Ethical, Legal Implications of Paying Ransoms


In an opinion piece for National Defense, Phyllis Sumner and Jillian Simons of King & Spalding write about the growing threat of ransomware, and urge companies to “make strategic and risk-based decisions on whether to engage with threat actors and/or pay the ransom.” They stress the need for an incident response plan, and recommend steps to take whether or not a company has a “no pay” policy. They also present a number of arguments against paying: the reputation the company may acquire as a lucrative target, the ethical ramifications of “supporting” the activity and the criminal and terrorist organizations behind it, the FBI’s advocacy against paying ransoms, and the potential to run afoul of the Office of Foreign Assets Control’s international sanctions.