Ransomware Payments Ban Proposal

Are you ready for the Government ransomware policy shake-up? Here's all you need to know.

As ransomware continues to pose a serious threat to businesses worldwide, the UK Government has proposed new ransomware incident response rules aimed at reducing the payments made by victims and strengthening the government's ability to respond to attacks. The proposals form part of a broader reform of UK cyber security rules, announced last year and expected to take shape in 2025.

This blog post explores the key aspects of the consultation, the potential impacts on businesses, the questions businesses are asking, and the preparations needed to ensure compliance if the proposals become regulation.

What is the Ransomware Reporting Consultation?

The UK Government's Home Office has launched a consultation on new ransomware incident response rules. Its stated objectives are to reduce the amount of money flowing to ransomware criminals, increase the ability of operational agencies to disrupt and investigate ransomware actors, and improve the government's understanding of the ransomware threat so that future interventions are better informed.

The consultation includes three key proposals: 

1. Targeted ban on ransomware payments for critical national infrastructure (CNI) and the public sector 

This proposal would prevent organisations in the UK public sector and owners/operators of CNI from making payments in response to ransomware incidents. 

2. Broader ransomware payment prevention scheme 

Under this proposal, any victim of a ransomware attack that intends to pay would first have to report that intention to the government before any money changes hands. The government would then decide whether to offer the victim support and whether there is a reason to block the payment. Outside the targeted ban above, this does not outlaw payment in general; it inserts a mandatory government check between the decision to pay and the payment itself.

3. Reporting regime for ransomware incidents 

This proposal would require victims to report ransomware incidents to the government, regardless of their intention to pay a ransom. The reporting process would be phased, with an initial report due within 72 hours and a detailed report within 28 days.

The key questions businesses are asking

What incidents need to be reported?

The proposed regulation would require organisations to report any incident in which a ransom demand is made, regardless of whether the victim intends to pay. CNI and public sector organisations, which would be banned from paying under the first proposal, would still be required to report.

How will ransomware reporting requirements affect response and recovery times? 

Reporting adds some administrative steps at the start of an incident, but it is designed to improve overall response by giving the government the information it needs to support, and potentially intervene in, ransomware incidents. That can lead to more effective disruption of ransomware operations and better recovery support. In practice, reporting should run alongside containment rather than ahead of it: the initial 72-hour report is a notification, and the detail belongs in the 28-day follow-up, so the obligation need not delay isolation and recovery work.

What support will the government provide during and after a ransomware incident? 

The government proposes to offer support through enhanced intelligence sharing, guidance on best practices and potential intervention in ransomware incidents. This support is intended to help businesses recover more effectively and prevent repeat attacks.

How will the government ensure the confidentiality of the information reported? 

The government has said it would implement strict data protection measures to keep reported information confidential, including secure data handling protocols and compliance with existing data protection law such as the UK GDPR. Businesses should nonetheless assume that what they report may be shared with operational agencies for disruption and investigation purposes, since enabling that is one of the consultation's stated objectives.

How do these new requirements align with existing regulations such as UK GDPR and the Network and Information Systems Regulations? 

The new requirements are intended to complement existing regulations. The government aims to streamline reporting so that businesses need only report an incident once, even if it falls under several regulatory frameworks. Until that is in place, organisations should map out which existing obligations a ransomware incident already triggers, for example the 72-hour personal data breach notification to the ICO under the UK GDPR and incident reporting under the NIS Regulations for operators of essential services, because those apply whether or not the new regime arrives.

How should businesses prepare? 

To prepare for the potential implementation of these proposals, businesses should take the following steps: 

  • Establish clear communication channels 

Identify the agencies you would need to report to and set up clear communication channels with them in advance, so that reporting becomes a matter of following a checklist rather than working out who to contact under pressure. Today, ransomware incidents are reported to the NCSC and, as a crime, to Action Fraud; the consultation would add a formal reporting route on top of these.

  • Designate reporting responsibilities 

Designate specific team members to own the reporting process, and make sure the information a report needs (timeline, systems affected, details of the ransom demand, indicators of compromise) is collected and documented accurately from the start. A timestamped incident log kept from the moment of discovery makes the 72-hour initial report straightforward and the 28-day detailed report far less painful.

  • Conduct regular drills 

Conduct regular cyber crisis management exercises to test plans and confirm preparedness. Build the reporting step and the "do we pay?" decision into the scenario, so that the people who would have to make those calls have rehearsed them before a real incident.

  • Review and update cyber security policies 

Conduct a thorough review of current cyber security policies and incident response plans, and add the reporting deadlines and the payment decision process to the plan rather than leaving them implicit. Ensure that all employees are aware of the new requirements and are trained to recognise and report ransomware incidents promptly.

  • Maintain air-gapped backups 

Maintain air-gapped, immutable backups so that data can be recovered and the business can continue after an attack. Test restores regularly and measure how long a full recovery takes: a backup that has never been restored is an unverified assumption, and the recovery time is what decides whether refusing to pay is a realistic option.

  • Implement robust security measures 

Adopt recognised practices for preventing attacks, including employee training, timely patching, multi-factor authentication on remote access, and least-privilege access controls.

How can businesses protect themselves now? 

It remains to be seen whether the government's ransomware proposals will be implemented and, if they are, what impact they will have. But we do know that the best antidote to ransomware, beyond any regulatory directive, remains preparedness.

Organisations with air-gapped, immutable backups, robust cyber insurance and well-rehearsed incident response plans are in a far stronger position to resist ransom demands. When businesses are confident in their ability to recover, they aren’t forced to pay a ransom – they can choose not to. And it’s in empowering more organisations to make that choice that we take a meaningful step towards strengthening the UK’s cyber resilience and breaking the cycle of ransomware attacks. 

Databarracks Ltd
1 Bridges Court
London
SW11 3BB