
Article

Laws to disrupt ransomware payments considered in the UK

The UK Government has launched a consultation on proposals to safeguard British businesses and infrastructure against the rising threat of ransomware attacks that will run until early April 2025.

The consultation marks a significant step towards enhancing the protection of British businesses and infrastructure against the growing threat of ransomware attacks. Below, we summarise the current proposals and highlight various questions that arise out of them.

The consultation’s three proposals

The three proposals put forward by the government to hinder the ransomware business model are:

  1. A targeted ban on ransomware payments for critical national infrastructure (CNI) in the UK (national assets that are essential for the functioning of society, such as those associated with energy supply, water supply, transportation, health, and telecommunications) and the public sector.
  2. A ransomware payment prevention regime that would require any victim of ransomware — that is, organisations and/or individuals not covered by the proposed ban noted above — to engage with the authorities and report their intention to make a ransomware payment before paying any money to the threat actors responsible.

    After the report is made, the potential victim would receive support and guidance, presumably from a newly established taskforce, including the discussion of non-payment resolution options. The relevant authority would review the proposed payment to see if there is a reason for it to be blocked. This could happen if the payment is intended for threat actors that are under sanctions or if it violates laws related to financing terrorism. If the authorities do not block the payment, then the victim would decide whether to proceed.
  3. A ransomware incident reporting regime that could include a threshold-based mandatory reporting requirement for suspected ransomware victims.

Laws could improve understanding of ransomware payments and reduce victim stigma

The proposed legislation is a positive step towards breaking the growing ransomware economy and enhancing understanding of the ransomware payment landscape to guide future interventions.

The proposals could lead to the establishment of a centralised resource serving as a repository of data on various threat groups, for example, their typical behaviours, motives, and tactics. This could provide enhanced intelligence to victims of cyberattacks.

Furthermore, the proposals could help destigmatise ransomware victims. In the past, organisations have been reluctant to share information on cyberattacks due to the damage to reputation that such attacks can trigger, including the potential direct impact on share price. However, with the implementation of these proposals, sharing such information with the government could ultimately benefit society as a whole.

That said, while the consultation is at an early stage, the proposals raise a number of questions, including those outlined below.

Bans on ransom payments

Banning ransom payments may not serve as a significant deterrent for a number of reasons. Firstly, as threat actors not only use encryption, but also exfiltrate and steal data to sell on the dark web, any prohibition on ransom payments may result in threat actors monetising the stolen data in other ways. Secondly, many ransomware attacks are opportunistic rather than targeted, meaning that attackers do not know the identity of their victim until they have encrypted the data and issued a ransom demand. A ban may leave CNI and public bodies in difficult situations where they are unable to pay a ransom but also unable to recover without doing so. Incidents may occur due to zero-day vulnerabilities or problems within the third-party supply chain, which the victim could not control, potentially resulting in unfair consequences for those affected.

Any ban on ransomware payments needs to be coupled with vigorous law enforcement against threat actors and, importantly, planning and resourcing for what public entities will do when they can’t make payments to stop threats. CNI and public bodies will need support to plan for ransomware events, including ensuring they have detailed, well-practiced incident response plans, and advanced public messaging. Unfortunately, attacks will continue and entities subject to the ban will need to be equipped to respond to the threat without paying a ransom.

Ransomware payment prevention regime

Organisations experiencing a ransomware attack need urgent assistance, as decisions to pay often hinge on minute-by-minute considerations. Delays in operations can be financially devastating.

The success of this proposal will depend on whether the resources for the ransomware payment prevention regime are sufficient. For example, will there be a 24/7 team available to provide quick responses for organisations facing a cyberattack, and will this team have the credentials of the vendor panel members that organisations can already access through their cyber insurance? Additionally, how long will authorities take to review and approve proposed payments? Delays in obtaining such approvals could undermine the purpose of the regime and ultimately cause significant financial impact to victims. Policymakers will need to set strong guidelines as to what will be impermissible. Support for victims will need to be coupled with strong law enforcement against threat actors.

It is worth noting that small businesses often lack the resources necessary to prevent cybersecurity incidents and build cyber resilience, leaving them vulnerable. Once they are affected by ransomware, these businesses may see payment as inevitable. If such a regime is implemented, small businesses will need even more extensive support from authorities to get back up and running. Any additional steps or hurdles could further delay their recovery.

Incident reporting

The reporting regime suggested under the proposals introduces an additional procedural step for organisations affected by ransomware to navigate during a demanding time, as they manage other reporting obligations. The proposal calls for an initial report within 72 hours, followed by a full report within 28 days.

Regarding this timeline, several questions remain: When does the 72-hour window start, what criteria define a ransomware event, and who will receive the information? Additionally, will victims receive guidance, or is this merely an information-gathering exercise? What penalties will organisations face for failing to report a ransomware event? Lastly, what protections will be provided to companies that participate in reporting? If reporting only creates a roadmap for liability and litigation, it presents a concern.

Questions also remain about what globally operating entities are expected to do in this context. Are foreign subsidiaries of UK firms required to comply?

The importance of a robust incident response plan and holistic cyber risk resilience

The UK’s National Crime Agency identifies ransomware as one of the most damaging cyber threats due to the substantial financial losses it causes, the potential theft of intellectual property, sensitive commercial data, or customer personally identifiable information (PII), as well as the service disruptions and reputational damage that can result from attacks.

Focusing on resilience is key. Marsh recommends that organisations have an incident response plan that outlines activities to detect, analyse, and remediate cyber issues, including a ransomware attack, to restore normal operations quickly. This plan should identify external and internal incident teams, with clearly defined roles and responsibilities. Including templates for responses to regulators, media, and data subjects can save time during an incident. Contingency plans should be readily available and tested. Establishing an out-of-band communication method — ways of communicating outside of an organisation’s main systems — is also essential. 

In addition, organisations should review their cyber insurance vendor panels and conduct tabletop exercises at least annually to identify weaknesses in plans, allow incident response teams to develop muscle memory, and incorporate any lessons learned. They should also regularly check that their insurance programmes facilitate effective cyber risk transfer.

Ransomware negotiators will normally be part of a cyber insurance incident response vendor panel and will provide essential intelligence and due diligence in relation to the threat actor. However, the decision of whether to pay a ransom or not lies with the organisation. It is recommended that an organisation discusses its stance on this complex issue ahead of an event. This can be a good topic on which to engage the board, potentially opening and informing a more general conversation on cyber incident management.

For more information on the above, please contact your Marsh adviser. 

About authors

Holly Waszak

Head of Cyber Claims, Cyber Risk

  • United Kingdom

Helen Nuttall

Head of Cyber Incident Management

  • United Kingdom
