Clyde & Co was brought in to advise the company on several levels. In the UK it is illegal to pay money to anyone who is, or has links to, a person or group under UK sanctions (for acts of terrorism, for example). Paying such a person or entity would expose the company to criminal liability, so the response team advised on the legality of the payment. Its specialists conducted due diligence to determine whether the cyber attacker had known links to any sanctioned or restricted terrorist organizations or well-known criminal or state organizations. In this case there were none, and the advice given was that there were no known restrictions that would prohibit paying the ransom.
The next complication was managing the actual payment. “Handing over the money is not done with used notes in suitcases at midnight, nor is it as easy as writing a cheque,” says Madeleine. “Nowadays cyber attackers insist on the anonymity of Bitcoin payments, a cryptocurrency that can be difficult to trace. We used a trusted vendor who could facilitate payment securely and arrange for the payment to be made within a very short timeframe.”
While this was going on, IT experts helped with a forensic search of the company's systems to assess the damage. The practice also quickly notified the UK's data protection regulator and the Financial Conduct Authority, all within the relevant regulatory timeframes. Finally, Clyde & Co advised on how best to communicate the incident to the company's stakeholders and clients, thereby managing the narrative and mitigating any adverse reaction to it.