

ICO, NCSC against ransomware payments

To pay or not to pay? It’s a live and pressing enough question about ransomware for the Infosecurity Europe show in London last month to have run a debate on it.

In a joint letter, the National Cyber Security Centre (NCSC) and Information Commissioner's Office (ICO) are asking the Law Society to remind its members that they should not advise clients to pay ransomware demands should they fall victim to a cyber-attack. The authorities say that paying a ransom to release locked data does not reduce the risk to the individuals whose data has been compromised, is not an obligation under data protection law, and is not considered a reasonable step to safeguard data.

The ICO has clarified that it will not treat payment of a ransom as a mitigating factor when considering the type or scale of enforcement action. It will, however, consider early engagement and co-operation with the NCSC positively when setting its response.

NCSC CEO Lindy Cameron said: “Ransomware remains the biggest online threat to the UK and we are clear that organisations should not pay ransom demands. Unfortunately we have seen a recent rise in payments to ransomware criminals and the legal sector has a vital role to play in helping reverse that trend. Cyber security is a collective effort and we urge the legal sector to help us tackle ransomware and keep the UK safe online.”

And John Edwards, UK Information Commissioner, added: “Engaging with cyber criminals and paying ransoms only incentivises other criminals and will not guarantee that compromised files are released. It certainly does not reduce the scale or type of enforcement action from the ICO or the risk to individuals affected by an attack.

“We’ve seen cyber-crime costing UK firms billions over the last five years. The response to that must be vigilance, good cyber hygiene, including keeping appropriate backup files, and proper staff training to identify and stop attacks. Organisations will get more credit from those arrangements than by paying off the criminals.

“I want to work with the legal profession and NCSC to ensure that companies understand how we will consider cases and how they can take practical steps to safeguard themselves in a way that we will recognise in our response should the worst happen.”


In the event of a ransomware attack involving personal data there is a regulatory requirement under the UK GDPR to report the breach to the ICO, as the UK data regulator, within 72 hours where it is likely to result in a risk to individuals, and to inform the affected individuals themselves where that risk is high; whereas the NCSC, as the UK technical authority on cyber security, provides support and incident response to mitigate harm and learn broader cyber lessons. The ICO publishes guidance on ransomware and data protection compliance online.


Charl van der Walt, head of security research at Orange Cyberdefense, said: “If victims keep paying the ransoms demanded of them by cybercriminals, there is no reason to believe that the ransomware crimewave will abate. As Mr Edwards presciently points out, there is not just the impact on individual businesses to consider, but also broader societal harm. Crime theory teaches us that to tackle crime we must demotivate the offender, which, in this case, means cutting off their flow of money. However, because there is no legal barrier to victims claiming ransom payments back on cyber-insurance, they are in some ways being incentivised to pay. Therefore, it is worth evaluating the pros and cons of regulating these payments.

“On one hand, ransom payments essentially fund cybercrime. Paying out leads to more attacks and there is no guarantee that hackers will release the data after receiving payment. It could even result in further demands. However, criminalising ransom payments could shift the focus of criminality from the perpetrator to the victim, and set off a chain of unintended consequences, such as a reluctance to report breaches. Combined, this could force the issue underground and make the practice more lucrative for cybercriminals.

“Whether criminalised or not, it is undoubtable that businesses should not pay the ransom demanded of them. Instead, they should alleviate the threat of being targeted by adopting services such as threat detection and response, and ensuring staff are trained on how to spot and respond to the threat of ransomware to ensure it doesn’t overcome a business’ defences in the first place.”

And Steve Bradford, Senior Vice President EMEA at SailPoint, said: “Ransomware is now so destructive that many organisations are simply paying the ransom upfront, sometimes to the tune of thousands – if not millions – of pounds. But, as the NCSC and ICO warn, paying a ransom is no guarantee of a recovery. And giving into cyber criminals only risks fuelling their practices in the long run.

“To mitigate the impact of ransomware, organisations across all sectors must implement multiple security controls. Two-factor authentication for all data – including that which is backed up – is a must. So too is regular data backup, preferably daily or weekly, and across different media, for example external hard drives, USB sticks and cloud space. But to reduce the risk of a breach occurring in the first place, technology like identity security is crucial, to manage who has access to what and immediately flag any suspicious behaviour within an organisation.

“This should be a standard best practice for cyber security and will also reduce the risk of other malicious malware threats.”
