Ransomware is one of the top concerns keeping CISOs (and some GCs) awake, and many think that it’s a case of ‘when, not if’ in terms of having to manage a ransomware incident.
We regularly speak to clients about their approach to ransomware payments and the factors to consider – ideally as part of their cyber preparedness work but sometimes (unfortunately) in the heat of helping them respond to an attack. Yesterday the UK Government launched a consultation which, if the proposals become law, will certainly add to those factors.
The three legislative proposals under consultation are:
- A targeted ban on ransomware payments for all public sector bodies, including local government, and for owners and operators of Critical National Infrastructure (‘CNI’) that are regulated or that have competent authorities (building on the current ban for central government departments). Ransomware gangs want to get paid and the aim is to make the UK and its essential infrastructure an unattractive target to those gangs. One obvious question then becomes: won’t the gangs simply move down the supply chain? The Home Office is therefore seeking views on whether essential suppliers to these sectors should also be included in the new rules. In terms of enforcement, the Government is seeking an effective but proportionate solution to encourage compliance. The consultation discusses a range of possible measures, from making non-compliance with the ban a criminal offence to civil penalties such as a monetary penalty or a ban on being a board member.
- A new ransomware payment prevention regime which would require any ransomware victim (those not covered by the ban mentioned above) to engage with the authorities and report their intention to make a ransomware payment before paying money to the cyber criminals. They would then receive support and guidance, and the authorities would review the proposed payment to see if there is a reason to block it (e.g. sanctions issues). Here, the Government is seeking both to influence victim behaviour and to improve its understanding of the ransomware payment landscape, as law enforcement and operational partners do not currently have a complete view on who the money is going to, how much is being paid etc.
- A ransomware incident reporting regime which would apply to victims of a ransomware attack, regardless of their intention to pay. The Home Office are currently exploring who would need to report - for example, should the reporting requirement be economy-wide, or only impact organisations and individuals meeting a certain threshold (and, in fact, should individuals be excluded)? Also, the plan is to ensure that UK victims are only required (as far as possible) to report an individual ransomware incident once, but how will this work given there are now multiple pieces of legislation which require incident reporting? Presumably recognising this, the Home Office state that they would work with other Government Departments “to consider the deconfliction of reporting requirements during the development of any legislation.” The proposal envisages both an initial report to relevant parts of the Government within 72 hours, and a fuller report within 28 days.
Comment:
The UK Government has made it clear for some time now that it does not approve of organisations paying ransoms, and wants to disrupt the cyber criminals and their business model. It has sanctioned some cyber criminals and is an active member of the Counter Ransomware Initiative (CRI). As part of its work with the CRI, the UK signed a joint statement against ransomware payments back in November 2023. The statement confirmed, for the first time, that no central government funds should be used to pay ransomware demands (see blog). These latest proposals go a step further, extending the ban and introducing separate notification obligations in relation to suffering an attack and to making a ransomware payment. The proposals seem to reflect public sentiment, as the consultation document references Home Office polling which found that 68% of the public believed that it is wrong for a business to pay a ransom because that ransom could be used by attackers to fund more criminal activity, and 81% believed a business should report a ransomware attack, even if it can resolve it on its own.
While the drivers for the new rules are clear, they do raise some interesting questions. How will this all be funded (given current budgetary constraints) and who will enforce the rules? How will it all work in practice? For example, how will it fit with a growing list of regulatory incident/breach notification obligations? And what will be the impact of these rules on the private sector? While some critical national infrastructure suppliers could, potentially, be brought in scope, the rest of the private sector may find themselves more of a target for the threat actors while facing increasing public, regulatory and governmental pressure to resist payment.
More Lens blogs relating to ransomware are available here.