Date: 2025-02-04

On 14 January 2025, the UK government launched a public consultation on proposed legislative measures to combat the ever-increasing threat of ransomware. With these proposals, the UK government is seeking to step up its efforts to understand, deter and prosecute ransomware attacks by gathering more information from victims and undermining the ransomware business model.

The new framework would ban ransom payments in the public sector and for certain critical infrastructure providers, and more broadly would require all companies to report ransomware attacks, including whether they plan to pay the ransom. The government is seeking views on these proposals, including the introduction of criminal sanctions, and whether the regime should cover all UK individuals and organisations, or be limited by size of the organisation and/or ransom. The public consultation is open until 8 April 2025.

The Three Proposals

Ban on Ransomware Payments for the Public Sector and CNI

Proposal: All organisations in the UK public sector – including local government, as well as owners and operators of critical national infrastructure ("CNI") that are regulated, or that have competent authorities – would be prohibited from making payments to cyber criminals in response to ransomware incidents. The proposal expands the current principle that government departments cannot make ransomware payments.

Ransomware Payment Prevention Regime

Proposal: All companies and individuals not covered by the ban would have to, prior to making a payment in response to a ransomware attack, report their intention to make a payment to the government. Following notification, the government would review the payment proposal and open up a dialogue with the reporting company on next steps, including exploring alternative options. The government could ultimately block any payment.

Ransomware Incident Reporting Regime

Proposal: Companies and individuals would be required to report a ransomware attack to the government, regardless of their intention to pay the ransom. The government intends to harmonise the new ransomware regime with the NIS Regulations and upcoming Cyber Security and Resilience Bill, to ensure that UK victims will only have to report an individual ransomware incident once.

Goal: To assist the government's understanding of the scale, type and source of the ransomware threats that individuals and organisations in the UK face.

Consultation: The government is seeking views on whether the mandatory reporting requirement should only impact organisations and individuals that meet a certain threshold. If the regime is introduced with a threshold, the government would continue to encourage all victims of a ransomware incident to report through the same mechanism.

Conclusion

Whilst there are clear aims behind this proposal to disincentivise cyber criminals, these reporting obligations will introduce another layer of complexity and accountability during the early stages of a ransomware attack. If the proposals are implemented in their most extreme form, many UK businesses and individuals will be effectively stopped from making ransomware payments, and will face additional reporting obligations. The government is, however, open to input, including on scope and sanctions. Any businesses that wish to submit comments on the proposals should do so here by 8 April 2025.

