8th June 2023
In a recent joint blog post, representatives from the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) reflected on why it’s so concerning when cyber attacks go unreported; and looked at some of the misconceptions about how organisations respond to them. They say they’re increasingly concerned about what happens behind the scenes of the attacks they don’t hear about, particularly the ransomware ones. In this article, Regulatory & Compliance Partner Andrew Northage looks at ransomware and sanctions – one aspect of sanctions compliance that doesn’t necessarily grab the headlines, but which is essential for all businesses to be aware of.
Earlier this year, HM Treasury’s Office of Financial Sanctions Implementation (OFSI) published guidance on ransomware and sanctions, specifically financial sanctions. Financial sanctions prohibit making funds or economic resources available to an individual or entity subject to an asset freeze. That includes through a ransomware payment. Breaching financial sanctions is a serious criminal offence. It can carry a custodial sentence and/or the imposition of a monetary penalty of up to £1 million or 50% of the value of the breach.
OFSI and the National Crime Agency (NCA) say that, if the mitigating steps outlined in the guidance are followed, they will be more likely to resolve a breach case involving a ransomware payment through means other than a monetary penalty or criminal investigation. The guidance applies not only to victims/potential victims of ransomware attacks. It also applies to those who engage with victims to facilitate or process ransomware payments, for example financial institutions or cryptoasset businesses.
So, what should you do? The guidance sets out the following key steps:
OFSI assesses each case on its own merits, taking into account both mitigating and aggravating factors. Aggravating factors include regulated professionals not complying with regulatory standards; and repeated, persistent or extended breaches.
Taking proactive cyber resilience measures is key. The NCSC’s CEO said in the NCSC’s latest Annual Review that ransomware “remains the most acute threat that businesses and organisations in the UK face“. OFSI’s guidance explains that implementing the NCSC’s advice and guidance drastically reduces the risk of a successful ransomware attack. It lists links to the various tools and resources available, including the recently updated Cyber Security Toolkit for Boards.
OFSI’s guidance sets out some basic practical steps to follow if you do fall victim to a ransomware attack. That includes disconnecting the infected device from all network connections; and attempting to restore from back-ups, resulting in no need to consider a payment. We recommend seeking specialist advice to help navigate the particular circumstances in each case.
Our Regulatory & Compliance and International Trade experts have a great deal of experience advising businesses on sanctions compliance. Together with our Technology & Digital and Dispute Resolution colleagues, we can provide advice and assistance on all aspects of cyber security and risk, including dealing with cybercrime. Please contact Andrew, who will be very happy to help.
 See our earlier briefing on managing cyber risk following Interserve’s £4.4 million data breach penalty.