Regulator and cyber intelligence agency write joint letter seeking engagement with trade body for solicitors

Credit: rawpixel.com/PxHere/Keith Hall//Clker-Free-Vector-Images/Pixabay/CC BY 2.0   Images have been remixed

Regulatory and intelligence agencies have teamed up to implore the legal profession not to advise clients to pay the ransoms demanded by cybercriminals.

A joint letter to the Law Society – undersigned by information commissioner John Edwards and Lindy Cameron, chief executive of the National Cyber Security Centre – told the professional body for solicitors that “in recent months, we have seen an increase in the number of ransomware attacks and ransom amounts being paid”.

“We are aware that legal advisers are often retained to advise clients who have fallen victim to ransomware on how to respond and whether to pay,” the letter added. “It has been suggested to us that a belief persists that payment of a ransom may protect the stolen data and/or result in a lower penalty by the ICO should it undertake an investigation. We would like to be clear that this is not the case.”

Edwards and Cameron noted that, while obliging with ransom demands is “not usually unlawful, payers should be mindful of how relevant sanctions regimes, particularly those related to Russia… may change that”.

The letter said: “More importantly, payment incentivises further harmful behaviour by malicious actors and does not guarantee decryption of networks or return of stolen data.”

Related content

• Ransomware: Cabinet minister sounds alarm over ‘greatest cyberthreat to the UK’
• Departments to undergo independent audits of cyber resilience
• NCSC warns UK organisations to bolster defences against Russian cyberthreat

It added: “For the avoidance of doubt the ICO does not consider the payment of monies to criminals who have attacked a system as mitigating the risk to individuals and this will not reduce any penalties incurred through ICO enforcement action.”

The two leaders told the Law Society that their organisations are “keen to engage” with the legal profession to ensure solicitors understand the standards and practices their clients should follow in the event of a data breach or cyberattack.

“If it would be helpful to meet to discuss how we might collaborate further on this we would be pleased to do so,” the letter said.

A report recently published by law firm RPC concluded that the number of ransomware attacks reported to the ICO doubled last year, rising from 326 to in 2020 to 654 in 2021.

As part of an eight-point compliance checklist for organisations, the data protection watchdog’s website says that it has “seen a steady increase in the number and severity caused by ransomware” in the past couple of years.

The NCSC – a GCHQ-based agency which helps set government’s cyber policy and guidance, and assists businesses and public bodies in responding to the gravest attacks – also has dedicated advice and support materials aimed at helping organisations understand the threat posed by ransomware, and what they should do in the event of a successful attack.

The letter from the two organisational leaders claimed that the annual cost to the UK of cybercrime is “billions” of pounds.