Ransom Payments Following Cyber Extortion – a Legal Viewpoint
1 March 2022
Authors: Anna-Maria Tamminen and Johanna Vanninen
Cyber extortion has increased in recent years as the technologies and methods used by cybercriminals have become more complex. The first step for every company is to prepare for the threat of ransomware and other cyber extortion with proper preventive measures. But what if the preparations and preventive measures are not sufficient and a cyberattack is already under way?
Most companies facing cyber extortion have globally applicable contractual and compliance undertakings which must be considered in such an event. Although paying is generally not recommended, a company that nonetheless considers making a payment to mitigate greater harm must ask itself whether it has commitments or policies that forbid the business from paying, and if so, under what circumstances those commitments could be set aside and what would follow from doing so. Cyber extortion situations often involve not only a significant financial risk but also risks to the company's operations, disclosure of information in breach of contractual undertakings, or even greater risks such as threats to human health and safety. In addition, paying a ransom potentially exposes the company to further issues concerning insurance policies, accounting and taxation, which need to be acknowledged.
No business will lightly consider making payments under extortion, and there is never any guarantee that paying a ransom will end the criminal activity directed at the target company. In the following we nonetheless discuss what to factor in, from a compliance and criminal law viewpoint, when a ransom payment is being considered in a cyber extortion situation.
What to Consider from the Compliance Perspective if Making a Ransom Payment?
The role of compliance in relation to ransom payments is twofold. On the one hand, companies should take proactive compliance steps to reduce the risk of a cyberattack: having robust compliance measures in place provides a degree of security against the unpredictable situations that modern cybercrime generates.
On the other hand, given the pace of development in cybercrime, a cyberattack can never be completely prevented. An entity can be faced with having to evaluate a possible ransom payment even when proper resilience measures were in place. Before such a situation arises, it is essential to review the company's general principles as well as all key agreements to establish whether they include provisions concerning ransom payments or equivalent circumstances. Depending on the nature of these provisions, the entity can carry out a risk assessment and decide in advance on the best course of action should it one day face such a decision. Only with knowledge of all the factors can an informed and justifiable decision, for or against paying a ransom, be made.
Is Making a Ransom Payment Criminally Sanctionable?
The main concern companies may have is whether paying the ransom could itself be a crime and result in criminal liability under Finnish legislation. The short answer is that this is unlikely. The relevant provisions to assess in situations involving payments to criminal actors are those concerning regulation offences, money laundering and financing of terrorism.
If the recipient of the payment is an individual, organisation, regime or country on an applicable international sanctions list, paying the ransom could be considered a regulation offence under Sections 1-3 of Chapter 46 of the Criminal Code of Finland, provided that the person or entity making the payment is aware of the identity of the sanctioned recipient. This matters because some cybercrime groups are on sanctions lists, so it cannot be excluded that paying a ransom could, in such a situation, constitute a regulation offence. The risk can, however, be mitigated by keeping up to date with the applicable sanctions lists and checking them before any payment is made.
The constitutive elements of money laundering under the Finnish Criminal Code include the prerequisite of a predicate offence resulting in illegal profits. Under Section 6 of Chapter 32 of the Criminal Code of Finland, the acts that constitute money laundering are (1) receiving, using, converting, conveying, transferring, transmitting or possessing property acquired through an offence, the proceeds of crime or property replacing such property, in order to obtain benefit, to conceal or obliterate the illegal origin of such proceeds or property, or to assist the offender in evading the legal consequences of the offence; or (2) concealing or obliterating the true nature, origin, location or disposition of, or rights to, property acquired through an offence, the proceeds of an offence or property replacing such property, or assisting another in such concealment or obliteration. As money laundering requires a predicate offence resulting in illegal profits, paying a ransom under cyber extortion cannot, from the perspective of the victim of the offence, be considered money laundering under Finnish law. The cybercriminal, however, could commit money laundering under Finnish law if they, for instance, proceeded to legitimise or conceal the origin of the proceeds of the extortion.
Section 11 of Chapter 32 of the Finnish Criminal Code further states that a person who is an accomplice in the offence through which the property was obtained or that produced the proceeds (the predicate offence) shall not be sentenced for money laundering. Consequently, even if the extortion were considered the predicate offence to money laundering, the party paying the ransom would not be guilty of money laundering.
Financing of Terrorism
Section 5 of Chapter 34a of the Criminal Code of Finland specifies the activities that are considered financing of terrorism under Finnish law. They include directly or indirectly providing or collecting funds in order to finance, or being aware that the funds will finance, activities such as taking a hostage, preparation of an offence of general endangerment, a nuclear explosives offence, murder and aggravated assault.
As can be seen, the constitutive elements of the financed activity under the financing of terrorism provisions require a severe level of criminal conduct. The statute mostly applies where a person is directly, or indirectly through a terrorist organisation for example, financing concrete physical acts of violence, attempts at such violence, or offences of general endangerment. Criminal intent is required for the offence. Cyberattacks and cybercrime are not currently included among the terrorist offences referred to in the section. Should the cybercriminal use funds received from the extortion to finance any of the activities listed in the provision, this would not constitute financing of terrorism on the part of the paying entity if it was not aware of that use. Therefore, paying a ransom under cyber extortion cannot, absent such intent, constitute financing of terrorism under the Criminal Code of Finland.
Every company should take the threat of cybercrime seriously and ensure that it has compliance policies in place to prevent cyberattacks. At the same time, it is prudent also to have policies in place for the event that a cyberattack succeeds. While any company is well advised not to pay a ransom, it may be helpful to understand that, although a cyberattack is always a crime, the payment of a ransom would rarely qualify as a crime in the absence of the specific circumstances described above.