New UK rules proposed for Ransomware payments
On 14 January 2025 the UK government opened a consultation (which closes on 8 April 2025) on making ransom payments in the UK. The consultation contains three proposals:
Central government departments currently cannot make ransom payments, but the proposal expands that principle by prohibiting all entities in the UK public sector from doing so. The proposal also covers owners and operators of critical national infrastructure and, potentially, critical suppliers to those organisations.
The second proposal would require any ransomware victim to report their intention to make a ransomware payment to the National Crime Agency before making any payment. They would then receive support and guidance, and the National Crime Agency would review the proposed payment and consider whether there is a reason to block it.
Regulators in the UK advise companies not to make ransom payments — and lawyers have been told by the ICO and the Law Society that they should do the same with their clients. The consultation acknowledges the commercial reality of ransom payments, and confirms that if the proposed payment is not blocked, it is for the victim to decide whether to proceed.
Lastly, the Government is seeking views on whether an incident reporting regime should be economy-wide or should apply only to organisations and individuals meeting a certain threshold (e.g., turnover, number of employees, sector, amount of ransom sought). The reporting requirement would oblige organisations to notify the National Crime Agency within 72 hours of becoming aware of the ransom demand, and would apply regardless of the victim’s intention to pay the ransom.
The government’s thinking is that if cyber criminals know that hospitals cannot legally pay a ransom, they will stop targeting those entities. Whether that is correct remains to be seen. What is clear is that we can likely expect a highly significant change to the status quo in the UK regarding ransom payments.