21 January 2025

Held To Ransom? UK Consults On Industry-Wide Payment Approval Regime

Ropes & Gray LLP

The UK Government is consulting on proposals to regulate ransomware responses, including banning public sector payments, requiring private sector pre-approval for payments, and mandatory incident reporting, signaling significant operational impacts for UK businesses.

Will private sector companies in the United Kingdom soon be required to notify the Government of their intention to make ransom payments and receive approval to do so?

Yesterday (14 January 2025), the Home Office — the Government department responsible for immigration, security, and law and order — opened a consultation on precisely that and related questions. The consultation, which closes on 8 April 2025, contains three proposals on which the Government is seeking feedback before it proceeds with their implementation.

  • Proposal 1. A targeted ban on ransomware payments for all public sector bodies and for regulated owners and operators of critical national infrastructure.

Central government departments currently cannot make ransom payments, but the proposal expands that principle by prohibiting all entities in the UK public sector from doing so. The proposal also covers owners and operators of critical national infrastructure (CNI) — and, potentially, critical suppliers to those organisations.

The Government defines CNIs as "[t]hose critical elements of infrastructure (namely assets, facilities, systems, networks or processes and the essential workers that operate and facilitate them), the loss or compromise of which could result in: (i) major detrimental impact on the availability, integrity or delivery of essential services — including those services whose integrity, if compromised, could result in significant loss of life or casualties — taking into account significant economic or social impacts; and/or (ii) significant impact on national security, national defence, or the functioning of the state."

The Network and Information Systems Regulations 2018 (i.e., the NIS Regulations), which the Labour Government intends to replace with a Cyber Security and Resilience Bill, apply to "essential services" in the transport, energy, water, health and digital infrastructure sectors.

Although the Bill has yet to be tabled before Parliament, it is likely to cover similar ground to the European Union's NIS2 Directive, whose laggard implementation I have recently written about. When the text of the Bill is released, one should look for whether some or all providers of "essential services" are also categorised as CNIs, such that Proposal 1 — if enacted in its current formulation — would apply to those organisations.

  • Proposal 2. A new ransomware payment prevention regime to cover all potential ransomware payments from the UK.

Here, the Government proposes introducing a payment prevention regime that would require any victim of ransomware to report their intention to make a ransomware payment before doing so. After the report is made, the relevant authorities (e.g., the National Crime Agency) would review the proposed payment to determine whether there is a reason it needs to be blocked — such as where it could go to sanctioned persons or entities, or would violate terrorism finance laws — and provide advice and guidance to the organisation.

Our experience advising victims of ransomware has been that UK authorities tend not to go as far as their U.S. counterparts, who often work with the organisation up to — and in some cases after — payment in order to better understand the threat actors they are dealing with, but that may well start to change in a more tightly regulated ransom environment in Britain.

Regulators in the UK advise companies not to make ransom payments — and lawyers have been told by the ICO and the Law Society that they should do the same with their clients. The ICO has also made clear that paying a ransom will not mitigate the effects of a personal data breach — but some organisations see making such payments as a commercial reality, and, in some cases, a necessity. Helpfully, the Home Office in its consultation acknowledges the commercial reality of ransom payments, and confirms that if the proposed payment is not blocked, it is for the victim to decide whether to proceed.

Still, one cannot help but wonder about the scenario where a relevant authority advises (on non-legal grounds) not to make a payment but the organisation does so anyway. How will that affect an organisation's ability to claim on insurance? And will the decision to pay reflect negatively on any subsequent investigation into, or future dealings with, the company? Conversely, if an organisation chooses not to pay a ransom on the advice of the Government, will its decision in any way act as mitigation in any enforcement action relating to the personal data breach?

A ransomware event is stressful enough as it is, but businesses will — assuming the proposals are taken forward in something approaching their current form — now have a range of additional factors, both legal and strategic, to consider.

  • Proposal 3. A ransomware incident reporting regime that could include a threshold-based mandatory reporting requirement for suspected victims of ransomware.

Lastly, the Government is seeking views on whether an incident reporting regime should be economy-wide or only impact organisations and individuals meeting a certain threshold (e.g., turnover, number of employees, sector, amount of ransom sought). Importantly, the reporting requirement would apply regardless of the victim's intention to pay the ransom. And unlike the other proposals, organisations would be required to notify relevant authorities within 72 hours of becoming aware of the ransom demand.

Next Steps

The headlines around the consultation have been that public sector bodies and operators of critical national infrastructure will be prohibited from making any ransom payments, and understandably so.

In particular, the Government's thinking is that if bad actors know that — for example — hospitals cannot legally pay a ransom, they will stop targeting those entities. However, that position arguably overlooks the nature, motive and approach of many of these actors, who often choose targets in order to make a statement. In other words: if we are willing to leak data of patients or school children, we are certainly willing to do the same to you, private organisation.

But the bigger story is how what is effectively a licence regime will apply to the millions of companies doing business in the UK — many of which receive, and in some cases pay, ransom demands.

We are necessarily still some way from that becoming a reality. However, the approach taken to recent data protection reforms — albeit under the previous Conservative Government — was to broadly stick to the proposals as initially drafted, even where the consultation responses indicated strong opposition. As such, it is reasonable to think that the proposals described above will probably make it onto the statute book in something approaching their current form. Whether they will comprise part of the Cyber Security and Resilience Bill, or be contained in another piece of legislation, remains to be seen.

What is clear is that we can likely expect a highly significant change to the status quo in the UK regarding ransom payments — one which will have similarly significant practical implications for businesses operating in Britain.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
