Impending UK Government Cyber Security Legislation on Ransomware Payments

First, the ban on paying ransoms will be extended to all UK public bodies (such as the NHS, local councils and state schools), and private sector organisations operating within the Critical National Infrastructure (CNI) space, such as energy, transport and utility companies.  This proposal builds on the Government’s existing position that the UK taxpayer should not be funding ransom payments.

Second, organisations that intend to pay a ransom will be obliged to consult with the Government first to ensure that there is no block on making payment, such as it being in breach of sanctions or terrorism-financing laws, or simply to offer the organisations guidance and advice before they commit to paying.  This requirement, therefore, stops short of an outright ban on ransom payments, but does introduce a new compliance obligation that organisations will need to integrate into their incident response plans.

Third, all UK organisations that suffer infiltration by ransomware must notify the Government within 72 hours of becoming aware of it, regardless of whether they intend to actually pay a ransom or not.  This will improve intelligence gathering on the subject, enhance national awareness of the ransomware threat landscape, and lead to greater alignment with law enforcement and regulatory bodies such as the Information Commissioner’s Office (ICO).  As an aside, it is understood that the Government’s proposed Cyber Security and Resilience Bill is also going to include a statutory notification duty for ransomware raids.  To learn more about the proposed Bill, read our blog Cyber Security Resilience Bill Policy Statement – What to Expect.

Because there is currently no mandatory reporting regime for ransomware attacks, it is difficult to quantify the scale of the problem.  However, in 2023 the UK Government Cyber Security Breaches Survey reported that 21% of medium businesses in the UK and 37% of large businesses experienced cyber attacks involving ransomware.  The survey noted that many of the organisations affected chose not to disclose whether they paid a ransom.  In the same year, the Sophos State of Ransomware report estimated that the average ransom payment globally was around £1.2 million.  The aim of the new regime is to disincentivise cyber ransomers (who tend to favour easy wins) from targeting UK installations and businesses.  The Security Minister, Dan Jarvis, has described the intention of the new rules as follows: ‘By working in partnership with industry to advance these measures, we are sending a clear signal that the UK is united in the fight against ransomware’.

No timescale has yet been set for the legislation.  Once a draft bill is published, ABC will provide an update on this important topic. This will include details such as the authorities to whom organisations will be required to report ransomware attacks, as this has also not yet been determined.