To pay or not to pay: Another regulator weighs in on the decision to pay a ransom

On February 4, 2021, the New York State Department of Financial Services (NYDFS) became the latest government entity to provide ransomware guidance when it released a statement recommending that ransomware victims not make ransom payments to cyber threat actors. NYDFS, calling cybersecurity the “biggest risk for government and industry, bar none,” noted that the “biggest driver” in the increasing impact of cybercrime on organizations and insurers is the rise in the frequency and cost of ransomware incidents. According to NYDFS, ransomware payments continue to drive this growing risk because they “fuel the vicious cycle” by enabling cybercriminals to develop and deploy more frequent and sophisticated ransomware campaigns.

In publishing this recommendation as part of the voluntary circular guidelines applicable to insurance companies, NYDFS joins a chorus of other U.S. regulators and law enforcement making similar recommendations of varying applicability to businesses more broadly. For example:

• the Office of Foreign Assets Control (OFAC) issued guidance in October 2020, which we previously covered in depth, warning of the risk of potentially violating OFAC sanctions when making ransomware payments;
• the FBI issued a warning that paying a ransom fails to guarantee that an organization will regain control of its data; and
• the Office of the Comptroller of the Currency (OCC), in its Fall 2020 Semiannual Risk Perspective, warned that ransomware attacks were increasing, while noting that if organizations refused to pay a ransom, the market for ransomware may evaporate.

While this guidance rightfully identifies the societal risks of paying ransoms, these regulators and law enforcement agencies thus far have not gone as far as prohibiting payment to non-sanctioned threat actors. Other federal agencies have provided perspectives that acknowledge the complicated nature of ransomware:

• the Federal Trade Commission (FTC) noted that law enforcement recommends against making ransom payments, but leaves it to businesses to weigh the risks and costs;

• the Department of Health and Human Services (HHS), echoing the FTC, noted that law enforcement recommends against making ransom payments, while also highlighting the difficult position of victims; and
• the Cybersecurity and Infrastructure Security Agency (CISA) discouraged paying ransoms, noting several potential drawbacks, including the risks of failing to regain access to data, being subject to increased ransom demands, becoming a future target of ransomware attacks, and encouraging criminal activity, but CISA ultimately noted that paying a ransom may be the prudent business decision when organizations are faced with an inability to function.

Implicit in this guidance is the recognition of a significant collective action problem in the community of ransomware victims. While the reward for perpetrating ransomware crimes would be diminished if every victim refused to pay, the practical reality is that a ransomware attack can mean failure or survival for a business. In weighing the societal impact articulated by regulators against the obligation to make a decision in the best interest of the company, all victims will not reach the same decision, and many may grudgingly conclude that paying a ransom is the most sensible – if extremely difficult – business decision. 

While the business community cheers recent reports of law enforcement take downs of ransomware networks, including actions against those responsible for Netwalker and Emotet, organizations should continue to strengthen their cyber and ransomware incident response plans. For example, it is increasingly important to notify and cooperate with law enforcement in the early aftermath of a ransomware attack and provide law enforcement with information to help bring cybersecurity threat actors to justice. Meanwhile, the clear trend in regulator recommendations is that ransomware payment is an important legal issue that requires careful consideration and reflection in incident response planning and response. 

Authored by Scott Loughlin, Peter Marta, Paul Otto, Tim Tobin, Gregory Lisa, Asmaa Awad-Farid, and Jacob Wall.