As the Home Office considers the responses it has received to its January 2025 consultation (now closed) on its proposals to tackle the threats posed by ransomware, we examine what the proposals will mean for businesses and the cyber insurance market in the UK and elsewhere. The size of the problem is only increasing, with the number of UK victims appearing on ransomware data leak sites doubling since 2022 and the UK’s Information Commissioner’s Office (ICO) noting 511 reported ransomware incidents in the second quarter of 2023. Both the growth in ‘ransomware as a service’ and the sophistication and availability of GenAI tools have the potential to supercharge the powers of criminals engaged in this activity, prompting the UK to look at measures to limit the funds flowing from ransomware attacks to cyber criminals and undermine the criminals’ business model. At present, the National Cyber Security Centre has guidance for those organisations considering making payment when affected by a ransomware incident. Current UK ICO guidance is that the ICO supports the position of UK law enforcement, which does not encourage, endorse or condone the payment of ransom demands. The UK is now targeting interventions which will introduce: (i) a ban on certain entities making ransomware payments; (ii) a ransomware payment prevention regime; and (iii) a ransomware incident reporting regime.
The stated aims of the new proposals are to protect UK businesses, citizens and critical national infrastructure (CNI), whether UK-owned or not. The government has therefore sought feedback from organisations with global and multinational structures, in order to protect UK customers and suppliers who interact with their services. The aim is to prevent ransomware attacks by removing the incentive for criminal gangs to target the UK’s essential agencies and infrastructure, since they will know they will make no money from doing so. Currently, central government departments cannot make ransomware payments. This prohibition may be widened to cover all organisations in the UK public sector (including local government) and CNI owners and operators (in sectors defined by the National Protective Security Authority and subject to regulators or competent authorities), barring them from making payments when affected by a ransomware incident. As part of the consultation, given the interwoven nature of technology supply chains, the government is also asking whether essential suppliers to entities in CNI sectors (the 14 CNI sectors include communications, data centres, finance, energy, health and transport) should be made subject to the same prohibition on making ransomware payments. This would potentially bring retail banks, suppliers to data centres, utility companies and a range of other IT providers within the scope of the prohibition. It would also be in line with the approach adopted by other countries, as set out in the international Counter Ransomware Initiative (CRI) 2023 statement, which confirmed that no central government funds should be used to pay ransomware demands. The CRI was created in 2021 as a dedicated international forum enabling countries to come together to develop new approaches and processes to combat ransomware.
In October 2024, the UK led efforts at the CRI to endorse new guidance (produced in collaboration with the global insurance industry), to encourage organisations to consider approaches to ransomware attacks other than the making of ransom payments. This guidance made clear that payment may often only embolden these criminals to target other victims, with no guarantee of data retrieval, malware removal or the end of a ransomware attack. Instead, the guidance encourages organisations to report attacks to law enforcement authorities, check if data backups are available and get advice from recognised experts.
"These proposals help us meet the scale of the ransomware threat, hitting these criminal networks in their wallets and cutting off the key financial pipeline they rely upon to operate." (Dan Jarvis, Home Office Minister)
The government is also considering which sanctions should apply for non-compliance, ranging from criminal penalties (such as making non-compliance with the ban a criminal offence) to civil penalties (such as a monetary penalty or a ban on serving as a board member). Another proposal on the table is a requirement for victims of ransomware to report their intention to make a payment. After a report is made, the potential victim would receive support and discuss possible resolutions that do not involve making the payment. The authorities would also review the proposed payment to see whether there is a reason it should be blocked, such as the payment going to sanctioned companies or violating terrorism finance legislation. If the proposed payment is not blocked, it would be up to the victim to decide whether to proceed.
Suffering a ransomware attack raises difficult questions of organisational response strategy. The UK is also looking at victim behaviour during a cyber incident: how much information (and what sort) can and should be shared with UK authorities, and if and when it is ever appropriate to pay a ransom. Where a multinational business is hit, it will therefore need to take into account local laws that may affect its ability to respond in a holistic way, so as to avoid incurring a penalty if it elects to make a payment. This also raises the question of how far-reaching the extraterritorial impact of the UK’s new rules will be, and whether they will catch a payment made by a group company in another jurisdiction in respect of a ransomware incident affecting the UK operations of the group (for example, a ransom payment made by a US company).
The insurance industry is keeping a close eye on the proposed UK developments, concerned that the cost of cyber insurance policies for public sector and CNI businesses will rise (and that some businesses may become uninsurable) if a wider range of businesses are barred from making ransomware payments and thereby incur significant costs in rebuilding digital infrastructure, recovering lost data, dealing with the data breach and seeking to recover the costs of business lost during the period of the attack. Insurers also foresee disputes between policyholder and insurer about which types of entity are prohibited from making ransom payments. This structural change could also push incidents down the supply chain, with the proposed rules potentially making sub-contractors or other actors in a supply chain more vulnerable to a ransomware attack (although there are doubts that most ransomware groups will consider whether to exclude an entity from an attack based on the sectors in which it operates).
It therefore remains to be seen whether rational moves to make payment of ransoms less palatable for a greater array of businesses (by introducing a ban) will have a significant impact on the unpredictable and irrational environment in which cyber criminals operate.