On January 14, 2025, the United Kingdom government published a consultation on ransomware proposing new measures to increase incident reporting and reduce ransom payments (the “Consultation”). The Consultation outlines three objectives in this regard and is open for responses until April 8, 2025.
Proposal 1: Targeted Ban on Ransomware Payments
The UK government is proposing a ban on ransom payments that would apply to all public sector bodies, including local government, as well as owners and operators of Critical National Infrastructure as defined by the National Protective Security Authority. In proposing this ban, the UK’s goal is to reduce the financial incentive for cybercriminals to target these types of entities in the UK. This would extend the government’s current policy prohibiting central government departments from making ransom payments.
Proposal 2: Ransomware Payment Prevention Regime
The second proposal would require any organization or individual not covered by the targeted ban described above to report to authorities any intention to pay a ransom prior to paying such ransom. After reporting, the potential victim would receive support and guidance from the authorities, including non-payment resolution options and sanctions review. If the payment would violate terrorism finance legislation or be made to a sanctioned entity, the payment would be blocked. Organizations that report a payment that is not blocked will ultimately be able to decide whether to proceed with payment.
Proposal 3: Ransomware Incident Reporting Regime
Finally, the government proposes the introduction of a mandatory reporting requirement for ransomware incidents, under which reporting would be required regardless of whether the organization intends to pay the ransom. Reports would be made to the relevant parts of the government and would be treated confidentially across the government, with information being shared only as necessary. The proposal would require an initial report within 72 hours and a full report within 28 days.
The Consultation notes that it is intended that a victim be required to report a ransomware attack only once, even if different parts of the UK Government need to be informed about the attack. However, no detail is given in the Consultation about how the obligation to report a ransomware incident would interact with the requirement to report a personal data breach to the Information Commissioner’s Office (“ICO”) pursuant to the UK GDPR. It does note that reporting obligations might also arise for organizations covered by the Network and Information Systems Regulations, and that the Government would work to “deconflict” those cumulative obligations during the legislative process.
The government is seeking input on whether essential suppliers to the Critical National Infrastructure sectors should also be included in the targeted ban on ransomware payments. In addition, the government is seeking input on what civil and/or criminal penalties should be levied for noncompliance with each of the proposals, and whether there should be differing thresholds based on the size of the organization. Similarly, the government is seeking input on whether the proposed reporting requirement should apply only to large organizations or to all victims.
Why now?
The proposals in the Consultation, particularly Proposals 1 and 2 above, can be seen as a continuation of the UK’s stance against the payment of ransoms to cyber criminals. In 2022, the ICO, the National Cyber Security Centre (“NCSC”), the Law Society and the Bar Council publicly exchanged correspondence concerning the legal profession’s role in advising clients who had suffered a ransomware attack. In particular, the ICO and NCSC’s joint letter indicated that “Law Enforcement does not encourage, endorse nor condone the payment of ransoms.” The ICO continues to assert that position on its website, and the NCSC’s guidance seeks to dissuade victims from payment.
The most recent annual report issued by the NCSC notes that the UK needs to wake up to the severity of the cyber threat that it faces. This provides an explanation for Proposals 2 and 3 above, which in part aim to improve the quality of intelligence received by UK law enforcement following ransomware attacks on UK entities.
Please reach out to one of the authors or the Alston attorney with whom you regularly work if you are interested in submitting a response before the April 8, 2025 deadline.