The Ethics of Paying Ransomware: Compliance vs. Consequences

Unpack the ethical, legal, and strategic dimensions of ransomware response and recovery.

By Jason Meserve | August 26, 2025

In Episode 3 of our Continuous Compliance podcast series, The Ethics of Paying Up: Compliance vs. Consequences, Commvault’s Field CTO for EMEA, Darren Thompson, and Associate General Counsel for EMEA, Jakub Lewandowski, delve into the critical issue of ransomware with Chief Trust Officer Danielle Sheer. It is an interesting discussion of the ethical, legal, and practical issues around ransomware payments and of the importance of a strong cyber-resilience strategy; read on for a recap.

The Oracle Ransomware Breach: A Wake-Up Call

Danielle brought up the Oracle ransomware breach from earlier this year. While it was still unclear how much data had been compromised, as of the podcast recording Oracle had not agreed to pay a ransom. When Danielle asked about that decision, Darren said, “The advice I give people is, is that you should have a good enough plan in place, [so] you never need to consider paying ransom.”

A strong cyber recovery plan can provide the confidence needed to restore operations without succumbing to the demands of cybercriminals. The decision is certainly easier when you have a well-prepared and tested cyber resilience plan.

Ethical Considerations of Paying Ransomware

Paying a ransom is a contentious issue, and the podcast explored the ethical implications of this decision. While it might seem like a quick fix, paying a ransom often doesn’t guarantee the recovery of data and can fuel further attacks. Jakub pointed out that paying a ransom doesn’t fulfill regulatory obligations and can lead to additional legal and reputational risks. The speakers stressed that organizations should focus on building and testing recovery plans so they can quickly restore operations and protect their data.
Multidisciplinary Approach to Ransomware

Ransomware attacks require a multidisciplinary approach to address them effectively. Our speakers discussed a few considerations when faced with a ransom demand:

- Technical: Organizations must have robust cyber resilience capabilities, including the ability to restore data and recover from attacks.
- Legal: Decision-making processes should be well-documented to serve as evidence for regulators and potential litigation. Compliance with laws such as anti-money laundering, sanction regimes, and export compliance is crucial.
- Economic: The financial impact of paying a ransom vs. the costs of business continuity and recovery must be evaluated.
- Reputational: The potential damage to an organization’s reputation and the impact on customer trust, especially if sensitive data is threatened, are significant concerns.

UK Government’s Proposal to Ban Ransomware Payments

The podcast also addressed the UK government’s proposal to expand its ban on ransomware payments to the entire public sector and operators of critical national infrastructure. This proposal is seen as a world-leading approach to deter ransomware attacks by cutting off the flow of payments to criminals. However, our speakers highlighted some potential unintended consequences of such a ban, including the optics of punishing victims and the lack of robust cyber resilience plans in the public sector. If the ban is implemented, organizations must rely on their incident response plans and cyber resilience capabilities to recover, rather than paying the ransom.

Recent research by Censuswide, commissioned by Commvault, showed that 94% of respondents support a public sector ban and 99% support a private sector ban. However, 75% admitted they would still pay a ransom if it meant saving their company.

Building a Comprehensive Cyber Resilience Strategy

To avoid the need to pay ransoms, we keep coming back to the same idea: be prepared with a comprehensive cyber resilience strategy.
Here are a few tips from our speakers:

- Understand your data: Know what data is critical to your business and how to protect it.
- Define minimum viability: Establish and understand the data and systems essential for business continuity.
- Test recovery plans: Test and audit recovery plans regularly, so you’re confident they work effectively in a real-world situation.
- Data encryption: Implement strong data encryption to improve security.
- Clear incident response procedures: Define and document clear procedures for responding to ransomware attacks.

To pay, or not to pay, that is the question. Ransomware attacks are a significant and growing threat, and the decision to pay a ransom is fraught with ethical, legal, and practical challenges. While we hope you never find yourself in a position to consider paying a ransom, if you do, this podcast will help you better understand the factors to consider. Watch today to hear our experts discuss the latest trends and take the first step toward securing your organization’s future.