To pay or not to pay: Another regulator weighs in on the decision to pay a ransom

24 February 2021

Ransomware victims face a nearly impossible decision: pay the criminals holding their business hostage, or refuse and face potentially crippling consequences. The decision requires careful analysis of a number of considerations, and regulators and law enforcement are increasingly weighing in.

On February 4, 2021, the New York State Department of Financial Services (NYDFS) became the latest government entity to provide ransomware guidance when it released a statement recommending that ransomware victims not make ransom payments to cyber threat actors. NYDFS, calling cybersecurity the “biggest risk for government and industry, bar none,” noted that the “biggest driver” in the increasing impact of cybercrime on organizations and insurers is the rise in the frequency and cost of ransomware incidents. According to NYDFS, ransomware payments continue to drive this growing risk because they “fuel the vicious cycle” by enabling cybercriminals to develop and deploy more frequent and sophisticated ransomware campaigns.

In publishing this recommendation as part of its cyber insurance risk framework (Insurance Circular Letter No. 2 (2021)), guidance directed at insurers rather than at insureds, NYDFS joins a chorus of other U.S. regulators and law enforcement agencies that have made similar recommendations of varying applicability to businesses more broadly. For example:

  • the Office of Foreign Assets Control (OFAC) issued guidance in October 2020, which we previously covered in depth, warning of the risk of potentially violating OFAC sanctions when making ransomware payments;
  • the FBI issued a warning that paying a ransom fails to guarantee that an organization will regain control of its data; and
  • the Office of the Comptroller of the Currency (OCC), in its Fall 2020 Semiannual Risk Perspective, warned that ransomware attacks were increasing, while noting that if organizations refused to pay a ransom, the market for ransomware may evaporate.

While this guidance rightly identifies the societal risks of paying ransoms, these regulators and law enforcement agencies have so far stopped short of prohibiting payment to non-sanctioned threat actors. Other federal agencies have offered perspectives that acknowledge the complicated nature of ransomware:

  • the Federal Trade Commission (FTC) noted that law enforcement recommends against making ransom payments, but leaves it to businesses to weigh the risks and costs;
  • the Department of Health and Human Services (HHS), echoing the FTC, noted that law enforcement recommends against making ransom payments, while also highlighting the difficult position of victims; and
  • the Cybersecurity and Infrastructure Security Agency (CISA) discouraged paying ransoms, noting several potential drawbacks, including the risks of failing to regain access to data, being subject to increased ransom demands, becoming a future target of ransomware attacks, and encouraging criminal activity, but CISA ultimately noted that paying a ransom may be the prudent business decision when organizations are faced with an inability to function.

Implicit in this guidance is the recognition of a significant collective action problem among ransomware victims. The reward for perpetrating ransomware crimes would be diminished if every victim refused to pay, but the practical reality is that a ransomware attack can mean survival or failure for a business. In weighing the societal impact articulated by regulators against the obligation to act in the best interest of the company, not all victims will reach the same decision, and many may grudgingly conclude that paying a ransom is the most sensible, if extremely difficult, business decision.

While the business community cheers recent reports of law enforcement takedowns of ransomware networks, including actions against those responsible for Netwalker and Emotet, organizations should continue to strengthen their cyber and ransomware incident response plans. For example, it is increasingly important to notify and cooperate with law enforcement early in the aftermath of a ransomware attack and to provide law enforcement with information that can help bring threat actors to justice. Meanwhile, the clear trend in regulator recommendations is that ransomware payment is an important legal issue that requires careful consideration, and that the question should be addressed in incident response planning before an incident occurs rather than for the first time under the pressure of one.

Authored by Scott Loughlin, Peter Marta, Paul Otto, Tim Tobin, Gregory Lisa, Asmaa Awad-Farid, and Jacob Wall.

Contacts
  • Scott Loughlin, Partner, Washington, D.C.
  • Peter Marta, Partner, New York
  • Paul Otto, Partner, Washington, D.C.
  • Tim Tobin, Partner, Washington, D.C.
  • Gregory Lisa, Partner, Washington, D.C.
Related Materials
  • New York regulator issues cyber insurance risk framework with implications for insurers and insureds
  • Treasury Department issues ransomware guidance in response to significant uptick in ransomware attacks

Additional Resources
  • NYDFS Insurance Circular Letter No. 2 (2021)
  • OFAC October 2020 Guidance
  • FBI Warning
  • OCC Fall 2020 Semiannual Risk Perspective
  • FTC Ransomware Guidance
  • HHS Ransomware Guidance
  • CISA Ransomware Guidance
Keywords: New York, NYDFS, New York Department of Financial Services, cybersecurity, cybersecurity risks, ransomware, ransomware payments, cyber-ransom, OFAC, Office of Foreign Assets Control, Federal Trade Commission, FTC, Department of Health and Human Services, HHS
Topics: Cybersecurity
Countries: United States