ION has reportedly paid the ransom – but could it cause more harm than good?

The firm plans to rebuild rather than restore, despite rumours that the ransom has been paid – but could it be liable for a regulatory penalty in response? 

According to Russian hacker group Lockbit, which claims responsibility for the cyber-attack on ION Cleared Derivatives (a division of ION Markets) last week, the alleged ransom has been paid and a decryption key provided to the firm – although it declined to give details. However, even with the decryption key, sources close to ION tell The TRADE that the firm plans to build new infrastructure for its derivatives platform rather than risk returning to the hacked systems.  

Starting from scratch 

“They are not relying on restoring or reactivating any compromised structures,” said the source. “The focus right now is on rebuilding and mitigating any further risk.”  

The self-spreading, automated ransomware works by gaining access to a system – usually through a compromised server or remote desktop account – and encrypting it so that it cannot be used or its information accessed. A ransom demand is then issued, often accompanied by the threat of making confidential information public if it is not paid. However, even if the ransom is paid, it can take substantial time and effort to restore affected files and systems, which usually need to be wiped once retrieved, as they can no longer be trusted.  


ION declined to formally comment as to whether it has paid the ransom or not. However, even with access to its systems restored, this could just be the start of its problems.  

A slap on the wrist?  

The authorities take a dim view of cyber-attack ransoms being paid – and could respond with financial penalties that match or exceed the ransoms themselves. In 2018, for example, the UK’s Financial Conduct Authority (FCA) fined Tesco Bank £16.4 million for “failing to exercise due skill, care and diligence” in protecting its personal current account holders against a cyber-attack that took place in 2016.  

The UK regulators have since made their position on the payment of ransoms clear. In July 2022, the UK’s National Cyber Security Centre (NCSC) and Information Commissioner’s Office (ICO) issued updated guidance stating that: “Paying ransoms to release locked data does not reduce the risk to individuals, is not an obligation under data protection law, and is not considered as a reasonable step to safeguard data.” 

“Ransomware remains the biggest online threat to the UK and we are clear that organisations should not pay ransom demands,” said NCSC CEO Lindy Cameron. The ICO has clarified that it will not take this into account as a mitigating factor when considering the type or scale of enforcement action. 

In March 2022, the ICO handed down its first Monetary Penalty Notice for a ransomware attack and data infiltration incident under the UK General Data Protection Regulation (GDPR). The £98,000 fine, against criminal law firm Tuckers, was regarding a cyber-attack in August 2020 in which the firm paid the requested ransom and was subsequently subject to an enforcement action.

In 2018, the introduction of GDPR saw the limit on data breach fines bumped up from a maximum of £500,000 to a possible 4% of total global turnover or £17.5 million (€20 million in the EU), whichever is greater – making it rather more than just a slap on the wrist, should the penalty for paying the ransom be enforced.

US position  

In the US, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an updated advisory in September 2021 warning all ransomware victims that if they succumb to ransomware demands and pay foreign actors who are subject to US sanctions, they could also be subject to financial penalties.


“Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims,” said the statement. “The US government strongly discourages the payment of cyber ransom or extortion demands.” The US Treasury has already convened a working group in partnership with industry associations in response to the recent ION attack.

Companies involved in facilitating ransomware payments on behalf of victims should also consider whether they have regulatory obligations under Financial Crimes Enforcement Network (FinCEN) regulations.

Tightening regulation 

According to the FBI, there was a nearly 21% increase in reported ransomware cases and a 225% increase in associated losses from 2019 to 2020. The UK saw a 51% increase in “material cyber incidents” in 2021, while a 2023 report from Chainalysis claims that, globally, $457 million was paid in ransom payments in 2022. It’s a growing trend, and as the risks increase, so too does regulatory scrutiny.

In the UK, new FCA and PRA requirements in relation to operational resilience came into force on 31 March 2022, with a focus on cyber resilience forming a key element of the FCA’s 2022/23 Business Plan, while the FCA has also indicated that it wants to increase its powers of direct oversight of service providers like ION. 

Meanwhile in the US, Commodity Futures Trading Commission (CFTC) chairman Rostin Behnam has laid out plans to tighten up cyber regulation on his own side of the pond. “The growth of cybersecurity threats to financial institutions is well-documented and widely recognised as an important and increasingly urgent problem,” he said in prepared comments.

“While many of our registrants are subject to cyber requirements through prudential and other regulatory regimes, there is a greater role for the Commission to play in fostering sound and responsive cybersecurity practices among our registrants.” 

He confirmed his support for a new operational resilience rule for futures commission merchants (FCMs) and swap dealers (SDs).