Handley Gill Limited

The Gold at the End of the Rainbow?

While removing the financial incentive for ransomware gangs is a laudable aim, it won’t disincentivise those entities who merely seek to cause disruption and expense. Unless and until the entirety of UK plc increases its cyber resilience to limit the effectiveness of ransomware and improve readiness to recover from it, preventing organisations from taking the necessary steps to get back on their feet will result in significant disruption to public services and private businesses and cause financial harm to the public purse and wider economy.
The public and private sectors must collaborate to take a holistic approach to cyber security and resilience to protect the people, property and prosperity of UK plc.
— Handley Gill Limited

On 14 January 2025, the Home Office issued a consultation proposing (i) a targeted ban on ransomware payments, (ii) a new ransomware payment prevention regime and (iii) a ransomware incident reporting regime.

The targeted ban on ransomware payments would apply to all public sector bodies (including local authorities) and owners or operators of critical national infrastructure that are regulated or that have competent authorities.

The ransomware payment prevention regime would create a prior notification obligation in relation to proposed ransomware payments to authorities, which would then result in support and guidance being provided and a decision taken as to whether any payment should be blocked.

The online consultation is open until 08 April 2025 and poses the following questions:

  1. To what extent do you agree, or disagree, that His Majesty's Government (HMG) should implement a targeted ban on ransomware payments for CNI owners and operators (who are regulated/have competent authorities) and the public sector, including local government?

  2. How effective do you think this proposed measure will be in reducing the amount of money flowing to ransomware criminals, and thus reducing their income? 

  3. How effective do you think banning CNI owners and operators (who are regulated/have competent authorities) and the public sector, including local government, from making a payment will be in deterring cyber criminals from attacking them?

  4. What measures do you think would aid compliance with the proposed ban? Select all that apply: Additional guidance to support compliance with the proposed ban; Tailored support to manage the response and impact following an attack; None; Don't know; Other (please specify).

  5. What measures do you think are appropriate for non-compliance with the proposed ban? Select all that apply: Criminal penalties for non-compliance; Civil penalties for non-compliance; None; Don't know; Other (please specify).

  6. If you represent a CNI organisation or public sector body, would your organisation need additional guidance to support compliance with a ban on ransomware payments? 

  7. Should organisations within CNI and public sector supply chains be included in the proposed ban? 

  8. Do you think there should be any exceptions to the proposed ban?

  9. Do you think there is a case for widening the ban on ransomware payments further, or even imposing a complete ban economy-wide (all organisations and individuals)? 

  10. To what extent do you agree, or disagree, that the Home Office should implement the following: Economy-wide payment prevention regime for all organisations and individuals not covered by the ban set out in Proposal 1.

  11. To what extent do you agree, or disagree, that the Home Office should implement the following: Threshold-based payment prevention regime, for certain organisations and individuals not covered by the ban set out in Proposal 1.  For example, the threshold could be based on size of the organisation and/or amount of ransom demanded from the organisation or individual.

  12. To what extent do you agree, or disagree, that the Home Office should implement the following: Payment prevention regime for all organisations not covered by the ban set out in Proposal 1, but excluding individuals. This would exclude individuals from the regime, but apply it to all organisations. 

  13. To what extent do you agree, or disagree, that the Home Office should implement the following: Payment prevention regime for all organisations not covered by the ban set out in Proposal 1, but excluding individuals. This would exclude individuals from the regime, but apply it to all organisations. 

  14. How effective do you think the following will be in reducing ransomware payments? Economy-wide payment prevention regime for all organisations and individuals not covered by the ban set out in Proposal 1.

  15. How effective do you think the following will be in reducing ransomware payments? Threshold-based payment prevention regime, for certain organisations and individuals not covered by the ban set out in Proposal 1. For example, the threshold could be based on size of the organisation and/or amount of ransom demanded from the organisation or individual.

  16. How effective do you think the following will be in reducing ransomware payments? Payment prevention regime for all organisations not covered by the ban set out in Proposal 1, but excluding individuals. This would exclude individuals from the regime, but apply it to all organisations. 

  17. How effective do you think the following will be in reducing ransomware payments? Threshold-based payment prevention regime for certain organisations not covered by the ban set out in Proposal 1, excluding individuals. This would exclude individuals from the regime, and set a threshold for its application to organisations, e.g. based on the size of the organisation and/or amount of ransom demanded.

  18. How effective do you think the following will be in increasing the ability of law enforcement agencies to intervene and investigate ransomware actors? Economy-wide payment prevention regime for all organisations and individuals not covered by the ban set out in Proposal 1.

  19. How effective do you think the following will be in increasing the ability of law enforcement agencies to intervene and investigate ransomware actors? Threshold-based payment prevention regime, for certain organisations and individuals not covered by the ban set out in Proposal 1. For example, the threshold could be based on size of the organisation and/or amount of ransom demanded from the organisation or individual.

  20. How effective do you think the following will be in increasing the ability of law enforcement agencies to intervene and investigate ransomware actors? Payment prevention regime for all organisations not covered by the ban set out in Proposal 1, but excluding individuals. This would exclude individuals from the regime, but apply it to all organisations.

  21. How effective do you think the following will be in increasing the ability of law enforcement agencies to intervene and investigate ransomware actors? Threshold-based payment prevention regime for certain organisations not covered by the ban set out in Proposal 1, excluding individuals. This would exclude individuals from the regime, and set a threshold for its application to organisations, e.g. based on the size of the organisation and/or amount of ransom demanded.

  22. If we introduced a threshold-based payment prevention regime, what would be the best way to determine the threshold for inclusion? Please select all that apply: Organisation’s annual turnover in the UK; Organisation’s number of employees in the UK; The sector the organisation is operating in; Amount of ransom demanded; Don't know; Other (please specify).

  23. What measures do you think would aid compliance with a payment prevention regime? Please select all that apply: Additional guidance to support compliance; Support to manage the response and impact following an attack; None; Don't know; Other (please specify).

  24. Do you think these compliance measures need to be tailored to different organisations and individuals?

  25. What measures do you think are appropriate for managing non-compliance with a payment prevention regime? Please select all that apply: Criminal penalties for non-compliance; Civil penalties for non-compliance; None; Don't know; Other (please specify).

  26. Do you think these non-compliance measures need to be tailored to different organisations and individuals?

  27. For those reporting on behalf of an organisation, who do you think should be legally responsible for compliance with the regime? The organisation; Named individual; Both; Don't know; Not applicable. I am responding as an individual.

  28. For those reporting on behalf of an organisation, do you think any measures for managing non-compliance with the regime should be the same for both the organisation and a named individual responsible for a ransomware payment? 

  29. To what extent do you agree, or disagree, that the Home Office should implement the following: Continuation of the existing voluntary ransomware incident reporting regime.

  30. To what extent do you agree, or disagree, that the Home Office should implement the following: Economy-wide mandatory reporting for all organisations and individuals.

  31. To what extent do you agree, or disagree, that the Home Office should implement the following: Threshold-based mandatory reporting, for certain organisations and individuals. For example, the threshold could be based on size of the organisation and/or amount of ransom demanded from the organisation or individual.   

  32. To what extent do you agree, or disagree, that the Home Office should implement the following: Mandatory reporting for all organisations excluding individuals. This would exclude individuals from the regime, but apply it to all organisations.

  33. To what extent do you agree, or disagree, that the Home Office should implement the following: Threshold-based mandatory reporting, for certain organisations excluding individuals. This would exclude individuals from the regime, and set a threshold for its application to organisations, e.g. based on the size of the organisation and/or amount of ransom demanded.

  34. How effective do you think the following would be in increasing the Government’s ability to understand the ransomware threat to the UK? Continuation of the existing voluntary ransomware incident reporting regime.

  35. How effective do you think the following would be in increasing the Government’s ability to understand the ransomware threat to the UK? Economy-wide mandatory reporting for all organisations and individuals.

  36. How effective do you think the following would be in increasing the Government’s ability to understand the ransomware threat to the UK? Threshold-based mandatory reporting, for certain organisations and individuals. For example, the threshold could be based on size of the organisation and/or amount of ransom demanded from the organisation or individual.   

  37. How effective do you think the following would be in increasing the Government’s ability to understand the ransomware threat to the UK? Mandatory reporting for all organisations excluding individuals. This would exclude individuals from the regime, but apply it to all organisations.

  38. How effective do you think the following would be in increasing the Government’s ability to understand the ransomware threat to the UK? Threshold-based mandatory reporting, for certain organisations excluding individuals. This would exclude individuals from the regime, and set a threshold for its application to organisations, e.g. based on the size of the organisation and/or amount of ransom demanded.

  39. How effective do you think the following would be in increasing the Government’s ability to tackle and respond to the ransomware threat to the UK? Continuation of the existing voluntary ransomware incident reporting regime.

  40. How effective do you think the following would be in increasing the Government’s ability to tackle and respond to the ransomware threat to the UK? Economy-wide mandatory reporting for all organisations and individuals.

  41. How effective do you think the following would be in increasing the Government’s ability to tackle and respond to the ransomware threat to the UK? Threshold-based mandatory reporting, for certain organisations and individuals. For example, the threshold could be based on size of the organisation and/or amount of ransom demanded from the organisation or individual.   

  42. How effective do you think the following would be in increasing the Government’s ability to tackle and respond to the ransomware threat to the UK? Mandatory reporting for all organisations excluding individuals. This would exclude individuals from the regime, but apply it to all organisations.

  43. How effective do you think the following would be in increasing the Government’s ability to tackle and respond to the ransomware threat to the UK? Threshold-based mandatory reporting, for certain organisations excluding individuals. This would exclude individuals from the regime, and set a threshold for its application to organisations, e.g. based on the size of the organisation and/or amount of ransom demanded.

  44. If we introduced a mandatory reporting regime for victims within a certain threshold, what would be the best way to determine the threshold for inclusion? Please select all that apply: Organisation’s annual turnover in the UK; Organisation’s number of employees in the UK; The sector the organisation is operating in; Amount of ransom demanded; Don't know; Other (please specify).

  45. What measures do you think would aid compliance with a mandatory reporting regime? Please select all that apply: Additional guidance to support compliance; Support to manage the response and impact following an attack; None; Don't know; Other (please specify).

  46. What measures do you think would aid compliance with a mandatory reporting regime? Please select all that apply: Additional guidance to support compliance; Support to manage the response and impact following an attack; None; Don't know; Other (please specify).

  47. What measures do you think are appropriate for managing non-compliance with a mandatory reporting regime? Please select all that apply: Criminal penalties for non-compliance; Civil penalties for non-compliance; None; Don't know; Other (please specify).

  48. Do you think these non-compliance measures need to be tailored for different organisations and individuals?

  49. Do you think the presence of a mandatory incident reporting regime will impact business decisions of foreign companies and investors? 

  50. For the mandatory reporting regime, is 72 hours a reasonable time frame for a suspected ransomware victim to make an initial report of an incident? 

  51. Do you think that an incident reporting regime should offer any of the following services to victims when reporting? Please select all that apply: Support from cyber experts e.g. the National Cyber Security Centre (NCSC)/law enforcement; Guidance documents; Threat intelligence on ransomware criminals and trends; Operational updates e.g. activities law enforcement are undertaking; Other (please specify).

  52. Should mandatory reporting cover all cyber incidents (including phishing, hacking etc.), rather than just ransomware? 

  53. Do you have any other comments on our consultation proposals?  

These questions indicate that the government is at least contemplating the prospect of a much broader, blanket regime.

At Handley Gill, while we are not opposed in principle to restrictions being imposed on the making of ransomware payments, we do object to the proposal to do so in isolation. Any such measures should be the last step in a concerted whole-of-society approach to improving cyber security and resilience, not the first. Furthermore, they should be considered in the context of the content of the promised Cyber Security and Resilience Bill, which has not yet been published.

Handley Gill intends to submit and publish its response to the government’s consultation in due course.