News and Publications

Directors beware! The civil penalties for ransomware

Posted: 07/09/2021


Over the past six months or so, you would be hard pressed not to have read or heard about a cyber-attack. Attacks on the Colonial Pipeline in the United States; on Brenntag, a German chemical distribution company operating in over 77 countries; on the Harris Federation Schools, the largest academy trust in the UK where data from 38,000 pupils was stolen; the more recent attack on Kaseya, a US information technology company, over the 4 July weekend; and the two recently reported attacks on barristers chambers in London with threats to publish sensitive client data if ransoms were not paid, are just a small handful of those recently reported. Such an attack can be highly damaging, with sensitive data being published on the dark web or more widely distributed if a high ransom is not paid, reputations being damaged or destroyed and, in circumstances where healthcare organisations such as the NHS have been attacked, lives can (and have) been put at risk.

It may surprise some to learn that cyber-security is a board level responsibility - directors could fall foul of the individual duties that they personally owe to the company if they do not consider and take reasonable steps to mitigate against potential losses and damage arising from such an attack. While directors can obtain insurance cover to protect them and the company against such risks, they will still need to demonstrate that they have taken reasonable steps to prevent a cyber-attack to escape potential liability.

Some statistics

In the UK, the National Cyber Security Centre (the NCSC) has been working hard, along with law enforcement, including the National Crime Agency, and other governmental bodies across the globe, to fight cyber-crime: the NCSC has dealt with over 2,000 significant incidents since its creation in 2016, and has taken down more than 700,000 online scams in the UK in the last year alone; 80,000 of which were discovered from tip offs from the British public through the NCSC’s ‘Suspicious Email Reporting Service’[1]. The Information Commissioner’s Office recorded a total of 8,815 data security incidents during 2020/21 and, over the past three years, police forces across England and Wales suffered an average eight breaches a week[2].

It is, however, anticipated that hundreds, if not thousands, more attacks have taken place but have not been reported. Many victims of cyber-attacks choose not to report the crime to law enforcement, or to publicise payment of the demanded ransomware for fear of repeat offending, incrimination from regulators or law enforcement, bad press and / or the potential withdrawal of cover from their insurer if a ransom is paid or dealt with in the wrong way. That is unsurprising given that the payment of ransomware – usually cryptocurrency - being demanded by the attackers is not illegal in the UK (despite the fact that the payment of a bribe is).  

What is a cyber-attack?

A cyber-attack is typically carried out by an unknown third-party gaining access to a computer system, server or a set of files which are held to ransom and threatened to be released to the public unless a demand is met. The third party often gains access by sending a fishing email asking for sensitive information (such as bank details) or encouraging the recipient to visit a fake website. In the UK alone, HMRC fishing scams are reported to have grown 87% during the Covid-19 pandemic, surging from 572,029 during 2019/20 to 1,069,522 during 2020/21[3]. Another way in which attackers can access systems is by the dispatch of an email which contains a trojan horse - an attachment, or a link for the unsuspecting to click on - which, once downloaded, hides malicious code within legitimate software for the task that the attacker designed it for, often to steal sensitive data or to spy on online activity and learn of passwords / sensitive information etc.

Is payment of a ransom demand illegal?

It is not currently illegal to pay a ransom demand in the UK which may surprise some considering the payment of a bribe, which is akin to a ransom payment, is illegal, as is making a payment to terrorists and other prescribed groups. Equally, those falling victim to an attack in the UK are not required by law to report it, although law enforcement bodies strongly recommend reporting it at the earliest opportunity to seek their assistance and expertise to maximise opportunities and to mitigate the threat.

Conversely, Australia – whose meat operations were impacted following the attack on JBS Foods until it paid a ransom of $11 million in June 2021 - has introduced a parliamentary bill seeking to make the reporting of a ransom demand compulsory, and it is thought that the Biden administration in the US is considering doing the same. While both of these positions are encouraged, the reporting of a ransom demand will only help law enforcement to collect information and data about such attacks; without the payment of a demand being made illegal, ransomware demands will almost certainly continue to increase and so directors in particular ought to take steps to protect themselves and their companies from such attacks.

Why should directors concern themselves with cyber-attacks?

As explained above, cyber-security is a board level responsibility – directors are likely to be held liable by the company if they fail to consider how best to mitigate against potential cyber-attacks.   

As will be known from just the handful of examples set out above, when the existence of an attack enters the public domain, it can damage a company’s reputation (and stock value, if listed) and may have widespread repercussions on the future trading of the company. Add to that the fact that attacks take significant time, effort and costs to seek to resolve, often requiring the assistance of a specialist incident response company (IRC), lawyers and other professionals, which augments the layer of cost required in addition to the demand of a ransom payment, it is clear why this tangible risk ought to be considered by the board of a company.

By way of demonstration, the Harris Federation Schools estimated that, in addition to the ransom of nearly £3 million that was demanded, they paid around £500,000 in costs over the course of three months dealing with the attack while the education of their pupils was impacted – they could not access school buildings which were electronically controlled, the CCTV was down, and registers were inaccessible from day one. They were required to hire the services of a foreign IRC (all UK companies were too busy to deal with this attack) to assess the level of penetration and, in parallel, work with others to understand the extent of the data stolen, contain it, seek to recover it, eradicate the virus, monitor the system, remediate it and negotiate the ransom payment demanded. The impact of a cyber-attack is far reaching and so steps must be taken to deter an attack and to prepare for one should the worst-case scenario come true.

How to escape liability

Given the increasing number of reported cyber-attacks of late, companies, directors and all key stakeholders ought to be on high alert and ready to act as soon as possible to provide sufficient protection against attacks and breaches.

Companies ought to consider obtaining sufficient insurance to protect themselves against the worst-case scenario and to fund (or indemnify) the urgent response team required to deal with the attack and to remediate the systems to ensure that they  are operating as normal as soon as possible. They also ought to prepare a detailed disaster recovery plan and to test it on a regular basis (noting the results in doing so by way of board minutes) so that they are ready to act out a doomsday scenario in real life should the (hopefully unlikely) need arise. On a more practical level, directors should ensure that their IT teams or directors responsible for IT / cyber matters are implementing sufficient security measures with, at the very least, regular backups of all data on, ideally, an off-site location; two-factor authentication; the regular changing of passwords; offering their employees cyber-security training etc.

If a director can demonstrate that they acted reasonably by, for example, seeking professional advice in this respect and acting upon such advice, it is likely that they will not fall foul of the Companies Act 2006 and other duties which they owe to the company.

What next?

The situation is far from straightforward. Some sympathy must be offered to the victims who choose not to report or publicise the attack – it can be seen how knowledge of an attack could fuel the risk of further attacks. By way of example, on learning of the attack, criminals will know that certain companies have sufficient insurance cover to meet any such demand and that, if they breach these companies’ systems, they are almost guaranteed a pay-out. Further, if a company has sufficient insurance, it could be considered more relaxed with regard to its cyber security and so the criminals may be encouraged to attack those systems assuming they will be easier to penetrate than others.

That being said, while the reporting of an attack remains voluntary, and the payment of a demand legal, it is no surprise that cyber-attacks are increasing in monumental percentages on an almost daily basis. These criminal gangs prosper by the anonymity of the attacks and the payments being made: the cryptocurrency often used to pay the demands will no doubt be used for other criminal activities and will continue to fuel the dark web and black markets if it is not cleaned and taken out as fiat in another, more favourable jurisdiction. Until reporting becomes compulsory and the payment of a ransom illegal, the trend in cyber-attacks will continue to grow and so swift action must be taken now to prevent, prepare for and know how to remediate any attack should the worst happen. 

 

[1] https://www.ncsc.gov.uk/speech/rusi-lecture (14 June 2021)

[2] https://www.thetimes.co.uk/article/hackers-9000-data-leaks-recorded-cyber-crime-56nvs7t6w#:~:text=Over%20the%20past%20three%20years,important%20information%20was%20being%20lost. (accessed 5 July 2021)

[3] https://www.infosecurity-magazine.com/news/hmrc-phishing-scams-grew-covid/?__cf_chl_jschl_tk__=b6112f6bede274ac8c1c74c8f4f01089bacec0d8-1626270646-0-AatADEvcRMkBv1NVr2udLFvDKLKHECHyyCeWi4IUR80dFU11IuxFgI9RQ6XWChz0I9pIXTjbaILNuMGONhajlzfD1PUkx1Qi7y5yr9eR-UHgIldwMZVqk8pWms1eg79OsqDOvQlZQUTfOsFWE6zSPrUG6Lxj5YAJ_2ykxs8JM134ZeBY7KscC522auMfAX3guClFO9dJO3JDeAjp1h1EcwBJwUCYLvisFDJhipewLMgcBCs1I5ORXu8MEKj-mlLuhQSWl0Pk6_LEjT2sxtm0slw4kN7t8zURyFFmb-j_r6Q-_LV-uSlKQrTetCDs_yLv43Hun1WRKtiEsgB_TyCNPFDNHwF4SgF4caGaqV_cU1fyK392g-gwrGNizeM74ANEuJwIzlkdzYX9mczF9WQ1GCvaGV2Dq6k-WcS6ZMGni1mOWIXqfKhD5JT_CcVygjknjw (accessed 14 July 2021)


Return to news headlines

Penningtons Manches Cooper LLP

Penningtons Manches Cooper LLP is a limited liability partnership registered in England and Wales with registered number OC311575 and is authorised and regulated by the Solicitors Regulation Authority.

Penningtons Manches Cooper LLP