On 14 January 2025, the UK Home Office published a consultation paper focusing on legislative proposals to reduce payments to cyber criminals and increasing incident reporting.
The proposals set out in the consultation paper aim to protect UK businesses, citizens, and critical infrastructure from the growing threat of ransomware, by reducing the financial incentives for criminals targeting UK organisations and to improve intelligence and understanding of ransomware to support the overall resilience of the UK’s cyber defences.
Summary of key proposals
The consultation sets out three key proposals:
- A targeted ban on ransomware payments – a targeted ban on ransomware payments for all public sector bodies (including local government) and critical national infrastructure (CNI) owners and operators. This proposal goes beyond the current principle that central government departments cannot make ransomware payments – by prohibiting all organisations in the UK public sector from making a payment to cyber criminals in response to a ransomware incident, as well as including CNI owners and operators. This aim of the proposal is to deter criminals by ensuring they cannot profit from attacking essential services. However, the possible impact of this is unclear and the government is seeking input on whether suppliers to such bodies/entities should also be included. The prohibition of ransomware payments by public sector bodies and critical national infrastructure may have a deterrent effect, assuming the threat actors in question are motivated by financial purposes, but a failure to include supply chain would likely simply shift the threat actors’ focus downstream. However, inclusion of the entire chain could be extremely far reaching, particularly where such vendors provide products/services across multiple sectors.
It is also not clear how this proposal will be enforced in practice and the government is seeking views on appropriate measures to support compliance. The consultation includes a number of possible measures, ranging from criminal penalties (such as making non-compliance with the ban a criminal offence) or civil penalties (such as a monetary penalty or a ban on being a member of a board).
- A new ransomware payment prevention regime – requiring all victims, including those not within the scope of the ban, to “engage with the authorities and report their intention to make a ransomware payment before paying over any money to the criminals“. After the report is made, the potential victim would receive support and guidance including the discussion of non-payment resolution options. Under the proposals, the authorities would review the proposed payment to see if there is a reason it needs to be blocked (e.g. known terrorist organisations). If the proposed payment is not blocked, it would be a matter for the victim whether to proceed. Input is sought on the best measures for encouraging compliance with this regime, as well as what additional support and/or guidance should be provided – possibly building on existing collaboration between the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO).
- A ransomware incident reporting regime – a mandatory ransomware incident reporting regime, which could include a threshold-based requirement for suspected victims to report incidents, enhancing the government’s understanding and response capabilities. Input is sought on whether this should be economy wide, or only apply to organisations/individuals meeting a certain threshold. The consultation proposes that organisations will have 72 hours to provide an initial report of the incident and then 28 days to provide the full report. It is unclear how these reporting requirements will align with existing incident reporting obligations, however, the government has stated that the intent is to ensure that “UK victims are only required to report an individual ransomware incident once, as far as possible“.
These proposals, if implemented in their broadest form, will pose a significant challenge for any business impacted by a ransomware incident, requiring mandatory reporting of such incidents, as well as a need to wait for guidance from authorities before making any payments. This is likely to be particularly problematic where threat actors are imposing deadlines for payment and could lead to significant disruptions to essential services where a ransomware attack has occurred and payment is not possible. The impact of the proposals on organisations not subject to the ban is also unclear, particularly in relation to reporting and disclosure requirements and how these will align with incident/breach notification obligations.
The consultation closes on 8 April 2025.