The Information Commissioner’s Office (‘ICO’) has reported that it has seen a ‘significant rise’ in cyber security attacks, with 1,345 attacks being reported by organisations in the last six months of 2021. The National Cyber Security Centre (‘NCSC’) recognises ransomware as the biggest cyber threat facing the United Kingdom. It is now more important than ever, particularly in light of current international tensions, to make sure that you have taken adequate steps to prevent attacks and to deal with an attack should one occur. In addition to the risk of significant disruption to businesses and reputational risks, fines for data breaches under the UK GDPR can be up to the higher of £17.5 million or 4% of total worldwide annual turnover.

What is ransomware?

Ransomware is malicious software (malware) that, once delivered to a computer system, unlawfully encrypts the files on it. This effectively means that the owner of the system cannot access its files and data. Attackers will often then ask for payment in return for making the files accessible again.

A ransomware attack can constitute a data breach where either personal data is unlawfully accessed by a third party (including by code) or if it is made unavailable to the controller responsible for it (even if only for a period of time).

Do we need to be concerned if we are a smaller organisation?

In short, yes. It is not uncommon for attackers to use indiscriminate attacks which are sent to a large number of recipients - these attacks are not aimed at particular types of organisations and so can affect businesses of all sizes.

What can we do to prevent ransomware attacks?

The following steps can help to prevent an attack:

  • Implement a cyber incident response plan. This is described by the NCSC as a “critical step towards a robust and effective incident management and technical response capability”.
  • Train employees on cyber security. This will help to reduce the risk to your organisation and to assist with your response in the event of an attack. The NCSC’s ‘Exercise in a Box’ resource provides exercises that organisations may find useful as part of their training strategy.
  • From a technical perspective, the NCSC recommends that organisations:
      - back up data regularly;
      - prevent malware from being delivered and spreading to devices; and
      - prevent malware from running on devices.

If you haven’t already done so, you should evaluate what technical steps you can take to make your systems as secure as possible.

  • Consider what effects an attack may have on your business (for example, on your ability to supply products) and what steps you could take to mitigate those effects, such as including a right to suspend performance under your supply contracts in the event of an attack.
  • Think about taking out cyber insurance.

What should we do if we suffer an attack?

Initial steps include the following:

  • Tell your IT department (or external IT provider) immediately so that they can take steps to contain the situation.
  • Contact your lawyers as soon as possible. This will help to identify and deal with any potential data protection risks.
  • Determine whether you need to make a report to the ICO and any individuals concerned.
  • Consider whether to respond to a ransom demand. Law enforcement and the ICO advise against the payment of ransoms. The NCSC has made it clear that there is no guarantee that paying a ransom will result in access to data being provided, and that there is a higher risk of being targeted in the future.

If you would like further information about how we can help with minimising your risks from a data protection perspective or if you have any questions about the content of this update, please contact the Corporate and Commercial department at 3CS or your usual 3CS contact.

Amy Cunliffe-Rowe

Registered in England & Wales | Registered office is 60 Moorgate, London, EC2R 6EJ
3CS Corporate Solicitors Ltd is registered under the number 08198795
3CS Corporate Solicitors Ltd is a Solicitors Practice, authorised and regulated by the Solicitors Regulation Authority with number 597935