Mitigo’s response to the Government’s proposed ban on ransomware payments for members of CharterGroup
However, a number of points should be borne in mind.
The proposal for a complete ban on the public sector and critical national infrastructure paying ransom demands, intended to deter these types of attacks against them, may result in the redirection of attacks against businesses in the private sector, with accountancy firms being a prime target.
Although the headlines in the press feature the high-profile attacks against public bodies, the reality is that the overwhelming majority of ransomware attacks are against businesses in the private sector.
The proposals in relation to the private sector would make it mandatory to report ransomware incidents to the authorities, and also to notify an intention to pay the ransom before actually doing so. Law enforcement would then review the proposed payment to see if there is a reason to block it, for example if it breached sanctions. This would create an additional burden on the victim firm, on top of the stress of negotiating with the criminals over payment and trying to limit the damage and disruption to its business and client affairs.
And what if the payment is blocked? It could be the difference between the firm surviving or not. Firms decide to pay ransom demands because commercially they feel forced to. Losing all client data and access to systems could leave the firm permanently crippled.
The prevention of a payment will not itself prevent criminal gangs from capitalising on data theft, for example by selling it on to facilitate other serious crime, such as card-not-present fraud, identity theft, or breaking passwords or user names to get into bank accounts.
Also bear in mind that these proposals relate to ransomware attacks. Cyber crime and cyber disruption involve a much fuller range of attacks which these proposals do not touch. For accountancy firms, the most common form of attack is email account takeover, where the criminal gains access to the firm’s email, frequently resulting in data and financial loss.
The bottom line is that firms should prioritise prevention of a cyber breach in the first place. Cyber risk management should be right at the top of any firm’s risk register and a board-level responsibility.