Out-Law News

Ransomware payments ban to be introduced in the UK


Public sector bodies and operators of ‘critical national infrastructure’ in the UK are set to be banned from making ransomware payments.

The UK government has also confirmed further plans to require businesses not subject to that ban to take more action in relation to ransomware. It said it will develop a new ‘payment prevention regime’, under which businesses must notify the government of any intention to pay a ransom demanded by cyber criminals, and it will pursue a new mandatory reporting system under which certain ransomware incidents will need to be notified to the UK authorities.

The plans were detailed in a response (89-page / 770KB PDF) the Home Office has published to a consultation it ran earlier this year.

“The new package of measures will lead the way in tackling ransomware and are designed to strike against cyber criminals’ business model, bolstering our national security and protecting key services and businesses from disruption,” the government said in a statement. However, the detailed policy has still to be determined and the government has itself acknowledged the need for clarity on which organisations will be in scope of the ransomware payments ban – including whether it will extend to suppliers to those organisations.

In this regard, the government said: “The government will explore existing arrangements under the Cyber Security and Resilience Bill and other measures such as the reporting work being undertaken by the Bank of England, and existing sectoral reporting requirements. The Home Office is working with lead critical national infrastructure government departments to consider the most appropriate approach for supply chains.”

Another issue to be determined is whether the payment prevention regime will apply on an economy-wide basis or whether a threshold measure, such as annual turnover, will be set to determine which companies are in scope and which are not.

Cyber risk expert Ellie Ludlam of Pinsent Masons said: “There remains a lack of clarity on the scope of the new mandatory reporting regime planned, including what the consequences and penalties might be for non-compliance”.

“The government is still considering whether to apply mandatory reporting obligations to just ransomware incidents or to extend them to other forms of cyber incidents, such as phishing,” she said, adding that it is also not clear as to whether the obligations will be applied on an economy-wide basis or just to businesses of a certain size or that operate in certain sectors.

However, the government did confirm that businesses subject to the mandatory reporting regime will be expected to make an initial report of an incident within 72 hours.

The government has promised to publish “detailed guidance” before new reporting obligations come into force. Ludlam said organisations and practitioners will eagerly await that guidance.

Jonathon Ellison, director of national resilience at the UK’s National Cyber Security Centre, said: “These new measures help undermine the criminal ecosystem that is causing harm across our economy. Ransomware remains a serious and evolving threat, and organisations must not become complacent. All businesses should strengthen their defences using proven frameworks such as Cyber Essentials and our free Early Warning service, and be prepared to respond to incidents, recover quickly, and maintain continuity if the worst happens.”

Ludlam said: “There remain a number of unanswered questions, such as whether new measures banning ransom payments for public sector and critical national infrastructure organisations will result in cyber criminals seeking to monetise attacks on those entities by other means, and how those businesses will recover in the absence of being able to pay a ransom and where there are no technical restoration options, for example. We await further detail from the government to understand how the new measures will impact businesses in the UK.”
