As if being the victim of ransomware wasn’t bad enough, there’s a new risk for companies that have been targeted by hackers—legal liability under statutes that regulate or prohibit the payment of ransoms.

Failing to adhere to these myriad laws could make organizations liable for huge civil penalties, even if they were unaware of the rules. Given the substantial stakes involved, let’s dig into the issue.

The Problem

Paying ransoms is a classic public policy collective action problem.

In theory, the best overall course of action for society would be for all entities to refuse to pay. If ransoms universally yielded no return, there would be no incentive for malicious actors to use them and the tactic would stop.

However, for individual organizations, the best outcome is often the opposite—ransoms are structured so that they make economic sense. They ask for a relatively small amount to recover comparatively much more valuable data.

As a result, payments (in the language of game theory, “defections”) are inevitable. According to research, over one-third of businesses victimized by ransomware eventually pay the ransom. This ultimately incentivizes further ransomware attacks.

This, combined with expert concerns about the low number of successes in retrieving stolen data and the lack of reliable guarantees that encryption keys will work, has created growing pressure to control ransomware payments.

Regulatory Growth

In recent years, there has been a significant uptick in the number of laws governing ransomware payments. Gartner estimates that, by the end of 2025, the number of countries regulating ransoms will increase from less than 1% to over 30%.

Legal changes have occurred at multiple levels.

In the United States, several states have prohibited government agencies from complying with ransomware demands. Florida and North Carolina already have laws on the books and bills are pending in Arizona, New York, Pennsylvania, and Texas. There have been some roadblocks to additional state action, but the potential for further expansion is possible.

At the U.S. federal level, regulatory action has been most noticeable from the Office of Foreign Assets Control of the Department of the Treasury (OFAC). Tasked with administering the U.S. economic sanctions regime, OFAC has recently issued guidance that warns that paying ransoms may violate rules against transacting with criminals and rogue states. Currently, OFAC appears to be prioritizing enforcement against currency exchanges that facilitate payments, it remains possible that individual companies could incur liability for paying ransoms.

There are signs of increased regulation in Europe, as well. Under the Security of Network and Information Systems Directive (NIS Directive), EU member states can potentially impose fines for paying ransoms. Legal analysts have also raised concerns that ransom paying could be illegal under U.K. anti-bribery laws or the UK Terrorism Act 2000, which precludes entering into a funding arrangement that could be used to facilitate terrorism.

How This Impacts You

Ransomware regulation is an evolving area with changing statutes and little prior caselaw. For now, most rules are limited to governmental entities (rather than the private sector) or theoretical (regulations that potentially could apply to payments but have not yet been exercised in that manner).

Whether your organization will be subject to rules regarding payment may remain to be seen. In the meantime, VENZA recommends that you take the following steps:

1. Harden your security profile. Make your company a more difficult target by building a robust “human firewall,” securing your network and endpoint devices, and verifying the effectiveness of your IT defenses with frequent penetration and vulnerability testing.

2. Prepare now. Don’t wait until you are the target of ransomware; be proactive in developing an Information Security Policy, connecting with a certified Incident Response Provider, and seeking cybersecurity insurance.

3. Stay on top of legal developments. Closely monitor the laws that may apply to your organization as they continue to develop. VENZA and the Alpine Echo will continue to follow and report on legal changes as they happen.

Feeling overwhelmed? Don’t be. VENZA and CyberTek are here to help. Cybersecurity is complex, but in partnership with us, your company can get started in as little as one month. Get a live demonstration today by contacting our Customer Success Team.

Ready to elevate your game? Contact Sales to discuss signing up for our programs or adding new solutions to your contract.

***

Take VENZA’s free Phishing Test to assess gaps in your human firewall today!

Training your personnel to recognize and report phishing attempts is essential to protecting your guests and their data. Get started by determining your risk and readiness level using this free tool.

***

Want to stay informed? Subscribe to the free VENZA Echo now. You’ll receive a monthly digest with the highlights of our weekly article series and important product updates and news from VENZA.

Disclaimer: In no event shall VENZA Inc. or its subsidiaries be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, consequential, incidental, indirect, economic, or punitive damages, business interruption, loss of business information, or other pecuniary loss) arising out of the use of this document, even if advised of the possibility of such damages.