Ransomware – what is it and what should you do if it affects you?

As a business owner, charity or trustee, how would you react if you saw this on a computer used by you, an employee or a volunteer?

Ransomware is computer malware or malicious software – software that denies access to your files or even your computer system itself unless you pay a ransom. A recent Online Trust Alliance (OTA) report estimated that ransomware is becoming the standard way of targeting businesses.

Following a recent ransomware attack on Lincolnshire Council, it was reported that an initial ransom of £1m was demanded although it later transpired that the ransom was £350. The council’s systems were, however, taken down for a week with staff having to check some 458 servers and at least 70TB of data to make sure the infection hadn’t spread beyond wherever it entered the network. As with most ransomware attacks, a member of staff apparently opened a booby-trapped email that wasn’t filtered by the Council’s security systems and set off the infection.

The disturbing fact about ransomware is its simplicity and predictability for attackers who see ransom demands to return encrypted files as a percentage game – whilst most victims won’t pay, a small fraction will, making it worthwhile.

For many organisations, data is their life blood and if it cannot be accessed, what choice do they have but to pay a ransom to get it back?

It goes without saying that prevention is always better than cure. A back-up of your data is essential and if this is available, why would you need to pay a ransom? All you would need to do is remove the threat, restore the data and off you go. Simple enough to say but it will be inconvenient and involve system downtime.

A far more serious problem arises where no back-up is available. Do you pay the ransom and hope that the criminals will restore access to your data? This is a gamble and consideration must be given to the following – if you pay the ransom, is access to your data guaranteed? Unfortunately, the answer is probably no.

If you pay a ransom, how likely is it that you will be targeted again in the future, the criminals now knowing that you are likely to pay up?

Let us now suppose that you agree to pay a ransom. It’s your business – nothing to do with anyone else, right?

Well, not necessarily. Stop and think for a moment. Whose money is it that is being paid to criminals? If you are a sole trader, it is your own. If your business is a partnership, the money belongs to the partners. In a limited liability company, the money will be that of the company, a separate legal entity and that means it is not yours to give away. The company is owned by the shareholders and they might not like it if you fund criminals.

In many SMEs, the managing director is often the major shareholder but even if you’re the managing director, that doesn’t mean you have the right to do whatever you want. Remember that under the Companies Act 2006, a director has a number of statutory duties. These includes a duty to promote the success of the company. The Act states:

“A director of a company must act in the way he considers, in good faith, would be most likely to promote the success of the company for the benefit of its members as a whole, and in doing so have regard (amongst other matters) to:

• the likely consequences of any decision in the long term,

• the interests of the company’s employees,

• the need to foster the company’s business relationships with suppliers, customers and others,

• the effect of the company’s operations on the community and the environment,

• the desirability of the company maintaining a reputation for high standards of business conduct, and

• the need to act fairly as between members of the company.”

(Section 172)

This needs to be taken into account when deciding whether to make a ransom payment. It could mean that you need to consult with other shareholders, even if you have a controlling interest in the company.

Section 174 of the Companies Act 2006 requires directors to exercise reasonable care, skill and diligence. It could be the case that having to consider paying a ransom to gain access to data or a computer system could be indicative of poor IT security, a failure in systems of control, lax processes or lack of training – possibly due to a failure of directors to act with reasonable care, skill and diligence.

Breaches of such statutory duties have the potential to expose a director to personal liabilities if a claim is subsequently made against them.

At the start of this article, I posed the question “what would you do if a piece of ransomware was found on your computer?” The initial answer may well have been simple and straightforward, requiring little thought. Organisations should have adequate back-up systems in place so there is no need to have to pay any ransom. For those unfortunate not to be in that position, the decision whether to pay may not be as simple as it seems.

Hopefully, I have highlighted some of the issues that may need to be considered. If you are targeted by ransomware and you have a Management Liability insurance policy with AXA Insurance, you should contact the ARC (Advice Resource Centre) operated by rradar where advice and guidance can be obtained, ensuring the best outcome for you and your business.

Ransomware is a cybercrime and it should be reported in the same way as if you had experienced a physical break-in or malicious damage. Action Fraud is the UK’s national reporting centre for fraud and cybercrime – details of what they do and how to report information can be found on their website:

http://www.actionfraud.police.uk/

How rradar can help:

For more information about how rradar can help, please visit our Broker services, or speak to Alan Hornby our Broker engagement professional for available training services.

Please follow us on Twitter and Linkedin to keep up to date with current industry and Broker news.