Navigating these ransomware issues requires extra caution, and the consequences can be severe, as illustrated this year when the former Chief of Security of a large technology company, who had helped pay a ransom to malicious actors, was criminally convicted in the US for covering up the cybersecurity breach.
In the UK, the National Cyber Security Centre (NCSC) and the Information Commissioner's Office have stated in their joint statement that they neither encourage nor condone such ransom payments. However, the statement indirectly encourages organisations to seek advice from the NCSC in the event of a ransomware attack, suggesting that one can open a dialogue with the NCSC immediately after receiving a ransom demand. For decision makers this may be an essential step, because in certain cases a ransom payment is unlawful, qualifying as terrorism financing under s.17 of the Terrorism Act 2000 (TACT 2000).
The essential criterion for the s.17 offence is whether there is reasonable cause to suspect that a payment made, or property made available, will or may be used for the purposes of terrorism. 'Reasonable cause to suspect' is a lower threshold than actual knowledge, and actual suspicion is not required either, as the Supreme Court reiterated in R v Lane [2018] UKSC 36. It is sufficient that, based on the information known to the accused, there exists (when assessed objectively) reasonable cause to suspect that the money may be used for the purposes of terrorism. This has considerable implications for the legality of ransom payments: ignoring, or remaining unaware of, the non-exhaustive list of red flags is imprudent and does not provide a defence under s.17.
The following considerations are essential in the context of a possible ransom payment:
- S.17 essentially implies a positive duty to assess terrorism financing risk whenever an organisation considers making a ransom payment, to any extent.
- The assessment of terrorism financing risk has to be undertaken at the earliest opportunity, shortly after a ransom demand is received.
- The assessment has to consider the circumstances surrounding the breach and whether the organisation has exposed itself to any organisation on the Home Secretary's list of proscribed terrorist groups or organisations.
- Communications with hostile groups need to be managed with great caution to avoid potential offences under s.12(2) and s.12(3) of TACT 2000.
Pursuant to s.21ZA of TACT 2000, an organisation can obtain a letter from the National Crime Agency granting a defence to a terrorist financing offence (for example, one arising from a ransom payment).
Other international terrorist lists may be relevant for global organisations bound by additional local laws. For example, an individual can be prosecuted under 18 U.S. Code § 2339B (which has extraterritorial reach) for providing material support or resources to designated foreign terrorist organisations. As a result, the list maintained by the US Office of Foreign Assets Control (OFAC) should be given equal consideration.
The issues raised above are only a handful amongst a plethora of considerations that require detailed legal and operational analysis, including risk-based considerations. However, by considering and documenting the analysis of the points above, businesses will have a more robust due diligence report, which in turn provides a stronger defence against any potential scrutiny.
However, we acknowledge that there is still a lot of grey area concerning ransomware payments.
We regularly advise clients on weighing the potential benefits of making ransomware payments against the challenges. If you require legal assistance or advice, or would like to discuss any of the points raised above, please reach out to the authors below.