Threatonomics

Does the proposed UK ransomware payment ban take things too far?

by Tom Egglestone

Why ransomware legislation needs a nuanced implementation

Co-written with Henry Westwood, Resilience Cyber Underwriting Manager, and Simon West, Resilience Head of Customer Engagement

The UK government recently launched a consultation on legislative proposals to combat ransomware attacks, one of the most significant cyber threats facing organisations today. As cybersecurity professionals working with organisations across various sectors, we’ve carefully examined these proposals and offered insights that balance deterrence with operational realities.

The growing ransomware threat

Before addressing the specific proposals, it’s worth contextualising the challenge. Ransomware has evolved from opportunistic attacks to sophisticated operations run by well-organised criminal enterprises. These groups target everything from multinational corporations to local councils, such as the London Borough of Hackney in 2020, and often cause significant operational disruption and financial damage.

Traditional response options typically include:

  1. Restoring from clean backups (when available)
  2. Rebuilding systems from scratch (often taking weeks or months)
  3. Negotiating with attackers (while simultaneously pursuing other recovery options)
  4. Paying the ransom (typically as a last resort when other options aren’t viable)

The government’s proposals aim to eliminate or restrict the last option, with significant implications for organisations across the UK.

Finding balance with a targeted ransomware payment ban

The first proposal is a ransomware payment ban for public sector bodies and regulated Critical National Infrastructure (CNI) operators. In theory, this could make these entities less attractive targets and encourage better cyber hygiene. However, the reality is more complex.

Ransoms are typically paid only as a last resort, when critical systems are compromised and backup options are exhausted. For public sector and CNI organisations, the consequences of non-payment could be worse than the ransom itself: citizens losing access to healthcare, water, or emergency services. The 2021 Colonial Pipeline attack in the US demonstrated how ransomware can impact critical infrastructure, leading to fuel shortages across multiple states.

Additionally, the negotiation process often provides valuable time for recovery planning and system restoration. Removing this option entirely could accelerate system destruction or data exposure. Attackers, finding themselves unable to monetise their access, might resort to more destructive actions or immediate data leaks.

Our recommendation strikes a middle ground: implement the ransomware payment ban but allow payments in exceptional circumstances with explicit government agency approval. This maintains the deterrent while providing flexibility when public safety is at stake, all while ensuring attacks are reported to relevant authorities. This approach recognises that while discouraging payments is generally sound policy, there may be scenarios where the public interest is better served by allowing a controlled exception.

Practical concerns around expanding prevention

The second proposal would extend the ransomware payment ban beyond the public sector to potentially all UK organisations. While well-intentioned, we have serious reservations about its practicality.

The private sector—and particularly insurance companies—has developed sophisticated, time-sensitive response capabilities over years. These include:

  • Established protocols for evaluating ransom payment decisions
  • Specialist negotiators who understand attacker psychology and tactics
  • Forensic teams that can quickly determine attack scope and recovery options
  • Legal frameworks for ensuring compliance with sanctions and regulatory requirements

Government approval processes would likely create bottlenecks during critical incidents when every minute counts. Consider that many ransomware incidents involve 72-hour deadlines from threat actors before data leaks or price increases—government involvement would need to operate within these tight timeframes.

Rather than a blanket approach, we suggest strengthening existing guidance with mandatory pre-payment checklists. These would include:

  • Confirmation of sanctions clearance to ensure payments don’t fund sanctioned entities
  • Verification that clean backups aren’t available or viable for restoration
  • Assessment of data sensitivity and potential harm from leakage
  • Confirmation that payment is the last viable option for recovery

This approach leverages established insurance industry processes while delegating authority to those with operational experience. Uninsured entities might still require government approval, recognising that they may have less mature response processes or less access to expert resources.

Smarter reporting requirements

The third proposal addresses incident reporting, a critical component for understanding the ransomware landscape and developing effective countermeasures. We conditionally support mandatory reporting, provided it’s implemented thoughtfully.

Initial reporting thresholds should target larger organisations and significant ransom demands to prevent overwhelming smaller businesses. The reporting mechanism must recognise the extreme pressure organisations face during active incidents:

  • Reports should be simple to submit with minimal administrative burden
  • Initial reporting should capture only essential information
  • Follow-up details can be collected after the immediate crisis has passed

For this system to deliver value, the government must clarify how the collected information will be used and, crucially, how insights will flow back to industry. A one-way reporting stream provides little incentive for engagement. Instead, reporting should offer tangible benefits:

  • Support from cyber experts such as the National Cyber Security Centre (NCSC)
  • Actionable threat intelligence on ransomware groups and their tactics
  • Operational updates from law enforcement on their response efforts
  • Technical indicators that organisations can use to improve their defences

We observed that most organisations already report significant incidents to law enforcement, insurers, and regulators. Any new regime should harmonise with these existing obligations rather than creating confusion through duplicate reporting streams, particularly since victims will be preoccupied with mitigating the incident. This is especially pertinent to global entities, which already have to manage multiple reporting regimes in different territories.

Balancing security with business continuity

Throughout our response, we have emphasised the need for pragmatism. While eliminating ransomware payments might seem like a straightforward solution, the reality is that many organisations find themselves with no viable alternative when struck by sophisticated attacks.

Insurance has been at the forefront of facilitating behavioural change within organisations. A good example is how the cyber insurance market raised the baseline of security controls it expects policyholders to have in place against ransomware; those expectations are now standard practice. Rather than replacing these established mechanisms, government initiatives should complement and strengthen them.

The government’s intent to combat ransomware and protect UK businesses and the general public deserves support, but implementation requires nuance. Effective countermeasures must balance theoretical deterrence with operational realities.

We recommend a phased approach:

  1. Begin with targeted restrictions for public sector and CNI organisations
  2. Carefully evaluate the impact before expanding to broader sectors
  3. Develop clear guidance and support mechanisms before imposing restrictions
  4. Ensure incident reporting provides value back to reporting organisations

As cyber threats evolve, so must our collective response strategies. We remain committed to enhancing cyber resilience and welcome further dialogue with government agencies on refining these proposals into practical, effective solutions.

This blog post represents our organisation’s position on the UK Government’s ransomware consultation. The full consultation response contains additional technical details and recommendations.
