IBM Security’s 2023 “Cost of a Data Breach” Report showed that the average cost of a major data breach is now $4,450,000, a figure which has increased 15% in the last three years.[1]  Ransomware attempts grew significantly during the pandemic, partially due to the shift towards remote working.  Ransomware payments reached a record $1.1bn in 2023,[2] with security consultants estimating that ransomware attacks will cause $60bn of losses annually by 2026.[3]

In this context, it is crucial that businesses remain one step ahead when it comes to protecting their data, and know what steps to take should the worst happen.  This article focuses on certain of the legal and compliance considerations businesses should have in mind if they do fall victim to a ransomware attack.  For further information on cybersecurity reporting obligations, see Weil’s alert on “Navigating Cybersecurity Reporting Obligations in the EU and UK”.

1. What is ransomware?

Whilst there are many sub-categories and types of ransomware, in general, it is a type of malware which attackers use to hold captive and prevent access to data or systems until the victim provides a form of payment or ransom.  If you or your business falls victim to an attack, it is important to use HMG’s Where to Report a Cyber Incident portal (link here) as soon as possible for directions on how to report an incident.

2. Legal considerations

Alongside ethical, reputational and financial concerns, one of the main considerations a business will have if they fall victim to a ransomware attack is whether they should pay the ransom.  The UK government expressly states that it does not condone the making of ransomware payments, but is it legal to do so?

The starting position under English law is that the payment of a ransom (whether directly or indirectly) is not of itself illegal or unlawful.  In the case of Masefield AG v Amlin Corporate Member Ltd [2011] EWCA Civ 24, the Court of Appeal (in the context of piracy) upheld the proposition that the payment of a ransom is not against public policy, stating:

“there is no universally recognised principle of morality, no clearly identified public policy, no substantially incontestable public interest, which could lead the courts, as matters stand at present, to state that the payment of ransom should be regarded as a matter which stands beyond the pale, without any legitimate recognition.  There are only elements of conflicting public interests, which push and pull in different directions, and have yet to be resolved in any legal enactments or international consensus as to a solution”.

Over a decade on, a solution is yet to be found, although there appears to be some progress in this area.  As we note at the end of this article, some steps have been taken to ban ransom payments as a matter of public policy.

However, ransomware payments may still breach other laws, and specialist advice should be taken given the case-by-case differences that are likely to arise.  Regard should be had to the following:

A. Sanctions

While the perpetrators of ransomware attacks are usually anonymous, ransom payments may breach financial sanctions regimes.  The Office of Financial Sanctions Implementation (OFSI) has the power to impose civil monetary penalties for breaches of financial sanctions regimes on a strict liability basis, meaning it does not have to prove that a person had knowledge or reasonable cause to suspect that they were in breach of financial sanctions.  However, the paying party’s actions could prove to be a mitigating factor when OFSI assesses the case.

In this context, whilst it is likely to be extremely difficult to establish where and to whom the ransom payment is ultimately going to be paid, it is nonetheless important to conduct due diligence to the extent possible, and to carefully document the checks and due diligence conducted in order to show that investigations on the payee have been undertaken prior to any ransom payment being made.

B. Terrorist Financing

Under sections 15(3) and s17 of the Terrorism Act 2000, a person will be liable for a ransomware payment if they knew or had reasonable cause to suspect that the funds would or may be used for the purposes of terrorism.  This provides further cause to conduct due diligence as described above.

C. Money Laundering

Under section 328(1) of the Proceeds of Crime Act 2002, it is an offence for a person to enter into or become concerned in an arrangement which they know or suspect facilitates (by whatever means) the acquisition, retention, use or control of criminal property by or on behalf of another person.  Ransom payments will likely become criminal property when in the hands of the recipient, but money which is assembled in the UK in preparation for the payment of a ransom is not at that stage criminal property.

D. Bribery and Corruption

Undersection 1 of the Bribery Act 2010, an offence is committed where an offer, promise or giving of a financial advantage to another person is made in circumstances where it is known or believed that the acceptance of the advantage would constitute improper performance of a ‘relevant function’ or activity.  However, the Bribery Act is unlikely to be applicable to ransomware payments because perpetrators of a cyber-attack will not be performing a ‘relevant function’ in good faith, impartially or from a position of trust.

E. Data Protection

UK GDPR requires data controllers to implement “appropriate measures” to restore personal data in the event of a disaster.  The Information Commissioner’s Office does not consider the payment of a ransom as an “appropriate measure” to restore personal data.  If a victim does decide to pay the ransom to gain decryption or avoid the data being published, they should still presume that the data is compromised and take actions accordingly, including notifying the Information Commissioner’s Office.

F. Internal Corporate Documents / Insurance Policies

In addition to the statutory regimes discussed above, a business should also review corporate documents and insurance policies to determine whether disclosure is required to stakeholders and/or insurers.

3. Changing attitudes

Businesses need to be mindful of advancing attitudes across the globe, and caution should be taken regarding the facilitation of ransomware payments in other jurisdictions.

In that context, whilst there has been general acceptance of the legality of ransom payments, subject to the considerations above, some jurisdictions are moving to outlaw the practice.  The International Counter Ransomware Initiative (“CRI”), whose members include the UK, US, EU and INTERPOL, held its third meeting in November 2023, where it announced it is preparing a joint policy statement declaring member governments should not pay ransoms.

In the US, North Carolina and Florida have now explicitly banned government agencies from paying ransoms, and Pennsylvania, Texas, Arizona and New Jersey are exploring similar policies.  New York is proposing banning businesses, as well as government agencies, from paying ransoms.[4]

Businesses are changing their approach too.  In 2019, 85% of ransomware cases handled by Coveware, a cybercrime response company, ended in payment, but this had dropped to 46% by the start of 2022.[5]  There are also increasing concerns around the merits of paying ransoms, as only 4% of businesses that paid ransoms recovered all of their data, and there is no way to guarantee that hackers will not sell stolen data at a later date.  In this rapidly evolving area, where sophisticated attacks are growing in prevalence, it is therefore more essential than ever that companies seek legal advice regarding the risks of engagement with ransomware demands and preventing them in the first place.


[1]Cost of a Data Breach Report 2023”, IBM (https://www.ibm.com/reports/data-breach)

[2]Ransomware payments hit a record $1.1 billion in 2023”, WIRED, 7 February 2024 (https://www.wired.com/story/ransomware-payments-2023-breaks-record/)

[3]Boardroom woes on ransomware intensify”, FT, 2 November 2023 (https://www.ft.com/content/960c8177-c901-453d-81eb-55b5155351c6)

[4]Ransomware attacks: is there a case for paying up?”, FT, 9 November 2022 (https://www.ft.com/content/14de7a07-cc4f-483c-915f-d0b5cfc00a32)

[5] Quarterly Report, Coveware, 3 May 2022 (https://www.coveware.com/blog/2022/5/3/ransomware-threat-actors-pivot-from-big-game-to-big-shame-hunting).