Can’t Pay, Won’t Pay: UK Government Consults on New Ransom Payment Prevention and Reporting Regime for Businesses
As the new year begins, the UK government is launching a targeted offensive against the payment of ransoms to cyber threat actors. A newly issued consultation seeks to evaluate three legislative proposals aimed at reducing the amount of money flowing to cybercriminals from the UK and increasing the UK government’s understanding of ransom demands to better equip agencies to disrupt threat actors.
The three proposals are: (1) a targeted ban preventing critical national infrastructure and public sector entities from making ransom payments to a threat actor; (2) a requirement that all other businesses notify UK authorities, and receive a response, before paying a ransom; and (3) a new mandatory reporting regime for businesses that have received a ransom demand in the context of a data security incident.
The consultation paper is intended to cover scenarios where malware has been deployed by a threat actor and a ransom is demanded from the victim to regain access to the system(s), for data to be restored or for data not to be published on criminal-operated data leak websites.
While the UK government hopes that implementing these proposals will lower the rising tide of ransom and extortion in the UK, the consultation arguably raises more questions than it answers. Both UK and global businesses should closely monitor the UK’s position as it develops.
The UK's Home Office, National Crime Agency (NCA) and National Cyber Security Centre (NCSC) all regard increasingly sophisticated ransom and extortion attacks as the most significant cyber threat facing the country. The consultation notes that the number of UK businesses and individuals listed on ransom data leak sites has doubled since 2022.
Cybercriminals are also increasingly using a ‘Ransomware as a Service’ (RaaS) business model, enabling organised crime groups to supply other criminals with the necessary malware to conduct anonymous attacks and share in the ransom payments. The consultation notes that these attacks and the added sophistication have resulted in substantial financial losses, theft of intellectual property or sensitive data and severe service disruptions.
The ban would apply to all public sector bodies, such as the National Health Service, and to owners and operators of regulated ‘Critical National Infrastructure’. The UK government defines Critical National Infrastructure by reference to regulated entities in sectors designated by the National Protective Security Authority, which include the communications, defence, energy, finance, food and health sectors. This is likely to extend to private companies that provide certain services to the UK government. As part of the consultation, the UK government has asked respondents to consider whether businesses within public sector supply chains should also be included in the ban.
The UK government hopes that such a ban will deter cybercriminals by ensuring they will receive no money from targeting essential agencies and infrastructure. This approach supplements an earlier joint statement by the Counter Ransomware Initiative (CRI) (a consortium of countries that have come together to disrupt cybercriminals), which strongly discouraged individuals and businesses from paying ransom demands on the basis that this incentivises cybercriminals and provides funds without guaranteeing data retrieval or malware removal.
For businesses outside the scope of the ban, the consultation does not identify the regulatory authority or authorities that would receive and respond to a notification of an intended ransom payment; however, the UK government has indicated that it wishes to build upon the guidance offered by the NCSC, suggesting that the NCSC may be a likely candidate.
After a notification is made to the applicable authority, the business would receive guidance from that authority. The authority would determine whether there is a legitimate reason why the ransom payment should be blocked, for instance because the payment would be made to a sanctioned entity. If the proposed payment is not blocked, the business would retain the ability to decide whether or not to pay.
Some of the UK government’s proposals mirror existing U.S. guidelines. For example, the proposal to introduce a requirement for companies to check if a ransom payment is to a sanctioned entity before paying is aligned with the position of the U.S. Treasury’s Office of Foreign Assets Control (OFAC) (see our previous alert).
During a data security incident, where time is of the essence, the requirement to wait for the UK government to respond before deciding whether to pay a threat actor would be another significant factor to manage within an already complex incident response process. The consultation is silent on whether the UK government would commit to responding to businesses within a specific timeframe.
The UK government has not outlined what sanctions would apply to a business that fails to comply with the reporting requirements.
The UK government is actively considering whether to make such notification requirements economy-wide, or if they should be limited to certain sectors or certain thresholds.
Under the proposed reporting regime, businesses would need to report the data security incident and the ransom demand to ‘relevant parts’ of the UK government. This is similar to the reporting obligations contemplated under the U.S. Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) (see our previous alert).
Given that the proposals are at a very early stage, it is unsurprising that the consultation leaves many questions unanswered.
Which incidents are in scope of the regime?
The consultation suggests that ‘suspected’ victims of ransom or extortion relating to a cyber incident would be subject to the mandatory reporting regime. Notably, one of the questions in the consultation’s questionnaire asks respondents whether phishing attempts and other cyber incidents should be covered as part of the mandatory reporting. This broad scope may capture minor incidents such as spam emails or other phishing attempts and would be very burdensome for organisations to implement. As noted above, the consultation is already broad in scope in that it seems to cover ransom demands following a data exfiltration event as well as encryption events.
For the notification obligation, the UK government appears to be considering the amount of ransom demanded, the organisation’s headcount or the sector in which it operates as potential reporting thresholds, but (glaringly) not the potential impact of the attack on the business, the data affected or whether the threat is genuine. Given that many businesses receive unsubstantiated demands from threat actors, relying on the amount demanded to determine whether an incident is notifiable could generate many reports where there is no real risk of harm to individuals or to the business.
How will this regime interact with existing incident reporting requirements?
The consultation does not specify which authority or branch of the UK government would be responsible for receiving reports and taking action. Controllers under the UK GDPR are already obliged to report personal data breaches to the UK Information Commissioner’s Office (ICO) within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals. Operators of essential services and relevant digital service providers also have an obligation under the UK’s Network and Information Systems Regulations 2018 (which implement the NIS Directive) to notify incidents that have a substantial impact on the provision of their services to their competent authority, which is the ICO for digital service providers and the relevant sector regulator for operators of essential services. There are also industry-specific reporting regimes, for example in the financial services and charities sectors.
Within the consultation, the UK government notes that its intent is to ensure that UK victims are, as far as possible, required to report a ransom or extortion demand only once, and that it will consider how to deconflict reporting requirements during the development of any future legislation. It is not clear how this would work in practice, for example whether regulators that receive incident reports under the UK GDPR or NIS would share details with the authority responsible for ransom reporting.
Who will the regime apply to?
The UK government has not provided a clear jurisdictional scope for the proposals beyond its aim to protect UK businesses, citizens and critical national infrastructure, whether UK-owned or not. As such, it is unclear whether foreign ransom attacks with a UK nexus or foreign private sector providers of critical national infrastructure are captured within the obligations of the proposals. This should be clarified if the UK government introduces legislation to implement its proposals.
For now, the UK government is welcoming feedback from organisations (including those with global and multinational structures) and is seeking to understand how to align these proposals with broader existing requirements. The consultation is open for responses until 8 April 2025. After the consultation closes, the UK government has committed to publishing a public response, which should shed more light on whether the UK intends to move forward with these new—and significant—legislative proposals.
Safwan Akbar, London trainee solicitor, contributed to the drafting of this alert.