New ICO guidance on ransomware and data protection compliance – is your business prepared against potential attacks?

Article by: Dan Insley, Partner

The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. It has issued new guidance on ransomware and data protection compliance.

The ICO recommends that businesses and organisations establish incident response, disaster recovery and business continuity plans to address the heightened risk of ransomware attacks.

The recommendation accompanies the ICO’s new guidance and a checklist of actions, which businesses should review to assess how prepared their organisation is for a potential ransomware attack.

Ransomware is an increasingly prevalent form of cyber-attack. Among the personal data breaches in the ICO’s caseload during 2020/2021, both the number and the severity of cases caused by ransomware rose steadily. The guidance presents eight scenarios covering the most common ransomware compliance issues the ICO has seen:

  • Scenario 1: Attacker sophistication
  • Scenario 2: Personal data breach
  • Scenario 3: Breach notification
  • Scenario 4: Law enforcement
  • Scenario 5: Attacker tactics, techniques and procedures
  • Scenario 6: Disaster recovery
  • Scenario 7: Ransomware payment
  • Scenario 8: Testing and assessing security controls

Ransomware payment and data protection compliance

In its guidance, the ICO supports the position of law enforcement in not encouraging, endorsing or condoning the payment of ransom demands to criminals by businesses that have lost access to their systems and data. The ICO also does not consider paying a ransom to be an ‘appropriate measure’ for restoring personal data in the event of a disaster.

Businesses that choose to pay the ransom to avoid the data being published should still presume that the data is compromised. They should act accordingly to mitigate the risks to individuals even though the ransom has been paid, and – where necessary – notify the ICO of the breach.

For further information, see the ICO website: Ransomware and data protection compliance | ICO