UK: Cyber Extortion - Legality Of Ransom Payments And The Approach Of Businesses And Insurers

Last Updated: 24 January 2017
Article by Sami Paracha

Cyber attack is an omnipresent risk for most businesses, and a growing one: attacks are becoming more frequent and more serious, the cost of proactively managing the risk (or of remediating a breach) is rising, and potentially higher fines following a breach are on the horizon with the implementation of the GDPR. The approximately 500 million recently compromised Yahoo accounts are a pertinent reminder of these risks. CFC Underwriting has also recently commented that it is being notified of claims under its policies at a rate of more than one a day, particularly from SMEs with revenue under £50m, and that "ransomware" is behind a significant number of those claims [1].

Cyber extortion, meaning threats and/or ransom demands connected with cyber attacks, is a risk which can cause great uncertainty for businesses, particularly as to how the threat should be handled: whether a ransom demand should be paid, whether such a payment is legal and whether insurers will cover it. This is further complicated by the fact that the threat usually comes with a short deadline for compliance. We address below the nature of cyber extortion threats and the approach businesses and insurers may take when cyber extortion arises.

The nature of cyber extortion

Cyber extortion can arise in various forms. The most familiar is malicious software ("malware" or, in this case, "ransomware") which infects an IT system and encrypts the business's data, with the means of decrypting it promised on payment of the ransom demand. Common methods of cyber extortion include:

  • Ransomware delivered as malicious code disguised as an attachment to an innocuous-looking email sent to any number of individuals in the business; once any one recipient opens the attachment, the ransomware may spread across the business's entire IT system.
  • Hackers obtaining sensitive information and demanding payment under threat of releasing the information to the public.
  • A threat of a cyber attack (for example, a DDoS attack which would take down the business's website, a particularly serious threat for an online business) coupled with a demand for payment to avoid the attack.
  • Malware jeopardising the running of infrastructure or of devices connected through the Internet of Things ("IoT"), again with a ransom demand to prevent damage. Some malware may be too large to run on resource-constrained IoT devices, but ransomware can be much lighter, needing only a few commands and an encryption routine.

With the frequency of attacks on the rise, cyber extortionists are certainly finding a lucrative business for themselves. The sums demanded generally range from several hundred to several thousand pounds or dollars (although the demand is often made in Bitcoin rather than traditional currency). These relatively low sums tend to prompt businesses to pay, particularly as payment may result in the decryption and return of sensitive company information. However, there is at least one high-profile example of a much higher demand: in a ransomware attack in February 2016, Hollywood Presbyterian Medical Center, a US hospital, received a demand for 9,000 Bitcoins (approximately $3.4-3.6m at the time) and eventually paid 40 Bitcoins (approximately $17,000) in order to regain access to its systems [2]. The amounts demanded by cyber extortionists may well rise in the future.

The legality of ransom payments

There is no broadly applicable English legislation which makes ransom payments illegal. Nor is there a general duty on ransom payers to report incidents to the police, although they have the option to report to the police or to specialist teams such as Action Fraud, IFED or Falcon. Ransom payments are also not illegal under international law.

Legal commentary and case law on the likely approach of the courts to ransom payments is limited. However, in Masefield AG v Amlin Corporate Member Ltd (The Bunga Melati Dua) [3], a case concerning maritime piracy and ransom demands for the safe return of a vessel and its crew, the Court of Appeal held that there was no general public policy argument against paying ransoms and stated [4] that:

"...there is no universal morality against the payment of ransom, the act not of the aggressor but of the victim of piratical threats, performed in order to save property and the liberty or life of hostages. There is no evidence before the court of such payments being illegal anywhere in the world. This is despite the realisation that the payment of ransom, whatever it might achieve in terms of the rescue of hostages and property, itself encourages the incidence of piracy for the purposes of exacting more ransoms. (Perhaps it should be said that the pirates are not classified as terrorists. It may be that the position with regard to terrorists is different)."

The Court in Masefield aptly highlighted that the public policy position in respect of terrorists may well be different. Section 17 of the Terrorism Act 2000 ("TA00") creates an offence where a person enters into or becomes concerned in a funding arrangement and knows or has reasonable cause to suspect that the money or property will or may be used for the purposes of terrorism. The actions and modus operandi of Somali pirates or cyber extortionists are usually not linked with terrorism. However, if the victim of a cyber attack knows or has reasonable cause to suspect that the attackers are linked to terrorism, section 17 of the TA00 would make payment to those attackers illegal.

The Proceeds of Crime Act 2002 ("POCA") creates various offences which make dealing with criminal property illegal. However, POCA is not relevant to a ransom payment itself, since the money does not become the proceeds of crime until it is received by the cyber extortionists: POCA does not make illegal a payment which only subsequently becomes the proceeds of crime.

Risk to businesses and their approach

At present, given the low sums demanded in most cyber extortion attacks, businesses tend simply to pay the demand. Such payments may well be made by employees without going through proper internal reporting procedures, for example by an employee who let the ransomware into the business's IT systems by opening an email attachment and feels directly responsible.

There is no universal approach as regards the merits of making ransom payments. On a broader view, terrorism is a scenario where a strict stance against payments is frequently taken, including by English law under the TA00. Conversely, the Court in Masefield noted the reality of the fragile status quo between the pirates and those who pay ransoms, and was guided by expert evidence that negotiation and payment of ransoms was the only realistic and effective means of obtaining the release of a vessel and its crew.

There are various sensible commercial arguments against making ransom payments, to cite a few: (i) paying is likely to encourage further attacks; (ii) the attackers learn that this particular business is willing to pay; (iii) ransom payments ultimately fund criminal activity; and (iv) a ransom payment does not guarantee the outcome the business hopes for: a working decryption key may never arrive, and an attacker who has stolen data may keep a copy regardless of payment.

Ultimately, it will be for each business to decide how to mitigate the risks of, and respond to, cyber extortion attacks, and the exact response may differ according to the specific facts of a breach. However, any business should maintain robust reporting procedures, adequate policies/guidance and training so that staff know how to react, and a systematic and rehearsed response which the business can rely upon rather than improvising when an attack occurs. Offline backups that are regularly tested for restoration also reduce the leverage of a ransomware demand, since encrypted data can then be recovered without paying. Businesses can also mitigate this risk by obtaining insurance cover and being aware of their policy provisions (see below).

Insurance coverage for cyber extortion

Businesses are increasingly obtaining cyber insurance cover as an element of their risk mitigation plan. Such policies generally provide cover for the costs to the insured victim of responding to a cyber attack ("first party costs") and for potential liabilities/costs to third parties ("third party costs"). Cyber extortion cover falls within first party costs.

Cyber policies vary widely in the cover they provide and there is no standard basis of cover. Any given policy may provide cover for cyber extortion costs, be silent on such losses (in which case it would likely be difficult to argue that they fall under a different insuring clause), or expressly exclude them. Further, the policies which do cover cyber extortion vary in their wording. It is therefore crucial to review and understand the policy provisions.

Insuring clauses for cyber extortion usually cover the ransom payment itself (or, in some policies, where goods or services are demanded, the monetary value of those goods or services) as well as the costs of responding to the threat. However, this cover will be subject to various conditions, which may include:

  • taking reasonable steps to ascertain that the cyber extortion threat is genuine;
  • promptly notifying the insurer and providing updates;
  • obtaining the insurer's prior written consent;
  • reporting the threat to the police (or allowing the insurer to do so); and/or
  • ensuring that the ransom payment is made or approved by a company director or senior manager.

As more businesses look to purchase cyber cover, more policies in the market may come to provide cover for cyber extortion threats. Of course, if such cover does become more prevalent, the practice of cyber extortion may simply expand in response.

Footnotes

[1] Insurers handling 'hundreds' of breach claims

[2] Los Angeles hospital paid $17,000 in bitcoin to ransomware hackers

[3] [2011] EWCA Civ 24

[4] Ibid, paragraph 66.
