To pay or not to pay? UK government consults on new ransomware rules
The UK Government has proposed new restrictions on making ransom payments following cyber attacks and sweeping changes to reporting arrangements.
What might change?
In a consultation paper released on 14 January, the UK Government has invited views on three key changes to the law and practical arrangements covering situations in which financial demands are made of organisations following cyber incidents.
- A targeted ban on certain organisations making ransomware payments – all public sector bodies and owners and operators of critical national infrastructure (for now limited to those that are regulated or have competent authorities) would be required to make a "public and binding commitment" to non-payment of ransom demands.
- A ransomware payment prevention regime – businesses intending to make ransom payments would be required to report their intention to do so to relevant authorities, leading to dialogue and ultimately possible steps by those authorities to block those payments.
- A ransomware incident reporting regime – businesses falling victim to ransomware attacks would have to report, within 72 hours, the fact of the attack, any demands made and other details including their ability to cope with the attack, and would then have to follow up with a full report within 28 days.
Why are these changes being proposed?
The proposals are aimed at undermining the business model adopted by threat actors involved in ransomware attacks. Taken together, the measures are intended to make it harder to realise any financial benefits from deploying ransomware (thus depleting the resources available for further attacks) and to augment the ability of enforcement authorities to take action by increasing intelligence flows.
Drawing on previous examples of ransomware attacks and risk modelling, the paper highlights the significant financial costs of this type of criminal activity for private enterprises, which may be measured in tens of billions of pounds and have in some cases been decisive factors in companies collapsing into insolvency. It also underlines the significant national security and wider social harms associated with incidents targeting public services and critical national infrastructure.
Financial crime and regulatory considerations
In some instances, business continuity pressures or the sensitivity or commercial importance of the data that has been compromised or exfiltrated are such that organisations feel that they have no alternative but to make payments to threat actors. In the UK, it is generally not illegal for an organisation to do so using its own lawfully obtained funds, although it is always crucial to consider carefully whether, on the available information, doing so may infringe counter-terrorist financing or financial sanctions legislation. For further analysis of the legal considerations relating to ransomware payments in various jurisdictions, see our previous Clifford Chance briefing.
The proposals would not change this position, but are designed to increase the extent to which enforcement authorities are involved in organisations' decision-making processes about whether to accede to ransom demands.
The consultation paper raises the possibility of civil or criminal penalties for non-compliance with the proposed ban on making ransomware payments (for organisations to which it would apply) and for making payments where authorities have indicated that such payments should be blocked.
Practical concerns for organisations will include the proliferation of reporting obligations concerning cyber incidents and the potential for tension between these requirements. Decision makers within organisations navigating ransomware attacks are already often dealing with multiple considerations about what they have to report, to whom and by when, in addition to making finely balanced assessments about whether to make a payment.
The consultation paper acknowledges some current reporting requirements, in particular those under the Network Information Systems Regulations. It indicates that steps would be taken to seek to put in place a regime under which UK victims would only be required to report a ransomware incident once.
It is not clear at this stage how the proposed requirement to engage with authorities would fit in with existing financial crime legislation. The consultation paper makes clear that, under the proposed ransomware payment prevention regime, if authorities decide not to seek to block a proposed payment "it would be a matter for the victim whether to proceed".
A decision by enforcement authorities not to block a ransomware payment would not provide a defence to any offences organisations may potentially commit by making such payments (for example under the Terrorism Act 2000). Discussions with enforcement authorities about the possible blocking of ransomware payments could lead to organisations being provided with information relevant to assessments about whether it may be necessary to file a Suspicious Activity Report. This is a point on which further clarity will be welcome as the proposals progress.
Next stages
The proposals are at a formative stage. There are not yet any firm indications of how or when they may be enacted. However, it is likely that there will be broad political support for the measures. If, as expected, they do pass into law, they would impose significant new requirements on organisations across all industries. One possible consequence of the ban on some types of organisations making ransomware payments is that attacks may instead be targeted at private sector entities.
The consultation paper invites responses by 8 April 2025. Organisations now have an opportunity within those timescales to engage with the UK government to refine the proposals, anticipate possible practical challenges and get involved in the conversation about how to mitigate those.