Focused on cyber-attacks: The financial crime dilemma in paying a ransom

• United Kingdom

• Fraud and financial crime

23-01-2023

Introduction

Cybercrime has increasingly become a profitable enterprise for criminals. Threat actors have a wide range of options at their disposal when undertaking cyber-attacks, including hacking, phishing and malicious software, often using ransomware to hijack IT networks, exfiltrate and encrypt data and leak it on the dark web unless a ransom is paid.

In recent years, cyber-attacks have grown in sophistication and frequency. Examples include the WannaCry ransomware campaign which affected the NHS and many other organisation globally and the SolarWinds attack which is believed to be affiliated with the Russian Government and involved a breach of major cybersecurity company FireEye. Earlier this year three suppliers of Toyota were targeted, causing Toyota to temporarily halt production.

Victims of a ransomware attack are confronted with the difficult decision of whether to either agree or refuse to make a ransom payment. When faced with this high-stakes decision, many organisations decide under pressure that paying out is the quickest and cleanest solution to recover stolen data and mitigate the risks. However, when dealing with criminal and malicious threat actors, it’s important to remember that their word is not always as good as their bond.

In reality, making a ransom payment does not guarantee decryption of data or networks and often still results in stolen data being released onto the dark web. The decision to pay may even incentivise further attacks by other threat actors who learn that the targeted business is one that is willing to pay out. “Double extortion” is also common, where the organisation makes an initial payment for the decryption key and is then hit with a demand for an additional payment to stop the publication of the data.

Deciding whether to pay or not to pay requires careful consideration, including an appreciation of the legal, regulatory, commercial and reputational risks that attend such a decision. In particular, the payment of a ransom presents a number of financial crime-related risks that warrant specific attention.

In this article, Ruth Paley (Partner), Philip James (Partner), Emma Gordon (Partner), Kim Jones (Senior Associate) and Theo Davidson (Associate) from Eversheds Sutherland outline the financial crime risks associated with making a ransom payment and highlight the key statements from UK regulators and law enforcement for organisations to be aware of.

The stance of UK law enforcement and regulators

Although it’s legally permissible for a ransomware payment to be made in response to a demand from a threat actor, this isn’t the end of the matter. Law Enforcement Agencies have been at pains to make clear that the payment of ransoms is not encouraged, endorsed or condoned.

The ICO has recently sought to publicise its position that it will not treat the payment of monies to criminals who have attacked a system as mitigating the risk to individuals, and such actions will not reduce any penalties incurred through ICO enforcement action. The ICO is prepared to recognise mitigation of risk where organisations: (a) have taken steps to fully understand how the attack occurred, (b) seek to learn from the experience and, (c) where appropriate, have raised the incident proactively with the relevant authorities and organisations responsible for cyber-crime.

We take a more detailed look at reporting below.

The Financial Crime Risks

While the payment of a ransomware demand is not unlawful in the UK, it may give rise to possible offences under terrorist financing, money laundering and sanctions legislation which should be carefully considered before any action is taken.

1. Anti-money laundering

Money laundering happens when the proceeds of criminal activity are processed in some way in order to disguise their illegal origin.

In the UK, it is illegal to deal with property which the person in question knows or suspects is criminal property.

Property is criminal property if it represents a person’s benefit from criminal conduct,

The question that arises is whether or not monies paid as part of a ransom demand will constitute criminal property, and whether the payment of the ransom will therefore engage the money laundering offences under the Proceeds of Crime Act 2002 (“POCA”).

The short answer is that the payment of a ransom by a business using funds legitimately held would be unlikely to create liability for money laundering under POCA, particularly in view of the fact that any money paid over would not, at the point of payment, ordinarily constitute criminal property.

Generally speaking, in order for property to be criminal property, it must already be criminal at the point at which it is transferred into the account of the threat actor, in that it would have to constitute a benefit from earlier criminal conduct. For most legitimate organisations targeted in cyber-attacks, this won’t usually be a live issue.

However, the status of the funds earmarked for the intended payment should be considered on a case-by-case basis as the legal analysis may depend on the specific facts.

Organisations should consider whether a decision to make a ransomware payment might be viewed as knowingly becoming concerned in an arrangement which would facilitate the acquisition of the proceeds of crime by, or on behalf of, another person. Whilst this risk is viewed as largely theoretical by most commentators, some organisations choose to add a layer of protection by submitting a request for a Defence Against Money Laundering (“DAML”) to the National Crime Agency (“NCA”) at the point at which the ransomware payment is made. Where the ransomware attack creates a time-critical situation, the protection afforded by a DAML should be considered against the potential detriment that might be suffered if further delays occur. It is important to know that the NCA may take up to seven working days to respond to a DAML.

2. Sanctions

The UK imposes a variety of country-related and thematic sanctions regimes. In particular, a specific set of cyber-related sanctions in force under The Cyber (Sanctions) (EU Exit) Regulations 2020 aim to deter and respond to cyber-attacks by imposing targeted measures on individuals and entities who are responsible for or provide support for them, or who are associated with such persons. For example, under the cyber-sanctions regime, six individuals and three entities responsible for or involved in various cyber-attacks, including the ‘WannaCry’ attack, have been designated as subject to an asset freeze.

If a UK person transfers of funds, directly or indirectly, to an ultimate beneficiary that is an individual or entity designated as subject to an asset freeze by The Office of Financial Sanctions Implementation (“OFSI”), that person will be in breach of UK sanctions, which under UK sanctions regulation is a criminal offence.

For the purposes of the UK sanctions regime, the definition of “funds” includes cryptocurrency. Therefore, even if the funds are converted into cryptocurrency (as is commonly the case), in the event that the threat actor is a designated person this would still constitute a violation.

It’s important to be aware that depending on the parties involved, there is also a risk that EU and/or US sanctions may be engaged, for example, in the event that payment is cleared by a US financial institution.

The challenge in the context of a cyber-attack is that the organisation is unlikely to be able to ascertain the identity of the threat actor at the time of the attack. Typically this information won’t be uncovered by law enforcement until after the attack. Assessing the risks is therefore a complex matter and will require specific due diligence and investigation before any action is taken. Relevant checks might include, for example, screening the name of the malware used to understand if it is associated with a specific individual or entity and the address of the crypto wallet(s) provided by the threat actor, or IP address screening, and open source due diligence.

Currently, the Office of Foreign Assets Control, the US sanctions authority, is the only sanctions authority which lists the known wallet addresses of designated individuals and entities on its Specially Designated National List. However, this should still be considered useful intelligence in light of the similarities between those designated by the UK and the US. This is especially so in the context of Russia, where the EU, UK and US, amongst others, have worked hard to coordinate efforts with respect to specific sanctions targets.

In the event that there is knowledge or reasonable cause to suspect that a ransomware payment has been made in violation of sanctions, the victim should take advice and report the potential violation to OFSI.

3. Countering terrorist financing

Financing terrorism is an offence under the Terrorism Act 2000 (“TACT”). However, if a ransom payment is made by the victim without knowledge or cause to suspect that the money will be used for the purpose of financing an act of terrorism, then an offence is unlikely to have occurred.

As set out above, the key challenge is that, in the context of a cyber-attack, the organisation is unlikely to unearth the identity of the threat actor in real time. However, the organisation should still ensure it takes steps to at least try to identify the threat actor. As with the mitigation of sanctions risk, organisations should conduct additional due diligence and checking in order to assess the CTF risk associated with any payment.

Reporting – Who should be notified in the event of a cyber-attack?

In the UK, reporting obligations will vary depending on the facts and the nature of the business. There are many different organisations involved in the management and investigation of cyber-crime and each has a different remit. Therefore, cyber-attacks will commonly need to be reported to a number of different organisations.

The key authorities that organisations should assess whether to report to are as follows:

• National Cyber Security Centre (“NCSC”)

The NCSC is the UK’s independent authority on cyber security. It was set up to help protect critical services from cyber-attacks, manage major incidents and improve the underlying security of the UK internet through technological improvement and advice to citizens and organisations. The NCSC supports small and medium enterprises as well as larger organisations and public bodies.

Although the NCSC is not a law enforcement or regulatory body, the NCSC will be able to provide technical advice and guidance with respect to an attack suffered by an organisation.

Therefore, organisations are strongly encouraged to report the incident to the NCSC using the NCSC reporting form.

• Action Fraud

ActionFraud is the UK’s national reporting centre for fraud and cyber-crime. Reports can be made via the online reporting tool or by telephone on 0300 123 2040 immediately. This service is available 24 hours a day, 7 days a week. By reporting to ActionFraud you will receive a police crime reference number.

ActionFraud is run by the City of London Police working alongside the National Fraud Intelligence Bureau who are responsible for assessment of the reports made to them. ActionFraud also provides help and advice over the phone.

Although ActionFraud does not investigate the case, other third parties potentially impacted by the attack, together with other law enforcement authorities and regulators will expect an organisation to report to ActionFraud as a matter of good practice.

• The NCA

The NCA leads the UK Law Enforcement response to ransomware attacks and it works closely with the National Police Chiefs Council, Regional Organised Crime Units and Local Police forces to investigate offenders and deliver services to support victims of ransomware. This includes Cyber Resilience Centres, which are police-led groups funded by the Home Office and are located in every region in England and Wales.

As set out above, organisations should consider whether a decision to make a ransomware payment might be viewed as knowingly becoming concerned in an arrangement which would facilitate the acquisition of the proceeds of crime by, or on behalf of, another person. If so, consideration should be given to submitting a DAML to the NCA as soon as practicable before making payment. This can be done by using the NCA’s SAR online portal.

Organisations operating in the regulated sector (and their employees) are subject to specific reporting obligations and must submit a SAR if – in the course of business - they come to know, or suspect that a person is engaged in, or attempting, money laundering or terrorist financing. This can be a complex judgement, often supported by external advice, and will need to be considered carefully on a case-by-case basis.

• NIS Directive Competent Authorities

Those organisations that are Operators of Essential Services under the NIS Directive must report to the NCSC, in conjunction with the Competent Authority (i.e. regulatory body) for their sector under the NIS Directive. For example, The Secretary of State for the Department for Business Energy and Industrial Strategy, together with Ofgem are the Competent Authority for the electricity subsector and downstream gas services within the gas subsector under the NIS Directive.

There are specific requirements for the method and timing of any reports depending on your sector and as determined by the relevant Competent Authority which are outside the scope of this article.

• The Information Commissioners Office (the “ICO”)

The ICO is a UK independent body charged with upholding information rights in the public interest. The ICO is also the primary enforcement authority for breaches of data privacy legislation in the UK.

If there has been a breach of personal data, the incident may need to be reported to the ICO. This will be the case if the personal data breach reaches the threshold for reporting under UK GDPR. The threshold is that the personal data breach should be reported, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals.

Should this threshold be met, the data controller (i.e. the organisation who determines the purposes and means of the processing of personal data in question), must notify the ICO without undue delay but not later than 72 hours after having become aware of it. It should be noted that ‘becoming aware’ is not the same as confirming a data breach, and so the timings can be quicker than many organisations realise.

The 72 hour timing requirement includes weekends and bank holidays, and so, should a breach occur on a Friday before a bank holiday weekend, the clock keeps ticking over the weekend and into the bank holiday itself.

The notification must: (a) describe the nature of the breach, such as the number of individuals affected and the types of data involved; (b) the contact details of the contact point for the organisation; (c) the likely consequences of the breach; and (d) measures taken by the organisation to address and mitigate the breach.

Where the threshold for reporting to the ICO is met, the notification form can be found here on the ICO’s reporting page. If preferred, the report can be made via call or email (details on the ICO website).

There is also a separate and additional obligation to notify individuals if the breach is likely to result in a high risk to their rights and freedoms, subject to exemptions in the UK GDPR.

• The Financial Conduct Authority (the “FCA”) and the Prudential Regulation Authority (the “PRA”)

Under the FCA’s Principles for Business and the FCA Handbook, regulated firms must notify the FCA as soon as they know of “material” cyber incidents affecting the firm (Principle 11 and relevant provisions in SUP 15.3 of the FCA Handbook).

An incident is likely to be considered to be “material” if it:

- results in a significant loss of data;
- results in the unavailability or control of the organisation’s IT systems;
- affects a large number of customers; or
- results in unauthorised access to the organisations’ IT systems.

In such circumstances, the firm’s named FCA Supervisor should be notified. In addition, if the firm is dual-regulated, it should also be notifying the PRA.

Firms will also need to consider their obligations pursuant to the FCA’s Operational Resilience Framework which are outside the scope of this article.

• OFSI

OFSI is the authority responsible for implementing the UK’s financial sanctions on behalf of HM Treasury. OFSI helps to ensure that financial sanctions are properly understood, implemented and enforced in the UK.

As explained above, in the event that you make a payment and you have knowledge or reasonable cause to suspect that you have breached UK sanctions as a result, you should report to OFSI.

Conclusion

Navigating a cyber-attack is extremely complex and challenging. The stakes are high, and the consequences of getting it wrong are very serious.

Preparing ahead of time is absolutely key and organisations should ensure that key stakeholders are aware of the risks and there is a plan in place in the event of an attack. This includes the need to implement a clear crisis management strategy to facilitate a quick and effective response which accounts for the various risks and issues that an organisation will be faced with. Separately, a data breach action plan should be developed, setting out roles and proposed steps following a data breach, given the tight timings for notifying the ICO.

Key Resources

- The NCSC and ICO Joint Letter - Letter from the Information Commissioner (ico.org.uk)
- The ICO’s Ransomware Guidance - Ransomware and data protection compliance | ICO
- The NCSC Ransomware Portal – A guide to ransomware - NCSC.GOV.UK
- Action Fraud Guidance – RansomAware Guidance
- NCA Guidance – Cyber Crime Guidance
- FCA – Ransomware Infographic