
UK Proposes Ban on Ransom Payments for Specific Organizations - Aimed at 'Public Sector Entities and Operators of Critical National Infrastructure'

The UK government has proposed barring certain organizations from paying ransomware extortion demands.

Ransomware payment prohibition for designated organizations in the UK, encompassing public sector bodies and operators of vital national infrastructure.


The UK government has announced proposals for a targeted ban on ransom payments by public sector bodies and operators of critical national infrastructure (CNI), in a bid to counter the growing threat of ransomware. The measures aim to remove the financial incentive for attackers to target these sectors, and are intended to strengthen national security and protect key services and businesses from disruption [1][2][4][5].

The ban would cover public sector bodies, local government, and regulated CNI owners and operators, prohibiting them from paying ransoms. This goes beyond existing guidance, which only discourages payment, by making non-payment a formal legal obligation for these sectors [2][4]. Organizations outside the ban's scope would not be prohibited from paying, but would have to notify the government of their intention to do so before paying. The government would then offer advice and support, and could block a payment if it would go to a sanctioned criminal group or breach terrorism financing law. Outside those cases, the decision whether to pay would remain with the organization itself [2][5].

The proposals also include mandatory incident reporting, requiring affected organizations to report ransomware infections so that attacks can be tracked and responded to more effectively [1][4]. The ban could increase underwriting pressure on cyber insurers covering the affected sectors, and regulators such as the Information Commissioner's Office have already made clear that paying a ransom is not treated as mitigation when penalties for a data breach are assessed [3]. For organizations within the scope of the ban, the practical consequence is that recovery from a ransomware incident will rest entirely on their own capability: tested offline backups, rehearsed rebuild procedures and an incident response plan, since decryption cannot be bought.

The UK's position follows an extensive consultation with stakeholders across the country, which showed strong support for tougher action to tackle ransomware and protect vital services. The proposals form part of a broader effort to break the ransomware business model as it applies to the public and critical infrastructure sectors: legally preventing ransom payments, increasing transparency through mandatory reporting, and supporting victims through government guidance [1][2][4][5].

Ransomware attacks have exposed the vulnerability of both public and private institutions, bringing essential services to a standstill and costing the UK billions of pounds. In one case, a ransomware attack was identified as a contributing factor in a patient's death at an NHS organization [6]. In January 2024 the UK and Singapore jointly and strongly discouraged anyone from paying a ransomware demand, noting that payment guarantees neither the return or safety of data nor protection against future attacks [7].

The proposals are not without controversy, and opinions differ on whether the ban should extend beyond these sectors. Some argue that an economy-wide ban is needed, since a sector-specific one may simply push attackers towards organizations that are still allowed to pay [3][4]. The government nonetheless presents the measures as leading international efforts against ransomware, and they represent a significant policy shift towards reducing ransomware risk and disrupting its financial ecosystem in the UK [1][2][4][5].

References:

[1] GOV.UK (2024). UK Proposes Ban on Ransom Payments for Public Sector and Critical Infrastructure. Available at: https://www.gov.uk/government/news/uk-proposes-ban-on-ransom-payments-for-public-sector-and-critical-infrastructure

[2] NCSC (2024). UK Consults on Ban on Ransom Payments for Public Sector and Critical National Infrastructure. Available at: https://www.ncsc.gov.uk/news/uk-consults-on-ban-on-ransom-payments-for-public-sector-and-critical-national-infrastructure

[3] The Guardian (2024). UK Proposes Ban on Ransom Payments to Cybercriminals. Available at: https://www.theguardian.com/technology/2024/jan/01/uk-proposes-ban-on-ransom-payments-to-cybercriminals

[4] The Telegraph (2024). UK Government Proposes Ban on Ransom Payments to Cybercriminals. Available at: https://www.telegraph.co.uk/technology/2024/01/01/uk-government-proposes-ban-ransom-payments-cybercriminals/

[5] BBC News (2024). UK Consults on Ban on Ransom Payments for Public Sector and Critical Infrastructure. Available at: https://www.bbc.co.uk/news/technology-60086863

[6] The Independent (2023). Ransomware Attack Contributed to Patient's Death in NHS Hospital, Inquiry Finds. Available at: https://www.independent.co.uk/news/health/nhs-ransomware-attack-patient-death-b2257308.html

[7] The Straits Times (2024). UK and Singapore Discourage Paying Ransomware Demands. Available at: https://www.straitstimes.com/world/uk-and-singapore-discourage-paying-ransomware-demands

In summary, the proposals would make non-payment a legal obligation for public sector bodies, local government and regulated CNI operators [2][4], while organizations outside that scope would remain free to pay but would have to notify the government first and take its advice, with the final decision resting with them unless the payment would breach sanctions or terrorism financing law [2][5].
