Site Search

Menu

Services

Menu

Private Wealth & Entrepreneurs

Menu

Family business & SME consulting

Featured

Artificial Intelligence

Menu

Events

Loading Results

Ransomware as a business model

Legal aspects of ransom payment

Andreas Staubli

Yan Borboën
Partner, Digital Assurance & Cybersecurity and Privacy, PwC Switzerland

Ransomware attacks and extortion are the biggest threats to corporate cybersecurity across all regions and industries, and they have become a lucrative business for cybercriminals. In our blog series “Ransomware as a business model”, we explain the different phases (preparation, attack, spread, and infection) of ransomware attacks, how they work, and how to react. In today’s blog, we shed the spotlight on legal aspects of ransom payment.

Blog series

Phase 1: Making preparations

Read the first blog post here

Phase 2: the attack

Read the second blog post here

Phase 3: the spread

Read the third blog post here

Phase 4: the infection

Read the fourth blog post here
< Back

< Back
[+] Read More

What you’ll learn today

Ransomware attacks continued to be the biggest threat to corporate cybersecurity in 2021 – across all regions and industries. The number of reported ransomware attacks, in which criminals attempt to extort companies, increased from 1,300 in 2020 to 2,435 in 2021.

Source: PwC, 2022, Cyber Threats 2021: A Year in Retrospect
The New Equation

Cybersecurity and Privacy

At PwC, we help clients evaluate their ability to deal with the main cyber risks and threats of the digital world in an easy and understandable way.

Learn more

Ransom payment decision factors

Following an attack, a company must evaluate whether it wants to pay the ransom or try to restore the systems itself, and it must weigh the risks of such a decision. Four factors are decisive in this decision-making process:

  • Feasibility: Is it possible for the company to recover its systems and information in a timely manner from its backups?
  • Effort: How much work is required to recover the company’s systems and information? Does the company have the people and the tools for it? How much would it costs?
  • Impact: What would be the impact of delays due to the recovery process to the company’s business, customers, and employees?
  • Legality: Can the company pay the ransom without legal infringements? What legal risks is the company exposed to?

These factors must be part of a pragmatic risk analysis. PwC does not recommend paying a ransom demand, since there is no guarantee that data will be recovered, or that exfiltrated data will not be passed on or sold to third parties. Ransom payments also fund the continued activity of cyber criminals.

However, if the company believes that it is unable to restore its systems, or that it could only do so with great effort and at a financial cost that far exceeds the amount of the ransom, management must deal with the question of the ransom payment’s legality.

Cyber incident response and recovery

We have a broad range of flexible solutions, including entire packages, to help you plan and prepare for cybersecurity incidents.

Find out more

Legal aspects of paying a ransom

According to the Swiss Criminal Code, paying a ransom is not per se a criminal offense. But it might have legal consequences for other reasons:

  • Attackers often demand that the ransom is paid in a cryptocurrency. Cryptocurrencies are generally anonymous, which raises the question whether the payment of the ransom could be considered an act that supports money laundering, as the company and its bank know that the payment is for illegal behaviour and is therefore highly likely to be laundered.
  • Furthermore, international sanctions and measures to combat terrorism and its financing may be violated if a ransom payment is made. As an example, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) may consider a ransom payment by a person subject to U.S. jurisdiction as a violation of sanctions and impose civil penalties based on strict liability.1 Companies may face not only regulatory scrutiny but also lawsuits and have operational difficulties in the future when dealing with countries which have such rules.
  • Finally, if the IT environment has been negligently maintained and/or not all reasonable cybersecurity measures have been taken, it raises the question of the liability of the board of directors (BoD) and the company. Generally, BoDs are required to have adequate risk management procedures in place to prevent the company, its shareholders, employees, and customers from being harmed by ransomware attacks. Some of the key components are the identification, mitigation, and monitoring of risks stemming from ransomware attacks.

Further risks in case of ransom payment and data loss

First and foremost, there is a risk that despite paying the ransom, the company will not receive the key to decrypt the data and/or that the stolen data is nonetheless published. It also highlights to the attackers and to attacker groups (as word travels quickly amongst them) that the company is willing to pay a ransom, which might open it up to renewed attacks.

The company could also deal with reputational, operational, criminal, and – for supervised entities such as banks and insurance companies – regulatory risks.

Another aspect to consider is the logistics of paying a ransom. Most companies do not have cryptocurrency wallets and do not keep funds in a cryptocurrency. Furthermore, the company’s bank might not execute the payment, due to compliance mechanisms in place related to anti-money laundering, terrorist financing, and sanctions.

If a company’s data has not only been encrypted, but also acessed or even stolen, the GDPR and the revised Swiss Federal Act on Data Protection, which will enter into force on 1 September 2023, both contain a reporting obligation to data protection authorities and data subjects. Companies which are supervised by the Swiss Financial Market Supervisory Authority (FINMA) must additionally report such incidents to the FINMA. This can lead to a logistical effort, which mustn't be underestimated.

Formal decision-making process

The above points should be translated by the company into a formal decision-making process. The steps need to be defined and approved in advance by the company’s leadership and must include the validation by the legal department. The decision-making process can be part of a broader corporate policy on responding to ransomware attacks. The legal and compliance functions should:

  • be included in the preparation efforts concerning incident response,
  • provide the company’s legal and compliance stance on ransom payment and pre-analyse the legal risks, including risks associated with payments to threat actors with connections to nation states, as well as potential extraterritorial application of laws concerning ransom payment,
  • monitor regulatory changes in jurisdiction in which the company operates, and
  • be trained and prepared, as in case of an attack there is usually no time for deeper legal research.

How can PwC support you to be more secure and prepared for a ransomware attack?

Ideally, you are prepared and able to defend your company against a ransomware attack – which also includes the preparation of the legal and compliance functions of the company.

Our experts support you with their in-depth knowledge with the following services:

  • Ransomware readiness assessment
  • Development of ransomware policies, procedures, and playbooks
  • Preparedness test of the leadership team in making key decisions on time through crisis management exercises tailored for ransomware attacks
  • Advice on compliance with money laundering and terrorist financing regulations, sanctions, or other laws
  • Risk management / corporate governance consulting
  • Any further support of the legal and compliance functions

Should you nonetheless be the victim of a cyber-attack, we support you with our extensive knowledge of quickly responding to cyber-incidents, we navigate you through the storm and help you to respond and recover from a disrupting event with the following services:

Reference

1 U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC)’s Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments

#social#

Building trust to succeed

At PwC, we are a community of solvers – powered by technology – committed to helping you protect everyone, and everything, you care about.

Explore our offering

{{filterContent.facetedTitle}}

Contact us

Yan Borboën

Yan Borboën

Partner, Leader Digital Assurance and Cybersecurity & Privacy, PwC Switzerland

Tel: +41 58 792 84 59

Linkedin Follow Email
Xavier Bédat

Xavier Bédat

Cybersecurity and Privacy, PwC Switzerland

Tel: +41 58 792 14 84

Linkedin Follow Email
Services Assurance Consulting Corporate Support Services Deals Global Markets Legal People and Organisation Private Wealth SME and Family Business Tax Advice
Industry Sectors Energy Financial Services Government and Public Sector Health care Industrial Manufacturing Real Estate Retail and Consumer Goods Pharmaceuticals and Life Sciences Sports Business Advisory Technology, Media and Telecommunications
Today's issues Artificial Intelligence Workforce of the Future Finance Transformation Customer Transformation Cybersecurity Data & Analytics ESG: Criteria and Implementation
About PwC Contact Press Locations Organisation and Management Purpose, Values and Code of Conduct Reports Corporate Sustainability Our History Alumni
Careers Open Positions Career Events Experienced Hires Graduates Students Apprentices PwC as an Employer PwC's Career Blog
Research & Insights Our latest insights Subscribe to PwC insights Preference Centre

© 2018 - 2024 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.