On January 14, 2025, the UK government published a consultation on new measures to tackle the growing threat of ransomware attacks. Ransomware is malicious software (malware) that infects a victim's computer systems and prevents the victim from accessing them, significantly impairs their use, and/or facilitates the theft of sensitive data. A ransom is then demanded for the restoration of access and/or in respect of the stolen data and, as we previously noted, the cost of ransomware attacks is increasing nearly 20% year-on-year.
The consultation outlines three key proposals aimed at reducing payments to criminals, disrupting ransomware attacks, and improving incident reporting. The consultation is open for responses until April 8, 2025.
1. Targeted Ban on Ransomware Payments for Public Sector and Critical Infrastructure
The first proposal is to implement a targeted ban on ransomware payments made by public sector bodies, local authorities, and owners/operators of critical national infrastructure, in order to reduce the financial incentive for cybercriminals to target these organisations. This would extend the current government policy that prohibits central government departments from making such payments. The consultation seeks views on whether essential suppliers to these sectors should also be included and on what penalties should apply for noncompliance, ranging from criminal penalties (such as making noncompliance with the ban a criminal offence) to civil penalties (such as a monetary penalty or a ban on serving as a board member).
2. Ransomware Payment Prevention Regime
The second proposal is the introduction of a ransomware payment prevention regime. This would require any organisation or individual not covered by proposal 1 above to report their intention to pay a ransom to the authorities before proceeding with the payment. The authorities would then assess the situation and provide guidance, including whether the payment should be blocked on legal grounds, for example because it would breach the sanctions regime. The government's objective is to disrupt the ransomware payment cycle and reduce the flow of funds to cybercriminals.
3. Mandatory Ransomware Incident Reporting
The third proposal is the introduction of a mandatory reporting requirement for ransomware incidents. Businesses and individuals affected by ransomware would be required to report the attack to the authorities regardless of whether they intend to make a ransom payment, and this would be 'deconflicted' from any report of an intention to pay made under proposal 2 above, so that a victim is not required to report the same incident twice. The government's objective is to close the intelligence gap around ransomware attacks and improve law enforcement's ability to investigate and target perpetrators. The consultation seeks views on the scope of this reporting requirement, including whether it should apply only to large organisations or to all victims.
Analysis
These proposals come at a time of increasing concern among businesses about the threat of ransomware attacks. The consultation itself names several high-profile examples of organisations that suffered ransomware attacks which significantly disrupted their operations and, in some cases, were a key factor in their insolvency shortly afterwards.
Each proposal merits its own analysis of scope, reporting timeframes, the security of reporting channels, sanctions for noncompliance, and exemptions. Across all three proposals, stakeholders will hope for a joined-up and proportionate approach that acknowledges the multiple obligations to which firms may already be subject in the event of a ransomware attack, not only under legislation such as the UK GDPR (with its 72-hour personal data breach notification deadline) and sector-specific regulation, but also under corporate governance requirements and obligations to key stakeholders (customers, suppliers, and potentially employees). A balance will need to be struck between achieving the government's objectives of reducing payments to cybercriminals and improving real-time intelligence on ransomware attacks and payments, and not exacerbating disruption by imposing further layers of reporting obligations and time-sensitive assessments of whether certain actions are prohibited while an incident is still being contained.
Trainee solicitor Ava Bajrami contributed to this blog post.