A significant percentage of UK business executives are prepared to confront potential legal repercussions by making ransom payments.

Backing a ransom payment restriction is easy, until it applies to you as the victim...

A significant majority of UK business leaders are prepared to face potential legal repercussions by succumbing to ransom demands

In a recent announcement, the UK government has proposed a ban on ransomware payments for public sector bodies and operators of critical national infrastructure (CNI). The move aims to remove financial gains for attackers and potentially de-incentivize ransomware targeting of these vital sectors [1][3][4].

The proposed ban, however, does not extend to private firms. Businesses outside these categories would be required to notify the government if they intend to pay a ransom, enabling tailored government advice and support to reduce harm and prevent illegal payments to sanctioned criminal groups [1][4].

A survey conducted by Commvault found that 94% of business leaders support limiting ransom payments for public bodies, and an impressive 99% for private organizations [2]. However, only 10% of private sector respondents said they would comply with a ransom payment ban if attacked [5]. Strikingly, 75% of private sector leaders admitted they would pay a ransom if it were the only way to save their organization.

The rationale behind the ban is to reduce the financial incentives for cybercriminals. Yet, there are concerns about a displacement effect, where cybercriminals may target non-covered private sector businesses more intensively [1]. Compliance challenges and legal uncertainties remain, notably around the precise definition of CNI, scope of enforcement, and how supply chain entities are affected [3].

The survey also revealed that 34% of those who supported a ransom payment ban believed it would lead to increased government support for building cyber resilience [2]. Jane Frankland, CEO of security training firm Knewstart, stated that ransomware and cyber attacks will continue to be a concern for a long time [6].

Intriguingly, nearly half of managed service providers (MSPs) have admitted to keeping a ransomware "kitty", a pool of money set aside in case a ransom has to be paid, although no further details are given. International cyber gangs make huge profits from ransomware and reinvest those resources in continually developing their attack tools.

The ban, if enforced, could help take the profit out of ransomware. However, it must be matched by greater investment in prevention, detection, and recovery testing. Businesses must strengthen their cyber defenses and incident preparedness, and engage with government on an ongoing basis, to mitigate ransomware risks. The ban could reduce attacks on critical services but risks shifting attackers toward less-protected private sector firms, which will still face difficult decisions under pressure from ransomware threats [1][3][5].

  1. The UK government's proposal to ban ransomware payments for operators of critical national infrastructure (CNI) and public sector bodies aims to reduce the financial gains for attackers and potentially de-incentivize ransomware targeting of these sectors.
  2. Despite the proposed ban not extending to private firms, the survey conducted by Commvault found that 99% of business leaders support a ransom payment ban for private organizations, with only 10% stating they would comply if attacked.
  3. Serious concerns have been raised about a potential displacement effect, where cybercriminals may target non-covered private sector businesses more intensively if the ban is enforced, as these firms are less well protected.
