for evidence from UK organisations
Published on 7th Dec 2022
Parliament is looking to assess and address the threat to UK national security posed by ransomware attacks
The UK's Parliamentary Joint Committee on the National Security Strategy launched a call for evidence on 31 October 2022 for its new inquiry into ransomware. The call for evidence closes on Friday 16 December.
Organisations have been invited to submit evidence on topics including:
- Access to and availability of insurance cover, and regulatory requirements placed on ransomware victims.
- Reforms that might enhance the UK’s resilience to ransomware, reduce the economic and societal damage that it causes, and support the law enforcement response.
- The scope for international cooperation, including on crypto-currency regulation.
Does this indicate that the joint committee is laying the groundwork for the government to regulate or ban ransomware payments – and could a ban work? A payment ban might reduce the number of ransom payments and disincentivise threat actors from attacking UK organisations. As many as 82% of infected UK organisations do pay, according to a report by Proofpoint. The cybersecurity company also noted that this is 41% higher than the global average, so it is possible that the UK's more liberal approach to ransom payment makes it a tempting target for threat actors.
Paying a ransom is not necessarily illegal in the UK at present, and many cyber insurance policies also cover the cost of paying ransom sums. Regulatory reform preventing this kind of coverage might be an alternative to banning ransom payments outright, although the evidence that this would significantly reduce the number of companies paying ransoms, or the sums they pay, is anecdotal. Likewise, as crypto-currency remains the preferred payment mechanism for threat actors, regulation (if properly applied) might make it harder for bad actors to use cryptocurrency as a financial safe haven.
Consequences of prohibition?
What might the consequences be if organisations are prohibited from paying? If organisations' systems remain encrypted or personal data is published online because a ransom hasn't been paid, this could result in increased harm to individuals, subject of course to what data is impacted in the incident. Likewise, the myriad costs of dealing with a ransomware attack can be significant – certain businesses could face insolvency even if they are able to recover successfully from an attack.
If impacted organisations believe these consequences can be avoided by payment, then there is also a risk that payments will either be driven underground or that victims will seek to make payments via group entities based in other jurisdictions.
Osborne Clarke comment
Clearly no organisation wants to have to pay a ransom, but any regulatory change should carefully consider the possible implications for impacted organisations and individuals. We will be looking closely at the outcome of the inquiry.