Ransomware – What do the Trustees do?
The recent spate of Ransomware attacks on major systems around the country has affected businesses, charities and schools all over the UK. I hope it has caused everyone to sit up, and I outline below the dilemmas currently being faced by Trustees of a Charity. What do you do? How could you have prevented this? How can you prevent this in the future?
A fortnight ago a Ransomware email was received by a charity requesting £3000 to be paid in Bitcoin – otherwise the Charity’s system data would be encrypted. The consequence to this particular charity would have been to disable its regular fundraising campaigns and to have a significant financial impact on the organisation if this continued long term. The Chief Executive was contacted, who subsequently contacted the Chair of Trustees. As you can imagine, a significant debate has ensued. The issues that have been addressed were:
- Should the Charity pay the ransom to ensure continuation of cashflow?
- Is it legal to pay the ransom?
- Is it an ethical or pragmatic issue?
- What does it say in the Charity’s digital and cyber policy? (a common answer to this one is that there wasn’t one!)
So, the Trustees have decisions to make. Of course, the immediate gut reaction is not to pay – and not to be held to ransom. The Charity Commission guidance is strongly against payment – but it is guidance only. However, the duty of Trustees is also to ensure that the Charity’s objectives continue to be met, so could payment of this ransom, however distasteful, be the only way to ensure that the charitable activities can continue?
The debate has continued. The one unexpected outcome was that the Finance Director, as a precaution, bought £3000 worth of Bitcoin. The price of Bitcoin has since risen, so the £3000 investment is now worth in the region of £4500.
This is an area where the wisdom of Trustees must be brought to bear on the issue, rapidly, reasonably, and following the appropriate procedure.
A great place to refresh the decision making is the Charity Commission’s publication CC27, which gives some very clear advice on how to take decisions. The next challenge is to make sure that the charitable objectives continue to be achieved as far as possible, obviously avoiding any criminal action. Advice should be taken rapidly – from the Police, the National Cyber Security Centre, lawyers etc.
It is an interesting dilemma – what do you think the decisions were?
Footnote: This major risk to charities has been in many cases overlooked by Trustees. It must now be both a regular item for the Risk Committee and, at the moment, for the full Trustees’ Meetings. Policies need to be urgently drafted to give guidance – this is only going to happen more often in the future.